lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-01 10:06:53 +03:00
Code Activity

Use const-time interface throughout mbedtls_rsa_rsaes_oaep_decrypt

Browse Source 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
This commit is contained in:
Dave Rodgman
2023-09-18 18:46:19 +01:00
parent 986006e567
commit b4e6b41aa0
1 changed files with 9 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
library/rsa.c
View File

@ -1541,8 +1541,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t ilen, i, pad_len; size_t ilen, i, pad_len;
unsigned char *p, pad_done; unsigned char *p;
int bad; mbedtls_ct_condition_t bad, pad_done;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
unsigned char lhash[MBEDTLS_MD_MAX_SIZE]; unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
unsigned int hlen; unsigned int hlen;
@ -1602,27 +1602,26 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
* Check contents, in "constant-time" * Check contents, in "constant-time"
*/ */
p = buf; p = buf;
bad = 0;
bad |= *p++; /* First byte must be 0 */ bad = mbedtls_ct_bool(*p++); /* First byte must be 0 */
p += hlen; /* Skip seed */ p += hlen; /* Skip seed */
/* Check lHash */ /* Check lHash */
bad |= mbedtls_ct_memcmp(lhash, p, hlen); bad = mbedtls_ct_bool_or(bad, mbedtls_ct_bool(mbedtls_ct_memcmp(lhash, p, hlen)));
p += hlen; p += hlen;
/* Get zero-padding len, but always read till end of buffer /* Get zero-padding len, but always read till end of buffer
* (minus one, for the 01 byte) */ * (minus one, for the 01 byte) */
pad_len = 0; pad_len = 0;
pad_done = 0; pad_done = MBEDTLS_CT_FALSE;
for (i = 0; i < ilen - 2 * hlen - 2; i++) { for (i = 0; i < ilen - 2 * hlen - 2; i++) {
pad_done |= p[i]; pad_done = mbedtls_ct_bool_or(pad_done, mbedtls_ct_uint_ne(p[i], 0));
pad_len += ((pad_done | (unsigned char) -pad_done) >> 7) ^ 1; pad_len += mbedtls_ct_mpi_uint_if_else_0(mbedtls_ct_bool_not(pad_done), 1);
} }
p += pad_len; p += pad_len;
bad |= *p++ ^ 0x01; bad = mbedtls_ct_bool_or(bad, mbedtls_ct_uint_ne(*p++, 0x01));
/* /*
* The only information "leaked" is whether the padding was correct or not * The only information "leaked" is whether the padding was correct or not
@ -1630,7 +1629,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
* recommendations in PKCS#1 v2.2: an opponent cannot distinguish between * recommendations in PKCS#1 v2.2: an opponent cannot distinguish between
* the different error conditions. * the different error conditions.
*/ */
if (bad != 0) { if (bad != MBEDTLS_CT_FALSE) {
ret = MBEDTLS_ERR_RSA_INVALID_PADDING; ret = MBEDTLS_ERR_RSA_INVALID_PADDING;
goto cleanup; goto cleanup;
} }