Merge pull request #7487 from AndrzejKurek/calloc-also-zeroizes-2-28
[Backport 2.28] Document mbedtls_calloc zeroization
diff --git a/ChangeLog.d/fix-a-few-unchecked-return.txt b/ChangeLog.d/fix-a-few-unchecked-return.txt
new file mode 100644
index 0000000..aadde36
--- /dev/null
+++ b/ChangeLog.d/fix-a-few-unchecked-return.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Fix some cases where mbedtls_mpi_mod_exp, RSA key construction or ECDSA
+ signature can silently return an incorrect result in low memory conditions.
diff --git a/library/bignum.c b/library/bignum.c
index 5dca3a9..384b924 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -2121,8 +2121,9 @@
* and squarings. Firstly, when multiplying by an element of the window
* W[i], we do a constant-trace table lookup to obfuscate i. This leaves
* squarings as having a different memory access patterns from other
- * multiplications. So secondly, we put the accumulator X in the table as
- * well, and also do a constant-trace table lookup to multiply by X.
+ * multiplications. So secondly, we put the accumulator in the table as
+ * well, and also do a constant-trace table lookup to multiply by the
+ * accumulator which is W[x_index].
*
* This way, all multiplications take the form of a lookup-and-multiply.
* The number of lookup-and-multiply operations inside each iteration of
@@ -2135,19 +2136,16 @@
* observe both memory accesses and branches. However, branch prediction
* exploitation typically requires many traces of execution over the same
* data, which is defeated by randomized blinding.
- *
- * To achieve this, we make a copy of X and we use the table entry in each
- * calculation from this point on.
*/
const size_t x_index = 0;
mbedtls_mpi_init(&W[x_index]);
- mbedtls_mpi_copy(&W[x_index], X);
j = N->n + 1;
- /* All W[i] and X must have at least N->n limbs for the mpi_montmul()
- * and mpi_montred() calls later. Here we ensure that W[1] and X are
- * large enough, and later we'll grow other W[i] to the same length.
- * They must not be shrunk midway through this function!
+ /* All W[i] including the accumulator must have at least N->n limbs for
+ * the mpi_montmul() and mpi_montred() calls later. Here we ensure that
+ * W[1] and the accumulator W[x_index] are large enough. later we'll grow
+ * other W[i] to the same length. They must not be shrunk midway through
+ * this function!
*/
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j));
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j));
@@ -2328,7 +2326,7 @@
/*
* Load the result in the output variable.
*/
- mbedtls_mpi_copy(X, &W[x_index]);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(X, &W[x_index]));
cleanup:
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 1f0b37d..3ede933 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -366,7 +366,7 @@
#if defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && rs_ctx->sig != NULL) {
- mbedtls_mpi_copy(r, pr);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_copy(r, pr));
}
#endif
@@ -457,7 +457,7 @@
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(d, data, grp_len));
MBEDTLS_MPI_CHK(derive_mpi(grp, &h, buf, blen));
MBEDTLS_MPI_CHK(mbedtls_mpi_write_binary(&h, data + grp_len, grp_len));
- mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len);
+ MBEDTLS_MPI_CHK(mbedtls_hmac_drbg_seed_buf(p_rng, md_info, data, 2 * grp_len));
#if defined(MBEDTLS_ECP_RESTARTABLE)
if (rs_ctx != NULL && rs_ctx->det != NULL) {
diff --git a/library/rsa_internal.c b/library/rsa_internal.c
index 2ff51c3..41ceff0 100644
--- a/library/rsa_internal.c
+++ b/library/rsa_internal.c
@@ -126,7 +126,7 @@
}
for (; attempt < num_primes; ++attempt) {
- mbedtls_mpi_lset(&K, primes[attempt]);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_lset(&K, primes[attempt]));
/* Check if gcd(K,N) = 1 */
MBEDTLS_MPI_CHK(mbedtls_mpi_gcd(P, &K, N));