From 01aad13c384446a86d8acc57199807521fc90856 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Wed, 27 Jul 2022 12:02:15 +1000
Subject: [PATCH] Rework
---
 src/internal.c | 18 +++++++-----------
 wolfcrypt/src/misc.c | 11 ++++++-----
 wolfssl/wolfcrypt/misc.h | 3 +--
 3 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 0ec64b148..7b28e0037 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -4626,10 +4626,8 @@ int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig, word32 sigSz,
 int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz,
 RsaKey* key, DerBuffer* keyBufInfo)
 {
- word32 outSzTmp;
 byte *outTmp;
 byte mask;
- int zero;
 int ret;
 #ifdef HAVE_PK_CALLBACKS
 const byte* keyBuf = NULL;
@@ -4678,12 +4676,10 @@ int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz,
 #endif /* WOLFSSL_ASYNC_CRYPT */
 mask = ctMaskGT(ret, 0);
- *outSz = 0;
- zero = 0;
- outSzTmp = (word32)ret;
- ctMaskCopy(mask, (byte*)outSz, (byte*)&outSzTmp, (byte*)outSz, sizeof(*outSz));
- ctMaskCopy(mask, (byte*)&ret, (byte*)&zero, (byte*)&ret, sizeof(ret));
- ctMaskCopy(mask, (byte*)out, (byte*)&outTmp, (byte*)out, sizeof(*out));
+ *outSz = (word32)(ret & (int)(sword8)mask);
+ ret &= (int)(sword8)(~mask);
+ /* Copy pointer */
+ ctMaskCopy(mask, (byte*)out, (byte*)&outTmp, sizeof(*out));
 WOLFSSL_LEAVE("RsaDec", ret);
@@ -34762,7 +34758,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
 ret = args->lastErr;
 args->lastErr = 0; /* reset */
- /* On error 'ret' will be negative - top bit set */
+ /* On error 'ret' will be negative */
 mask = ((unsigned int)ret >> ((sizeof(ret) * 8) - 1)) - 1;
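Review bot: The two new mask lines in RsaDec, `*outSz = (word32)(ret & (int)(sword8)mask);` and `ret &= (int)(sword8)(~mask);`, get their sign extension by narrowing out-of-range values into a signed 8-bit type: mask is a byte holding 0xFF or 0x00 (from ctMaskGT), so 0xFF and the int-promoted `~mask` (0xFFFFFF00) are both outside the sword8 range and that conversion is implementation-defined in C11 (6.3.1.3), even though mainstream compilers yield the intended -1/0. The project already declares `ctMaskSelInt(byte m, int a, int b)`; if it selects `a` when the mask is set, as ctMaskSel does in the removed ctMaskCopy body, the same result needs no casts: `*outSz = (word32)ctMaskSelInt(mask, ret, 0);` and `ret = ctMaskSelInt(mask, 0, ret);` (or derive one well-defined mask once with `int imask = -(int)(mask & 1);` and use `ret & imask` / `ret & ~imask`). The `/* Copy pointer */` comment would serve better stating the contract being enforced, e.g. `/* success: *out/*outSz set, ret 0; failure: *out untouched, *outSz 0, ret keeps the error */`. RsaDec's body continues outside the hunk.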
@@ -34771,8 +34767,8 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
 ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
 tmpRsa = input + args->idx - VERSION_SZ - SECRET_LEN;
- ctMaskCopy(mask, (byte*)&args->output,
- (byte*)&args->output, (byte*)&tmpRsa, sizeof(args->output));
+ ctMaskCopy(~mask, (byte*)&args->output, (byte*)&tmpRsa,
+ sizeof(args->output));
 if (args->output != NULL) {
 /* Use random secret on error */
 for (i = VERSION_SZ; i < SECRET_LEN; i++) {
diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c
index 7d534ffde..2c8172247 100644
--- a/wolfcrypt/src/misc.c
+++ b/wolfcrypt/src/misc.c
@@ -545,14 +545,15 @@ WC_STATIC WC_INLINE byte ctSetLTE(int a, int b)
 return (byte)(((word32)a - b - 1) >> 31);
 }
-/* Constant time - copy size bytes from left to dst if mask is set, size bytes
- * from right to dst if mask is not set */
-WC_STATIC WC_INLINE void ctMaskCopy(byte m, byte* dst, byte* left, byte* right,
+/* Constant time - conditionally copy size bytes from src to dst if mask is set
+ */
+WC_STATIC WC_INLINE void ctMaskCopy(byte mask, byte* dst, byte* src,
 word16 size)
 {
 int i;
- for (i = 0; i < size; ++i)
- dst[i] = ctMaskSel(m, left[i], right[i]);
+ for (i = 0; i < size; ++i) {
+ dst[i] ^= (dst[i] ^ src[i]) & mask;
+ }
 }
 #endif
diff --git a/wolfssl/wolfcrypt/misc.h b/wolfssl/wolfcrypt/misc.h
index d0231e5ff..f732faeb8 100644
--- a/wolfssl/wolfcrypt/misc.h
+++ b/wolfssl/wolfcrypt/misc.h
@@ -126,8 +126,7 @@ WOLFSSL_LOCAL byte ctMaskNotEq(int a, int b);
 WOLFSSL_LOCAL byte ctMaskSel(byte m, byte a, byte b);
 WOLFSSL_LOCAL int ctMaskSelInt(byte m, int a, int b);
 WOLFSSL_LOCAL byte ctSetLTE(int a, int b);
-WOLFSSL_LOCAL void ctMaskCopy(byte m, byte* dst, byte* left, byte* right,
- word16 size);
+WOLFSSL_LOCAL void ctMaskCopy(byte mask, byte* dst, byte* src, word16 size);
 #endif /* NO_INLINE */
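Review bot: `~mask` at the new ctMaskCopy call is evaluated at int width (mask is assigned from `((unsigned int)ret >> 31) - 1` in the preceding hunk, so it is all-ones or zero) and is then silently narrowed to the `byte` parameter; the low byte comes out as 0xFF/0x00 so the selection is correct, but the implicit truncation is easy to misread and trips -Wconversion, so make it explicit: `ctMaskCopy((byte)~mask, (byte*)&args->output, (byte*)&tmpRsa, sizeof(args->output));`. Since the inverted mask now does the choosing, a one-line comment above the call would help the next reader, e.g. `/* on error (mask clear) point output at the client's bytes so a random secret is used below */`. The declaration of mask and the enclosing function both lie outside this hunk, so mask's exact type is inferred from that assignment rather than seen.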
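Review bot: The new XOR-select body of ctMaskCopy, `dst[i] ^= (dst[i] ^ src[i]) & mask;`, is only a copy when `mask` is exactly 0xFF or 0x00; any other value interleaves bits of dst and src, and the header comment should say so, e.g. `/* mask must be 0xFF (copy src) or 0x00 (leave dst) as returned by the ctMask* helpers; other values mix bits of dst and src */`. The rewrite also changes the contract from a two-source select to a conditional overwrite, so any caller outside this patch that relied on `right` being written when the mask was clear would silently keep stale data; the two callers in src/internal.c are converted here, and I cannot see from this diff whether others exist. `src` is never written through and could be declared `const byte*` in both the definition and the misc.h prototype. ctSetLTE's start lies outside the hunk.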