F-4591: fix right-justification of short DH shared secret

The constant-time path of _DH_compute_key (DH_compute_key_padded) had
the XMEMMOVE source/dest swapped and used (padded_keySz - keySz) as the
length instead of keySz, overwriting the secret with junk when keySz <
padded_keySz. Move key[0..keySz-1] to the high end, matching the idiom
used in tls.c/sniffer.c.
Juliusz Sosinowicz
2026-06-01 18:33:04 +02:00
parent 108b120d7f
commit da719da30c
+1 -2
@@ -4977,8 +4977,7 @@ static int _DH_compute_key(unsigned char* key, const WOLFSSL_BIGNUM* otherPub,
* correctly.
*/
if (keySz < padded_keySz) {
XMEMMOVE(key, key + (padded_keySz - keySz),
padded_keySz - keySz);
XMEMMOVE(key + (padded_keySz - keySz), key, keySz);
XMEMSET(key, 0, padded_keySz - keySz);
keySz = padded_keySz;
}
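Review bot: the corrected move is right, but the hunk carries no regression test, and the old source/destination swap evidently survived the existing test suite; a test case that feeds _DH_compute_key a shared secret with a leading zero byte (so keySz < padded_keySz) would pin the right-justification down. Two details worth preserving if this block is touched again: the call must stay XMEMMOVE rather than XMEMCPY, because the source `key` and the destination `key + (padded_keySz - keySz)` overlap whenever padded_keySz < 2 * keySz, and the `XMEMSET(key, 0, padded_keySz - keySz)` must remain after the move, as it is here, since zeroing first would wipe the bytes about to be shifted up.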