From 3fb31cef450cef82015170f8e825a2d656163ea6 Mon Sep 17 00:00:00 2001
From: Juraj Somorovsky
Date: Wed, 26 Oct 2016 09:28:03 -0400
Subject: Avoid timing channel in OAEP decoding (CVE-2016-8871)

---
 src/lib/pk_pad/eme_oaep/oaep.cpp | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
(limited to 'src')

diff --git a/src/lib/pk_pad/eme_oaep/oaep.cpp b/src/lib/pk_pad/eme_oaep/oaep.cpp
index 81d41afea..f58254fdd 100644
--- a/src/lib/pk_pad/eme_oaep/oaep.cpp
+++ b/src/lib/pk_pad/eme_oaep/oaep.cpp
@@ -59,15 +59,20 @@ secure_vector OAEP::unpad(byte& valid_mask,
 Also have to be careful about timing attacks! Pointed out by Falko Strenzke.
+
+ According to the standard (Section 7.1.1), the encryptor always
+ creates a message as follows:
+ i. Concatenate a single octet with hexadecimal value 0x00,
+ maskedSeed, and maskedDB to form an encoded message EM of
+ length k octets as
+ EM = 0x00 || maskedSeed || maskedDB.
+ where k is the length of the modulus N.
+ Therefore, the first byte can always be skipped safely.
 */
- if(in[0] == 0)
- {
- in += 1;
- in_length -= 1;
- }
-
- secure_vector input(in, in + in_length);
+ byte skip_first = CT::is_zero(in[0]) & 0x01;
+
+ secure_vector input(in + skip_first, in + in_length);
 CT::poison(input.data(), input.size());
-- cgit v1.2.3
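Review bot: `in[0]` is read before any length check visible in this hunk, so if `in_length` can be 0 when unpad is entered, the new `skip_first` computation reads one byte past the buffer, just as the branch it replaces did; unless the caller guarantees a non-empty input (not visible here), reject empty input before the constant-time path, e.g. `if(in_length == 0) { valid_mask = 0; return secure_vector<byte>(); }` (the length is public, so branching on it is not a timing leak), or state the precondition in the comment. The comment explains why skipping the first byte is safe but not why the new form closes the timing channel, so a one-line note above the assignment would help the next reader: `// computed branch-free: control flow no longer depends on whether in[0] is zero`. The types of `CT::is_zero(in[0])` and the `& 0x01` result are not visible here; if `is_zero` returns a wider type than `byte`, the narrowing into `skip_first` is presumably harmless but worth confirming. OAEP::unpad begins before the hunk and continues after it.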