1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
/* pkcs1-sec-decrypt.c
The RSA publickey algorithm. Side channel resistant PKCS#1 decryption.
Copyright (C) 2001, 2012 Niels Möller
Copyright (C) 2018 Red Hat, Inc.
This file is part of GNU Nettle.
GNU Nettle is free software: you can redistribute it and/or
modify it under the terms of either:
* the GNU Lesser General Public License as published by the Free
Software Foundation; either version 3 of the License, or (at your
option) any later version.
or
* the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.
or both in parallel, as here.
GNU Nettle is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received copies of the GNU General Public License and
the GNU Lesser General Public License along with this program. If
not, see http://www.gnu.org/licenses/.
*/
#if HAVE_CONFIG_H
# include "config.h"
#endif
#include <assert.h>
#include <string.h>
#include "memops.h"
#include "gmp-glue.h"
#include "pkcs1-internal.h"
/* Inputs are always cast to uint32_t values. But all values used in this
* function should never exceed the maximum value of a uint32_t anyway.
* these macros returns 1 on success, 0 on failure */
#define NOT_EQUAL(a, b) \
((0U - ((uint32_t)(a) ^ (uint32_t)(b))) >> 31)
#define EQUAL(a, b) \
((((uint32_t)(a) ^ (uint32_t)(b)) - 1U) >> 31)
#define GREATER_OR_EQUAL(a, b) \
(1U - (((uint32_t)(a) - (uint32_t)(b)) >> 31))
int
_pkcs1_sec_decrypt (size_t length, uint8_t *message,
size_t padded_message_length,
const volatile uint8_t *padded_message)
{
volatile int ok;
size_t i, t;
/* Message independent branch */
if (length + 11 > padded_message_length)
return 0;
t = padded_message_length - length - 1;
/* Check format, padding, message_size */
ok = EQUAL(padded_message[0], 0); /* ok if padded_message[0] == 0 */
ok &= EQUAL(padded_message[1], 2); /* ok if padded_message[1] == 2 */
for (i = 2; i < t; i++) /* check padding has no zeros */
{
ok &= NOT_EQUAL(padded_message[i], 0);
}
ok &= EQUAL(padded_message[t], 0); /* ok if terminator == 0 */
/* fill destination buffer regardless of outcome */
cnd_memcpy(ok, message, padded_message + t + 1, length);
return ok;
}
int
_pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message,
size_t padded_message_length,
const volatile uint8_t *padded_message)
{
volatile int not_found = 1;
volatile int ok;
volatile size_t offset;
size_t buflen, msglen;
size_t shift, i;
/* Check format, padding, message_size */
ok = EQUAL(padded_message[0], 0);
ok &= EQUAL(padded_message[1], 2);
/* length is discovered in a side-channel silent way.
* not_found goes to 0 when the terminator is found.
* offset starts at 3 as it includes the terminator and
* the format bytes already */
offset = 3;
for (i = 2; i < padded_message_length; i++)
{
not_found &= NOT_EQUAL(padded_message[i], 0);
offset += not_found;
}
/* check if we ran out of buffer */
ok &= NOT_EQUAL(not_found, 1);
/* padding must be >= 11 (2 format bytes + 8 pad bytes min. + terminator) */
ok &= GREATER_OR_EQUAL(offset, 11);
/* offset can vary between 3 and padded_message_length, due to the loop
* above, therefore msglen can't underflow */
msglen = padded_message_length - offset;
/* we always fill the whole buffer but only up to
* padded_message_length length */
buflen = *length;
if (buflen > padded_message_length) { /* input independent branch */
buflen = padded_message_length;
}
/* if the message length is larger than the buffer we must fail */
ok &= GREATER_OR_EQUAL(buflen, msglen);
/* fill destination buffer fully regardless of outcome. Copies the message
* in a memory access independent way. The destination message buffer will
* be clobbered past the message length. */
shift = padded_message_length - buflen;
cnd_memcpy(ok, message, padded_message + shift, buflen);
offset -= shift;
/* In this loop, the bits of the 'offset' variable are used as shifting
* conditions, starting from the least significant bit. The end result is
* that the buffer is shifted left exactly 'offset' bytes. */
for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1)
{
/* 'ok' is both a least significant bit mask and a condition */
cnd_memcpy(offset & ok, message, message + shift, buflen - shift);
}
/* update length only if we succeeded, otherwise leave unchanged */
*length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1));
return ok;
}
|
