Skip to content

Commit

Permalink
Split constant time functions into crypto/subtle.
Browse files Browse the repository at this point in the history 
R=rsc
CC=go-dev
http://go/go-review/1018020
  • Loading branch information
@agl
agl committed Nov 2, 2009
1 parent d002489 commit ad67a86
Show file tree
Hide file tree
Showing 8 changed files with 249 additions and 216 deletions.
1 change: 1 addition & 0 deletions src/pkg/Make.deps
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ crypto/hmac.install: crypto/md5.install crypto/sha1.install hash.install os.inst
crypto/md5.install: hash.install os.install
crypto/rc4.install: os.install strconv.install
crypto/sha1.install: hash.install os.install
crypto/subtle.install:
debug/dwarf.install: encoding/binary.install os.install strconv.install
debug/macho.install: bytes.install debug/dwarf.install encoding/binary.install fmt.install io.install os.install strconv.install
debug/elf.install: debug/dwarf.install encoding/binary.install fmt.install io.install os.install strconv.install
Expand Down
1 change: 1 addition & 0 deletions src/pkg/Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ DIRS=\
crypto/md5\
crypto/rc4\
crypto/sha1\
crypto/subtle\
debug/dwarf\
debug/macho\
debug/elf\
Expand Down
19 changes: 10 additions & 9 deletions src/pkg/crypto/rsa/pkcs1v15.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ package rsa

import (
"bytes";
"crypto/subtle";
big "gmp";
"io";
"os";
Expand All @@ -27,7 +28,7 @@ func EncryptPKCS1v15(rand io.Reader, pub *PublicKey, msg []byte) (out []byte, er
// EM = 0x02 || PS || 0x00 || M
em := make([]byte, k-1);
em[0] = 2;
ps, mm := em[1:len(em)-len(msg)-1], em[len(em)-len(msg):len(em)];
ps, mm := em[1 : len(em)-len(msg)-1], em[len(em)-len(msg) : len(em)];
err = nonZeroRandomBytes(ps, rand);
if err != nil {
return;
Expand Down Expand Up @@ -77,8 +78,8 @@ func DecryptPKCS1v15SessionKey(rand io.Reader, priv *PrivateKey, ciphertext []by
return;
}

valid &= constantTimeEq(int32(len(msg)), int32(len(key)));
constantTimeCopy(valid, key, msg);
valid &= subtle.ConstantTimeEq(int32(len(msg)), int32(len(key)));
subtle.ConstantTimeCopy(valid, key, msg);
return;
}

Expand All @@ -96,8 +97,8 @@ func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid
}

em := leftPad(m.Bytes(), k);
firstByteIsZero := constantTimeByteEq(em[0], 0);
secondByteIsTwo := constantTimeByteEq(em[1], 2);
firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0);
secondByteIsTwo := subtle.ConstantTimeByteEq(em[1], 2);

// The remainder of the plaintext must be a string of non-zero random
// octets, followed by a 0, followed by the message.
Expand All @@ -107,9 +108,9 @@ func decryptPKCS1v15(rand io.Reader, priv *PrivateKey, ciphertext []byte) (valid
lookingForIndex = 1;

for i := 2; i < len(em); i++ {
equals0 := constantTimeByteEq(em[i], 0);
index = constantTimeSelect(lookingForIndex & equals0, i, index);
lookingForIndex = constantTimeSelect(equals0, 0, lookingForIndex);
equals0 := subtle.ConstantTimeByteEq(em[i], 0);
index = subtle.ConstantTimeSelect(lookingForIndex & equals0, i, index);
lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex);
}

valid = firstByteIsZero & secondByteIsTwo & (^lookingForIndex & 1);
Expand All @@ -126,7 +127,7 @@ func nonZeroRandomBytes(s []byte, rand io.Reader) (err os.Error) {

for i := 0; i < len(s); i++ {
for s[i] == 0 {
_, err = rand.Read(s[i:i+1]);
_, err = rand.Read(s[i : i+1]);
if err != nil {
return;
}
Expand Down
79 changes: 14 additions & 65 deletions src/pkg/crypto/rsa/rsa.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,12 @@ package rsa
// TODO(agl): Add support for PSS padding.

import (
"bytes";
big "gmp";
"hash";
"io";
"os";
"bytes";
"crypto/subtle";
big "gmp";
"hash";
"io";
"os";
)

var bigOne = big.NewInt(1)
Expand Down Expand Up @@ -92,7 +93,7 @@ type PublicKey struct {

// A PrivateKey represents an RSA key
type PrivateKey struct {
PublicKey; // public part.
PublicKey; // public part.
D *big.Int; // private exponent
P, Q *big.Int; // prime factors of N
}
Expand Down Expand Up @@ -300,58 +301,6 @@ func modInverse(a, n *big.Int) (ia *big.Int) {
return x;
}

// constantTimeCompare returns 1 iff the two equal length slices, x
// and y, have equal contents. The time taken is a function of the length of
// the slices and is independent of the contents.
func constantTimeCompare(x, y []byte) int {
var v byte;

for i := 0; i < len(x); i++ {
v |= x[i]^y[i];
}

return constantTimeByteEq(v, 0);
}

// constantTimeSelect returns a if v is 1 and b if v is 0.
// Its behaviour is undefined if v takes any other value.
func constantTimeSelect(v, a, b int) int {
return ^(v-1)&a | (v-1)&b;
}

// constantTimeByteEq returns 1 if a == b and 0 otherwise.
func constantTimeByteEq(a, b uint8) int {
x := ^(a^b);
x &= x>>4;
x &= x>>2;
x &= x>>1;

return int(x);
}

// constantTimeEq returns 1 if a == b and 0 otherwise.
func constantTimeEq(a, b int32) int {
x := ^(a^b);
x &= x>>16;
x &= x>>8;
x &= x>>4;
x &= x>>2;
x &= x>>1;

return int(x&1);
}

// constantTimeCopy copies the contents of y into x iff v == 1. If v == 0, x is left unchanged.
// Its behaviour is undefined if v takes any other value.
func constantTimeCopy(v int, x, y []byte) {
xmask := byte(v - 1);
ymask := byte(^(v - 1));
for i := 0; i < len(x); i++ {
x[i] = x[i] & xmask | y[i] & ymask;
}
return;
}

// decrypt performs an RSA decryption, resulting in a plaintext integer. If a
// random source is given, RSA blinding is used.
func decrypt(rand io.Reader, priv *PrivateKey, c *big.Int) (m *big.Int, err os.Error) {
Expand Down Expand Up @@ -419,7 +368,7 @@ func DecryptOAEP(hash hash.Hash, rand io.Reader, priv *PrivateKey, ciphertext []
// anything about this.)
em := leftPad(m.Bytes(), k);

firstByteIsZero := constantTimeByteEq(em[0], 0);
firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0);

seed := em[1 : hash.Size() + 1];
db := em[hash.Size() + 1 : len(em)];
Expand All @@ -433,7 +382,7 @@ func DecryptOAEP(hash hash.Hash, rand io.Reader, priv *PrivateKey, ciphertext []
// attacks like: J. Manger. A Chosen Ciphertext Attack on RSA Optimal
// Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1
// v2.0. In J. Kilian, editor, Advances in Cryptology.
lHash2Good := constantTimeCompare(lHash, lHash2);
lHash2Good := subtle.ConstantTimeCompare(lHash, lHash2);

// The remainder of the plaintext must be zero or more 0x00, followed
// by 0x01, followed by the message.
Expand All @@ -445,11 +394,11 @@ func DecryptOAEP(hash hash.Hash, rand io.Reader, priv *PrivateKey, ciphertext []
rest := db[hash.Size() : len(db)];

for i := 0; i < len(rest); i++ {
equals0 := constantTimeByteEq(rest[i], 0);
equals1 := constantTimeByteEq(rest[i], 1);
index = constantTimeSelect(lookingForIndex & equals1, i, index);
lookingForIndex = constantTimeSelect(equals1, 0, lookingForIndex);
invalid = constantTimeSelect(lookingForIndex & ^equals0, 1, invalid);
equals0 := subtle.ConstantTimeByteEq(rest[i], 0);
equals1 := subtle.ConstantTimeByteEq(rest[i], 1);
index = subtle.ConstantTimeSelect(lookingForIndex & equals1, i, index);
lookingForIndex = subtle.ConstantTimeSelect(equals1, 0, lookingForIndex);
invalid = subtle.ConstantTimeSelect(lookingForIndex & ^equals0, 1, invalid);
}

if firstByteIsZero & lHash2Good & ^invalid & ^lookingForIndex != 1 {
Expand Down

0 comments on commit ad67a86

Please sign in to comment.