WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #5402 from rizlik/dke_rsa 

doClientKeyExchange improvements
pull/5411/head
David Garske 2022-07-27 08:01:16 -07:00 committed by GitHub
parent 5f47adba3c 01aad13c38
commit 6f282c2c57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/internal.c
View File

@ -4626,6 +4626,8 @@ int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig, word32 sigSz,
int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz, int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz,
RsaKey* key, DerBuffer* keyBufInfo) RsaKey* key, DerBuffer* keyBufInfo)
{ {
byte *outTmp;
byte mask;
int ret; int ret;
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS
const byte* keyBuf = NULL; const byte* keyBuf = NULL;
@ -4642,6 +4644,7 @@ int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz,
WOLFSSL_ENTER("RsaDec"); WOLFSSL_ENTER("RsaDec");
outTmp = *out;
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
/* initialize event */ /* initialize event */
ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
@ -4652,7 +4655,7 @@ int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz,
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS
if (ssl->ctx->RsaDecCb) { if (ssl->ctx->RsaDecCb) {
void* ctx = wolfSSL_GetRsaDecCtx(ssl); void* ctx = wolfSSL_GetRsaDecCtx(ssl);
ret = ssl->ctx->RsaDecCb(ssl, in, inSz, out, keyBuf, keySz, ctx); ret = ssl->ctx->RsaDecCb(ssl, in, inSz, &outTmp, keyBuf, keySz, ctx);
} }
else else
#endif /* HAVE_PK_CALLBACKS */ #endif /* HAVE_PK_CALLBACKS */
@ -4662,7 +4665,7 @@ int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz,
if (ret != 0) if (ret != 0)
return ret; return ret;
#endif #endif
ret = wc_RsaPrivateDecryptInline(in, inSz, out, key); ret = wc_RsaPrivateDecryptInline(in, inSz, &outTmp, key);
} }
/* Handle async pending response */ /* Handle async pending response */
@ -4672,11 +4675,11 @@ int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz,
} }
#endif /* WOLFSSL_ASYNC_CRYPT */ #endif /* WOLFSSL_ASYNC_CRYPT */
/* For positive response return in outSz */ mask = ctMaskGT(ret, 0);
if (ret > 0) { *outSz = (word32)(ret & (int)(sword8)mask);
*outSz = ret; ret &= (int)(sword8)(~mask);
ret = 0; /* Copy pointer */
} ctMaskCopy(mask, (byte*)out, (byte*)&outTmp, sizeof(*out));
WOLFSSL_LEAVE("RsaDec", ret); WOLFSSL_LEAVE("RsaDec", ret);
@ -34730,6 +34733,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
#ifndef NO_RSA #ifndef NO_RSA
case rsa_kea: case rsa_kea:
{ {
byte *tmpRsa;
byte mask; byte mask;
int i; int i;
@ -34754,7 +34758,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
ret = args->lastErr; ret = args->lastErr;
args->lastErr = 0; /* reset */ args->lastErr = 0; /* reset */
/* On error 'ret' will be negative - top bit set */ /* On error 'ret' will be negative */
mask = ((unsigned int)ret >> mask = ((unsigned int)ret >>
((sizeof(ret) * 8) - 1)) - 1; ((sizeof(ret) * 8) - 1)) - 1;
@ -34762,6 +34766,9 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
ssl->arrays->preMasterSecret[0] = ssl->chVersion.major; ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
tmpRsa = input + args->idx - VERSION_SZ - SECRET_LEN;
ctMaskCopy(~mask, (byte*)&args->output, (byte*)&tmpRsa,
sizeof(args->output));
if (args->output != NULL) { if (args->output != NULL) {
/* Use random secret on error */ /* Use random secret on error */
for (i = VERSION_SZ; i < SECRET_LEN; i++) { for (i = VERSION_SZ; i < SECRET_LEN; i++) {

12
wolfcrypt/src/misc.c
View File

@ -544,6 +544,18 @@ WC_STATIC WC_INLINE byte ctSetLTE(int a, int b)
{ {
return (byte)(((word32)a - b - 1) >> 31); return (byte)(((word32)a - b - 1) >> 31);
} }
/* Constant time - conditionally copy size bytes from src to dst if mask is set
*/
WC_STATIC WC_INLINE void ctMaskCopy(byte mask, byte* dst, byte* src,
word16 size)
{
int i;
for (i = 0; i < size; ++i) {
dst[i] ^= (dst[i] ^ src[i]) & mask;
}
}
#endif #endif
#if defined(WOLFSSL_W64_WRAPPER) #if defined(WOLFSSL_W64_WRAPPER)

1
wolfssl/wolfcrypt/misc.h
View File

@ -126,6 +126,7 @@ WOLFSSL_LOCAL byte ctMaskNotEq(int a, int b);
WOLFSSL_LOCAL byte ctMaskSel(byte m, byte a, byte b); WOLFSSL_LOCAL byte ctMaskSel(byte m, byte a, byte b);
WOLFSSL_LOCAL int ctMaskSelInt(byte m, int a, int b); WOLFSSL_LOCAL int ctMaskSelInt(byte m, int a, int b);
WOLFSSL_LOCAL byte ctSetLTE(int a, int b); WOLFSSL_LOCAL byte ctSetLTE(int a, int b);
WOLFSSL_LOCAL void ctMaskCopy(byte mask, byte* dst, byte* src, word16 size);
#endif /* NO_INLINE */ #endif /* NO_INLINE */