Constant time/cache PKCS#1 RSA decryptiontmp-fix-CVE-2018-16868

This patch tries to make the code have the same time and memory access aptterns across all branches of the decryption function so that timining or cache side channels are minimized or neutralized. To do so it uses a new nettle rsa decryption function that is side-channel silent. Signed-off-by: Simo Sorce <simo@redhat.com>
author: Simo Sorce <simo@redhat.com> 2018-10-03 13:12:38 -0400
committer: Simo Sorce <simo@redhat.com> 2018-11-30 13:51:24 -0500
commit: 4804febddc2ed958e5ae774de2a8f85edeeff538 (patch)
tree: a7a693c3e8fb686581425217d0545b85612616c5 /lib/gnutls_int.h
parent: ed3bdddab73c792364deec423b2c2c498a939a64 (diff)
download: gnutls-4804febddc2ed958e5ae774de2a8f85edeeff538.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 16881d8827..50a9208346 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -1564,4 +1564,8 @@ inline static bool _gnutls_has_negotiate_ctypes(gnutls_session_t session)
 	return session->internals.flags & GNUTLS_ENABLE_CERT_TYPE_NEG;
 }
 
+/* Macros to aide constant time/mem checks */
+#define CONSTCHECK_NOT_EQUAL(a, b) ((-((uint32_t)(a) ^ (uint32_t)(b))) >> 31)
+#define CONSTCHECK_EQUAL(a, b) (1U - CONSTCHECK_NOT_EQUAL(a, b))
+
 #endif				/* GNUTLS_INT_H */
author	Simo Sorce <simo@redhat.com>	2018-10-03 13:12:38 -0400
committer	Simo Sorce <simo@redhat.com>	2018-11-30 13:51:24 -0500
commit	4804febddc2ed958e5ae774de2a8f85edeeff538 (patch)
tree	a7a693c3e8fb686581425217d0545b85612616c5 /lib/gnutls_int.h
parent	ed3bdddab73c792364deec423b2c2c498a939a64 (diff)
download	gnutls-4804febddc2ed958e5ae774de2a8f85edeeff538.tar.gz