commit 171a8f1c957f02fce452f9e27e58ef74b54e3a88
author Hanno Becker <hanno.becker@arm.com> Wed Sep 06 12:32:16 2017 +0100
committer Hanno Becker <hanno.becker@arm.com> Tue Oct 03 07:58:00 2017 +0100
tree 7f50aa2e4e17aaafc4ef2b30d33929bf1c17e5ea
parent 558477d073655f1b956bcc334794ac082c436f34

Move constant time memcmp for signature verification

This commit replaces the ad-hoc code for constant-time double-checking the PKCS1 v1.5 RSA signature by an invocation of
`mbedtls_safer_memcmp`.

library/rsa.c

diff --git a/library/rsa.c b/library/rsa.c
index bdd2538..3cc90c0 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -71,6 +71,20 @@
     volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
 }
 
+/* constant-time buffer comparison */
+static inline int mbedtls_safer_memcmp( const void *a, const void *b, size_t n )
+{
+    size_t i;
+    const unsigned char *A = (const unsigned char *) a;
+    const unsigned char *B = (const unsigned char *) b;
+    unsigned char diff = 0;
+
+    for( i = 0; i < n; i++ )
+        diff |= A[i] ^ B[i];
+
+    return( diff );
+}
+
 /*
  * Initialize an RSA context
  */
@@ -1162,9 +1176,6 @@
     unsigned char *p = sig;
     const char *oid = NULL;
     unsigned char *sig_try = NULL, *verif = NULL;
-    size_t i;
-    unsigned char diff;
-    volatile unsigned char diff_no_optimize;
     int ret;
 
     if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 )
@@ -1249,12 +1260,7 @@
     MBEDTLS_MPI_CHK( mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig_try ) );
     MBEDTLS_MPI_CHK( mbedtls_rsa_public( ctx, sig_try, verif ) );
 
-    /* Compare in constant time just in case */
-    for( diff = 0, i = 0; i < ctx->len; i++ )
-        diff |= verif[i] ^ sig[i];
-    diff_no_optimize = diff;
-
-    if( diff_no_optimize != 0 )
+    if( mbedtls_safer_memcmp( verif, sig, ctx->len ) != 0 )
     {
         ret = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
         goto cleanup;