From f8ab069d6aed6fd25bf1c1ee06e4f2dd0d93076d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 27 Oct 2013 17:21:14 +0100 Subject: [PATCH 1/4] Make get_pkcs_padding() constant-time --- library/cipher.c | 25 +++++---- tests/suites/test_suite_cipher.padding.data | 62 ++++++++++++++++++++- 2 files changed, 75 insertions(+), 12 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index 5edc39a6c..0f545adf2 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -406,7 +406,7 @@ static void add_pkcs_padding( unsigned char *output, size_t output_len, size_t data_len ) { size_t padding_len = output_len - data_len; - unsigned char i = 0; + unsigned char i; for( i = 0; i < padding_len; i++ ) output[data_len + i] = (unsigned char) padding_len; @@ -415,23 +415,26 @@ static void add_pkcs_padding( unsigned char *output, size_t output_len, static int get_pkcs_padding( unsigned char *input, size_t input_len, size_t *data_len ) { - size_t i, padding_len = 0; + size_t i, pad_idx; + unsigned char padding_len, bad = 0; if( NULL == input || NULL == data_len ) return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; padding_len = input[input_len - 1]; - - if( padding_len > input_len || padding_len == 0 ) - return POLARSSL_ERR_CIPHER_INVALID_PADDING; - - for( i = input_len - padding_len; i < input_len; i++ ) - if( input[i] != padding_len ) - return POLARSSL_ERR_CIPHER_INVALID_PADDING; - *data_len = input_len - padding_len; - return 0; + /* Avoid logical || since it results in a branch */ + bad |= padding_len > input_len; + bad |= padding_len == 0; + + /* The number of bytes checked must be independent of padding_len, + * so pick input_len, which is usually 8 or 16 (one block) */ + pad_idx = input_len - padding_len; + for( i = 0; i < input_len; i++ ) + bad |= ( input[i] ^ padding_len ) * ( i >= pad_idx ); + + return POLARSSL_ERR_CIPHER_INVALID_PADDING * (bad != 0); } #endif /* POLARSSL_CIPHER_PADDING_PKCS7 */ diff --git a/tests/suites/test_suite_cipher.padding.data b/tests/suites/test_suite_cipher.padding.data index 2cad0a9fb..8776a2852 100644 --- a/tests/suites/test_suite_cipher.padding.data +++ b/tests/suites/test_suite_cipher.padding.data @@ -82,10 +82,70 @@ Check PKCS padding #6 (too few padding bytes) depends_on:POLARSSL_CIPHER_PADDING_PKCS7 check_padding:POLARSSL_PADDING_PKCS7:"DABBAD0002":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 -Check PKCS padding #7 (non-uniform padding bytes) +Check PKCS padding #7 (non-uniform padding bytes #1) depends_on:POLARSSL_CIPHER_PADDING_PKCS7 check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00030203":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 +Check PKCS padding #7 (non-uniform padding bytes #2) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00030103":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #3) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00030703":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #4) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00030b03":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #5) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00031303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #6) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00032303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #7) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00034203":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #8) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00038303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #9) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00020303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #10) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00010303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #11) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00070303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #12) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD000b0303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #13) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00130303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #14) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00230303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #15) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00420303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + +Check PKCS padding #7 (non-uniform padding bytes #16) +depends_on:POLARSSL_CIPHER_PADDING_PKCS7 +check_padding:POLARSSL_PADDING_PKCS7:"DABBAD00830303":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 + Check PKCS padding #8 (overlong) depends_on:POLARSSL_CIPHER_PADDING_PKCS7 check_padding:POLARSSL_PADDING_PKCS7:"040404":POLARSSL_ERR_CIPHER_INVALID_PADDING:0 From d17df51277d74ba6f487b3e72c4c0bb4ba55eb9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 27 Oct 2013 17:32:43 +0100 Subject: [PATCH 2/4] Make get_zeros_and_len_padding() constant-time --- library/cipher.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index 0f545adf2..17368a171 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -491,23 +491,25 @@ static void add_zeros_and_len_padding( unsigned char *output, static int get_zeros_and_len_padding( unsigned char *input, size_t input_len, size_t *data_len ) { - size_t i, padding_len = 0; + size_t i, pad_idx; + unsigned char padding_len, bad = 0; if( NULL == input || NULL == data_len ) return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; padding_len = input[input_len - 1]; - - if( padding_len > input_len || padding_len == 0 ) - return POLARSSL_ERR_CIPHER_INVALID_PADDING; - - for( i = input_len - padding_len; i < input_len - 1; i++ ) - if( input[i] != 0x00 ) - return POLARSSL_ERR_CIPHER_INVALID_PADDING; - *data_len = input_len - padding_len; - return 0; + /* Avoid logical || since it results in a branch */ + bad |= padding_len > input_len; + bad |= padding_len == 0; + + /* The number of bytes checked must be independent of padding_len */ + pad_idx = input_len - padding_len; + for( i = 0; i < input_len - 1; i++ ) + bad |= input[i] * ( i >= pad_idx ); + + return POLARSSL_ERR_CIPHER_INVALID_PADDING * (bad != 0); } #endif /* POLARSSL_CIPHER_PADDING_ZEROS_AND_LEN */ From 6c329901142b5ed4bb8ac45b58efc0946a238bd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 27 Oct 2013 18:25:03 +0100 Subject: [PATCH 3/4] Make get_one_and_zeros_padding() constant-time --- library/cipher.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index 17368a171..cbbdcd510 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -456,20 +456,24 @@ static void add_one_and_zeros_padding( unsigned char *output, static int get_one_and_zeros_padding( unsigned char *input, size_t input_len, size_t *data_len ) { - unsigned char *p = input + input_len - 1; + size_t i; + unsigned char done = 0, prev_done, bad; if( NULL == input || NULL == data_len ) return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; - while( *p == 0x00 && p > input ) - --p; + bad = 0xFF; + *data_len = 0; + for( i = input_len; i > 0; i-- ) + { + prev_done = done; + done |= ( input[i-1] != 0 ); + *data_len |= ( i - 1 ) * ( done != prev_done ); + bad &= ( input[i-1] ^ 0x80 ) | ( done == prev_done ); + } - if( *p != 0x80 ) - return POLARSSL_ERR_CIPHER_INVALID_PADDING; + return POLARSSL_ERR_CIPHER_INVALID_PADDING * (bad != 0); - *data_len = p - input; - - return 0; } #endif /* POLARSSL_CIPHER_PADDING_ONE_AND_ZEROS */ From e68bf171eb9ac92404d42c54984ea90101899430 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Sun, 27 Oct 2013 18:26:39 +0100 Subject: [PATCH 4/4] Make get_zeros_padding() constant-time --- library/cipher.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index cbbdcd510..2941f40f3 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -533,14 +533,19 @@ static void add_zeros_padding( unsigned char *output, static int get_zeros_padding( unsigned char *input, size_t input_len, size_t *data_len ) { - unsigned char *p = input + input_len - 1; + size_t i; + unsigned char done = 0, prev_done; + if( NULL == input || NULL == data_len ) return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA; - while( *p == 0x00 && p > input ) - --p; - - *data_len = *p == 0x00 ? 0 : p - input + 1; + *data_len = 0; + for( i = input_len; i > 0; i-- ) + { + prev_done = done; + done |= ( input[i-1] != 0 ); + *data_len |= i * ( done != prev_done ); + } return 0; }