diff --git a/library/constant_time.c b/library/constant_time.c
index 85e0e76ad..1ea79de4c 100644
--- a/library/constant_time.c
+++ b/library/constant_time.c
@@ -310,19 +310,19 @@ void mbedtls_cf_memcpy_if_eq( unsigned char *dest,
 dest[i] = ( src[i] & mask ) | ( dest[i] & ~mask );
 }
 
-void mbedtls_cf_memcpy_offset( unsigned char *dst,
- const unsigned char *src_base,
- size_t offset_secret,
+void mbedtls_cf_memcpy_offset( unsigned char *dest,
+ const unsigned char *src,
+ size_t offset,
 size_t offset_min,
 size_t offset_max,
 size_t len )
 {
- size_t offset;
+ size_t offsetval;
 
- for( offset = offset_min; offset <= offset_max; offset++ )
+ for( offsetval = offset_min; offsetval <= offset_max; offsetval++ )
 {
- mbedtls_cf_memcpy_if_eq( dst, src_base + offset, len,
- offset, offset_secret );
+ mbedtls_cf_memcpy_if_eq( dest, src + offsetval, len,
+ offsetval, offset );
 }
 }
 
@@ -564,11 +564,11 @@ int mbedtls_mpi_lt_mpi_ct( const mbedtls_mpi *X,
 #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT)
 
 int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode,
+ unsigned char *input,
 size_t ilen,
- size_t *olen,
 unsigned char *output,
 size_t output_max_len,
- unsigned char *buf )
+ size_t *olen )
 {
 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 size_t i, plaintext_max_size;
@@ -594,19 +594,19 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode,
 
 /* Check and get padding length in constant time and constant
 * memory trace. The first byte must be 0. */
- bad |= buf[0];
+ bad |= input[0];
 
 if( mode == MBEDTLS_RSA_PRIVATE )
 {
 /* Decode EME-PKCS1-v1_5 padding: 0x00 || 0x02 || PS || 0x00
 * where PS must be at least 8 nonzero bytes. */
- bad |= buf[1] ^ MBEDTLS_RSA_CRYPT;
+ bad |= input[1] ^ MBEDTLS_RSA_CRYPT;
 
 /* Read the whole buffer. Set pad_done to nonzero if we find
 * the 0x00 byte and remember the padding length in pad_count. */
 for( i = 2; i < ilen; i++ )
 {
- pad_done |= ((buf[i] | (unsigned char)-buf[i]) >> 7) ^ 1;
+ pad_done |= ((input[i] | (unsigned char)-input[i]) >> 7) ^ 1;
 pad_count += ((pad_done | (unsigned char)-pad_done) >> 7) ^ 1;
 }
 }
@@ -614,16 +614,16 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode,
 {
 /* Decode EMSA-PKCS1-v1_5 padding: 0x00 || 0x01 || PS || 0x00
 * where PS must be at least 8 bytes with the value 0xFF. */
- bad |= buf[1] ^ MBEDTLS_RSA_SIGN;
+ bad |= input[1] ^ MBEDTLS_RSA_SIGN;
 
 /* Read the whole buffer. Set pad_done to nonzero if we find
 * the 0x00 byte and remember the padding length in pad_count.
 * If there's a non-0xff byte in the padding, the padding is bad. */
 for( i = 2; i < ilen; i++ )
 {
- pad_done |= mbedtls_cf_uint_if( buf[i], 0, 1 );
+ pad_done |= mbedtls_cf_uint_if( input[i], 0, 1 );
 pad_count += mbedtls_cf_uint_if( pad_done, 0, 1 );
- bad |= mbedtls_cf_uint_if( pad_done, 0, buf[i] ^ 0xFF );
+ bad |= mbedtls_cf_uint_if( pad_done, 0, input[i] ^ 0xFF );
 }
 }
 
@@ -668,7 +668,7 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode,
 * through memory or cache access patterns. */
 bad = mbedtls_cf_uint_mask( bad | output_too_large );
 for( i = 11; i < ilen; i++ )
- buf[i] &= ~bad;
+ input[i] &= ~bad;
 
 /* If the plaintext is too large, truncate it to the buffer size.
 * Copy anyway to avoid revealing the length through timing, because
@@ -684,7 +684,7 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode,
 * does not depend on the plaintext size. After this move, the
 * starting location of the plaintext is no longer sensitive
 * information. */
- mbedtls_cf_mem_move_to_left( buf + ilen - plaintext_max_size,
+ mbedtls_cf_mem_move_to_left( input + ilen - plaintext_max_size,
 plaintext_max_size,
 plaintext_max_size - plaintext_size );
 
@@ -696,7 +696,7 @@ int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode,
 * length, validity of padding, success of the decryption, and other
 * secrets. */
 if( output_max_len != 0 )
- memcpy( output, buf + ilen - plaintext_max_size, plaintext_max_size );
+ memcpy( output, input + ilen - plaintext_max_size, plaintext_max_size );
 
 /* Report the amount of data we copied to the output buffer. In case
 * of errors (bad padding or output too large), the value of *olen
diff --git a/library/constant_time.h b/library/constant_time.h
index 7767268f0..bed22c5ed 100644
--- a/library/constant_time.h
+++ b/library/constant_time.h
@@ -263,21 +263,21 @@ void mbedtls_cf_memcpy_if_eq( unsigned char *dest,
 * offset_secret, but only on \p offset_min, \p offset_max and \p len.
 * Functionally equivalent to memcpy(dst, src + offset_secret, len).
 *
- * \param dst The destination buffer. This must point to a writable
+ * \param dest The destination buffer. This must point to a writable
 * buffer of at least \p len bytes.
- * \param src_base The base of the source buffer. This must point to a
+ * \param src The base of the source buffer. This must point to a
 * readable buffer of at least \p offset_max + \p len
- * bytes.
- * \param offset_secret The offset in the source buffer from which to copy.
+ * bytes. Shouldn't overlap with \p dest.
+ * \param offset The offset in the source buffer from which to copy.
 * This must be no less than \p offset_min and no greater
 * than \p offset_max.
- * \param offset_min The minimal value of \p offset_secret.
- * \param offset_max The maximal value of \p offset_secret.
+ * \param offset_min The minimal value of \p offset.
+ * \param offset_max The maximal value of \p offset.
 * \param len The number of bytes to copy.
 */
-void mbedtls_cf_memcpy_offset( unsigned char *dst,
- const unsigned char *src_base,
- size_t offset_secret,
+void mbedtls_cf_memcpy_offset( unsigned char *dest,
+ const unsigned char *src,
+ size_t offset,
 size_t offset_min,
 size_t offset_max,
 size_t len );
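Review bot: The prose above the \param list still uses the old names after the rename: the context lines read `offset_secret, but only on \p offset_min, \p offset_max and \p len.` and `Functionally equivalent to memcpy(dst, src + offset_secret, len).`, while the parameters are now `dest`, `src` and `offset`. Those two lines should become `offset, but only on \p offset_min, \p offset_max and \p len.` and `Functionally equivalent to memcpy(dest, src + offset, len).` so the description matches the declaration and any Doxygen cross-references resolve. The doc comment starts before this hunk, so the first sentence may carry the same stale name as well.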
@@ -342,22 +342,22 @@ int mbedtls_cf_hmac( mbedtls_md_context_t *ctx,
 *
 * \param mode The mode of operation. This must be either
 * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated).
+ * \param input The input buffer for the unpadding operation.
 * \param ilen The length of the ciphertext.
- * \param olen The address at which to store the length of
- * the plaintext. This must not be \c NULL.
 * \param output The buffer used to hold the plaintext. This must
 * be a writable buffer of length \p output_max_len Bytes.
 * \param output_max_len The length in Bytes of the output buffer \p output.
- * \param buf The input buffer for the unpadding operation.
+ * \param olen The address at which to store the length of
+ * the plaintext. This must not be \c NULL.
 *
 * \return \c 0 on success.
 * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
 */
 int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode,
+ unsigned char *input,
 size_t ilen,
- size_t *olen,
 unsigned char *output,
 size_t output_max_len,
- unsigned char *buf );
+ size_t *olen );
 
 #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */
diff --git a/library/rsa.c b/library/rsa.c
index a387d0989..ea888713b 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1517,9 +1517,8 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
 if( ret != 0 )
 goto cleanup;
 
- ret = mbedtls_cf_rsaes_pkcs1_v15_unpadding( mode, ilen, olen, output,
- output_max_len,
- (unsigned char *) &buf );
+ ret = mbedtls_cf_rsaes_pkcs1_v15_unpadding( mode, buf, ilen,
+ output, output_max_len, olen );
 
 cleanup:
 mbedtls_platform_zeroize( buf, sizeof( buf ) );
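Review bot: The new `\param input` line says only "The input buffer for the unpadding operation" and does not state that the buffer is modified in place, which is why the parameter is a non-const `unsigned char *`: the constant_time.c hunks do `input[i] &= ~bad;` and `mbedtls_cf_mem_move_to_left( input + ilen - plaintext_max_size, ... )` on it. Suggest ` * \param input The input buffer for the unpadding operation. This must be a writable buffer of \p ilen Bytes. It is scrubbed and shifted in place, so its contents are destroyed on return (the caller in rsa.c zeroizes it afterwards).` and tying the length to it with ` * \param ilen The length in Bytes of \p input (the ciphertext length).`. The same contract could be echoed as a one-line comment on the definition in the -564 hunk of constant_time.c, since a future caller passing a const or shared buffer would get a silent corruption rather than a compile error once the signature is cast around as the old call site did.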