Fix multiplication producing a negative zero
Fix mbedtls_mpi_mul_mpi() when one of the operands is zero and the
other is negative. The sign of the result must be 1, since some
library functions do not treat {-1, 0, NULL} or {-1, n, {0}} as
representing the value 0.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/bignum.c b/library/bignum.c
index acdccde..418fbf2 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1658,7 +1658,17 @@
for( ; j > 0; j-- )
mpi_mul_hlp( i, A->p, X->p + j - 1, B->p[j - 1] );
- X->s = A->s * B->s;
+ /* If the result is 0, we don't shortcut the operation, which reduces
+ * but does not eliminate side channels leaking the zero-ness. We do
+ * need to take care to set the sign bit properly since the library does
+ * not fully support an MPI object with a value of 0 and s == -1. */
+ if( ( i == 0 && ( A->n == 0 || A->p[0] == 0 ) ) ||
+ ( j == 0 && ( B->n == 0 || B->p[0] == 0 ) ) )
+ {
+ X->s = 1;
+ }
+ else
+ X->s = A->s * B->s;
cleanup:
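Review bot: The j == 0 test in the second clause of the new condition is always true at this point, because the loop just above, for( ; j > 0; j-- ), only exits once j has reached 0. That clause therefore reduces to B->n == 0 || B->p[0] == 0, which also holds for a non-zero B whose lowest limb is 0. For such a B multiplied by a negative A, X->s would be forced to 1 instead of A->s * B->s. Suggest recording whether either operand is zero in a local flag before the multiplication loop consumes j, and testing that flag here in place of the i/j expressions. A test with a negative operand times a multi-limb value whose low limb is zero would cover this case. Minor style point: the if branch is braced while the else branch is not.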