
2014-07-25 19:40:20 by Martin Nilsson <nilsson@opera.com>

More serious attempt at constant time RSA unpadding.

402:   string(8bit) rsa_unpad(Gmp.mpz block, int type)   {    string(8bit) s = block->digits(256); -  int i = search(s, "\0"); +     -  // Evaluate all error conditions for timing reasons. -  if ( `+( (i < 9), (sizeof(s) != (size - 1)), (s[0] != type) ) ) -  return 0; -  return s[i+1..]; +  // Content independent size information. Not timing sensitive. +  if( sizeof(s)!=(size-1) ) return 0; +  +  int i = Nettle.rsa_unpad(s, type); +  if( !i ) return 0; +  +  return s[i..];   }      //! Pads the @[digest] with @[rsa_pad] type 1 and signs it.
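Review bot: The new comment "Content independent size information. Not timing sensitive." overstates the case for the `sizeof(s)!=(size-1)` check: `block->digits(256)` produces a minimal-length byte string (which is why the expected length is `size-1` rather than `size`, the leading 0x00 having been dropped), so `sizeof(s)` depends on how many leading zero bytes the decrypted block happens to have, and the early `return 0` therefore still takes a distinct code path for blocks whose leading bytes are malformed. Consider left-padding `s` with zero bytes to `size-1` before calling `Nettle.rsa_unpad(s, type)` and letting that routine report the failure in constant time, or reword the comment to state precisely why this early return is considered acceptable. Separately, the change from `return s[i+1..]` to `return s[i..]` means `Nettle.rsa_unpad` must return the offset of the first payload byte, with 0 as the failure value; that contract is only implied by `if( !i ) return 0;` and deserves a line in the doc comment above `rsa_unpad`, including that the function itself returns 0 rather than an empty string on a bad block.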