Move the constant-time part of mbedtls_rsa_rsaes_pkcs1_v15_decrypt to a function
The unpadding part of the `mbedtls_rsa_rsaes_pkcs1_v15_decrypt` function is constant-time, therefore it is moved to a separate function in preparation for moving it to the constant-time module. Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
parent
bc3a288b2c
commit
c2aee6fc0b
@ -1479,20 +1479,16 @@ cleanup:
|
|||||||
#endif /* MBEDTLS_PKCS1_V21 */
|
#endif /* MBEDTLS_PKCS1_V21 */
|
||||||
|
|
||||||
#if defined(MBEDTLS_PKCS1_V15)
|
#if defined(MBEDTLS_PKCS1_V15)
|
||||||
/*
|
int mbedtls_cf_rsaes_pkcs1_v15_unpadding( int mode,
|
||||||
* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
|
size_t ilen,
|
||||||
*/
|
size_t *olen,
|
||||||
int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
|
||||||
int (*f_rng)(void *, unsigned char *, size_t),
|
|
||||||
void *p_rng,
|
|
||||||
int mode, size_t *olen,
|
|
||||||
const unsigned char *input,
|
|
||||||
unsigned char *output,
|
unsigned char *output,
|
||||||
size_t output_max_len )
|
size_t output_max_len,
|
||||||
|
unsigned char *buf )
|
||||||
{
|
{
|
||||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
size_t ilen, i, plaintext_max_size;
|
size_t i, plaintext_max_size;
|
||||||
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
|
|
||||||
/* The following variables take sensitive values: their value must
|
/* The following variables take sensitive values: their value must
|
||||||
* not leak into the observable behavior of the function other than
|
* not leak into the observable behavior of the function other than
|
||||||
* the designated outputs (output, olen, return value). Otherwise
|
* the designated outputs (output, olen, return value). Otherwise
|
||||||
@ -1509,31 +1505,10 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
|||||||
size_t plaintext_size = 0;
|
size_t plaintext_size = 0;
|
||||||
unsigned output_too_large;
|
unsigned output_too_large;
|
||||||
|
|
||||||
RSA_VALIDATE_RET( ctx != NULL );
|
plaintext_max_size = mbedtls_cf_size_if( output_max_len > ilen - 11,
|
||||||
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
|
ilen - 11,
|
||||||
mode == MBEDTLS_RSA_PUBLIC );
|
|
||||||
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
|
|
||||||
RSA_VALIDATE_RET( input != NULL );
|
|
||||||
RSA_VALIDATE_RET( olen != NULL );
|
|
||||||
|
|
||||||
ilen = ctx->len;
|
|
||||||
plaintext_max_size = ( output_max_len > ilen - 11 ?
|
|
||||||
ilen - 11 :
|
|
||||||
output_max_len );
|
output_max_len );
|
||||||
|
|
||||||
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
|
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
|
|
||||||
if( ilen < 16 || ilen > sizeof( buf ) )
|
|
||||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
|
||||||
|
|
||||||
ret = ( mode == MBEDTLS_RSA_PUBLIC )
|
|
||||||
? mbedtls_rsa_public( ctx, input, buf )
|
|
||||||
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
|
|
||||||
|
|
||||||
if( ret != 0 )
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
/* Check and get padding length in constant time and constant
|
/* Check and get padding length in constant time and constant
|
||||||
* memory trace. The first byte must be 0. */
|
* memory trace. The first byte must be 0. */
|
||||||
bad |= buf[0];
|
bad |= buf[0];
|
||||||
@ -1646,6 +1621,51 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
|||||||
* to the good case limits the risks of leaking the padding validity. */
|
* to the good case limits the risks of leaking the padding validity. */
|
||||||
*olen = plaintext_size;
|
*olen = plaintext_size;
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Implementation of the PKCS#1 v2.1 RSAES-PKCS1-V1_5-DECRYPT function
|
||||||
|
*/
|
||||||
|
int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng,
|
||||||
|
int mode,
|
||||||
|
size_t *olen,
|
||||||
|
const unsigned char *input,
|
||||||
|
unsigned char *output,
|
||||||
|
size_t output_max_len )
|
||||||
|
{
|
||||||
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
|
size_t ilen;
|
||||||
|
unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
|
||||||
|
|
||||||
|
RSA_VALIDATE_RET( ctx != NULL );
|
||||||
|
RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE ||
|
||||||
|
mode == MBEDTLS_RSA_PUBLIC );
|
||||||
|
RSA_VALIDATE_RET( output_max_len == 0 || output != NULL );
|
||||||
|
RSA_VALIDATE_RET( input != NULL );
|
||||||
|
RSA_VALIDATE_RET( olen != NULL );
|
||||||
|
|
||||||
|
ilen = ctx->len;
|
||||||
|
|
||||||
|
if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( ilen < 16 || ilen > sizeof( buf ) )
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
ret = ( mode == MBEDTLS_RSA_PUBLIC )
|
||||||
|
? mbedtls_rsa_public( ctx, input, buf )
|
||||||
|
: mbedtls_rsa_private( ctx, f_rng, p_rng, input, buf );
|
||||||
|
|
||||||
|
if( ret != 0 )
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
ret = mbedtls_cf_rsaes_pkcs1_v15_unpadding( mode, ilen, olen, output,
|
||||||
|
output_max_len,
|
||||||
|
(unsigned char *) &buf );
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
mbedtls_platform_zeroize( buf, sizeof( buf ) );
|
mbedtls_platform_zeroize( buf, sizeof( buf ) );
|
||||||
|
|
||||||
|
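Review bot: The new `mbedtls_cf_rsaes_pkcs1_v15_unpadding` in the first hunk has external linkage and no header comment, yet its correctness depends on checks that now live only in the caller: `ilen - 11` in the `mbedtls_cf_size_if` call of the second hunk underflows for `ilen < 11`, `buf` must hold at least `ilen` bytes, and `output` must be valid whenever `output_max_len != 0`, all of which are enforced by the `RSA_VALIDATE_RET` and `ilen < 16` checks left in `mbedtls_rsa_rsaes_pkcs1_v15_decrypt`. A comment above the definition should state these preconditions and that the caller owns and zeroizes `buf` (the `cleanup:` zeroize stayed in the caller); the function's body continues past the second hunk, so whether it still uses `mode` is not visible here, and if it does not, the parameter will trigger unused-parameter warnings. In the third hunk the call passes `(unsigned char *) &buf`, a cast of an array pointer that only hides the type; the array decays on its own, so `(unsigned char *) &buf );` can simply be `buf );`. The end of the decrypt function (`return( ret );` and the closing brace) lies outside the third hunk.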