Merge remote-tracking branch 'upstream-restricted/pr/422' into mbedtls-2.1-restricted
Resolved simple conflicts caused by the independent addition of calls to mbedtls_zeroize, sometimes with whitespace or comment differences.
commit
1b8822e9b3
@ -25,6 +25,13 @@ Security
|
|||||||
being leaked to memory after release.
|
being leaked to memory after release.
|
||||||
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
|
* Fix dhm_check_range() failing to detect trivial subgroups and potentially
|
||||||
leaking 1 bit of the private key. Reported by prashantkspatil.
|
leaking 1 bit of the private key. Reported by prashantkspatil.
|
||||||
|
* Make mbedtls_mpi_read_binary constant-time with respect to
|
||||||
|
the input data. Previously, trailing zero bytes were detected
|
||||||
|
and omitted for the sake of saving memory, but potentially
|
||||||
|
leading to slight timing differences.
|
||||||
|
Reported by Marco Macchetti, Kudelski Group.
|
||||||
|
* Wipe stack buffer temporarily holding EC private exponent
|
||||||
|
after keypair generation.
|
||||||
|
|
||||||
Bugfix
|
Bugfix
|
||||||
* Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
|
* Fix some invalid RSA-PSS signatures with keys of size 8N+1 that were
|
||||||
|
@ -648,6 +648,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A, const mbedtls_mpi
|
|||||||
*
|
*
|
||||||
* \return 0 if successful,
|
* \return 0 if successful,
|
||||||
* MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
|
* MBEDTLS_ERR_MPI_ALLOC_FAILED if memory allocation failed
|
||||||
|
*
|
||||||
|
* \note The bytes obtained from the PRNG are interpreted
|
||||||
|
* as a big-endian representation of an MPI; this can
|
||||||
|
* be relevant in applications like deterministic ECDSA.
|
||||||
*/
|
*/
|
||||||
int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
|
int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
|
||||||
int (*f_rng)(void *, unsigned char *, size_t),
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
@ -672,16 +672,20 @@ cleanup:
|
|||||||
int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
|
int mbedtls_mpi_read_binary( mbedtls_mpi *X, const unsigned char *buf, size_t buflen )
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
size_t i, j, n;
|
size_t i, j;
|
||||||
|
size_t const limbs = CHARS_TO_LIMBS( buflen );
|
||||||
|
|
||||||
for( n = 0; n < buflen; n++ )
|
/* Ensure that target MPI has exactly the necessary number of limbs */
|
||||||
if( buf[n] != 0 )
|
if( X->n != limbs )
|
||||||
break;
|
{
|
||||||
|
mbedtls_mpi_free( X );
|
||||||
|
mbedtls_mpi_init( X );
|
||||||
|
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, limbs ) );
|
||||||
|
}
|
||||||
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( X, CHARS_TO_LIMBS( buflen - n ) ) );
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_lset( X, 0 ) );
|
||||||
|
|
||||||
for( i = buflen, j = 0; i > n; i--, j++ )
|
for( i = buflen, j = 0; i > 0; i--, j++ )
|
||||||
X->p[j / ciL] |= ((mbedtls_mpi_uint) buf[i - 1]) << ((j % ciL) << 3);
|
X->p[j / ciL] |= ((mbedtls_mpi_uint) buf[i - 1]) << ((j % ciL) << 3);
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
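Review bot: The comment heading the new block in mbedtls_mpi_read_binary says what the block does but not why, and the why is the point of the change: X's limb count must depend only on buflen, never on how many leading zero bytes the input carries, so that allocation and the copy loop behave independently of the data. I would extend it to `/* Ensure that the target MPI has exactly the necessary number of limbs, so that X's size depends only on buflen and not on leading zero bytes of the input (keeps the function constant-time with respect to the data). */`. Callers that passed an X already larger than limbs now get it shrunk and reallocated, which is a behavioural change worth a sentence in the header documentation of mbedtls_mpi_read_binary. `mbedtls_mpi_init( X )` directly after `mbedtls_mpi_free( X )` looks redundant if free already resets the struct to its initialised state — harmless, but worth confirming. The function's cleanup and return lie past the end of the hunk.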
@ -1878,7 +1882,6 @@ int mbedtls_mpi_fill_random( mbedtls_mpi *X, size_t size,
|
|||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
mbedtls_zeroize( buf, sizeof( buf ) );
|
mbedtls_zeroize( buf, sizeof( buf ) );
|
||||||
|
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1830,7 +1830,6 @@ int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp
|
|||||||
{
|
{
|
||||||
/* SEC1 3.2.1: Generate d such that 1 <= n < N */
|
/* SEC1 3.2.1: Generate d such that 1 <= n < N */
|
||||||
int count = 0;
|
int count = 0;
|
||||||
unsigned char rnd[MBEDTLS_ECP_MAX_BYTES];
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Match the procedure given in RFC 6979 (deterministic ECDSA):
|
* Match the procedure given in RFC 6979 (deterministic ECDSA):
|
||||||
@ -1841,8 +1840,7 @@ int mbedtls_ecp_gen_keypair( mbedtls_ecp_group *grp, mbedtls_mpi *d, mbedtls_ecp
|
|||||||
*/
|
*/
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
MBEDTLS_MPI_CHK( f_rng( p_rng, rnd, n_size ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( d, rnd, n_size ) );
|
|
||||||
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
|
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_size - grp->nbits ) );
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
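Review bot: The new `MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_size, f_rng, p_rng ) );` line now relies on fill_random drawing n_size bytes from f_rng and interpreting them big-endian, which is what keeps this loop aligned with the RFC 6979 procedure cited in the comment above; that contract is documented only in the bignum.h note added by this commit, so a one-line comment here would help: `/* Draws n_size bytes from f_rng, interpreted big-endian (see mbedtls_mpi_fill_random) */`. With the local `rnd` buffer removed in the previous hunk, the raw PRNG output for the private exponent presumably lives only in fill_random's internal buffer, which the bignum.c cleanup hunk wipes, and in d itself — that is the intended hardening and deserves a sentence in the commit body. The context comment `/* SEC1 3.2.1: Generate d such that 1 <= n < N */` writes `n` where the variable is `d`; `1 <= d < N` would match the code. The enclosing do-while and mbedtls_ecp_gen_keypair continue beyond the hunk.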