authorRob Austein <sra@hactrn.net>2018-03-25 19:51:40 -0400
committerRob Austein <sra@hactrn.net>2018-03-25 19:51:40 -0400
commit57b551588e3ce4a1e79d8bb8d9d2a409a7cbf202 (patch)
tree21896d60ae09fa167b4c7a0985c09c62681505a1
parent9a956ed5a42301ee1efb5642cc0f381751d917f5 (diff)
Clear search state variables in rsa.c's find_prime().
Failing to clear the temporary buffer used to transfer bits from the TRNG into a bignum was a real leak of something very close to keying material, albeit only onto the local stack where it was almost certain to have been overwritten by subsequent operations (generation of other key components, wrap and PKCS #8 encoding) before pkey_generate_rsa() ever returned to its caller. Still, bad coder, no biscuit. Failing to clear the remainders array was probably harmless, but doctrine says clear it anyway.
-rw-r--r--rsa.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/rsa.c b/rsa.c
index b5e52c5..01d8290 100644
--- a/rsa.c
+++ b/rsa.c
@@ -829,6 +829,7 @@ static hal_error_t find_prime(const unsigned prime_length,
buffer[sizeof(buffer) - 1] |= 0x01; /* Candidates are odd */
fp_read_unsigned_bin(result, buffer, sizeof(buffer));
+ memset(buffer, 0, sizeof(buffer));
for (size_t i = 0; i < sizeof(small_prime)/sizeof(*small_prime); i++) {
fp_digit d;
@@ -853,10 +854,8 @@ static hal_error_t find_prime(const unsigned prime_length,
possible = fp_cmp_d(t, 1) == FP_EQ;
}
- if (possible) {
- fp_zero(t);
- return HAL_OK;
- }
+ if (possible)
+ break;
fp_add_d(result, 2, result);
@@ -864,6 +863,10 @@ static hal_error_t find_prime(const unsigned prime_length,
if ((remainder[i] += 2) >= small_prime[i])
remainder[i] -= small_prime[i];
}
+
+ memset(remainder, 0, sizeof(remainder));
+ fp_zero(t);
+ return HAL_OK;
}
/*
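Review bot: The two added `memset` calls (the one on `buffer` in the first hunk and the one on `remainder` in the last) clear stack locals that are never read again, so under optimisation the compiler is entitled to treat them as dead stores and drop them, in which case the wipe this commit sets out to do never reaches the binary. Both should go through a wipe the optimiser cannot elide: `memset_s` where available, `explicit_bzero` on platforms that have it, or a small project helper that stores through a `volatile unsigned char *`, and the same concern applies to any other key-material buffers in this file that are cleared with plain `memset`. Separately, the second hunk replaces the in-loop `return HAL_OK` with `break`, and the new unconditional `return HAL_OK` after the loop is only correct if that loop cannot terminate without `possible` being set; the loop header is outside the hunk, so if it is bounded rather than `for (;;)`, a failed search now reports success with a non-prime in `result` and should instead return an error there. The enclosing find_prime() begins before the first hunk.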