Merge pull request #3563 from SparkiDev/base64_cr

Base64: Cache attack resistant decode
2025-07-29 18:27:29 +02:00 · 2020-12-15 15:16:09 -08:00
parent 7f44247954 972d6cfefc
commit bab2f55661
4 changed files with 133 additions and 17 deletions
--- a/wolfcrypt/src/coding.c
+++ b/wolfcrypt/src/coding.c
@ -34,6 +34,12 @@
 #ifndef NO_ASN
    #include <wolfssl/wolfcrypt/asn.h> /* For PEM_LINE_SZ */
 #endif
+#ifdef NO_INLINE
+    #include <wolfssl/wolfcrypt/misc.h>
+#else
+    #define WOLFSSL_MISC_INCLUDED
+    #include <wolfcrypt/src/misc.c>
+#endif

 enum {
    BAD         = 0xFF,  /* invalid encoding */
@ -53,18 +59,59 @@ enum {

 #ifdef WOLFSSL_BASE64_DECODE

+#ifdef BASE64_NO_TABLE
+static WC_INLINE byte Base64_Char2Val(byte c)
+{
+    word16 v = 0x0000;
+
+    v |= 0xff3E & ctMask16Eq(c, 0x2b);
+    v |= 0xff3F & ctMask16Eq(c, 0x2f);
+    v |= (c + 0xff04) & ctMask16GTE(c, 0x30) & ctMask16LTE(c, 0x39);
+    v |= (0xff00 + c - 0x41) & ctMask16GTE(c, 0x41) & ctMask16LTE(c, 0x5a);
+    v |= (0xff00 + c - 0x47) & ctMask16GTE(c, 0x61) & ctMask16LTE(c, 0x7a);
+    v |= ~(v >> 8);
+
+    return (byte)v;
+}
+#else
 static
-const byte base64Decode[] = { 62, BAD, BAD, BAD, 63,   /* + starts at 0x2B */
-                              52, 53, 54, 55, 56, 57, 58, 59, 60, 61,
-                              BAD, BAD, BAD, BAD, BAD, BAD, BAD,
-                              0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
-                              10, 11, 12, 13, 14, 15, 16, 17, 18, 19,
-                              20, 21, 22, 23, 24, 25,
-                              BAD, BAD, BAD, BAD, BAD, BAD,
-                              26, 27, 28, 29, 30, 31, 32, 33, 34, 35,
-                              36, 37, 38, 39, 40, 41, 42, 43, 44, 45,
-                              46, 47, 48, 49, 50, 51
+ALIGN64 const byte base64Decode[] = {          /* + starts at 0x2B */
+/* 0x28:       + , - . / */                   62, BAD, BAD, BAD,  63,
+/* 0x30: 0 1 2 3 4 5 6 7 */    52,  53,  54,  55,  56,  57,  58,  59,
+/* 0x38: 8 9 : ; < = > ? */    60,  61, BAD, BAD, BAD, BAD, BAD, BAD,
+/* 0x40: @ A B C D E F G */   BAD,   0,   1,   2,   3,   4,   5,   6,
+/* 0x48: H I J K L M N O */     7,   8,   9,  10,  11,  12,  13,  14,
+/* 0x50: P Q R S T U V W */    15,  16,  17,  18,  19,  20,  21,  22,
+/* 0x58: X Y Z [ \ ] ^ _ */    23,  24,  25, BAD, BAD, BAD, BAD, BAD,
+/* 0x60: ` a b c d e f g */   BAD,  26,  27,  28,  29,  30,  31,  32,
+/* 0x68: h i j k l m n o */    33,  34,  35,  36,  37,  38,  39,  40,
+/* 0x70: p q r s t u v w */    41,  42,  43,  44,  45,  46,  47,  48,
+/* 0x78: x y z           */    49,  50,  51
                            };
+#define BASE64DECODE_SZ    (byte)(sizeof(base64Decode))
+
+static WC_INLINE byte Base64_Char2Val(byte c)
+{
+#ifndef WC_NO_CACHE_RESISTANT
+    /* 80 characters in table.
+     * 64 bytes in a cache line - first line has 64, second has 16
+     */
+    byte v;
+    byte mask;
+
+    c -= BASE64_MIN;
+    mask = ctMaskLTE(c, 0x3f);
+    /* Load a value from the first cache line and use when mask set. */
+    v  = base64Decode[ c & 0x3f        ] &   mask ;
+    /* Load a value from the second cache line and use when mask not set. */
+    v |= base64Decode[(c & 0x0f) | 0x40] & (~mask);
+
+    return v;
+#else
+    return base64Decode[c - BASE64_MIN];
+#endif
+}
+#endif

 static WC_INLINE int Base64_SkipNewline(const byte* in, word32 *inLen, word32 *outJ)
 {
@ -102,7 +149,9 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
    word32 j = 0;
    word32 plainSz = inLen - ((inLen + (BASE64_LINE_SZ - 1)) / BASE64_LINE_SZ );
    int ret;
-    const byte maxIdx = (byte)sizeof(base64Decode) + BASE64_MIN - 1;
+#ifndef BASE64_NO_TABLE
+    const byte maxIdx = BASE64DECODE_SZ + BASE64_MIN - 1;
+#endif

    plainSz = (plainSz * 3 + 3) / 4;
    if (plainSz > *outLen) return BAD_FUNC_ARG;
@ -110,9 +159,9 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
    while (inLen > 3) {
        int pad3 = 0;
        int pad4 = 0;
-
        byte b1, b2, b3;
        byte e1, e2, e3, e4;
+
        if ((ret = Base64_SkipNewline(in, &inLen, &j)) != 0) {
            if (ret == BUFFER_E) {
                /* Running out of buffer here is not an error */
@ -146,7 +195,12 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
        if (e4 == PAD)
            pad4 = 1;

-        if (e1 < BASE64_MIN || e2 < BASE64_MIN || e3 < BASE64_MIN || e4 < BASE64_MIN) {
+        if (pad3 && !pad4)
+            return ASN_INPUT_E;
+
+#ifndef BASE64_NO_TABLE
+        if (e1 < BASE64_MIN || e2 < BASE64_MIN || e3 < BASE64_MIN ||
+                                                              e4 < BASE64_MIN) {
            WOLFSSL_MSG("Bad Base64 Decode data, too small");
            return ASN_INPUT_E;
        }
@ -155,16 +209,22 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
            WOLFSSL_MSG("Bad Base64 Decode data, too big");
            return ASN_INPUT_E;
        }
+#endif

        if (i + 1 + !pad3 + !pad4 > *outLen) {
            WOLFSSL_MSG("Bad Base64 Decode out buffer, too small");
            return BAD_FUNC_ARG;
        }

-        e1 = base64Decode[e1 - BASE64_MIN];
-        e2 = base64Decode[e2 - BASE64_MIN];
-        e3 = (e3 == PAD) ? 0 : base64Decode[e3 - BASE64_MIN];
-        e4 = (e4 == PAD) ? 0 : base64Decode[e4 - BASE64_MIN];
+        e1 = Base64_Char2Val(e1);
+        e2 = Base64_Char2Val(e2);
+        e3 = (e3 == PAD) ? 0 : Base64_Char2Val(e3);
+        e4 = (e4 == PAD) ? 0 : Base64_Char2Val(e4);
+
+        if (e1 == BAD || e2 == BAD || e3 == BAD || e4 == BAD) {
+            WOLFSSL_MSG("Bad Base64 Decode bad character");
+            return ASN_INPUT_E;
+        }

        b1 = (byte)((e1 << 2) | (e2 >> 4));
        b2 = (byte)(((e2 & 0xF) << 4) | (e3 >> 2));
--- a/wolfcrypt/src/misc.c
+++ b/wolfcrypt/src/misc.c
@ -435,12 +435,24 @@ WC_STATIC WC_INLINE word16 ctMask16GT(int a, int b)
    return (word16)((((word32)a - b - 1) >> 31) - 1);
 }

+/* Constant time - sets 16 bit integer mask when a >= b */
+WC_STATIC WC_INLINE word16 ctMask16GTE(int a, int b)
+{
+    return (word16)((((word32)a - b    ) >> 31) - 1);
+}
+
 /* Constant time - sets 16 bit integer mask when a < b. */
 WC_STATIC WC_INLINE word16 ctMask16LT(int a, int b)
 {
    return (word16)((((word32)b - a - 1) >> 31) - 1);
 }

+/* Constant time - sets 16 bit integer mask when a <= b. */
+WC_STATIC WC_INLINE word16 ctMask16LTE(int a, int b)
+{
+    return (word16)((((word32)b - a    ) >> 31) - 1);
+}
+
 /* Constant time - sets 16 bit integer mask when a == b. */
 WC_STATIC WC_INLINE word16 ctMask16Eq(int a, int b)
 {
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -1532,6 +1532,13 @@ static int base64_test(void)
    static const byte badSmall[] = "AAA Gdj=";
    static const byte badLarge[] = "AAA~Gdj=";
    static const byte badEOL[] = "A+Gd AA";
+    static const byte badPadding[] = "AA=A";
+    static const byte badChar[] = ",-.:;<=>?@[\\]^_`";
+    byte goodChar[] =
+        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+        "abcdefghijklmnopqrstuvwxyz"
+        "0123456789+/;";
+    byte charTest[] = "A+Gd\0\0\0";
    int        i;

    /* Good Base64 encodings. */
@ -1543,6 +1550,12 @@ static int base64_test(void)
    ret = Base64_Decode(goodEnd, sizeof(goodEnd), out, &outLen);
    if (ret != 0)
        return -1201;
+    outLen = sizeof(goodChar);
+    ret = Base64_Decode(goodChar, sizeof(goodChar), goodChar, &outLen);
+    if (ret != 0)
+        return -1235;
+    if (outLen != 64 / 4 * 3)
+        return -1236;

    /* Bad parameters. */
    outLen = 1;
@ -1552,6 +1565,10 @@ static int base64_test(void)

    outLen = sizeof(out);
    ret = Base64_Decode(badEOL, sizeof(badEOL), out, &outLen);
+    if (ret != ASN_INPUT_E)
+        return -1203;
+    outLen = sizeof(out);
+    ret = Base64_Decode(badPadding, sizeof(badPadding), out, &outLen);
    if (ret != ASN_INPUT_E)
        return -1203;
    /* Bad character at each offset 0-3. */
@ -1564,6 +1581,31 @@ static int base64_test(void)
        if (ret != ASN_INPUT_E)
            return -1214 - i;
    }
+    /* Invalid character less than 0x2b */
+    for (i = 1; i < 0x2b; i++) {
+        outLen = sizeof(out);
+        charTest[0] = i;
+        ret = Base64_Decode(charTest, sizeof(charTest), out, &outLen);
+        if (ret != ASN_INPUT_E)
+            return -1240 - i;
+    }
+    /* Bad characters in range 0x2b - 0x7a. */
+    for (i = 0; i < (int)sizeof(badChar) - 1; i++) {
+        outLen = sizeof(out);
+        charTest[0] = badChar[i];
+        ret = Base64_Decode(charTest, sizeof(charTest), out, &outLen);
+        if (ret != ASN_INPUT_E)
+            return -1270 - i;
+    }
+    /* Invalid character greater than 0x7a */
+    for (i = 0x7b; i < 0x100; i++) {
+        outLen = sizeof(out);
+        charTest[0] = i;
+        ret = Base64_Decode(charTest, sizeof(charTest), out, &outLen);
+        if (ret != ASN_INPUT_E)
+            return -1290 - i;
+    }
+    

 #ifdef WOLFSSL_BASE64_ENCODE
    /* Decode and encode all symbols - non-alphanumeric. */
--- a/wolfssl/wolfcrypt/misc.h
+++ b/wolfssl/wolfcrypt/misc.h
@ -115,7 +115,9 @@ WOLFSSL_LOCAL byte ctMaskLT(int a, int b);
 WOLFSSL_LOCAL byte ctMaskLTE(int a, int b);
 WOLFSSL_LOCAL byte ctMaskEq(int a, int b);
 WOLFSSL_LOCAL word16 ctMask16GT(int a, int b);
+WOLFSSL_LOCAL word16 ctMask16GTE(int a, int b);
 WOLFSSL_LOCAL word16 ctMask16LT(int a, int b);
+WOLFSSL_LOCAL word16 ctMask16LTE(int a, int b);
 WOLFSSL_LOCAL word16 ctMask16Eq(int a, int b);
 WOLFSSL_LOCAL byte ctMaskNotEq(int a, int b);
 WOLFSSL_LOCAL byte ctMaskSel(byte m, byte a, byte b);