From 64e09322e3cbda39d673f985f495178209ff12f5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 7 Nov 2013 16:20:34 -0800 Subject: Fixed a bug in padding, and also made it more constant time --- cryptography/hazmat/primitives/padding.py | 34 ++++++++++++++++++++++++++++--- tests/hazmat/primitives/test_padding.py | 1 + 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index ddcadd89..de889685 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -11,11 +11,34 @@ # See the License for the specific language governing permissions and # limitations under the License. +import cffi + import six from cryptography.hazmat.primitives import interfaces +_ffi = cffi.FFI() +_ffi.cdef(""" +unsigned int Cryptography_constant_time_lt(unsigned int, unsigned int); +""") +_lib = _ffi.verify(""" +/* Returns the value of the input with the most-significant-bit copied to all + of the bits. This relies on implementation details of computers with 2's + complement representations of integers, which is not required by the C + standard. */ +static unsigned int Cryptography_DUPLICATE_MSB_TO_ALL(unsigned int a) { + return (unsigned int)((int)(a) >> (sizeof(int) * 8 - 1)); +} + +/* This returns 0xFF if a < b else 0x00, but does so in a constant time + fashion */ +unsigned int Cryptography_constant_time_lt(unsigned int a, unsigned int b) { + a -= b; + return Cryptography_DUPLICATE_MSB_TO_ALL(a); +} +""") + class PKCS7(object): def __init__(self, block_size): super(PKCS7, self).__init__() 
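Review bot: `_lib = _ffi.verify(...)` compiles the embedded C source at import time, so every process that imports this module needs a working C compiler and a writable cffi cache directory, and a missing or broken toolchain surfaces as an import-time failure in production rather than at install time. If the project already builds its other cffi bindings at install time, this helper belongs with them; otherwise a module-level comment should state the requirement for operators, e.g. `# NOTE: verify() compiles this C at first import; a C toolchain is required at runtime.`. The comment on `Cryptography_constant_time_lt` also says it returns 0xFF, but with `unsigned int` operands the result is every bit of the int set (0xFFFFFFFF on common platforms), so callers should only rely on it being all-ones or zero.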
@@ -104,14 +127,19 @@ class _PKCS7UnpaddingContext(object): if not self._buffer: raise ValueError("Invalid padding bytes") - pad_size = six.indexbytes(self._buffer, -1) + if len(self._buffer) != self.block_size // 8: + raise ValueError("Invalid padding bytes") + pad_size = six.indexbytes(self._buffer, -1) if pad_size > self.block_size // 8: raise ValueError("Invalid padding bytes") + mismatch = 0 - for b in six.iterbytes(self._buffer[-pad_size:]): - mismatch |= b ^ pad_size + for i in xrange(self.block_size // 8): + mask = _lib.Cryptography_constant_time_lt(i, pad_size) + b = six.indexbytes(self._buffer, self.block_size // 8 - 1 - i) + mismatch |= (mask & (pad_size ^ b)) if mismatch != 0: raise ValueError("Invalid padding bytes") diff --git a/tests/hazmat/primitives/test_padding.py b/tests/hazmat/primitives/test_padding.py index 3cefafaf..91d58439 100644 --- a/tests/hazmat/primitives/test_padding.py +++ b/tests/hazmat/primitives/test_padding.py @@ -29,6 +29,7 @@ class TestPKCS7(object): (128, b"1111111111111111"), (128, b"111111111111111\x06"), (128, b""), + (128, b"\x06" * 6), ]) def test_invalid_padding(self, size, padded): unpadder = padding.PKCS7(size).unpadder() -- cgit v1.2.3 From 4a9a80d22216329447c4983e2e819dcfe209974e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 7 Nov 2013 16:29:29 -0800 Subject: py3k fix --- cryptography/hazmat/primitives/padding.py | 1 + 1 file changed, 1 insertion(+) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index de889685..74d49a0f 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -14,6 +14,7 @@ import cffi import six +from six.moves import xrange from cryptography.hazmat.primitives import interfaces -- cgit v1.2.3 From ab8719a903266fda3203bcdfbad7bd510c97c217 Mon Sep 17 00:00:00 2001 
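Review bot: The hunk mixes a check on public data with one on secret data without saying which is which: raising on `len(self._buffer) != self.block_size // 8` is fine because the ciphertext length is not secret, whereas the masked loop exists precisely so that no control flow depends on `pad_size` or the pad bytes. A comment would keep a later edit from collapsing the loop back into a slice comparison: `# Length is public, so raising early here is fine; the loop below must not branch on pad_size or the pad bytes.` The loop also leans on `mask` coming back from C as either zero or every bit set, so `mask & (pad_size ^ b)` is exact only because both operands are byte values below 256, which is worth stating in the same comment. The enclosing method begins before the hunk.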
From: Alex Gaynor Date: Thu, 7 Nov 2013 17:20:20 -0800 Subject: flake8 fixes --- cryptography/hazmat/primitives/padding.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 74d49a0f..23a6c032 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -40,6 +40,7 @@ unsigned int Cryptography_constant_time_lt(unsigned int a, unsigned int b) { } """) + class PKCS7(object): def __init__(self, block_size): super(PKCS7, self).__init__() @@ -135,7 +136,6 @@ class _PKCS7UnpaddingContext(object): if pad_size > self.block_size // 8: raise ValueError("Invalid padding bytes") - mismatch = 0 for i in xrange(self.block_size // 8): mask = _lib.Cryptography_constant_time_lt(i, pad_size) -- cgit v1.2.3 From 6b3be7f0078bd69f39b6666f7ea84040b7274e68 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 8 Nov 2013 09:17:48 -0800 Subject: More constant time, better --- cryptography/hazmat/primitives/padding.py | 7 +------ tests/hazmat/primitives/test_padding.py | 1 + 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 23a6c032..34bdfd89 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -126,15 +126,10 @@ class _PKCS7UnpaddingContext(object): if self._buffer is None: raise ValueError("Context was already finalized") - if not self._buffer: - raise ValueError("Invalid padding bytes") - if len(self._buffer) != self.block_size // 8: raise ValueError("Invalid padding bytes") pad_size = six.indexbytes(self._buffer, -1) - if pad_size > self.block_size // 8: - raise ValueError("Invalid padding bytes") mismatch = 0 for i in xrange(self.block_size // 8): 
@@ -142,7 +137,7 @@ class _PKCS7UnpaddingContext(object): b = six.indexbytes(self._buffer, self.block_size // 8 - 1 - i) mismatch |= (mask & (pad_size ^ b)) - if mismatch != 0: + if mismatch != 0 or not (0 < pad_size <= self.block_size // 8): raise ValueError("Invalid padding bytes") res = self._buffer[:-pad_size] diff --git a/tests/hazmat/primitives/test_padding.py b/tests/hazmat/primitives/test_padding.py index 91d58439..6a2b6243 100644 --- a/tests/hazmat/primitives/test_padding.py +++ b/tests/hazmat/primitives/test_padding.py @@ -30,6 +30,7 @@ class TestPKCS7(object): (128, b"111111111111111\x06"), (128, b""), (128, b"\x06" * 6), + (128, b"\x00" * 16), ]) def test_invalid_padding(self, size, padded): unpadder = padding.PKCS7(size).unpadder() -- cgit v1.2.3 From 4a6f5dcddef1b9a3afbe8cc47b7483e3589781fe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 15 Nov 2013 11:17:36 -0800 Subject: Move all unpadding logic to C --- cryptography/hazmat/primitives/padding.py | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 34bdfd89..ec575195 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -21,9 +21,11 @@ from cryptography.hazmat.primitives import interfaces _ffi = cffi.FFI() _ffi.cdef(""" -unsigned int Cryptography_constant_time_lt(unsigned int, unsigned int); +bool Cryptography_check_padding(uint8_t *, unsigned int); """) _lib = _ffi.verify(""" +#include + /* Returns the value of the input with the most-significant-bit copied to all of the bits. This relies on implementation details of computers with 2's complement representations of integers, which is not required by the C 
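Review bot: `(128, b"\x00" * 16)` pins the lower bound of the new `0 < pad_size` test, but nothing in the list exercises the upper bound independently of the byte comparison: a block whose bytes all agree with the pad byte while the pad byte exceeds the block length, e.g. `(128, b"\x11" * 16)`, passes the masked loop and is rejected only by `pad_size <= self.block_size // 8`. A positive case such as `b"\x10" * 16` unpadding to `b""` would likewise pin the `pad_size == block_len` boundary, if the positive tests elsewhere in this file do not already cover it. Both are one-line additions to this parametrize list.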
@@ -38,9 +40,22 @@ unsigned int Cryptography_constant_time_lt(unsigned int a, unsigned int b) { a -= b; return Cryptography_DUPLICATE_MSB_TO_ALL(a); } + +bool Cryptography_check_padding(uint8_t *data, unsigned int block_len) { + unsigned int i; + uint8_t pad_size = data[block_len - 1]; + uint8_t mismatch = 0; + for (i = 0; i < block_len; i++) { + unsigned int mask = Cryptography_constant_time_lt(i, pad_size); + uint8_t b = data[block_len - 1 - i]; + mismatch |= (mask & (pad_size ^ b)); + } + return mismatch == 0; +} """) + class PKCS7(object): def __init__(self, block_size): super(PKCS7, self).__init__() @@ -131,13 +146,9 @@ class _PKCS7UnpaddingContext(object): pad_size = six.indexbytes(self._buffer, -1) - mismatch = 0 - for i in xrange(self.block_size // 8): - mask = _lib.Cryptography_constant_time_lt(i, pad_size) - b = six.indexbytes(self._buffer, self.block_size // 8 - 1 - i) - mismatch |= (mask & (pad_size ^ b)) + valid = _lib.Cryptography_check_padding(self._buffer, self.block_size // 8) - if mismatch != 0 or not (0 < pad_size <= self.block_size // 8): + if not valid or not (0 < pad_size <= self.block_size // 8): raise ValueError("Invalid padding bytes") res = self._buffer[:-pad_size] -- cgit v1.2.3 From 1bbb7ce8b5e5c6379227dcb79c51bddbda6e4d23 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 15 Nov 2013 15:59:06 -0800 Subject: Fixed flake8 issues --- cryptography/hazmat/primitives/padding.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index ec575195..b07f5014 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -14,7 +14,6 @@ import cffi import six -from six.moves import xrange from cryptography.hazmat.primitives import interfaces 
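Review bot: `uint8_t pad_size = data[block_len - 1];` indexes before anything confirms `block_len >= 1`; with `block_len == 0` the subtraction wraps and the read is out of bounds, after which the loop runs zero times and the function returns true. The Python caller happens to pass `self.block_size // 8` behind a length check, but the C function is the reusable piece, and block length is not secret, so a plain guard as the first statement is safe: `if (block_len == 0) { return false; }`. It would also help to note on the loop that `mask` is either all-ones or zero, so `mask & (pad_size ^ b)` only ever contributes bits from positions inside the pad.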
@@ -55,7 +54,6 @@ bool Cryptography_check_padding(uint8_t *data, unsigned int block_len) { """) - class PKCS7(object): def __init__(self, block_size): super(PKCS7, self).__init__() @@ -146,7 +144,9 @@ class _PKCS7UnpaddingContext(object): pad_size = six.indexbytes(self._buffer, -1) - valid = _lib.Cryptography_check_padding(self._buffer, self.block_size // 8) + valid = _lib.Cryptography_check_padding( + self._buffer, self.block_size // 8 + ) if not valid or not (0 < pad_size <= self.block_size // 8): raise ValueError("Invalid padding bytes") -- cgit v1.2.3 From 0c679c64241d74dd02bda891c9f04508cd535535 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 16 Nov 2013 08:16:24 -0800 Subject: const correctness --- cryptography/hazmat/primitives/padding.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index b07f5014..926a4bbd 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -20,7 +20,7 @@ from cryptography.hazmat.primitives import interfaces _ffi = cffi.FFI() _ffi.cdef(""" -bool Cryptography_check_padding(uint8_t *, unsigned int); +bool Cryptography_check_padding(const uint8_t *, unsigned int); """) _lib = _ffi.verify(""" #include @@ -40,7 +40,7 @@ unsigned int Cryptography_constant_time_lt(unsigned int a, unsigned int b) { return Cryptography_DUPLICATE_MSB_TO_ALL(a); } -bool Cryptography_check_padding(uint8_t *data, unsigned int block_len) { +bool Cryptography_check_padding(const uint8_t *data, unsigned int block_len) { unsigned int i; uint8_t pad_size = data[block_len - 1]; uint8_t mismatch = 0; -- cgit v1.2.3 From c925b10c9a1638240a3be833d9e7271d4e3767ed Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 18 Nov 2013 09:39:33 -0800 Subject: Even more constant time --- cryptography/hazmat/primitives/padding.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) 
diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 926a4bbd..03c03e37 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -24,6 +24,7 @@ bool Cryptography_check_padding(const uint8_t *, unsigned int); """) _lib = _ffi.verify(""" #include +#include /* Returns the value of the input with the most-significant-bit copied to all of the bits. This relies on implementation details of computers with 2's @@ -49,7 +50,13 @@ bool Cryptography_check_padding(const uint8_t *data, unsigned int block_len) { uint8_t b = data[block_len - 1 - i]; mismatch |= (mask & (pad_size ^ b)); } - return mismatch == 0; + + /* Make sure any bits set are copied to the lowest bit */ + mismatch |= mismatch >> 4; + mismatch |= mismatch >> 2; + mismatch |= mismatch >> 1; + /* Now check the low bit to see if it's set */ + return (mismatch & 1) == 0; } """) -- cgit v1.2.3 From cadf114a546a370d43c2c8e176dae311030904f7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 18 Nov 2013 09:49:53 -0800 Subject: Make this comment more accurate --- cryptography/hazmat/primitives/padding.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 03c03e37..00ac379c 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -34,7 +34,7 @@ static unsigned int Cryptography_DUPLICATE_MSB_TO_ALL(unsigned int a) { return (unsigned int)((int)(a) >> (sizeof(int) * 8 - 1)); } -/* This returns 0xFF if a < b else 0x00, but does so in a constant time +/* This returns 0xFFFF if a < b else 0x00, but does so in a constant time fashion */ unsigned int Cryptography_constant_time_lt(unsigned int a, unsigned int b) { a -= b; -- cgit v1.2.3 From 051d47c9518b7ef4f7bca51df37eadaadad7d56e Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 18 Nov 2013 09:51:51 -0800 Subject: Use types more precisely --- cryptography/hazmat/primitives/padding.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 00ac379c..b03b4a61 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -20,7 +20,7 @@ from cryptography.hazmat.primitives import interfaces _ffi = cffi.FFI() _ffi.cdef(""" -bool Cryptography_check_padding(const uint8_t *, unsigned int); +bool Cryptography_check_padding(const uint8_t *, uint8_t); """) _lib = _ffi.verify(""" #include @@ -30,19 +30,19 @@ _lib = _ffi.verify(""" of the bits. This relies on implementation details of computers with 2's complement representations of integers, which is not required by the C standard. */ -static unsigned int Cryptography_DUPLICATE_MSB_TO_ALL(unsigned int a) { - return (unsigned int)((int)(a) >> (sizeof(int) * 8 - 1)); +static uint8_t Cryptography_DUPLICATE_MSB_TO_ALL(uint8_t a) { + return (uint8_t)((int8_t)(a) >> (sizeof(int8_t) * 8 - 1)); } -/* This returns 0xFFFF if a < b else 0x00, but does so in a constant time +/* This returns 0xFF if a < b else 0x00, but does so in a constant time fashion */ -unsigned int Cryptography_constant_time_lt(unsigned int a, unsigned int b) { +uint8_t Cryptography_constant_time_lt(uint8_t a, uint8_t b) { a -= b; return Cryptography_DUPLICATE_MSB_TO_ALL(a); } -bool Cryptography_check_padding(const uint8_t *data, unsigned int block_len) { - unsigned int i; +bool Cryptography_check_padding(const uint8_t *data, uint8_t block_len) { + uint8_t i; uint8_t pad_size = data[block_len - 1]; uint8_t mismatch = 0; for (i = 0; i < block_len; i++) { -- cgit v1.2.3 From 4dd04c8f6eca8a85a57349a5be952f8c2f51ec6c Mon Sep 17 00:00:00 2001 
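Review bot: Narrowing `Cryptography_constant_time_lt` to `uint8_t` operands changes its contract: subtracting and taking the top bit only yields `a < b` while `a - b` fits in a signed 8-bit value, so for `b - a > 128` it reports 0x00 and for `a - b >= 128` it reports 0xFF. In this hunk's loop `Cryptography_constant_time_lt(i, pad_size)` therefore stops masking the low positions once `pad_size - i > 128` and wrongly masks high positions once `i - pad_size >= 128`, so for blocks longer than 129 bytes a valid 1-byte pad is rejected whenever a far plaintext byte differs from 0x01 and large pads are under-checked; with 16-byte blocks the Python-side range check on `pad_size` hides this, but the function's own `uint8_t block_len` parameter admits blocks up to 255 bytes. Doing the arithmetic in a wider type restores the full byte range: `uint8_t Cryptography_constant_time_lt(uint16_t a, uint16_t b)` backed by `Cryptography_DUPLICATE_MSB_TO_ALL(uint16_t a)` shifting by `sizeof(uint16_t) * 8 - 1`, with `mask` left as `unsigned int`.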
From: Alex Gaynor Date: Mon, 18 Nov 2013 10:19:57 -0800 Subject: Remove unused include --- cryptography/hazmat/primitives/padding.py | 1 - 1 file changed, 1 deletion(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index b03b4a61..938afcec 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -24,7 +24,6 @@ bool Cryptography_check_padding(const uint8_t *, uint8_t); """) _lib = _ffi.verify(""" #include -#include /* Returns the value of the input with the most-significant-bit copied to all of the bits. This relies on implementation details of computers with 2's -- cgit v1.2.3 From cdea8aa87bd98ad6277262803f4a2b8cb48153a3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 18 Nov 2013 15:00:33 -0800 Subject: No more undefined behavior --- cryptography/hazmat/primitives/padding.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 938afcec..8df4549e 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -26,11 +26,9 @@ _lib = _ffi.verify(""" #include /* Returns the value of the input with the most-significant-bit copied to all - of the bits. This relies on implementation details of computers with 2's - complement representations of integers, which is not required by the C - standard. */ + of the bits. */ static uint8_t Cryptography_DUPLICATE_MSB_TO_ALL(uint8_t a) { - return (uint8_t)((int8_t)(a) >> (sizeof(int8_t) * 8 - 1)); + return -(a >> (sizeof(uint8_t) * 8 - 1)); } /* This returns 0xFF if a < b else 0x00, but does so in a constant time -- cgit v1.2.3 From 41b148725fd688016098ecab51956b08fb890439 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 18 Nov 2013 15:05:03 -0800 Subject: This is a static function --- cryptography/hazmat/primitives/padding.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 8df4549e..f1c64f4d 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -33,7 +33,7 @@ static uint8_t Cryptography_DUPLICATE_MSB_TO_ALL(uint8_t a) { /* This returns 0xFF if a < b else 0x00, but does so in a constant time fashion */ -uint8_t Cryptography_constant_time_lt(uint8_t a, uint8_t b) { +static uint8_t Cryptography_constant_time_lt(uint8_t a, uint8_t b) { a -= b; return Cryptography_DUPLICATE_MSB_TO_ALL(a); } -- cgit v1.2.3 From 04b8330d0a719b7f312207e7098c44f55a25fe39 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 18 Nov 2013 15:16:29 -0800 Subject: Use an instruction that is more likely to be constant time on a modern x86 CPU --- cryptography/hazmat/primitives/padding.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index f1c64f4d..bc7a768d 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -28,7 +28,7 @@ _lib = _ffi.verify(""" /* Returns the value of the input with the most-significant-bit copied to all of the bits. */ static uint8_t Cryptography_DUPLICATE_MSB_TO_ALL(uint8_t a) { - return -(a >> (sizeof(uint8_t) * 8 - 1)); + return (1 - (a >> (sizeof(uint8_t) * 8 - 1))) - 1; } /* This returns 0xFF if a < b else 0x00, but does so in a constant time -- cgit v1.2.3 From 2c03c89cce729f08496756bcac5f8564b5599dca Mon Sep 17 00:00:00 2001 
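Review bot: `(1 - (a >> (sizeof(uint8_t) * 8 - 1))) - 1` and the `-(a >> ...)` it replaces are both branch-free at the source level, and I am not aware of an x86 on which `neg` is any more data-dependent than a subtract, so the commit message's rationale does not hold at the instruction level; what neither form guarantees is that the optimizer keeps the expression branchless, which is a property of the compiler rather than of the expression. The chosen form is fine to keep, but the reason should sit next to it so the next reader does not "simplify" it back: `/* Evaluates to 0x00 or 0xFF without a branch; written this way to discourage the optimizer from re-deriving a conditional — the C standard promises nothing about timing. */`.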
From: Alex Gaynor Date: Tue, 19 Nov 2013 10:44:51 -0800 Subject: Even fewer secret branches before the data is valid --- cryptography/hazmat/primitives/padding.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index bc7a768d..d185fb6f 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -48,6 +48,9 @@ bool Cryptography_check_padding(const uint8_t *data, uint8_t block_len) { mismatch |= (mask & (pad_size ^ b)); } + /* Check to make sure the pad_size was within the valid range. */ + mismatch |= ~(0 < pad_size <= block_len); + /* Make sure any bits set are copied to the lowest bit */ mismatch |= mismatch >> 4; mismatch |= mismatch >> 2; @@ -146,15 +149,15 @@ class _PKCS7UnpaddingContext(object): if len(self._buffer) != self.block_size // 8: raise ValueError("Invalid padding bytes") - pad_size = six.indexbytes(self._buffer, -1) valid = _lib.Cryptography_check_padding( self._buffer, self.block_size // 8 ) - if not valid or not (0 < pad_size <= self.block_size // 8): + if not valid: raise ValueError("Invalid padding bytes") + pad_size = six.indexbytes(self._buffer, -1) res = self._buffer[:-pad_size] self._buffer = None return res -- cgit v1.2.3 From 624947cd6d884a10d5f1e984612f25ea07a1ffbb Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 19 Nov 2013 10:46:58 -0800 Subject: Doh, fix --- cryptography/hazmat/primitives/padding.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index d185fb6f..4e834726 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py 
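Review bot: After this change `pad_size = six.indexbytes(self._buffer, -1)` is read only once `valid` is true, so `res = self._buffer[:-pad_size]` now relies entirely on the C routine having enforced `0 < pad_size <= block_len`; that dependency is invisible from the Python side and deserves a comment, e.g. `# pad_size is safe as a slice bound: Cryptography_check_padding verified 0 < pad_size <= block_len.` The single `if not valid: raise` is the one unavoidable secret-dependent branch left, which appears to be what the commit intends. The enclosing method starts before the hunk.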
@@ -49,7 +49,8 @@ bool Cryptography_check_padding(const uint8_t *data, uint8_t block_len) { } /* Check to make sure the pad_size was within the valid range. */ - mismatch |= ~(0 < pad_size <= block_len); + mismatch |= !(0 < pad_size); + mismatch |= !(pad_size <= block_len); /* Make sure any bits set are copied to the lowest bit */ mismatch |= mismatch >> 4; -- cgit v1.2.3 From 844c2870be39af0872cd68e6204597d6663561cd Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 19 Nov 2013 10:48:37 -0800 Subject: Constant time comparisons here --- cryptography/hazmat/primitives/padding.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 4e834726..cf7dbecd 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -49,8 +49,8 @@ bool Cryptography_check_padding(const uint8_t *data, uint8_t block_len) { } /* Check to make sure the pad_size was within the valid range. */ - mismatch |= !(0 < pad_size); - mismatch |= !(pad_size <= block_len); + mismatch |= ~Cryptography_constant_time_lt(0, pad_size); + mismatch |= Cryptography_constant_time_lt(block_len, pad_size); /* Make sure any bits set are copied to the lowest bit */ mismatch |= mismatch >> 4; -- cgit v1.2.3 From fa1b5bf92e7429c03811050cb2b4b316808da70f Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 19 Nov 2013 11:01:03 -0800 Subject: flake8 --- cryptography/hazmat/primitives/padding.py | 1 - 1 file changed, 1 deletion(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index cf7dbecd..6e583b24 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py 
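Review bot: `Cryptography_constant_time_lt(block_len, pad_size)` runs on `uint8_t` operands, and the subtract-and-MSB trick is only correct while `a - b` fits in a signed byte, so this term misses `pad_size > block_len + 128`; those values are currently rejected by the `~Cryptography_constant_time_lt(0, pad_size)` term, and only because it too misreports for `pad_size > 128`. That yields the right answer by accident for 16-byte blocks and the wrong one for `block_len` above 128 (e.g. `block_len == 200, pad_size == 1` is flagged), which the `uint8_t block_len` signature admits; widening the helper to `uint16_t` operands makes both terms correct across the full byte range. The `~` line also deserves a comment that the complement promotes to int and the high bits are discarded on assignment to the 8-bit `mismatch`, which is why `~0xFF` contributes nothing.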
@@ -150,7 +150,6 @@ class _PKCS7UnpaddingContext(object): if len(self._buffer) != self.block_size // 8: raise ValueError("Invalid padding bytes") - valid = _lib.Cryptography_check_padding( self._buffer, self.block_size // 8 ) -- cgit v1.2.3 From 769073b7d3a9cc397eb916bda00bb34eb5cbd130 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 19 Nov 2013 11:04:13 -0800 Subject: name this function correcctly --- cryptography/hazmat/primitives/padding.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 6e583b24..6849d149 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -20,7 +20,7 @@ from cryptography.hazmat.primitives import interfaces _ffi = cffi.FFI() _ffi.cdef(""" -bool Cryptography_check_padding(const uint8_t *, uint8_t); +bool Cryptography_check_pkcs7_padding(const uint8_t *, uint8_t); """) _lib = _ffi.verify(""" #include @@ -38,7 +38,7 @@ static uint8_t Cryptography_constant_time_lt(uint8_t a, uint8_t b) { return Cryptography_DUPLICATE_MSB_TO_ALL(a); } -bool Cryptography_check_padding(const uint8_t *data, uint8_t block_len) { +bool Cryptography_check_pkcs7_padding(const uint8_t *data, uint8_t block_len) { uint8_t i; uint8_t pad_size = data[block_len - 1]; uint8_t mismatch = 0; @@ -150,7 +150,7 @@ class _PKCS7UnpaddingContext(object): if len(self._buffer) != self.block_size // 8: raise ValueError("Invalid padding bytes") - valid = _lib.Cryptography_check_padding( + valid = _lib.Cryptography_check_pkcs7_padding( self._buffer, self.block_size // 8 ) -- cgit v1.2.3