commit 4539a45cbff9dbf273121addb505ee2d0e75a557
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Jun 18 12:27:56 2020 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Jun 18 12:27:56 2020 +0200
tree 18b27a8fef26d233917a6c3deb75c23f9048e7d3
parent 25705e6757cfa052d007c7dede8c16577206f283

Use fixed-length encoding for internal RNG seed

CTR-DRBG and HMAC-DRBG may used the seed differently depending on its length.
To avoid leaks, pass them a constant-length seed.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

library/ecp.c

diff --git a/library/ecp.c b/library/ecp.c
index 1340879..be9e42d 100644
--- a/library/ecp.c
+++ b/library/ecp.c
@@ -172,16 +172,24 @@
 }
 
 /* DRBG context seeding */
-static int ecp_drbg_seed( ecp_drbg_context *ctx, const mbedtls_mpi *secret )
+static int ecp_drbg_seed( ecp_drbg_context *ctx,
+                   const mbedtls_mpi *secret, size_t secret_len )
 {
-    const unsigned char *secret_p = (const unsigned char *) secret->p;
-    const size_t secret_size = secret->n * sizeof( mbedtls_mpi_uint );
-
+    int ret;
+    unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
     /* The list starts with strong hashes */
     const mbedtls_md_type_t md_type = mbedtls_md_list()[0];
     const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_type );
 
-    return( mbedtls_hmac_drbg_seed_buf( ctx, md_info, secret_p, secret_size ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
+                                               secret_bytes, secret_len ) );
+
+    ret = mbedtls_hmac_drbg_seed_buf( ctx, md_info, secret_bytes, secret_len );
+
+cleanup:
+    mbedtls_platform_zeroize( secret_bytes, secret_len );
+
+    return( ret );
 }
 
 #elif defined(MBEDTLS_CTR_DRBG_C)
@@ -223,13 +231,22 @@
 }
 
 /* DRBG context seeding */
-static int ecp_drbg_seed( ecp_drbg_context *ctx, const mbedtls_mpi *secret )
+static int ecp_drbg_seed( ecp_drbg_context *ctx,
+                   const mbedtls_mpi *secret, size_t secret_len )
 {
-    const unsigned char *secret_p = (const unsigned char *) secret->p;
-    const size_t secret_size = secret->n * sizeof( mbedtls_mpi_uint );
+    int ret;
+    unsigned char secret_bytes[MBEDTLS_ECP_MAX_BYTES];
 
-    return( mbedtls_ctr_drbg_seed( ctx, ecp_ctr_drbg_null_entropy, NULL,
-                                   secret_p, secret_size ) );
+    MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( secret,
+                                               secret_bytes, secret_len ) );
+
+    ret = mbedtls_ctr_drbg_seed( ctx, ecp_ctr_drbg_null_entropy, NULL,
+                                 secret_bytes, secret_len );
+
+cleanup:
+    mbedtls_platform_zeroize( secret_bytes, secret_len );
+
+    return( ret );
 }
 
 #else
@@ -2267,7 +2284,8 @@
             rs_ctx->rsm->drbg_seeded == 0 )
 #endif
         {
-            MBEDTLS_MPI_CHK( ecp_drbg_seed( p_rng, m ) );
+            const size_t m_len = ( grp->nbits + 7 ) / 8;
+            MBEDTLS_MPI_CHK( ecp_drbg_seed( p_rng, m, m_len ) );
         }
 #if defined(MBEDTLS_ECP_RESTARTABLE)
         if( rs_ctx != NULL && rs_ctx->rsm != NULL )
@@ -2551,7 +2569,8 @@
 #if !defined(MBEDTLS_ECP_NO_INTERNAL_RNG)
     if( f_rng == NULL )
     {
-        MBEDTLS_MPI_CHK( ecp_drbg_seed( &drbg_ctx, m ) );
+        const size_t m_len = ( grp->nbits + 7 ) / 8;
+        MBEDTLS_MPI_CHK( ecp_drbg_seed( &drbg_ctx, m, m_len ) );
         f_rng = &ecp_drbg_random;
         p_rng = &drbg_ctx;
     }