Make PKCS #1 and OAEP decoding constant time to avoid oracle attacks

via timing channels. Add annotations for checking constant-time code using ctgrind to PKCS #1 and OAEP, as well as IDEA and Curve25519 which were already written as constant time code.
author: Jack Lloyd <[email protected]> 2015-10-16 17:39:43 -0400
committer: Jack Lloyd <[email protected]> 2015-10-16 17:39:43 -0400
commit: ea07110c86c7ae2601e71dd3c1134873ccfd721f (patch)
tree: 1ccbb775a624d8a977f21a37b2d60a619fc0824f /src/lib/pubkey
parent: f257cb324614adb5f9266ca185ab2bfeb64b1dd4 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/src/lib/pubkey/curve25519/donna.cpp b/src/lib/pubkey/curve25519/donna.cpp
index 4fab78cb8..ab9363761 100644
--- a/src/lib/pubkey/curve25519/donna.cpp
+++ b/src/lib/pubkey/curve25519/donna.cpp
@@ -30,6 +30,7 @@
 #include <botan/curve25519.h>
 #include <botan/mul128.h>
 #include <botan/internal/donna128.h>
+#include <botan/internal/ct_utils.h>
 #include <botan/loadstor.h>
 
 namespace Botan {
@@ -418,6 +419,10 @@ crecip(felem out, const felem z) {
 
 int
 curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) {
+
+  BOTAN_CONST_TIME_POISON(secret, 32);
+  BOTAN_CONST_TIME_POISON(basepoint, 32);
+
   limb bp[5], x[5], z[5], zmone[5];
   uint8_t e[32];
   int i;
@@ -432,6 +437,10 @@ curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) {
   crecip(zmone, z);
   fmul(z, x, zmone);
   fcontract(mypublic, z);
+
+  BOTAN_CONST_TIME_UNPOISON(secret, 32);
+  BOTAN_CONST_TIME_UNPOISON(basepoint, 32);
+  BOTAN_CONST_TIME_UNPOISON(mypublic, 32);
   return 0;
 }
author	Jack Lloyd <[email protected]>	2015-10-16 17:39:43 -0400
committer	Jack Lloyd <[email protected]>	2015-10-16 17:39:43 -0400
commit	ea07110c86c7ae2601e71dd3c1134873ccfd721f (patch)
tree	1ccbb775a624d8a977f21a37b2d60a619fc0824f /src/lib/pubkey
parent	f257cb324614adb5f9266ca185ab2bfeb64b1dd4 (diff)