diff options
author | Juraj Somorovsky <[email protected]> | 2016-10-26 09:28:03 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-10-26 09:28:03 -0400 |
commit | 3fb31cef450cef82015170f8e825a2d656163ea6 (patch) | |
tree | 87d0dbfb925216d12b2c991f99a75b5eb6404b9a /src | |
parent | aefaf218c4f6d91578a263bb853ba0473ff101bb (diff) |
Avoid timing channel in OAEP decoding (CVE-2016-8871)
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/pk_pad/eme_oaep/oaep.cpp | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp index 81d41afea..f58254fdd 100644 --- a/src/lib/pk_pad/eme_oaep/oaep.cpp +++ b/src/lib/pk_pad/eme_oaep/oaep.cpp @@ -59,15 +59,20 @@ secure_vector<byte> OAEP::unpad(byte& valid_mask, Also have to be careful about timing attacks! Pointed out by Falko Strenzke. + + According to the standard (Section 7.1.1), the encryptor always + creates a message as follows: + i. Concatenate a single octet with hexadecimal value 0x00, + maskedSeed, and maskedDB to form an encoded message EM of + length k octets as + EM = 0x00 || maskedSeed || maskedDB. + where k is the length of the modulus N. + Therefore, the first byte can always be skipped safely. */ - if(in[0] == 0) - { - in += 1; - in_length -= 1; - } - - secure_vector<byte> input(in, in + in_length); + byte skip_first = CT::is_zero<byte>(in[0]) & 0x01; + + secure_vector<byte> input(in + skip_first, in + in_length); CT::poison(input.data(), input.size()); |