Removed timing differences due to bad padding from RSA decrypt for

PKCS#1 v1.5 operations
This commit is contained in:
Paul Bakker 2013-02-28 18:06:26 +01:00
parent a43231c5a5
commit 8804f69d46
2 changed files with 35 additions and 11 deletions

View file

@ -17,6 +17,9 @@ Changes
Security
* Removed further timing differences during SSL message decryption in
ssl_decrypt_buf()
* Removed timing differences due to bad padding from
rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
operations
= Version 1.2.5 released 2013-02-02
Changes

View file

@ -623,9 +623,9 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
unsigned char *output,
size_t output_max_len)
{
int ret;
size_t ilen;
unsigned char *p;
int ret, correct = 1;
size_t ilen, pad_count = 0;
unsigned char *p, *q;
unsigned char bt;
unsigned char buf[POLARSSL_MPI_MAX_SIZE];
@ -647,36 +647,57 @@ int rsa_rsaes_pkcs1_v15_decrypt( rsa_context *ctx,
p = buf;
if( *p++ != 0 )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
correct = 0;
bt = *p++;
if( ( bt != RSA_CRYPT && mode == RSA_PRIVATE ) ||
( bt != RSA_SIGN && mode == RSA_PUBLIC ) )
{
return( POLARSSL_ERR_RSA_INVALID_PADDING );
correct = 0;
}
if( bt == RSA_CRYPT )
{
while( *p != 0 && p < buf + ilen - 1 )
p++;
pad_count += ( *p++ != 0 );
if( *p != 0 || p >= buf + ilen - 1 )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
correct &= ( *p == 0 && p < buf + ilen - 1 );
q = p;
// Also pass over all other bytes to reduce timing differences
//
while ( q < buf + ilen - 1 )
pad_count += ( *q++ != 0 );
// Prevent compiler optimization of pad_count
//
correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
p++;
}
else
{
while( *p == 0xFF && p < buf + ilen - 1 )
p++;
pad_count += ( *p++ == 0xFF );
if( *p != 0 || p >= buf + ilen - 1 )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
correct &= ( *p == 0 && p < buf + ilen - 1 );
q = p;
// Also pass over all other bytes to reduce timing differences
//
while ( q < buf + ilen - 1 )
pad_count += ( *q++ != 0 );
// Prevent compiler optimization of pad_count
//
correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
p++;
}
if( correct == 0 )
return( POLARSSL_ERR_RSA_INVALID_PADDING );
if (ilen - (p - buf) > output_max_len)
return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );