lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

mbedtls_ecp_gen_privkey_mx: make bit manipulations unconditional

Browse Source 
Don't calculate the bit-size of the initially generated random number.
This is not necessary to reach the desired distribution of private
keys, and creates a (tiny) side channel opportunity.

This changes the way the result is derived from the random number, but
does not affect the resulting distribution.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine
2021-03-24 12:25:59 +01:00
parent 96449ceebe
commit 67986d0613
2 changed files with 5 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
library/ecp.c
View File

@ -3065,18 +3065,14 @@ int mbedtls_ecp_gen_privkey_mx( size_t high_bit,
void *p_rng )
{
int ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
size_t b;
size_t n_bytes = ( high_bit + 7 ) / 8;
/* [Curve25519] page 5 */
MBEDTLS_MPI_CHK( mbedtls_mpi_fill_random( d, n_bytes, f_rng, p_rng ) );
/* Make sure the most significant bit is high_bit */
b = mbedtls_mpi_bitlen( d ); /* mbedtls_mpi_bitlen is one-based */
if( b > high_bit + 1 )
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, b - 1 - high_bit ) );
else
MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, high_bit, 1 ) );
/* Make sure the most significant bit is exactly at high_bit */
MBEDTLS_MPI_CHK( mbedtls_mpi_shift_r( d, 8 * n_bytes - high_bit - 1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_set_bit( d, high_bit, 1 ) );
/* Make sure the last two bits are unset for Curve448, three bits for
Curve25519 */