aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/pk_pad
diff options
context:
space:
mode:
authorJuraj Somorovsky <[email protected]>2016-10-26 09:28:03 -0400
committerJack Lloyd <[email protected]>2016-10-26 09:28:03 -0400
commit3fb31cef450cef82015170f8e825a2d656163ea6 (patch)
tree87d0dbfb925216d12b2c991f99a75b5eb6404b9a /src/lib/pk_pad
parentaefaf218c4f6d91578a263bb853ba0473ff101bb (diff)
Avoid timing channel in OAEP decoding (CVE-2016-8871)
Diffstat (limited to 'src/lib/pk_pad')
-rw-r--r--src/lib/pk_pad/eme_oaep/oaep.cpp19
1 files changed, 12 insertions, 7 deletions
diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp
index 81d41afea..f58254fdd 100644
--- a/src/lib/pk_pad/eme_oaep/oaep.cpp
+++ b/src/lib/pk_pad/eme_oaep/oaep.cpp
@@ -59,15 +59,20 @@ secure_vector<byte> OAEP::unpad(byte& valid_mask,
Also have to be careful about timing attacks! Pointed out by Falko
Strenzke.
+
+ According to the standard (Section 7.1.1), the encryptor always
+ creates a message as follows:
+ i. Concatenate a single octet with hexadecimal value 0x00,
+ maskedSeed, and maskedDB to form an encoded message EM of
+ length k octets as
+ EM = 0x00 || maskedSeed || maskedDB.
+ where k is the length of the modulus N.
+ Therefore, the first byte can always be skipped safely.
*/
- if(in[0] == 0)
- {
- in += 1;
- in_length -= 1;
- }
-
- secure_vector<byte> input(in, in + in_length);
+ byte skip_first = CT::is_zero<byte>(in[0]) & 0x01;
+
+ secure_vector<byte> input(in + skip_first, in + in_length);
CT::poison(input.data(), input.size());