Avoid timing channel in OAEP decoding (CVE-2016-8871)

author: Juraj Somorovsky <[email protected]> 2016-10-26 09:28:03 -0400
committer: Jack Lloyd <[email protected]> 2016-10-26 09:28:03 -0400
commit: 3fb31cef450cef82015170f8e825a2d656163ea6 (patch)
tree: 87d0dbfb925216d12b2c991f99a75b5eb6404b9a /src/lib/pk_pad/eme_oaep
parent: aefaf218c4f6d91578a263bb853ba0473ff101bb (diff)
1 files changed, 12 insertions, 7 deletions
diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp
index 81d41afea..f58254fdd 100644
--- a/src/lib/pk_pad/eme_oaep/oaep.cpp
+++ b/src/lib/pk_pad/eme_oaep/oaep.cpp
@@ -59,15 +59,20 @@ secure_vector<byte> OAEP::unpad(byte& valid_mask,
 
    Also have to be careful about timing attacks! Pointed out by Falko
    Strenzke.
+    
+   According to the standard (Section 7.1.1), the encryptor always 
+   creates a message as follows:
+      i. Concatenate a single octet with hexadecimal value 0x00,
+         maskedSeed, and maskedDB to form an encoded message EM of
+         length k octets as
+            EM = 0x00 || maskedSeed || maskedDB.
+   where k is the length of the modulus N.
+   Therefore, the first byte can always be skipped safely.
    */
 
-   if(in[0] == 0)
-      {
-      in += 1;
-      in_length -= 1;
-      }
-
-   secure_vector<byte> input(in, in + in_length);
+   byte skip_first = CT::is_zero<byte>(in[0]) & 0x01;
+   
+   secure_vector<byte> input(in + skip_first, in + in_length);
 
    CT::poison(input.data(), input.size());
author	Juraj Somorovsky <[email protected]>	2016-10-26 09:28:03 -0400
committer	Jack Lloyd <[email protected]>	2016-10-26 09:28:03 -0400
commit	3fb31cef450cef82015170f8e825a2d656163ea6 (patch)
tree	87d0dbfb925216d12b2c991f99a75b5eb6404b9a /src/lib/pk_pad/eme_oaep
parent	aefaf218c4f6d91578a263bb853ba0473ff101bb (diff)