From da719da30c6724c5873e0ffeb59ed7fbfd262552 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Mon, 1 Jun 2026 18:33:04 +0200
Subject: [PATCH] F-4591: fix right-justification of short DH shared secret

The constant-time path of _DH_compute_key (DH_compute_key_padded) had the XMEMMOVE source/dest swapped and used (padded_keySz - keySz) as the length instead of keySz, overwriting the secret with junk when keySz < padded_keySz. Move key[0..keySz-1] to the high end, matching the idiom used in tls.c/sniffer.c.
---
 src/pk.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/pk.c b/src/pk.c
index 131e1367e0..bfc039e5d0 100644
--- a/src/pk.c
+++ b/src/pk.c
@@ -4977,8 +4977,7 @@ static int _DH_compute_key(unsigned char* key, const WOLFSSL_BIGNUM* otherPub,
      * correctly. */
     if (keySz < padded_keySz) {
-        XMEMMOVE(key, key + (padded_keySz - keySz),
-            padded_keySz - keySz);
+        XMEMMOVE(key + (padded_keySz - keySz), key, keySz);
         XMEMSET(key, 0, padded_keySz - keySz);
         keySz = padded_keySz;
     }
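Review bot: The right-justification on the new XMEMMOVE line still executes only when `keySz < padded_keySz`, and both it and the following XMEMSET take lengths derived from keySz, so the running time and memory access pattern of this branch depend on how many leading zero bytes the shared secret has — the quantity a padded variant exists to hide. If the comment above (it begins outside the hunk) promises constant-time behaviour, the padding should either be performed over all padded_keySz bytes with a mask rather than a length-dependent move, or the DH primitive should be asked to produce a fixed-size output so this branch is never taken. At minimum the limitation deserves a comment such as `/* NOTE: move/clear lengths depend on the secret's leading zero bytes; this fix-up is not constant time */`. _DH_compute_key begins and ends outside this hunk.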