Removed timing differences due to bad padding from RSA decrypt for
PKCS#1 v1.5 operations
diff --git a/library/rsa.c b/library/rsa.c
index cc14d8e..e53d9a2 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -623,9 +623,9 @@
unsigned char *output,
size_t output_max_len)
{
- int ret;
- size_t ilen;
- unsigned char *p;
+ int ret, correct = 1;
+ size_t ilen, pad_count = 0;
+ unsigned char *p, *q;
unsigned char bt;
unsigned char buf[POLARSSL_MPI_MAX_SIZE];
@@ -647,36 +647,57 @@
p = buf;
if( *p++ != 0 )
- return( POLARSSL_ERR_RSA_INVALID_PADDING );
+ correct = 0;
bt = *p++;
if( ( bt != RSA_CRYPT && mode == RSA_PRIVATE ) ||
( bt != RSA_SIGN && mode == RSA_PUBLIC ) )
{
- return( POLARSSL_ERR_RSA_INVALID_PADDING );
+ correct = 0;
}
if( bt == RSA_CRYPT )
{
while( *p != 0 && p < buf + ilen - 1 )
- p++;
+ pad_count += ( *p++ != 0 );
- if( *p != 0 || p >= buf + ilen - 1 )
- return( POLARSSL_ERR_RSA_INVALID_PADDING );
+ correct &= ( *p == 0 && p < buf + ilen - 1 );
+ q = p;
+
+ // Also pass over all other bytes to reduce timing differences
+ //
+ while ( q < buf + ilen - 1 )
+ pad_count += ( *q++ != 0 );
+
+ // Prevent compiler optimization of pad_count
+ //
+ correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
p++;
}
else
{
while( *p == 0xFF && p < buf + ilen - 1 )
- p++;
+ pad_count += ( *p++ == 0xFF );
- if( *p != 0 || p >= buf + ilen - 1 )
- return( POLARSSL_ERR_RSA_INVALID_PADDING );
+ correct &= ( *p == 0 && p < buf + ilen - 1 );
+ q = p;
+
+ // Also pass over all other bytes to reduce timing differences
+ //
+ while ( q < buf + ilen - 1 )
+ pad_count += ( *q++ != 0 );
+
+ // Prevent compiler optimization of pad_count
+ //
+ correct |= pad_count & 0x100000; /* Always 0 unless 1M bit keys */
p++;
}
+ if( correct == 0 )
+ return( POLARSSL_ERR_RSA_INVALID_PADDING );
+
if (ilen - (p - buf) > output_max_len)
return( POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE );