author | Jack Lloyd <[email protected]> | 2015-10-17 23:21:14 -0400 |
committer | Jack Lloyd <[email protected]> | 2015-10-17 23:21:14 -0400 |
commit | ada3ce066d1edfe95ee8bffa82f0c2846908a4e1 (patch) | |
tree | d3818b138d9bcb11de1ce69660201c215140a1ab /src/lib | |
parent | ea07110c86c7ae2601e71dd3c1134873ccfd721f (diff) |
Cleanups in ct and oaep
In OAEP expand the const time block to cover MGF1 also
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/pk_pad/eme_oaep/oaep.cpp | 20 | ||||
-rw-r--r-- | src/lib/utils/ct_utils.h | 99 |
2 files changed, 23 insertions, 96 deletions
diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp index 48a9b5c63..b114afb8b 100644 --- a/src/lib/pk_pad/eme_oaep/oaep.cpp +++ b/src/lib/pk_pad/eme_oaep/oaep.cpp @@ -61,7 +61,7 @@ secure_vector<byte> OAEP::pad(const byte in[], size_t in_length, * OAEP Unpad Operation */ secure_vector<byte> OAEP::unpad(const byte in[], size_t in_length, - size_t key_length) const + size_t key_length) const { /* Must be careful about error messages here; if an attacker can @@ -84,17 +84,19 @@ secure_vector<byte> OAEP::unpad(const byte in[], size_t in_length, secure_vector<byte> input(key_length); buffer_insert(input, key_length - in_length, in, in_length); - mgf1_mask(*m_hash, - &input[m_Phash.size()], input.size() - m_Phash.size(), - input.data(), m_Phash.size()); + BOTAN_CONST_TIME_POISON(input.data(), input.size()); + + const size_t hlen = m_Phash.size(); mgf1_mask(*m_hash, - input.data(), m_Phash.size(), - &input[m_Phash.size()], input.size() - m_Phash.size()); + &input[hlen], input.size() - hlen, + input.data(), hlen); - BOTAN_CONST_TIME_POISON(input.data(), input.size()); + mgf1_mask(*m_hash, + input.data(), hlen, + &input[hlen], input.size() - hlen); - size_t delim_idx = 2 * m_Phash.size(); + size_t delim_idx = 2 * hlen; byte waiting_for_delim = 0xFF; byte bad_input = 0; @@ -114,7 +116,7 @@ secure_vector<byte> OAEP::unpad(const byte in[], size_t in_length, // If we never saw any non-zero byte, then it's not valid input bad_input |= waiting_for_delim; - bad_input |= ct_expand_mask_8(!same_mem(&input[m_Phash.size()], m_Phash.data(), m_Phash.size())); + bad_input |= ct_expand_mask_8(!same_mem(&input[hlen], m_Phash.data(), hlen)); BOTAN_CONST_TIME_UNPOISON(input.data(), input.size()); BOTAN_CONST_TIME_UNPOISON(&bad_input, sizeof(bad_input)); diff --git a/src/lib/utils/ct_utils.h b/src/lib/utils/ct_utils.h index 02148001e..4ae735330 100644 --- a/src/lib/utils/ct_utils.h +++ b/src/lib/utils/ct_utils.h 
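Review bot: The new `hlen`-based arguments to the two mgf1_mask calls (`&input[hlen]`, `input.size() - hlen`) are not bounded against `key_length` anywhere in this hunk; if `key_length` is smaller than `2 * hlen + 1`, `input.size() - hlen` wraps and `&input[hlen]` points past the end of `input`, and the later `delim_idx = 2 * hlen` scan starts out of bounds. Unless the part of unpad above the hunk already rejects such key sizes, a check on `key_length` alone, e.g. `if(key_length < 2 * hlen + 1)` rejecting the input before the poison, is safe to add, since the key length is not secret and so cannot feed the error-message oracle the function comment warns about. The moved `BOTAN_CONST_TIME_POISON(input.data(), input.size());` also deserves a why-comment such as `// Poison before MGF1 so the mask derivation is covered by the constant-time check as well`, as the motivation lives only in the commit message. unpad's body starts and ends outside this hunk.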
@@ -40,25 +40,21 @@ namespace Botan { #endif /* -* Constant time operations for 32 bit values: -* mask, select, zero, equals, min, max -*/ - -/* * Expand to a mask used for other operations * @param in an integer * @return 0 if in == 0 else 0xFFFFFFFF */ - inline uint32_t ct_expand_mask_32(uint32_t x) { + // First fold x down to a single bit: uint32_t r = x; - r |= r >> 1; - r |= r >> 2; - r |= r >> 4; - r |= r >> 8; r |= r >> 16; + r |= r >> 8; + r |= r >> 4; + r |= r >> 2; + r |= r >> 1; r &= 1; + // assumes 2s complement signed representation r = ~(r - 1); return r; } @@ -68,23 +64,9 @@ inline uint32_t ct_select_mask_32(uint32_t mask, uint32_t a, uint32_t b) return (a & mask) | (b & ~mask); } -inline uint32_t ct_select_cond_32(bool cond, uint32_t a, uint32_t b) - { - return ct_select_mask_32(ct_expand_mask_32(static_cast<uint32_t>(cond)), a, b); - } - -inline uint32_t ct_get_high_bit_32(uint32_t x) - { - return (x >> (8 * sizeof(x) - 1)); - } - -/* -* If x is zero, return 0xFFFF... -* Otherwise returns zero -*/ inline uint32_t ct_is_zero_32(uint32_t x) { - return ct_expand_mask_32(ct_get_high_bit_32(~x & (x-1))); + return ~ct_expand_mask_32(x); } inline uint32_t ct_is_equal_32(uint32_t x, uint32_t y) 
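Review bot: The comment added above `r = ~(r - 1);` in ct_expand_mask_32, `// assumes 2s complement signed representation`, is inaccurate: `r` is `uint32_t`, so `r - 1` is unsigned arithmetic that wraps modulo 2^32 by definition, independent of how signed values are represented. Suggest `// r is 0 or 1: r - 1 wraps (unsigned) to all-ones or 0, and ~ turns that into the mask`. The hunk also removes the `If x is zero, return 0xFFFF... / Otherwise returns zero` comment that documented ct_is_zero_32, leaving the rewritten `return ~ct_expand_mask_32(x);` without a contract; restore it as a `@return 0xFFFFFFFF if x == 0, else 0` line, and the same is true of ct_is_zero_16 and ct_is_zero_8 in the later hunks of this file. The kept doc comment's `@param in an integer` names a parameter that is actually `x`.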
@@ -92,43 +74,13 @@ inline uint32_t ct_is_equal_32(uint32_t x, uint32_t y) return ct_is_zero_32(x ^ y); } -/** -* Branch-free maximum -* Note: assumes twos-complement signed representation -* @param a an integer -* @param b an integer -* @return max(a,b) -*/ -inline uint32_t ct_max_32(uint32_t a, uint32_t b) - { - const uint32_t s = b - a; - return ct_select_cond_32(ct_get_high_bit_32(s), a, b); - } - -/** -* Branch-free minimum -* Note: assumes twos-complement signed representation -* @param a an integer -* @param b an integer -* @return min(a,b) -*/ -inline uint32_t ct_min_32(uint32_t a, uint32_t b) - { - const uint32_t s = b - a; - return ct_select_cond_32(ct_get_high_bit_32(s), b, a); - } - -/* -* Constant time operations for 16 bit values: -* mask, select, zero, equals -*/ inline uint16_t ct_expand_mask_16(uint16_t x) { uint16_t r = x; - r |= r >> 1; - r |= r >> 2; - r |= r >> 4; r |= r >> 8; + r |= r >> 4; + r |= r >> 2; + r |= r >> 1; r &= 1; r = ~(r - 1); return r; @@ -139,21 +91,9 @@ inline uint16_t ct_select_mask_16(uint16_t mask, uint16_t a, uint16_t b) return (a & mask) | (b & ~mask); } -inline uint16_t ct_select_cond_16(bool cond, uint16_t a, uint16_t b) - { - return ct_select_mask_16(ct_expand_mask_16(static_cast<uint16_t>(cond)), a, b); - } - -inline uint16_t ct_get_high_bit_16(uint16_t x) - { - return (x >> (8 * sizeof(x) - 1)); - } - inline uint16_t ct_is_zero_16(uint16_t x) { - //uint16_t z = x & (x - 1) - //return ct_expand_mask_16((~x & (x-1)) - return ct_expand_mask_16(ct_get_high_bit_16(~x & (x-1))); + return ~ct_expand_mask_16(x); } inline uint16_t ct_is_equal_16(uint16_t x, uint16_t y) @@ -161,11 +101,6 @@ inline uint16_t ct_is_equal_16(uint16_t x, uint16_t y) return ct_is_zero_16(x ^ y); } -/* -* Constant time operations for 8 bit values: -* mask, select, zero, equals -*/ - inline uint8_t ct_expand_mask_8(uint8_t x) { uint8_t r = x; 
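Review bot: `r = ~(r - 1);` in ct_expand_mask_16 and the new `return ~ct_expand_mask_16(x);` in ct_is_zero_16 operate on operands promoted to `int`, so for non-zero x the `~` in ct_is_zero_16 yields -65536 (0xFFFF0000 in two's complement) and only the implicit narrowing to `uint16_t` on return produces the intended 0. That is well-defined but silent, warns under `-Wconversion`, and would give a wrong mask if either expression were ever used inline at a wider width. Suggest making the narrowing explicit: `return static_cast<uint16_t>(~ct_expand_mask_16(x));` and `r = static_cast<uint16_t>(~(r - 1));`. The same applies to the `uint8_t` variants in the following hunk.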
@@ -182,19 +117,9 @@ inline uint8_t ct_select_mask_8(uint8_t mask, uint8_t a, uint8_t b) return (a & mask) | (b & ~mask); } -inline uint8_t ct_select_cond_8(bool cond, uint8_t a, uint8_t b) - { - return ct_select_mask_8(ct_expand_mask_8(static_cast<uint8_t>(cond)), a, b); - } - -inline uint8_t ct_get_high_bit_8(uint8_t x) - { - return (x >> (8 * sizeof(x) - 1)); - } - inline uint8_t ct_is_zero_8(uint8_t x) { - return ct_expand_mask_8(ct_get_high_bit_8(~x & (x-1))); + return ~ct_expand_mask_8(x); } inline uint8_t ct_is_equal_8(uint8_t x, uint8_t y) |