Const-time padding improvements

peterdettman · peterdettman · commit 78263005e327 · 2022-08-25T13:02:15.000+07:00
diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/ISO10126d2Padding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/ISO10126d2Padding.java
@@ -61,9 +61,11 @@ public int addPadding(
     public int padCount(byte[] in)
         throws InvalidCipherTextException
     {
-        int count = in[in.length - 1] & 0xff;
+        int count = in[in.length - 1] & 0xFF;
+        int position = in.length - count;
 
-        if (count > in.length)
+        int failed = (position | (count - 1)) >> 31;
+        if (failed != 0)
         {
             throw new InvalidCipherTextException("pad block corrupted");
         }
diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/ISO7816d4Padding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/ISO7816d4Padding.java
@@ -60,18 +60,20 @@ public int addPadding(
     public int padCount(byte[] in)
         throws InvalidCipherTextException
     {
-        int count = in.length - 1;
-
-        while (count > 0 && in[count] == 0)
+        int position = -1, still00Mask = -1;
+        int i = in.length;
+        while (--i >= 0)
         {
-            count--;
+            int next = in[i] & 0xFF;
+            int match00Mask = ((next ^ 0x00) - 1) >> 31;
+            int match80Mask = ((next ^ 0x80) - 1) >> 31;
+            position ^= (i ^ position) & (still00Mask & match80Mask);
+            still00Mask &= match00Mask;
         }
-
-        if (in[count] != (byte)0x80)
+        if (position < 0)
         {
             throw new InvalidCipherTextException("pad block corrupted");
         }
-        
-        return in.length - count;
+        return in.length - position;
     }
 }
diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/PKCS7Padding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/PKCS7Padding.java
@@ -56,18 +56,16 @@ public int addPadding(
     public int padCount(byte[] in)
         throws InvalidCipherTextException
     {
-        int count = in[in.length - 1] & 0xff;
-        byte countAsbyte = (byte)count;
+        byte countAsByte = in[in.length - 1];
+        int count = countAsByte & 0xFF;
+        int position = in.length - count;
 
-        // constant time version
-        boolean failed = (count > in.length | count == 0);
-
-        for (int i = 0; i < in.length; i++)
+        int failed = (position | (count - 1)) >> 31;
+        for (int i = 0; i < in.length; ++i)
         {
-            failed |= (in.length - i <= count) & (in[i] != countAsbyte);
+            failed |= (in[i] ^ countAsByte) & ~((i - position) >> 31);
         }
-
-        if (failed)
+        if (failed != 0)
         {
             throw new InvalidCipherTextException("pad block corrupted");
         }
diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/TBCPadding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/TBCPadding.java
@@ -76,14 +76,15 @@ public int addPadding(
     public int padCount(byte[] in)
         throws InvalidCipherTextException
     {
-        byte code = in[in.length - 1];
-
-        int index = in.length - 1;
-        while (index > 0 && in[index - 1] == code)
+        int i = in.length;
+        int code = in[--i] & 0xFF, count = 1, countingMask = -1;
+        while (--i >= 0)
         {
-            index--;
+            int next = in[i] & 0xFF;
+            int matchMask = ((next ^ code) - 1) >> 31;
+            countingMask &= matchMask;
+            count -= countingMask;
         }
-
-        return in.length - index;
+        return count;
     }
 }
diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/X923Padding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/X923Padding.java
@@ -68,9 +68,11 @@ public int addPadding(
     public int padCount(byte[] in)
         throws InvalidCipherTextException
     {
-        int count = in[in.length - 1] & 0xff;
+        int count = in[in.length - 1] & 0xFF;
+        int position = in.length - count;
 
-        if (count > in.length)
+        int failed = (position | (count - 1)) >> 31;
+        if (failed != 0)
         {
             throw new InvalidCipherTextException("pad block corrupted");
         }
diff --git a/core/src/main/java/org/bouncycastle/crypto/paddings/ZeroBytePadding.java b/core/src/main/java/org/bouncycastle/crypto/paddings/ZeroBytePadding.java
@@ -56,18 +56,15 @@ public int addPadding(
     public int padCount(byte[] in)
         throws InvalidCipherTextException
     {
-        int count = in.length;
-
-        while (count > 0)
+        int count = 0, still00Mask = -1;
+        int i = in.length;
+        while (--i >= 0)
         {
-            if (in[count - 1] != 0)
-            {
-                break;
-            }
-
-            count--;
+            int next = in[i] & 0xFF;
+            int match00Mask = ((next ^ 0x00) - 1) >> 31;
+            still00Mask &= match00Mask;
+            count -= still00Mask;
         }
-
-        return in.length - count;
+        return count;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -61,9 +61,11 @@ public int addPadding(`
`61`	`61`	`public int padCount(byte[] in)`
`62`	`62`	`throws InvalidCipherTextException`
`63`	`63`	`{`
`64`		`- int count = in[in.length - 1] & 0xff;`
	`64`	`+ int count = in[in.length - 1] & 0xFF;`
	`65`	`+ int position = in.length - count;`
`65`	`66`
`66`		`- if (count > in.length)`
	`67`	`+ int failed = (position \| (count - 1)) >> 31;`
	`68`	`+ if (failed != 0)`
`67`	`69`	`{`
`68`	`70`	`throw new InvalidCipherTextException("pad block corrupted");`
`69`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,18 +60,20 @@ public int addPadding(`
`60`	`60`	`public int padCount(byte[] in)`
`61`	`61`	`throws InvalidCipherTextException`
`62`	`62`	`{`
`63`		`- int count = in.length - 1;`
`64`		`-`
`65`		`- while (count > 0 && in[count] == 0)`
	`63`	`+ int position = -1, still00Mask = -1;`
	`64`	`+ int i = in.length;`
	`65`	`+ while (--i >= 0)`
`66`	`66`	`{`
`67`		`- count--;`
	`67`	`+ int next = in[i] & 0xFF;`
	`68`	`+ int match00Mask = ((next ^ 0x00) - 1) >> 31;`
	`69`	`+ int match80Mask = ((next ^ 0x80) - 1) >> 31;`
	`70`	`+ position ^= (i ^ position) & (still00Mask & match80Mask);`
	`71`	`+ still00Mask &= match00Mask;`
`68`	`72`	`}`
`69`		`-`
`70`		`- if (in[count] != (byte)0x80)`
	`73`	`+ if (position < 0)`
`71`	`74`	`{`
`72`	`75`	`throw new InvalidCipherTextException("pad block corrupted");`
`73`	`76`	`}`
`74`		`-`
`75`		`- return in.length - count;`
	`77`	`+ return in.length - position;`
`76`	`78`	`}`
`77`	`79`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,18 +56,16 @@ public int addPadding(`
`56`	`56`	`public int padCount(byte[] in)`
`57`	`57`	`throws InvalidCipherTextException`
`58`	`58`	`{`
`59`		`- int count = in[in.length - 1] & 0xff;`
`60`		`- byte countAsbyte = (byte)count;`
	`59`	`+ byte countAsByte = in[in.length - 1];`
	`60`	`+ int count = countAsByte & 0xFF;`
	`61`	`+ int position = in.length - count;`
`61`	`62`
`62`		`- // constant time version`
`63`		`- boolean failed = (count > in.length \| count == 0);`
`64`		`-`
`65`		`- for (int i = 0; i < in.length; i++)`
	`63`	`+ int failed = (position \| (count - 1)) >> 31;`
	`64`	`+ for (int i = 0; i < in.length; ++i)`
`66`	`65`	`{`
`67`		`- failed \|= (in.length - i <= count) & (in[i] != countAsbyte);`
	`66`	`+ failed \|= (in[i] ^ countAsByte) & ~((i - position) >> 31);`
`68`	`67`	`}`
`69`		`-`
`70`		`- if (failed)`
	`68`	`+ if (failed != 0)`
`71`	`69`	`{`
`72`	`70`	`throw new InvalidCipherTextException("pad block corrupted");`
`73`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -76,14 +76,15 @@ public int addPadding(`
`76`	`76`	`public int padCount(byte[] in)`
`77`	`77`	`throws InvalidCipherTextException`
`78`	`78`	`{`
`79`		`- byte code = in[in.length - 1];`
`80`		`-`
`81`		`- int index = in.length - 1;`
`82`		`- while (index > 0 && in[index - 1] == code)`
	`79`	`+ int i = in.length;`
	`80`	`+ int code = in[--i] & 0xFF, count = 1, countingMask = -1;`
	`81`	`+ while (--i >= 0)`
`83`	`82`	`{`
`84`		`- index--;`
	`83`	`+ int next = in[i] & 0xFF;`
	`84`	`+ int matchMask = ((next ^ code) - 1) >> 31;`
	`85`	`+ countingMask &= matchMask;`
	`86`	`+ count -= countingMask;`
`85`	`87`	`}`
`86`		`-`
`87`		`- return in.length - index;`
	`88`	`+ return count;`
`88`	`89`	`}`
`89`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -68,9 +68,11 @@ public int addPadding(`
`68`	`68`	`public int padCount(byte[] in)`
`69`	`69`	`throws InvalidCipherTextException`
`70`	`70`	`{`
`71`		`- int count = in[in.length - 1] & 0xff;`
	`71`	`+ int count = in[in.length - 1] & 0xFF;`
	`72`	`+ int position = in.length - count;`
`72`	`73`
`73`		`- if (count > in.length)`
	`74`	`+ int failed = (position \| (count - 1)) >> 31;`
	`75`	`+ if (failed != 0)`
`74`	`76`	`{`
`75`	`77`	`throw new InvalidCipherTextException("pad block corrupted");`
`76`	`78`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,18 +56,15 @@ public int addPadding(`
`56`	`56`	`public int padCount(byte[] in)`
`57`	`57`	`throws InvalidCipherTextException`
`58`	`58`	`{`
`59`		`- int count = in.length;`
`60`		`-`
`61`		`- while (count > 0)`
	`59`	`+ int count = 0, still00Mask = -1;`
	`60`	`+ int i = in.length;`
	`61`	`+ while (--i >= 0)`
`62`	`62`	`{`
`63`		`- if (in[count - 1] != 0)`
`64`		`- {`
`65`		`- break;`
`66`		`- }`
`67`		`-`
`68`		`- count--;`
	`63`	`+ int next = in[i] & 0xFF;`
	`64`	`+ int match00Mask = ((next ^ 0x00) - 1) >> 31;`
	`65`	`+ still00Mask &= match00Mask;`
	`66`	`+ count -= still00Mask;`
`69`	`67`	`}`
`70`		`-`
`71`		`- return in.length - count;`
	`68`	`+ return count;`
`72`	`69`	`}`
`73`	`70`	`}`