generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

RT3425: constant-time evp_enc

Browse Source 
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b55ff319f880adc874b8c95957adf2003117d42b)

Conflicts:
	crypto/evp/Makefile
	crypto/evp/evp_enc.c
This commit is contained in:
Emilia Kasper 2014-09-05 14:47:33 +02:00
parent 699d78ce98
commit 1bb01b1b5f
2 changed files with 30 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
crypto/evp/Makefile
View File

@ -385,7 +385,8 @@ evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
evp_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h evp_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
evp_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h evp_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
evp_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_enc.c evp_locl.h evp_enc.o: ../../include/openssl/x509_vfy.h ../constant_time_locl.h
evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h

49
crypto/evp/evp_enc.c
View File

@ -64,6 +64,7 @@
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h> #include <openssl/engine.h>
#endif #endif
#include "../constant_time_locl.h"
#include "evp_locl.h" #include "evp_locl.h"
#ifdef OPENSSL_FIPS #ifdef OPENSSL_FIPS
@ -301,11 +302,11 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{ {
int i,n; unsigned int i, b;
unsigned int b; unsigned char pad, padding_good;
*outl=0; *outl=0;
b=ctx->cipher->block_size; b=(unsigned int)(ctx->cipher->block_size);
if (ctx->flags & EVP_CIPH_NO_PADDING) if (ctx->flags & EVP_CIPH_NO_PADDING)
{ {
if(ctx->buf_len) if(ctx->buf_len)
@ -324,28 +325,34 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
return(0); return(0);
} }
OPENSSL_assert(b <= sizeof ctx->final); OPENSSL_assert(b <= sizeof ctx->final);
n=ctx->final[b-1]; pad=ctx->final[b-1];
if (n == 0 || n > (int)b)
padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
padding_good &= constant_time_ge_8(b, pad);
for (i = 1; i < b; ++i)
{ {
EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT); unsigned char is_pad_index = constant_time_lt_8(i, pad);
return(0); unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
} }
for (i=0; i<n; i++)
{ /*
if (ctx->final[--b] != n) * At least 1 byte is always padding, so we always write b - 1
{ * bytes to avoid a timing leak. The caller is required to have |b|
EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT); * bytes space in |out| by the API contract.
return(0); */
} for (i = 0; i < b - 1; ++i)
} out[i] = ctx->final[i] & padding_good;
n=ctx->cipher->block_size-n; /* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
for (i=0; i<n; i++) *outl = padding_good & ((unsigned char)(b - pad));
out[i]=ctx->final[i]; return padding_good & 1;
*outl=n;
} }
else else
*outl=0; {
return(1); *outl = 0;
return 1;
}
} }
void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)