[openssl-commits] [openssl] OpenSSL_1_1_1-stable update

Matt Caswell matt at openssl.org
Fri Nov 30 15:02:18 UTC 2018


The branch OpenSSL_1_1_1-stable has been updated
       via  f1d91b89701627cc39e98987bc344aaae64f64fb (commit)
       via  f5ebe54c00128d5ee0a28ba7f822a8d1b07e71e5 (commit)
       via  db1b63f45c8585c9c7741e0540c01baad22aa190 (commit)
       via  382448f33757d96a65207c8e9b55fadf45517e57 (commit)
       via  d2cd28b99efa65dbd39cb8db0f2ad992be1aab00 (commit)
      from  89cb61de2af5f0fb07c86de086d57f20d523f6ba (commit)


- Log -----------------------------------------------------------------
commit f1d91b89701627cc39e98987bc344aaae64f64fb
Author: Andy Polyakov <appro at openssl.org>
Date:   Fri Sep 14 17:24:13 2018 +0200

    rsa/rsa_ssl.c: make RSA_padding_check_SSLv23 constant-time.
    
    Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
    if nul delimiter is preceded by 8 consecutive 0x03 bytes.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit 603221407ddc6404f8c417c6beadebf84449074c)

commit f5ebe54c00128d5ee0a28ba7f822a8d1b07e71e5
Author: Andy Polyakov <appro at openssl.org>
Date:   Thu Sep 6 21:54:23 2018 +0200

    rsa/rsa_oaep.c: remove memcpy calls from RSA_padding_check_PKCS1_OAEP.
    
    And make RSAErr call unconditional.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit 75f5e944be97f28867e7c489823c889d89d0bd06)

commit db1b63f45c8585c9c7741e0540c01baad22aa190
Author: Andy Polyakov <appro at openssl.org>
Date:   Sat Sep 1 12:00:33 2018 +0200

    rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.
    
    And make RSAErr call unconditional.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c)

commit 382448f33757d96a65207c8e9b55fadf45517e57
Author: Andy Polyakov <appro at openssl.org>
Date:   Fri Sep 14 12:17:43 2018 +0200

    rsa/rsa_ossl.c: make RSAerr call in rsa_ossl_private_decrypt unconditional.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit 89072e0c2a483f2ad678e723e112712567b0ceb1)

commit d2cd28b99efa65dbd39cb8db0f2ad992be1aab00
Author: Andy Polyakov <appro at openssl.org>
Date:   Sat Sep 1 12:19:30 2018 +0200

    err/err.c: add err_clear_last_constant_time.
    
    Expected usage pattern is to unconditionally set error and then
    wipe it if there was no actual error.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (cherry picked from commit f658a3b64d8750642f4975090740865f770c2a1b)

-----------------------------------------------------------------------

Summary of changes:
 crypto/err/err.c                          |  21 +++++
 crypto/rsa/rsa_oaep.c                     |  82 +++++++++++-------
 crypto/rsa/rsa_ossl.c                     |   5 +-
 crypto/rsa/rsa_pk1.c                      |  93 +++++++++++----------
 crypto/rsa/rsa_ssl.c                      | 133 +++++++++++++++++++++---------
 doc/man3/RSA_padding_add_PKCS1_type_1.pod |   7 +-
 include/internal/constant_time_locl.h     |   6 ++
 7 files changed, 234 insertions(+), 113 deletions(-)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index 34061bc..66a60e9 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -20,6 +20,7 @@
 #include <openssl/opensslconf.h>
 #include "internal/thread_once.h"
 #include "internal/ctype.h"
+#include "internal/constant_time_locl.h"
 
 static int err_load_strings(const ERR_STRING_DATA *str);
 
@@ -878,3 +879,23 @@ int ERR_clear_last_mark(void)
     es->err_flags[top] &= ~ERR_FLAG_MARK;
     return 1;
 }
+
+void err_clear_last_constant_time(int clear)
+{
+    ERR_STATE *es;
+    int top;
+
+    es = ERR_get_state();
+    if (es == NULL)
+        return;
+
+    top = es->top;
+
+    es->err_flags[top] &= ~(0 - clear);
+    es->err_buffer[top] &= ~(0UL - clear);
+    es->err_file[top] = (const char *)((uintptr_t)es->err_file[top] &
+                                       ~((uintptr_t)0 - clear));
+    es->err_line[top] |= 0 - clear;
+
+    es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+}
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index f13c6fc..689e6dc 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -120,7 +120,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
                                       const EVP_MD *mgf1md)
 {
     int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
-    unsigned int good, found_one_byte;
+    unsigned int good = 0, found_one_byte, mask;
     const unsigned char *maskedseed, *maskeddb;
     /*
      * |em| is the encoded message, zero-padded to exactly |num| bytes: em =
@@ -147,8 +147,11 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
      * the ciphertext, see PKCS #1 v2.2, section 7.1.2.
      * This does not leak any side-channel information.
      */
-    if (num < flen || num < 2 * mdlen + 2)
-        goto decoding_err;
+    if (num < flen || num < 2 * mdlen + 2) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+               RSA_R_OAEP_DECODING_ERROR);
+        return -1;
+    }
 
     dblen = num - mdlen - 1;
     db = OPENSSL_malloc(dblen);
@@ -157,25 +160,26 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
         goto cleanup;
     }
 
-    if (flen != num) {
-        em = OPENSSL_zalloc(num);
-        if (em == NULL) {
-            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
-                   ERR_R_MALLOC_FAILURE);
-            goto cleanup;
-        }
+    em = OPENSSL_malloc(num);
+    if (em == NULL) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+               ERR_R_MALLOC_FAILURE);
+        goto cleanup;
+    }
 
-        /*
-         * Caller is encouraged to pass zero-padded message created with
-         * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
-         * to avoid leaking that information. The copy still leaks some
-         * side-channel information, but it's impossible to have a fixed
-         * memory access pattern since we can't read out of the bounds of
-         * |from|.
-         */
-        memcpy(em + num - flen, from, flen);
-        from = em;
+    /*
+     * Caller is encouraged to pass zero-padded message created with
+     * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+     * bounds, it's impossible to have an invariant memory access pattern
+     * in case |from| was not zero-padded in advance.
+     */
+    for (from += flen, em += num, i = 0; i < num; i++) {
+        mask = ~constant_time_is_zero(flen);
+        flen -= 1 & mask;
+        from -= 1 & mask;
+        *--em = *from & mask;
     }
+    from = em;
 
     /*
      * The first byte must be zero, however we must not leak if this is
@@ -222,32 +226,48 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
      * so plaintext-awareness ensures timing side-channels are no longer a
      * concern.
      */
-    if (!good)
-        goto decoding_err;
-
     msg_index = one_index + 1;
     mlen = dblen - msg_index;
 
-    if (tlen < mlen) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);
-        mlen = -1;
-    } else {
-        memcpy(to, db + msg_index, mlen);
-        goto cleanup;
+    /*
+     * For good measure, do this check in constant tine as well.
+     */
+    good &= constant_time_ge(tlen, mlen);
+
+    /*
+     * Even though we can't fake result's length, we can pretend copying
+     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
+     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+     * where |mlen'| is "saturated" |mlen| value. Deducing information
+     * about failure or |mlen| would take attacker's ability to observe
+     * memory access pattern with byte granularity *as it occurs*. It
+     * should be noted that failure is indistinguishable from normal
+     * operation if |tlen| is fixed by protocol.
+     */
+    tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
+    msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
+    mlen = dblen - msg_index;
+    for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
+        unsigned int equals = constant_time_eq(i, mlen);
+
+        from -= dblen & equals; /* if (i == dblen) rewind   */
+        mask &= mask ^ equals;  /* if (i == dblen) mask = 0 */
+        to[i] = constant_time_select_8(mask, from[i], to[i]);
     }
 
- decoding_err:
     /*
      * To avoid chosen ciphertext attacks, the error message should not
      * reveal which kind of decoding error happened.
      */
     RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
            RSA_R_OAEP_DECODING_ERROR);
+    err_clear_last_constant_time(1 & good);
  cleanup:
     OPENSSL_cleanse(seed, sizeof(seed));
     OPENSSL_clear_free(db, dblen);
     OPENSSL_clear_free(em, num);
-    return mlen;
+
+    return constant_time_select_int(good, mlen, -1);
 }
 
 int PKCS1_MGF1(unsigned char *mask, long len,
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 09762b7..4651342 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -10,6 +10,7 @@
 #include "internal/cryptlib.h"
 #include "internal/bn_int.h"
 #include "rsa_locl.h"
+#include "internal/constant_time_locl.h"
 
 static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
                                   unsigned char *to, RSA *rsa, int padding);
@@ -479,8 +480,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
         RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
         goto err;
     }
-    if (r < 0)
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+    RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+    err_clear_last_constant_time(r >= 0);
 
  err:
     if (ctx != NULL)
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index d07c0d6..b3a7a06 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -158,7 +158,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
     int i;
     /* |em| is the encoded message, zero-padded to exactly |num| bytes */
     unsigned char *em = NULL;
-    unsigned int good, found_zero_byte;
+    unsigned int good, found_zero_byte, mask;
     int zero_index = 0, msg_index, mlen = -1;
 
     if (tlen < 0 || flen < 0)
@@ -169,39 +169,41 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
      * section 7.2.2.
      */
 
-    if (flen > num)
-        goto err;
-
-    if (num < 11)
-        goto err;
+    if (flen > num || num < 11) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
+               RSA_R_PKCS_DECODING_ERROR);
+        return -1;
+    }
 
-    if (flen != num) {
-        em = OPENSSL_zalloc(num);
-        if (em == NULL) {
-            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
-            return -1;
-        }
-        /*
-         * Caller is encouraged to pass zero-padded message created with
-         * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
-         * to avoid leaking that information. The copy still leaks some
-         * side-channel information, but it's impossible to have a fixed
-         * memory access pattern since we can't read out of the bounds of
-         * |from|.
-         */
-        memcpy(em + num - flen, from, flen);
-        from = em;
+    em = OPENSSL_malloc(num);
+    if (em == NULL) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
+        return -1;
+    }
+    /*
+     * Caller is encouraged to pass zero-padded message created with
+     * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+     * bounds, it's impossible to have an invariant memory access pattern
+     * in case |from| was not zero-padded in advance.
+     */
+    for (from += flen, em += num, i = 0; i < num; i++) {
+        mask = ~constant_time_is_zero(flen);
+        flen -= 1 & mask;
+        from -= 1 & mask;
+        *--em = *from & mask;
     }
+    from = em;
 
     good = constant_time_is_zero(from[0]);
     good &= constant_time_eq(from[1], 2);
 
+    /* scan over padding data */
     found_zero_byte = 0;
     for (i = 2; i < num; i++) {
         unsigned int equals0 = constant_time_is_zero(from[i]);
-        zero_index =
-            constant_time_select_int(~found_zero_byte & equals0, i,
-                                     zero_index);
+
+        zero_index = constant_time_select_int(~found_zero_byte & equals0,
+                                              i, zero_index);
         found_zero_byte |= equals0;
     }
 
@@ -210,7 +212,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
      * If we never found a 0-byte, then |zero_index| is 0 and the check
      * also fails.
      */
-    good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);
+    good &= constant_time_ge(zero_index, 2 + 8);
 
     /*
      * Skip the zero byte. This is incorrect if we never found a zero-byte
@@ -220,27 +222,34 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
     mlen = num - msg_index;
 
     /*
-     * For good measure, do this check in constant time as well; it could
-     * leak something if |tlen| was assuming valid padding.
+     * For good measure, do this check in constant time as well.
      */
-    good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));
+    good &= constant_time_ge(tlen, mlen);
 
     /*
-     * We can't continue in constant-time because we need to copy the result
-     * and we cannot fake its length. This unavoidably leaks timing
-     * information at the API boundary.
+     * Even though we can't fake result's length, we can pretend copying
+     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
+     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+     * where |mlen'| is "saturated" |mlen| value. Deducing information
+     * about failure or |mlen| would take attacker's ability to observe
+     * memory access pattern with byte granularity *as it occurs*. It
+     * should be noted that failure is indistinguishable from normal
+     * operation if |tlen| is fixed by protocol.
      */
-    if (!good) {
-        mlen = -1;
-        goto err;
-    }
+    tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
+    msg_index = constant_time_select_int(good, msg_index, num - tlen);
+    mlen = num - msg_index;
+    for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
+        unsigned int equals = constant_time_eq(i, mlen);
 
-    memcpy(to, from + msg_index, mlen);
+        from -= tlen & equals;  /* if (i == mlen) rewind   */
+        mask &= mask ^ equals;  /* if (i == mlen) mask = 0 */
+        to[i] = constant_time_select_8(mask, from[i], to[i]);
+    }
 
- err:
     OPENSSL_clear_free(em, num);
-    if (mlen == -1)
-        RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
-               RSA_R_PKCS_DECODING_ERROR);
-    return mlen;
+    RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR);
+    err_clear_last_constant_time(1 & good);
+
+    return constant_time_select_int(good, mlen, -1);
 }
diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c
index 286d0a4..c565459 100644
--- a/crypto/rsa/rsa_ssl.c
+++ b/crypto/rsa/rsa_ssl.c
@@ -12,6 +12,7 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
+#include "internal/constant_time_locl.h"
 
 int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
                            const unsigned char *from, int flen)
@@ -52,57 +53,115 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
     return 1;
 }
 
+/*
+ * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
+ * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
+ * preserves error code reporting for backward compatibility.
+ */
 int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                              const unsigned char *from, int flen, int num)
 {
-    int i, j, k;
-    const unsigned char *p;
+    int i;
+    /* |em| is the encoded message, zero-padded to exactly |num| bytes */
+    unsigned char *em = NULL;
+    unsigned int good, found_zero_byte, mask, threes_in_row;
+    int zero_index = 0, msg_index, mlen = -1, err;
 
-    p = from;
     if (flen < 10) {
         RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
         return -1;
     }
-    /* Accept even zero-padded input */
-    if (flen == num) {
-        if (*(p++) != 0) {
-            RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
-            return -1;
-        }
-        flen--;
-    }
-    if ((num != (flen + 1)) || (*(p++) != 02)) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
-        return -1;
-    }
 
-    /* scan over padding data */
-    j = flen - 1;               /* one for type */
-    for (i = 0; i < j; i++)
-        if (*(p++) == 0)
-            break;
-
-    if ((i == j) || (i < 8)) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
-               RSA_R_NULL_BEFORE_BLOCK_MISSING);
+    em = OPENSSL_malloc(num);
+    if (em == NULL) {
+        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, ERR_R_MALLOC_FAILURE);
         return -1;
     }
-    for (k = -9; k < -1; k++) {
-        if (p[k] != 0x03)
-            break;
+    /*
+     * Caller is encouraged to pass zero-padded message created with
+     * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+     * bounds, it's impossible to have an invariant memory access pattern
+     * in case |from| was not zero-padded in advance.
+     */
+    for (from += flen, em += num, i = 0; i < num; i++) {
+        mask = ~constant_time_is_zero(flen);
+        flen -= 1 & mask;
+        from -= 1 & mask;
+        *--em = *from & mask;
     }
-    if (k == -1) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_SSLV3_ROLLBACK_ATTACK);
-        return -1;
+    from = em;
+
+    good = constant_time_is_zero(from[0]);
+    good &= constant_time_eq(from[1], 2);
+    err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
+    mask = ~good;
+
+    /* scan over padding data */
+    found_zero_byte = 0;
+    threes_in_row = 0;
+    for (i = 2; i < num; i++) {
+        unsigned int equals0 = constant_time_is_zero(from[i]);
+
+        zero_index = constant_time_select_int(~found_zero_byte & equals0,
+                                              i, zero_index);
+        found_zero_byte |= equals0;
+
+        threes_in_row += 1 & ~found_zero_byte;
+        threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3);
     }
 
-    i++;                        /* Skip over the '\0' */
-    j -= i;
-    if (j > tlen) {
-        RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
-        return -1;
+    /*
+     * PS must be at least 8 bytes long, and it starts two bytes into |from|.
+     * If we never found a 0-byte, then |zero_index| is 0 and the check
+     * also fails.
+     */
+    good &= constant_time_ge(zero_index, 2 + 8);
+    err = constant_time_select_int(mask | good, err,
+                                   RSA_R_NULL_BEFORE_BLOCK_MISSING);
+    mask = ~good;
+
+    good &= constant_time_lt(threes_in_row, 8);
+    err = constant_time_select_int(mask | good, err,
+                                   RSA_R_SSLV3_ROLLBACK_ATTACK);
+    mask = ~good;
+
+    /*
+     * Skip the zero byte. This is incorrect if we never found a zero-byte
+     * but in this case we also do not copy the message out.
+     */
+    msg_index = zero_index + 1;
+    mlen = num - msg_index;
+
+    /*
+     * For good measure, do this check in constant time as well.
+     */
+    good &= constant_time_ge(tlen, mlen);
+    err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);
+
+    /*
+     * Even though we can't fake result's length, we can pretend copying
+     * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
+     * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+     * where |mlen'| is "saturated" |mlen| value. Deducing information
+     * about failure or |mlen| would take attacker's ability to observe
+     * memory access pattern with byte granularity *as it occurs*. It
+     * should be noted that failure is indistinguishable from normal
+     * operation if |tlen| is fixed by protocol.
+     */
+    tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
+    msg_index = constant_time_select_int(good, msg_index, num - tlen);
+    mlen = num - msg_index;
+    for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
+        unsigned int equals = constant_time_eq(i, mlen);
+
+        from -= tlen & equals;  /* if (i == mlen) rewind   */
+        mask &= mask ^ equals;  /* if (i == mlen) mask = 0 */
+        to[i] = constant_time_select_8(mask, from[i], to[i]);
     }
-    memcpy(to, p, (unsigned int)j);
 
-    return j;
+    OPENSSL_clear_free(em, num);
+    RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, err);
+    err_clear_last_constant_time(1 & good);
+
+    return constant_time_select_int(good, mlen, -1);
 }
diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
index 93911ca..9ea2634 100644
--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
@@ -110,7 +110,12 @@ L<ERR_get_error(3)>.
 The RSA_padding_check_PKCS1_type_2() padding check leaks timing
 information which can potentially be used to mount a Bleichenbacher
 padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding.
+v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
+be recommended to pass zero-padded B<f>, so that B<fl> equals to
+B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
+expected length. In such case leakage would be minimal, it would
+take attacker's ability to observe memory access pattern with byte
+granilarity as it occurs, post-factum timing analysis won't do.
 
 =head1 SEE ALSO
 
diff --git a/include/internal/constant_time_locl.h b/include/internal/constant_time_locl.h
index 82ff746..cde30f4 100644
--- a/include/internal/constant_time_locl.h
+++ b/include/internal/constant_time_locl.h
@@ -324,4 +324,10 @@ static ossl_inline void constant_time_lookup(void *out,
     }
 }
 
+/*
+ * Expected usage pattern is to unconditionally set error and then
+ * wipe it if there was no actual error. |clear| is 1 or 0.
+ */
+void err_clear_last_constant_time(int clear);
+
 #endif                          /* HEADER_CONSTANT_TIME_LOCL_H */


More information about the openssl-commits mailing list