Remove a remaining sensitive memory access in PKCS#1 v1.5 decryption
This commit is contained in:
parent
85a7442753
commit
40b57f4acd
|
@ -1512,14 +1512,14 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
/*
|
/* Check and get padding length in constant time and constant
|
||||||
* Check and get padding len in "constant-time"
|
* memory trace. The first byte must be 0. */
|
||||||
*/
|
bad |= buf[0];
|
||||||
bad |= buf[0]; /* First byte must be 0 */
|
|
||||||
|
|
||||||
/* This test does not depend on secret data */
|
|
||||||
if( mode == MBEDTLS_RSA_PRIVATE )
|
if( mode == MBEDTLS_RSA_PRIVATE )
|
||||||
{
|
{
|
||||||
|
/* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
|
||||||
|
* where PS must be at least 8 nonzero bytes. */
|
||||||
bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
|
bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
|
||||||
|
|
||||||
/* Get padding len, but always read till end of buffer
|
/* Get padding len, but always read till end of buffer
|
||||||
|
@ -1529,23 +1529,26 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
||||||
pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
|
pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
|
||||||
pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
|
pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
bad |= buf[pad_count + 2];
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
/* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
|
||||||
|
* where PS must be at least 8 bytes with the value 0xFF. */
|
||||||
bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
|
bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
|
||||||
|
|
||||||
/* Get padding len, but always read till end of buffer
|
/* Get padding len, but always read till end of buffer
|
||||||
* (minus one, for the 00 byte) */
|
* (minus one, for the 00 byte) */
|
||||||
for( i = 2; i < ilen - 1; i++ )
|
for( i = 2; i < ilen - 1; i++ )
|
||||||
{
|
{
|
||||||
pad_done |= ( buf[i] != 0xFF );
|
pad_done |= if_int( buf[i], 0, 1 );
|
||||||
pad_count += ( pad_done == 0 );
|
pad_count += if_int( pad_done, 0, 1 );
|
||||||
|
bad |= if_int( pad_done, 0, buf[i] ^ 0xFF );
|
||||||
}
|
}
|
||||||
bad |= buf[pad_count + 2];
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* If pad_done is still zero, there's no data, only unfinished padding. */
|
||||||
|
bad |= if_int( pad_done, 0, 1 );
|
||||||
|
|
||||||
/* There must be at least 8 bytes of padding. */
|
/* There must be at least 8 bytes of padding. */
|
||||||
bad |= size_greater_than( 8, pad_count );
|
bad |= size_greater_than( 8, pad_count );
|
||||||
|
|
||||||
|
@ -1580,8 +1583,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
||||||
* from the same buffer whether the padding is good or not to
|
* from the same buffer whether the padding is good or not to
|
||||||
* avoid leaking the padding validity through overall timing or
|
* avoid leaking the padding validity through overall timing or
|
||||||
* through memory or cache access patterns. */
|
* through memory or cache access patterns. */
|
||||||
|
bad = all_or_nothing_int( bad | output_too_large );
|
||||||
for( i = 11; i < ilen; i++ )
|
for( i = 11; i < ilen; i++ )
|
||||||
buf[i] &= ~( bad | output_too_large );
|
buf[i] &= ~bad;
|
||||||
|
|
||||||
/* If the plaintext is too large, truncate it to the buffer size.
|
/* If the plaintext is too large, truncate it to the buffer size.
|
||||||
* Copy anyway to avoid revealing the length through timing, because
|
* Copy anyway to avoid revealing the length through timing, because
|
||||||
|
|
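Review bot: The added `bad |= if_int( pad_done, 0, 1 );` after the two branches rejects a correctly padded zero-length plaintext in the MBEDTLS_RSA_PRIVATE branch, provided that branch's scan loop uses the same `i < ilen - 1` bound as the signing branch shows (its `for` line falls between the first two hunks, so this is inferred from the shared "always read till end of buffer" wording). For EM = 0x00 || 0x02 || PS || 0x00 with an empty message the separator is buf[ilen - 1], which such a loop never reads, so pad_done stays zero and the input is flagged bad, whereas the removed `bad |= buf[pad_count + 2];` read exactly that byte and accepted it; RFC 8017 permits mLen = 0. Since the new check already expresses "a 0x00 separator was found", both loops can cover the whole buffer instead: `for( i = 2; i < ilen; i++ )`, with the comment reworded to `/* Read the whole buffer; pad_done becomes nonzero once the 0x00 separator is seen. */`, which leaves pad_count at ilen - 3 for the empty message (the plaintext-length arithmetic that consumes it is outside the hunks and should be checked against that value). The function begins before the first hunk and ends after the last.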