yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-25 17:45:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove a remaining sensitive memory access in PKCS#1 v1.5 decryption

Browse Source
This commit is contained in:
Gilles Peskine 2018-10-05 15:06:12 +02:00
parent 85a7442753
commit 40b57f4acd
1 changed files with 15 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
library/rsa.c
View File

@ -1512,14 +1512,14 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
if( ret != 0 ) if( ret != 0 )
goto cleanup; goto cleanup;
/* /* Check and get padding length in constant time and constant
* Check and get padding len in "constant-time" * memory trace. The first byte must be 0. */
*/ bad |= buf[0];
bad |= buf[0]; /* First byte must be 0 */
/* This test does not depend on secret data */
if( mode == MBEDTLS_RSA_PRIVATE ) if( mode == MBEDTLS_RSA_PRIVATE )
{ {
/* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
* where PS must be at least 8 nonzero bytes. */
bad |= buf[1] ^ MBEDTLS_RSA_CRYPT; bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
/* Get padding len, but always read till end of buffer /* Get padding len, but always read till end of buffer
@ -1529,23 +1529,26 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1; pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1; pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
} }
bad |= buf[pad_count + 2];
} }
else else
{ {
/* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
* where PS must be at least 8 bytes with the value 0xFF. */
bad |= buf[1] ^ MBEDTLS_RSA_SIGN; bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
/* Get padding len, but always read till end of buffer /* Get padding len, but always read till end of buffer
* (minus one, for the 00 byte) */ * (minus one, for the 00 byte) */
for( i = 2; i < ilen - 1; i++ ) for( i = 2; i < ilen - 1; i++ )
{ {
pad_done |= ( buf[i] != 0xFF ); pad_done |= if_int( buf[i], 0, 1 );
pad_count += ( pad_done == 0 ); pad_count += if_int( pad_done, 0, 1 );
bad |= if_int( pad_done, 0, buf[i] ^ 0xFF );
} }
bad |= buf[pad_count + 2];
} }
/* If pad_done is still zero, there's no data, only unfinished padding. */
bad |= if_int( pad_done, 0, 1 );
/* There must be at least 8 bytes of padding. */ /* There must be at least 8 bytes of padding. */
bad |= size_greater_than( 8, pad_count ); bad |= size_greater_than( 8, pad_count );
@ -1580,8 +1583,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
* from the same buffer whether the padding is good or not to * from the same buffer whether the padding is good or not to
* avoid leaking the padding validity through overall timing or * avoid leaking the padding validity through overall timing or
* through memory or cache access patterns. */ * through memory or cache access patterns. */
bad = all_or_nothing_int( bad | output_too_large );
for( i = 11; i < ilen; i++ ) for( i = 11; i < ilen; i++ )
buf[i] &= ~( bad | output_too_large ); buf[i] &= ~bad;
/* If the plaintext is too large, truncate it to the buffer size. /* If the plaintext is too large, truncate it to the buffer size.
* Copy anyway to avoid revealing the length through timing, because * Copy anyway to avoid revealing the length through timing, because