yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-23 23:01:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make get_pkcs_padding() constant-time

Browse source
This commit is contained in:
Paul Bakker 2014-07-07 14:04:00 +02:00
parent 52cb87beb7
commit e46b17766c
2 changed files with 15 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
ChangeLog
View file

@ -7,6 +7,7 @@ Changes
= Version 1.2.10 released 2013-10-07 = Version 1.2.10 released 2013-10-07
Changes Changes
* Changed RSA blinding to a slower but thread-safe version * Changed RSA blinding to a slower but thread-safe version
* Make get_pkcs_padding() constant-time
Bugfix Bugfix
* Fixed memory leak in RSA as a result of introduction of blinding * Fixed memory leak in RSA as a result of introduction of blinding

25
library/cipher.c
View file

@ -500,7 +500,7 @@ static void add_pkcs_padding( unsigned char *output, size_t output_len,
size_t data_len ) size_t data_len )
{ {
size_t padding_len = output_len - data_len; size_t padding_len = output_len - data_len;
unsigned char i = 0; unsigned char i;
for( i = 0; i < padding_len; i++ ) for( i = 0; i < padding_len; i++ )
output[data_len + i] = (unsigned char) padding_len; output[data_len + i] = (unsigned char) padding_len;
@ -509,23 +509,26 @@ static void add_pkcs_padding( unsigned char *output, size_t output_len,
static int get_pkcs_padding( unsigned char *input, unsigned int input_len, static int get_pkcs_padding( unsigned char *input, unsigned int input_len,
size_t *data_len) size_t *data_len)
{ {
unsigned int i, padding_len = 0; unsigned int i, pad_idx;
unsigned char padding_len, bad = 0;
if( NULL == input || NULL == data_len ) if( NULL == input || NULL == data_len )
return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
padding_len = input[input_len - 1]; padding_len = input[input_len - 1];
if( padding_len > input_len )
return POLARSSL_ERR_CIPHER_INVALID_PADDING;
for( i = input_len - padding_len; i < input_len; i++ )
if( input[i] != padding_len )
return POLARSSL_ERR_CIPHER_INVALID_PADDING;
*data_len = input_len - padding_len; *data_len = input_len - padding_len;
return 0; /* Avoid logical || since it results in a branch */
bad |= padding_len > input_len;
bad |= padding_len == 0;
/* The number of bytes checked must be independent of padding_len,
* so pick input_len, which is usually 8 or 16 (one block) */
pad_idx = input_len - padding_len;
for( i = 0; i < input_len; i++ )
bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx );
return POLARSSL_ERR_CIPHER_INVALID_PADDING * (bad != 0);
} }
int cipher_finish( cipher_context_t *ctx, unsigned char *output, size_t *olen) int cipher_finish( cipher_context_t *ctx, unsigned char *output, size_t *olen)