Removed timing differences due to bad padding from RSA decrypt for
PKCS#1 v1.5 operations
This commit is contained in:
parent
a43231c5a5
commit
8804f69d46
2 changed files with 35 additions and 11 deletions
|
@ -17,6 +17,9 @@ Changes
|
|||
Security
|
||||
* Removed further timing differences during SSL message decryption in
|
||||
ssl_decrypt_buf()
|
||||
* Removed timing differences due to bad padding from
|
||||
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
|
||||
operations
|
||||
|
||||
= Version 1.2.5 released 2013-02-02
|
||||
Changes
|
||||
|
|
|
@ -623,9 +623,9 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
|
|||
unsigned char *output,
|
||||
size_t output_max_len)
|
||||
{
|
||||
int ret;
|
||||
size_t ilen;
|
||||
unsigned char *p;
|
||||
int ret, correct = 1;
|
||||
size_t ilen, pad_count = 0;
|
||||
unsigned char *p, *q;
|
||||
unsigned char bt;
|
||||
unsigned char buf[POLARSSL_MPI_MAX_SIZE];
|
||||
|
||||
|
@ -647,36 +647,57 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
|
|||
p = buf;
|
||||
|
||||
if( *p++ != 0 )
|
||||
return( POLARSSL_ERR_RSA_INVALID_PADDING );
|
||||
correct = 0;
|
||||
|
||||
bt = *p++;
|
||||
if( ( bt != RSA_CRYPT && mode == RSA_PRIVATE ) ||
|
||||
( bt != RSA_SIGN && mode == RSA_PUBLIC ) )
|
||||
{
|
||||
return( POLARSSL_ERR_RSA_INVALID_PADDING );
|
||||
correct = 0;
|
||||
}
|
||||
|
||||
if( bt == RSA_CRYPT )
|
||||
{
|
||||
while( *p != 0 && p < buf + ilen - 1 )
|
||||
p++;
|
||||
pad_count += ( *p++ != 0 );
|
||||
|
||||
if( *p != 0 || p >= buf + ilen - 1 )
|
||||
return( POLARSSL_ERR_RSA_INVALID_PADDING );
|
||||
correct &= ( *p == 0 && p < buf + ilen - 1 );
|
||||
|
||||
q = p;
|
||||
|
||||
// Also pass over all other bytes to reduce timing differences
|
||||
//
|
||||
while ( q < buf + ilen - 1 )
|
||||
pad_count += ( *q++ != 0 );
|
||||
|
||||
// Prevent compiler optimization of pad_count
|
||||
//
|
||||
correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
|
||||
p++;
|
||||
}
|
||||
else
|
||||
{
|
||||
while( *p == 0xFF && p < buf + ilen - 1 )
|
||||
p++;
|
||||
pad_count += ( *p++ == 0xFF );
|
||||
|
||||
if( *p != 0 || p >= buf + ilen - 1 )
|
||||
return( POLARSSL_ERR_RSA_INVALID_PADDING );
|
||||
correct &= ( *p == 0 && p < buf + ilen - 1 );
|
||||
|
||||
q = p;
|
||||
|
||||
// Also pass over all other bytes to reduce timing differences
|
||||
//
|
||||
while ( q < buf + ilen - 1 )
|
||||
pad_count += ( *q++ != 0 );
|
||||
|
||||
// Prevent compiler optimization of pad_count
|
||||
//
|
||||
correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
|
||||
p++;
|
||||
}
|
||||
|
||||
if( correct == 0 )
|
||||
return( POLARSSL_ERR_RSA_INVALID_PADDING );
|
||||
|
||||
if (ilen - (p - buf) > output_max_len)
|
||||
return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );
|
||||
|
||||
|
|
Loading…
Reference in a new issue