octoleo/phpseclib
1
0
Fork 0
mirror of https://github.com/phpseclib/phpseclib.git synced 2024-11-16 18:25:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

RSA: protect against possible timing attacks during OAEP decryption

Browse Source
This commit is contained in:
terrafrost 2019-03-08 07:27:04 -06:00
parent a276c2b073
commit ca76d3913f
1 changed files with 17 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
phpseclib/Crypt/RSA.php
View File

@ -2305,12 +2305,13 @@ class Crypt_RSA
return false;
}
$result = 0;
$result = "\0";
$x^= $y;
for ($i = 0; $i < strlen($x); $i++) {
$result |= ord($x[$i]) ^ ord($y[$i]);
$result|= $x[$i];
}
return $result == 0;
return $result === "\0";
}
/**
@ -2517,19 +2518,26 @@ class Crypt_RSA
$db = $maskedDB ^ $dbMask;
$lHash2 = substr($db, 0, $this->hLen);
$m = substr($db, $this->hLen);
if (!$this->_equals($lHash, $lHash2)) {
user_error('Decryption error');
return false;
$hashesMatch = $this->_equals($lHash, $lHash2);
$leadingZeros = 1;
$patternMatch = 0;
$offset = 0;
for ($i = 0; $i < strlen($m); $i++) {
$patternMatch|= $leadingZeros & ($m[$i] === "\1");
$leadingZeros&= $m[$i] === "\0";
$offset+= $patternMatch ? 0 : 1;
}
$m = ltrim($m, chr(0));
if (ord($m[0]) != 1) {
// we do & instead of && to avoid https://en.wikipedia.org/wiki/Short-circuit_evaluation
// to protect against timing attacks
if (!$hashesMatch & !$patternMatch) {
user_error('Decryption error');
return false;
}
// Output the message M
return substr($m, 1);
return substr($m, $offset + 1);
}
/**