author: Jack Lloyd <[email protected]> 2015-10-16 17:39:43 -0400
committer: Jack Lloyd <[email protected]> 2015-10-16 17:39:43 -0400
commit: ea07110c86c7ae2601e71dd3c1134873ccfd721f (patch)
tree: 1ccbb775a624d8a977f21a37b2d60a619fc0824f /doc
parent: f257cb324614adb5f9266ca185ab2bfeb64b1dd4 (diff)
Make PKCS #1 and OAEP decoding constant time to avoid oracle attacks
via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.
Diffstat (limited to 'doc')
-rw-r--r-- doc/news.rst | 17
1 files changed, 17 insertions, 0 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 9eddabd5c..00a102427 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -4,6 +4,23 @@ Release Notes
Version 1.11.22, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* The routines for decoding PKCS #1 encryption and OAEP blocks have been
+ rewritten to run without secret indexes or branches. These cryptographic
+ operations are vulnerable to oracle attacks, including via side channels such
+ as timing or cache-based analysis. In theory it would be possible to attack
+ the previous implementations using such a side channel, which could allow
+ an attacker to mount a plaintext recovery attack.
+
+ By writing the code such that it does not depend on secret inputs for branch
+ or memory indexes, such a side channel would be much less likely to exist.
+
+* Add support for using ctgrind (https://github.com/agl/ctgrind) to test that
+ sections of code do not use secret inputs to decide branches or memory indexes.
+ The testing relies on dynamic checking using valgrind.
+
+ So far PKCS #1 decoding, OAEP decoding, IDEA, and Curve25519 have been notated
+ and confirmed to be constant time.
+
* Public key operations can now be used with specified providers by passing an
additional parameter to the constructor of the PK operation.
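Review bot: The second added entry overstates what the dynamic check establishes: "confirmed to be constant time" (the line beginning `+ and confirmed to be constant time.`) should be qualified, since ctgrind under valgrind only reports secret-dependent branches and memory indexes on the code paths actually executed with the test inputs, on the build and platform where the test was run; it says nothing about other compilers, optimisation levels or variable-time instructions. Suggest "have been annotated and checked with ctgrind" instead. Two smaller wording points in the same hunk: "notated" should be "annotated", matching the commit message's "Add annotations", and "Add support for using ctgrind" should be "Added support for using ctgrind" so its tense matches the neighbouring entries ("have been rewritten", "can now be used"). The first entry is fine as written, though "such a side channel would be much less likely to exist" already carries the right hedge; consider stating there too that the guarantee rests on the compiler preserving the branch-free structure, so readers do not take the new decoders as unconditionally constant time.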