Move the constant-time part of mbedtls_rsa_rsaes_pkcs1_v15_decrypt to a function

The unpadding part of the `mbedtls_rsa_rsaes_pkcs1_v15_decrypt` function is
constant-time, therefore it was moved to a separate function in preparation
for moving it to the constant-time module.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
gabor-mezei-arm 2021-09-26 15:20:48 +02:00 committed by Gabor Mezei
parent bc3a288b2c
commit c2aee6fc0b
No known key found for this signature in database
GPG Key ID: 106F5A41ECC305BD


@ -1479,20 +1479,16 @@ cleanup:
#endif /* MBEDTLS_PKCS1_V21 */ #endif /* MBEDTLS_PKCS1_V21 */
#if defined(MBEDTLS_PKCS1_V15) #if defined(MBEDTLS_PKCS1_V15)
/* int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode,
* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function size_t ilen,
*/ size_t *olen,
int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode, size_t *olen,
const unsigned char *input,
unsigned char *output, unsigned char *output,
size_t output_max_len ) size_t output_max_len,
unsigned char *buf )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t ilen, i, plaintext_max_size; size_t i, plaintext_max_size;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
/* The following variables take sensitive values: their value must /* The following variables take sensitive values: their value must
* not leak into the observable behavior of the function other than * not leak into the observable behavior of the function other than
* the designated outputs (output, olen, return value). Otherwise * the designated outputs (output, olen, return value). Otherwise
@ -1509,31 +1505,10 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
size_t plaintext_size = 0; size_t plaintext_size = 0;
unsigned output_too_large; unsigned output_too_large;
RSA_VALIDATE_RET( ctx != NULL ); plaintext_max_size = mbedtls_cf_size_if( output_max_len > ilen - 11,
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || ilen - 11,
mode == MBEDTLS_RSA_PUBLIC );
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( olen != NULL );
ilen = ctx->len;
plaintext_max_size = ( output_max_len > ilen - 11 ?
ilen - 11 :
output_max_len ); output_max_len );
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( ilen < 16 || ilen > sizeof( buf ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
ret = ( mode == MBEDTLS_RSA_PUBLIC )
? mbedtls_rsa_public( ctx, input, buf )
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 )
goto cleanup;
/* Check and get padding length in constant time and constant /* Check and get padding length in constant time and constant
* memory trace. The first byte must be 0. */ * memory trace. The first byte must be 0. */
bad |= buf[0]; bad |= buf[0];
@ -1646,6 +1621,51 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
* to the good case limits the risks of leaking the padding validity. */ * to the good case limits the risks of leaking the padding validity. */
*olen = plaintext_size; *olen = plaintext_size;
return( ret );
}
/*
* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
*/
int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
size_t *olen,
const unsigned char *input,
unsigned char *output,
size_t output_max_len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t ilen;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
RSA_VALIDATE_RET( ctx != NULL );
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
mode == MBEDTLS_RSA_PUBLIC );
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
RSA_VALIDATE_RET( input != NULL );
RSA_VALIDATE_RET( olen != NULL );
ilen = ctx->len;
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
if( ilen < 16 || ilen > sizeof( buf ) )
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
ret = ( mode == MBEDTLS_RSA_PUBLIC )
? mbedtls_rsa_public( ctx, input, buf )
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
if( ret != 0 )
goto cleanup;
ret = mbedtls_cf_rsaes_pkcs1_v15_unpadding( mode, ilen, olen, output,
output_max_len,
(unsigned char *) &buf );
cleanup: cleanup:
mbedtls_platform_zeroize( buf, sizeof( buf ) ); mbedtls_platform_zeroize( buf, sizeof( buf ) );