weixin_39519554
2020-12-09 09:26, 2 views

ntru_decrypt()

I think there are some missing return statements in the function.


    if (!ntru_check_rep_weight(&ci, dm0))
    {
        retcode = NTRU_ERR_DM0_VIOLATION;
        return retcode; // Exit here?
    }

Supplying improperly-encoded data to the method occasionally aborted the parent process. The error code NTRU_ERR_INVALID_ENCODING was returned.

Please review.

This question comes from the open-source project: tbuktu/libntru


8 answers

  • weixin_39519554 2020-12-09 09:26

    Relevant?

    https://github.com/tbuktu/libntru/commit/c10b1171bb3587dafb5f927e1dac073afb817bd9#diff-bc7ed26bef52ae607a93d0ca414d4b7d

  • weixin_39755853 2020-12-09 09:26

    I got rid of the immediate return statements in the commit you linked to, because they leak information that can potentially be exploited in a timing attack. I'm not checking whether retcode has been assigned an error code already, so that is a bug I need to fix.

    What do you mean by "occasionally aborted the parent process"? Did you get a segmentation fault or something?

  • weixin_39519554 2020-12-09 09:26

    Yah, segmentation faults. Sorry.

  • weixin_39519554 2020-12-09 09:26

    Will test the new changes.

  • weixin_39519554 2020-12-09 09:26

    Alright, I have an instance where cl = 236. The largest allowable size of the dec variable is 170 (from ntru_max_msg_len()). The memcpy(dec, cM_head, cl) may be a problem. I'm using EES1087EP2.

    I added the following.

    
        uint8_t length = ntru_max_msg_len(params);
        if (cl > length)
            cl = length;
    
  • weixin_39519554 2020-12-09 09:26

    Would a dec_size parameter be more meaningful?

  • weixin_39755853 2020-12-09 09:26

    You mean rename dec_len to dec_size? I don't see anything wrong with dec_len and besides, it's documented in the header file.

    Thank you for bringing this bug, or rather two bugs, to my attention.

  • weixin_39519554 2020-12-09 09:26

    The function doesn't know the correct size of dec. dec_len is used for reporting the actual size of the decrypted data. I was concerned with modifying cl. A dec_size may create a clearer separation. However, the function expects dec to be of size max...() and now enforces it. Never mind. :o)

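The two points raised in this thread (checks that run without an early return but keep the first error code, and a length bound enforced before the memcpy into dec) can be sketched as follows. This is an added example, not libntru's code: the function, parameter and error-code names are hypothetical, the numeric codes are constructed, and it makes no claim about instruction-level timing.

```c
#include <stdint.h>
#include <string.h>

/* Constructed error codes for this example; not libntru's values. */
enum { DEMO_OK = 0, DEMO_ERR_DM0_VIOLATION = 1,
       DEMO_ERR_INVALID_ENCODING = 2, DEMO_ERR_LENGTH = 3 };

/* Keep the first error: later checks still run but cannot overwrite it. */
static int first_error(int retcode, int check_failed, int err)
{
    return (retcode == DEMO_OK && check_failed) ? err : retcode;
}

/*
 * Hypothetical tail of a decrypt routine. `cl` is the length field read from
 * the decoded (attacker-influenced) message, `msg_avail` the number of bytes
 * actually present in `msg`, and `dec_cap` the capacity of `dec`.
 */
int demo_finish_decrypt(int weight_ok, int encoding_ok,
                        const uint8_t *msg, uint16_t msg_avail, uint16_t cl,
                        uint8_t *dec, uint16_t dec_cap, uint16_t *dec_len)
{
    int retcode = DEMO_OK;

    /* No early return: every check runs on every input. */
    retcode = first_error(retcode, !weight_ok, DEMO_ERR_DM0_VIOLATION);
    retcode = first_error(retcode, !encoding_ok, DEMO_ERR_INVALID_ENCODING);
    retcode = first_error(retcode, cl > dec_cap || cl > msg_avail,
                          DEMO_ERR_LENGTH);

    /* Clamp before copying so a bogus length cannot overrun either buffer. */
    uint16_t n = cl;
    if (n > dec_cap)   n = dec_cap;
    if (n > msg_avail) n = msg_avail;
    memcpy(dec, msg, n);

    /* A reported length of 0 tells the caller to discard `dec` on failure. */
    *dec_len = (retcode == DEMO_OK) ? n : 0;
    return retcode;
}
```

With the values from the thread (cl = 236, a 170-byte dec), the call reports a length error and writes nothing past byte 169 of dec.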
