From 7914568a309b7692bdcb9cebd1b8820c34e71c87 Mon Sep 17 00:00:00 2001
From: Justus Winter
Date: Tue, 14 Mar 2023 16:07:13 +0100
Subject: openpgp: Immediately create ProtectedMPIs for secrets.
- Avoid creating an MPI first, as this may leak the secrets.
---
 openpgp/src/crypto/backend/cng/asymmetric.rs | 14 +++++++-------
 openpgp/src/crypto/backend/nettle/asymmetric.rs | 4 ++--
 openpgp/src/crypto/backend/openssl/asymmetric.rs | 6 +++---
 openpgp/src/crypto/backend/rust/asymmetric.rs | 18 +++++++++---------
 openpgp/src/crypto/mpi.rs | 9 +++++++++
 5 files changed, 30 insertions(+), 21 deletions(-)
diff --git a/openpgp/src/crypto/backend/cng/asymmetric.rs b/openpgp/src/crypto/backend/cng/asymmetric.rs
index 1d412476..d0a5fd9b 100644
--- a/openpgp/src/crypto/backend/cng/asymmetric.rs
+++ b/openpgp/src/crypto/backend/cng/asymmetric.rs
@@ -770,7 +770,7 @@ where
 q: mpi::MPI::new(&public)
 },
 mpi::SecretKeyMaterial::EdDSA {
- scalar: mpi::MPI::new(&private_key).into(),
+ scalar: private_key.into(),
 }.into()
 )
 }
@@ -810,10 +810,10 @@ where
 n: mpi::MPI::new(&n.to_bytes_be()),
 },
 mpi::SecretKeyMaterial::RSA {
- d: mpi::MPI::new(d).into(),
- p: mpi::MPI::new(p).into(),
- q: mpi::MPI::new(q).into(),
- u: mpi::MPI::new(&u.to_bytes_be()).into(),
+ d: d.into(),
+ p: p.into(),
+ q: q.into(),
+ u: u.to_bytes_be().into(),
 }.into()
 )
 }
@@ -847,8 +847,8 @@ where
 let private = mpi::SecretKeyMaterial::RSA {
 p: p.into(),
 q: q.into(),
- d: mpi::MPI::new(blob.priv_exp()).into(),
- u: mpi::MPI::new(&u.to_bytes_be()).into(),
+ d: blob.priv_exp().into(),
+ u: u.to_bytes_be().into(),
 };
 Self::with_secret(
diff --git a/openpgp/src/crypto/backend/nettle/asymmetric.rs b/openpgp/src/crypto/backend/nettle/asymmetric.rs
index 7bfe617a..0d908c55 100644
--- a/openpgp/src/crypto/backend/nettle/asymmetric.rs
+++ b/openpgp/src/crypto/backend/nettle/asymmetric.rs
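Review bot: The `u.to_bytes_be().into()` conversion in the second cng hunk (`@@ -810,10 +810,10 @@`) still appears to carry the secret in a temporary byte buffer returned by `to_bytes_be()` before it reaches `ProtectedMPI`, so the commit removes the intermediate `MPI` copy but not every unprotected one. The same pattern is in the third cng hunk and in the rust backend hunks at `@@ -452,10 +452,10 @@` and `@@ -477,10 +477,10 @@`. Whether that temporary is erased depends on the `Vec` conversion in mpi.rs, of which only the first lines are visible as context (`Protected::from(MPI::trim_leading_zeros(&m))` copies from a borrow), so this should be confirmed there. I would record the expectation at each site with a comment such as `// to_bytes_be() allocates a temporary; the Vec conversion must erase it`. The enclosing functions start and end outside these hunks.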
@@ -380,7 +380,7 @@ impl Key4
 q: MPI::new_compressed_point(&public_key),
 },
 mpi::SecretKeyMaterial::EdDSA {
- scalar: mpi::MPI::new(private_key).into(),
+ scalar: private_key.into(),
 }.into())
 }
@@ -405,7 +405,7 @@ impl Key4
 n: mpi::MPI::new(&key.n()[..]),
 },
 mpi::SecretKeyMaterial::RSA {
- d: mpi::MPI::new(d).into(),
+ d: d.into(),
 p: a.into(),
 q: b.into(),
 u: c.into(),
diff --git a/openpgp/src/crypto/backend/openssl/asymmetric.rs b/openpgp/src/crypto/backend/openssl/asymmetric.rs
index 5a1dc295..07d0c7f4 100644
--- a/openpgp/src/crypto/backend/openssl/asymmetric.rs
+++ b/openpgp/src/crypto/backend/openssl/asymmetric.rs
@@ -456,7 +456,7 @@ where
 q: public_key.into(),
 },
 mpi::SecretKeyMaterial::EdDSA {
- scalar: mpi::MPI::new(&private_key).into(),
+ scalar: private_key.into(),
 }
 .into(),
 )
@@ -504,8 +504,8 @@ where
 },
 mpi::SecretKeyMaterial::RSA {
 d: d_bn.into(),
- p: mpi::MPI::new(p).into(),
- q: mpi::MPI::new(q).into(),
+ p: p.into(),
+ q: q.into(),
 u: u.into(),
 }
 .into(),
diff --git a/openpgp/src/crypto/backend/rust/asymmetric.rs b/openpgp/src/crypto/backend/rust/asymmetric.rs
index 7c4785e2..1ee32fc2 100644
--- a/openpgp/src/crypto/backend/rust/asymmetric.rs
+++ b/openpgp/src/crypto/backend/rust/asymmetric.rs
@@ -412,7 +412,7 @@ impl Key4
 q: mpi::MPI::new(&public)
 },
 mpi::SecretKeyMaterial::EdDSA {
- scalar: mpi::MPI::new(private_key).into(),
+ scalar: private_key.into(),
 }.into()
 )
 }
@@ -452,10 +452,10 @@ impl Key4
 n: mpi::MPI::new(&n.to_bytes_be()),
 },
 mpi::SecretKeyMaterial::RSA {
- d: mpi::MPI::new(d).into(),
- p: mpi::MPI::new(p).into(),
- q: mpi::MPI::new(q).into(),
- u: mpi::MPI::new(&u.to_bytes_be()).into(),
+ d: d.into(),
+ p: p.into(),
+ q: q.into(),
+ u: u.to_bytes_be().into(),
 }.into()
 )
 }
@@ -477,10 +477,10 @@ impl Key4
 };
 let private = mpi::SecretKeyMaterial::RSA {
- p: mpi::MPI::new(&p.to_bytes_be()).into(),
- q: mpi::MPI::new(&q.to_bytes_be()).into(),
- d: mpi::MPI::new(&key.d().to_bytes_be()).into(),
- u: mpi::MPI::new(&u.to_bytes_be()).into(),
+ p: p.to_bytes_be().into(),
+ q: q.to_bytes_be().into(),
+ d: key.d().to_bytes_be().into(),
+ u: u.to_bytes_be().into(),
 };
 Self::with_secret(
diff --git a/openpgp/src/crypto/mpi.rs b/openpgp/src/crypto/mpi.rs
index 961398c5..a5fa4f63 100644
--- a/openpgp/src/crypto/mpi.rs
+++ b/openpgp/src/crypto/mpi.rs
@@ -329,6 +329,15 @@ pub struct ProtectedMPI {
 }
 assert_send_and_sync!(ProtectedMPI);
+impl From<&[u8]> for ProtectedMPI {
+ fn from(m: &[u8]) -> Self {
+ let value = Protected::from(MPI::trim_leading_zeros(m));
+ ProtectedMPI {
+ value,
+ }
+ }
+}
+
 impl From> for ProtectedMPI {
 fn from(m: Vec) -> Self {
 let value = Protected::from(MPI::trim_leading_zeros(&m));
-- cgit v1.2.3
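Review bot: The new `impl From<&[u8]> for ProtectedMPI` in the mpi.rs hunk carries no doc comment, and its contract matters to every backend call site that now writes `d.into()` or `private_key.into()`: it copies the trimmed bytes and, taking only a borrow, cannot erase the caller's buffer. I would add above `fn from` a comment such as `/// Copies the bytes, leading zeros trimmed, into protected memory. The borrowed source is not erased.` so that callers know the source buffer remains theirs to wipe. The commit adds no test for the new conversion; a unit test checking that the slice and `Vec` paths yield the same value for an input with leading zero bytes would keep the two in step. The hunk ends inside the following `Vec` impl, whose remainder is not visible.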