DHM: Fix dhm_check_range() always returning 0
Although the variable ret was initialised to an error, the
MBEDTLS_MPI_CHK macro was overwriting it. Therefore it ended up being
0 whenever the bignum computation was successful and stayed 0
independently of the actual check.
diff --git a/ChangeLog b/ChangeLog
index a3171d7..15e6214 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 1.3.x branch released xxxx-xx-xx
+
+Security
+ * Fix dhm_check_range() failing to detect trivial subgroups and potentially
+ leaking 1 bit of the private key. Reported by prashantkspatil.
+
= mbed TLS 1.3.21 branch released 2017-08-10
Security
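Review bot: Minor formatting inconsistency in the new ChangeLog entry: the blank line inserted between `= mbed TLS 1.3.x branch released xxxx-xx-xx` and `Security` does not match the existing 1.3.21 entry directly below, where `Security` immediately follows the release header; drop the blank line so the two sections read uniformly. The entry text itself is what a security-section entry needs: it names the impact (trivial subgroups not detected, possible 1-bit private key leak) and credits the reporter.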
diff --git a/library/dhm.c b/library/dhm.c
index 48fba2a..6f1c51c 100644
--- a/library/dhm.c
+++ b/library/dhm.c
@@ -91,6 +91,9 @@
*
* Parameter should be: 2 <= public_param <= P - 2
*
+ * This means that we need to return an error if
+ * public_param < 2 or public_param > P-2
+ *
* For more information on the attack, see:
* http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
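Review bot: The added comment writes the bound as `P-2` while the existing line just above it writes `P - 2`; use `P - 2` in both so the two lines read as one specification. Spelling out the rejection condition explicitly is worthwhile here, since an inverted condition was the root cause of the bug being fixed, but consider adding a clause saying that these bounds are what exclude the trivial-subgroup values, so a future reader does not "simplify" the check again.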
@@ -98,17 +101,17 @@
static int dhm_check_range( const mpi *param, const mpi *P )
{
mpi L, U;
- int ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
+ int ret = 0;
mpi_init( &L ); mpi_init( &U );
MPI_CHK( mpi_lset( &L, 2 ) );
MPI_CHK( mpi_sub_int( &U, P, 2 ) );
- if( mpi_cmp_mpi( param, &L ) >= 0 &&
- mpi_cmp_mpi( param, &U ) <= 0 )
+ if( mpi_cmp_mpi( param, &L ) < 0 ||
+ mpi_cmp_mpi( param, &U ) > 0 )
{
- ret = 0;
+ ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
}
cleanup:
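Review bot: The fix is correct but fragile: `ret` is now initialised to 0 and the error is only set inside the `if`, so the success path depends on no further `MPI_CHK( ... )` call ever being added between the `if` block and `cleanup:`, because that macro would again overwrite `ret`, which is exactly the failure mode this commit repairs. Suggest a short comment next to `int ret = 0;` stating that any later `MPI_CHK` must not be placed after the range check, and a regression test exercising the boundary values derived from `L` and `U` (0, 1, P - 1 and P must be rejected; 2 and P - 2 must be accepted) so a future regression is caught rather than silently passing. Minor: the commit message refers to `MBEDTLS_MPI_CHK`, while this branch uses `MPI_CHK`; aligning the message with the branch's naming helps when searching history.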