author | Rob Austein <sra@hactrn.net> | 2018-03-25 19:51:40 -0400 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2018-03-25 19:51:40 -0400 |
commit | 57b551588e3ce4a1e79d8bb8d9d2a409a7cbf202 (patch) | |
tree | 21896d60ae09fa167b4c7a0985c09c62681505a1 | |
parent | 9a956ed5a42301ee1efb5642cc0f381751d917f5 (diff) |
Clear search state variables in rsa.c's find_prime().
Failing to clear the temporary buffer used to transfer bits from the
TRNG into a bignum was a real leak of something very close to keying
material, albeit only onto the local stack where it was almost certain
to have been overwritten by subsequent operations (generation of other
key components, wrap and PKCS #8 encoding) before pkey_generate_rsa()
ever returned to its caller. Still, bad coder, no biscuit.
Failing to clear the remainders array was probably harmless, but
doctrine says clear it anyway.
-rw-r--r-- | rsa.c | 11 |
1 files changed, 7 insertions, 4 deletions
@@ -829,6 +829,7 @@ static hal_error_t find_prime(const unsigned prime_length,
 buffer[sizeof(buffer) - 1] |= 0x01; /* Candidates are odd */
 fp_read_unsigned_bin(result, buffer, sizeof(buffer));
+ memset(buffer, 0, sizeof(buffer));
 for (size_t i = 0; i < sizeof(small_prime)/sizeof(*small_prime); i++) {
 fp_digit d;
@@ -853,10 +854,8 @@ static hal_error_t find_prime(const unsigned prime_length,
 possible = fp_cmp_d(t, 1) == FP_EQ;
 }
- if (possible) {
- fp_zero(t);
- return HAL_OK;
- }
+ if (possible)
+ break;
 fp_add_d(result, 2, result);
@@ -864,6 +863,10 @@ static hal_error_t find_prime(const unsigned prime_length,
 if ((remainder[i] += 2) >= small_prime[i])
 remainder[i] -= small_prime[i];
 }
+
+ memset(remainder, 0, sizeof(remainder));
+ fp_zero(t);
+ return HAL_OK;
 }
 /*
 |
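Review bot: The `memset(buffer, 0, sizeof(buffer))` added in the first hunk, and `memset(remainder, 0, sizeof(remainder))` in the third, are dead stores — neither object is read again before it goes out of scope — so an optimizing compiler is permitted to delete them, which defeats the scrubbing this commit sets out to do (CERT MSC06-C). A clearing primitive the compiler cannot elide should be used instead, e.g. `explicit_bzero(buffer, sizeof(buffer));` / `memset_s(...)` where available, or a volatile-pointer clearing helper if the project already has one; the same applies to `remainder`. The body of find_prime() starts and ends outside these hunks, so I cannot see the outer search loop: the unconditional `return HAL_OK;` placed after it is only correct if the loop exits solely through the new `break` on a found prime — if it has any other exit (an attempt bound or an error path), the function would now report success without a prime, and `remainder`/`t` would also go uncleared on any early error return inside the loop.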