make the padding check constant time and move evp exponent print size macro to local file

Author: JacobBarthelmeh

wolfcrypt/src/evp.c

@@ -318,6 +318,7 @@ int wolfSSL_EVP_PKEY_is_a(const WOLFSSL_EVP_PKEY *pkey, const char *name) {
 
 #define WOLFSSL_EVP_PKEY_PRINT_LINE_WIDTH_MAX  80
 #define WOLFSSL_EVP_PKEY_PRINT_DIGITS_PER_LINE 15
+#define WOLFSSL_EVP_EXPONENT_PRINT_MAX         24
 
 static unsigned int cipherType(const WOLFSSL_EVP_CIPHER *cipher);
 
@@ -11877,7 +11878,7 @@ static int PrintHexWithColon(WOLFSSL_BIO* out, const byte* input,
 static int PrintPubKeyRSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     int indent, int bitlen, WOLFSSL_ASN1_PCTX* pctx)
 {
-    byte   buff[EVP_EXPONENT_PRINT_MAX] = { 0 };
+    byte   buff[WOLFSSL_EVP_EXPONENT_PRINT_MAX] = { 0 };
     int    res = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
     word32 inOutIdx = 0;
     word32 nSz;             /* size of modulus */
@@ -12021,7 +12022,7 @@ static int PrintPubKeyEC(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
 {
     byte*   pub = NULL;
     word32  pubSz = 0;
-    byte    buff[EVP_EXPONENT_PRINT_MAX] = { 0 };
+    byte    buff[WOLFSSL_EVP_EXPONENT_PRINT_MAX] = { 0 };
     int     res = WOLFSSL_SUCCESS;
     word32  inOutIdx = 0;
     int     curveId = 0;
@@ -12210,7 +12211,7 @@ static int PrintPubKeyDSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     int indent, int bitlen, WOLFSSL_ASN1_PCTX* pctx)
 {
 
-    byte    buff[EVP_EXPONENT_PRINT_MAX] = { 0 };
+    byte    buff[WOLFSSL_EVP_EXPONENT_PRINT_MAX] = { 0 };
     int     length;
     int     res = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
     word32  inOutIdx = 0;
@@ -12417,7 +12418,7 @@ static int PrintPubKeyDH(WOLFSSL_BIO* out, const byte* pkey, int pkeySz,
     int indent, int bitlen, WOLFSSL_ASN1_PCTX* pctx)
 {
 
-    byte    buff[EVP_EXPONENT_PRINT_MAX] = { 0 };
+    byte    buff[WOLFSSL_EVP_EXPONENT_PRINT_MAX] = { 0 };
     int     res = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
     word32  length;
     word32  inOutIdx;

wolfcrypt/src/pkcs7.c

@@ -13263,18 +13263,16 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in,
 
             padLen = encryptedContent[encryptedContentSz-1];
 
-            /* copy plaintext to output */
-            if (padLen == 0 || padLen > expBlockSz ||
-                padLen > encryptedContentSz) {
-                ret = BUFFER_E;
-                break;
-            }
-
-            /* Check all padding bytes. Better implementation would be to run
-             * through the entire block. */
-            for (padIndex = encryptedContentSz - padLen;
+            /* Constant-time padding check */
+            padCheck |= ctMaskEq(padLen, 0);
+            padCheck |= ctMaskGT(padLen, expBlockSz);
+            padCheck |= ctMaskGT(padLen, encryptedContentSz);
+            padCheck |= ctMaskGT(expBlockSz, encryptedContentSz);
+            for (padIndex = encryptedContentSz - expBlockSz;
                  padIndex < encryptedContentSz; padIndex++) {
-                padCheck |= encryptedContent[padIndex] ^ padLen;
+                byte inPad = ctMaskGTE(padIndex,
+                                       encryptedContentSz - (int)padLen);
+                padCheck |= inPad & (encryptedContent[padIndex] ^ padLen);
             }
             if (padCheck != 0) {
                 ret = BUFFER_E;
@@ -15331,19 +15329,16 @@ int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* in, word32 inSz,
             if (ret == 0) {
                 padLen = encryptedContent[encryptedContentSz-1];
 
-                if (padLen == 0 || padLen > expBlockSz ||
-                    padLen > encryptedContentSz) {
-                    WOLFSSL_MSG("Bad padding size found");
-                    ret = BUFFER_E;
-                    XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
-                    break;
-                }
-
-                /* Check all padding bytes. Better implementation would be to
-                 * run through the entire block. */
-                for (padIndex = encryptedContentSz - padLen;
+                /* Constant-time padding check */
+                padCheck |= ctMaskEq(padLen, 0);
+                padCheck |= ctMaskGT(padLen, expBlockSz);
+                padCheck |= ctMaskGT(padLen, encryptedContentSz);
+                padCheck |= ctMaskGT(expBlockSz, encryptedContentSz);
+                for (padIndex = encryptedContentSz - expBlockSz;
                      padIndex < encryptedContentSz; padIndex++) {
-                     padCheck |= encryptedContent[padIndex] ^ padLen;
+                    byte inPad = ctMaskGTE(padIndex,
+                                           encryptedContentSz - (int)padLen);
+                    padCheck |= inPad & (encryptedContent[padIndex] ^ padLen);
                 }
                 if (padCheck != 0) {
                     WOLFSSL_MSG("Bad padding bytes found");

wolfssl/wolfcrypt/types.h

@@ -2423,8 +2423,6 @@ enum Max_ASN {
 
 #endif /* WOLFSSL_CERT_GEN */
 
-#define EVP_EXPONENT_PRINT_MAX 24
-
 #ifdef __cplusplus
     }   /* extern "C" */
 #endif