lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-11-03 20:33:16 +03:00
Code Activity

Fix timing side-channel in PKCS7 padding

Browse Source 
Previously, we were checking if the last padding byte was in the range
1-16 and returning early if not. This was to prevent an integer overflow
in the output length.

Instead, do the checks in constant-time and conditionally set the output
length based on whether the padding is correct or not, preventing both
the side-channel and the integer overflow.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
This commit is contained in:
David Horstmann
2025-01-20 17:44:00 +00:00
parent d37e0c4639
commit 652ea21737
1 changed files with 3 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
library/cipher.c
View File

@@ -851,10 +851,6 @@ MBEDTLS_STATIC_TESTABLE int get_pkcs_padding(unsigned char *input,
} }
padding_len = input[input_len - 1]; padding_len = input[input_len - 1];
if (padding_len == 0 || padding_len > input_len) {
return MBEDTLS_ERR_CIPHER_INVALID_PADDING;
}
*data_len = input_len - padding_len;
mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len); mbedtls_ct_condition_t bad = mbedtls_ct_uint_gt(padding_len, input_len);
bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0)); bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_eq(padding_len, 0));
@@ -868,6 +864,9 @@ MBEDTLS_STATIC_TESTABLE int get_pkcs_padding(unsigned char *input,
bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different)); bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool_and(in_padding, different));
} }
/* If the padding is invalid, set the output length to 0 */
*data_len = mbedtls_ct_if(bad, 0, input_len - padding_len);
return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING); return mbedtls_ct_error_if_else_0(bad, MBEDTLS_ERR_CIPHER_INVALID_PADDING);
} }
#endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */