mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 13:40:49 +02:00
F-4591: fix right-justification of short DH shared secret
The constant-time path of _DH_compute_key (DH_compute_key_padded) had the XMEMMOVE source/dest swapped and used (padded_keySz - keySz) as the length instead of keySz, overwriting the secret with junk when keySz < padded_keySz. Move key[0..keySz-1] to the high end, matching the idiom used in tls.c/sniffer.c.
@@ -4977,8 +4977,7 @@ static int _DH_compute_key(unsigned char* key, const WOLFSSL_BIGNUM* otherPub,
* correctly.
*/
if (keySz < padded_keySz) {
XMEMMOVE(key, key + (padded_keySz - keySz),
padded_keySz - keySz);
XMEMMOVE(key + (padded_keySz - keySz), key, keySz);
XMEMSET(key, 0, padded_keySz - keySz);
keySz = padded_keySz;
}
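Review bot: the replacement `XMEMMOVE(key + (padded_keySz - keySz), key, keySz);` has the source, destination and length the right way round, and it must stay an XMEMMOVE rather than an XMEMCPY: the source `key[0..keySz-1]` and the destination `key[padded_keySz-keySz..padded_keySz-1]` overlap whenever `keySz > padded_keySz - keySz`, which is the common case of a secret short by only a byte or two. The following `XMEMSET(key, 0, padded_keySz - keySz);` also has to remain after the move, since zeroing the low bytes first would destroy part of the secret before it is shifted. Since the removed call silently corrupted the output for every `keySz < padded_keySz`, this branch evidently had no coverage; suggest adding a regression test that drives DH_compute_key_padded with a fixed key pair whose shared secret has at least one leading zero byte and checks that the result equals the secret right-justified in a `padded_keySz`-byte zero-filled buffer.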