Use of secure memory when generating secret primes in libgcrypt
Closed, Resolved
Public


I'm not sure whether there is really a flaw or whether the behavior was intended for some unknown reason: when generating secret primes, the function gen_prime(...) in cipher/primegen.c is called with a non-zero second argument. Then the corresponding MPIs are allocated in secure (locked) memory; however, this is AFAIS not true for some intermediate data:

  mods = xmalloc (no_of_small_prime_numbers * sizeof *mods);

I suggest using xmalloc_secure(...) here, because otherwise some bits of the secret prime candidate may be leaked by paged-out memory:

  /* Calculate all remainders. */
  for (i=0; (x = small_prime_numbers[i]); i++ )
    mods[i] = mpi_fdiv_r_ui(NULL, prime, x);


stm created this task. Mar 20 2018, 7:09 PM
werner triaged this task as Normal priority. Apr 5 2018, 2:49 PM
werner added a subscriber: werner.

Hmmm, needs to be investigated.

werner closed this task as Resolved.
werner claimed this task.
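To show why the remainder array in the report is as sensitive as the candidate it was derived from, the following added example (not part of the original report and not libgcrypt code) rebuilds a candidate modulo the product of the small primes from the remainders alone, using the Chinese Remainder Theorem. The eight-entry prime table, the 64-bit candidate and the function names are constructed for illustration; libgcrypt works on MPIs with its own table.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed short table, zero-terminated like the loop in the report expects. */
static const unsigned small_primes[] = { 3, 5, 7, 11, 13, 17, 19, 23, 0 };

/* Same shape as the reported loop: one remainder per small prime. */
static unsigned calc_mods(uint64_t candidate, unsigned *mods)
{
    unsigned i, x;
    for (i = 0; (x = small_primes[i]); i++)
        mods[i] = (unsigned)(candidate % x);
    return i;
}

/* Inverse of a modulo a tiny prime p, by exhaustive search. */
static uint64_t inv_mod(uint64_t a, unsigned p)
{
    for (unsigned t = 1; t < p; t++)
        if ((a % p) * t % p == 1)
            return t;
    return 0;
}

/* Incremental CRT: recover candidate mod (product of primes) from mods[] only. */
static uint64_t crt_from_mods(const unsigned *mods, unsigned n, uint64_t *modulus)
{
    uint64_t r = 0, m = 1;
    for (unsigned i = 0; i < n; i++) {
        unsigned p = small_primes[i];
        /* Find k so that r + m*k is congruent to mods[i] modulo p. */
        uint64_t diff = (mods[i] + p - r % p) % p;
        r += m * (diff * inv_mod(m, p) % p);
        m *= p;
    }
    *modulus = m;
    return r;
}

int main(void)
{
    uint64_t candidate = 0xC3A5F00D12345679ULL; /* constructed sample value */
    unsigned mods[8];
    uint64_t m, r = crt_from_mods(mods, calc_mods(candidate, mods), &m);
    printf("recovered %llu mod %llu (actual %llu)\n", (unsigned long long)r,
           (unsigned long long)m, (unsigned long long)(candidate % m));
    return 0;
}
```

A longer prime table makes the product larger, so more of the candidate is determined by the remainders; this is why the buffer holding them belongs in the same locked, wiped-on-free memory as the candidate.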