From 3cd661c8dc45f4c05c49cbfa09301d118d2cbb77 Mon Sep 17 00:00:00 2001
From: Jack Lloyd <jack@randombit.net>
Date: Tue, 29 Aug 2017 17:09:23 -0400
Subject: Fix a valgrind const-time error in ISO 9796 padding

It didn't unpoison the output values.
---
 src/lib/pk_pad/iso9796/iso9796.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/lib/pk_pad/iso9796/iso9796.cpp b/src/lib/pk_pad/iso9796/iso9796.cpp
index f56689389..6dcae799a 100644
--- a/src/lib/pk_pad/iso9796/iso9796.cpp
+++ b/src/lib/pk_pad/iso9796/iso9796.cpp
@@ -157,8 +157,13 @@ bool iso9796_verification(const secure_vector<uint8_t>& const_coded,
    //invalid, if delimiter 0x01 was not found or msg1_offset is too big
    bad_input |= waiting_for_delim;
    bad_input |= CT::is_less(coded.size(), tLength + HASH_SIZE + msg1_offset + SALT_SIZE);
+
    //in case that msg1_offset is too big, just continue with offset = 0. 
    msg1_offset = CT::select<size_t>(bad_input, 0, msg1_offset);
+
+   CT::unpoison(coded.data(), coded.size());
+   CT::unpoison(msg1_offset);
+
    secure_vector<uint8_t> msg1(coded.begin() + msg1_offset,
                             coded.end() - tLength - HASH_SIZE - SALT_SIZE);
    secure_vector<uint8_t> salt(coded.begin() + msg1_offset + msg1.size(),
@@ -198,8 +203,8 @@ bool iso9796_verification(const secure_vector<uint8_t>& const_coded,
    
    //check if H3 == H2
    bad_input |= CT::is_equal<uint8_t>(same_mem(H3.data(), H2.data(), HASH_SIZE), false);
-   CT::unpoison(coded.data(), coded.size());
    
+   CT::unpoison(bad_input);
    return (bad_input == 0);
    }
 
@@ -279,4 +284,4 @@ bool ISO_9796_DS3::verify(const secure_vector<uint8_t>& const_coded,
    {
    return iso9796_verification(const_coded, raw, key_bits, m_hash, 0);
    }
-}
\ No newline at end of file
+}
-- 
cgit v1.2.3