bcgit / pc-dart

Pointy Castle - Dart Derived Bouncy Castle APIs
MIT License

[SECURITY] Timing Leakage in GCM Implementation #140

Closed soatok closed 2 years ago

soatok commented 2 years ago

https://github.com/bcgit/pc-dart/blob/08d1aaa920e4d00ddf94140f65f952cac48707d1/lib/block/modes/gcm.dart#L132-L137

This contains two timing leaks:

  1. Branch prediction-based (if)
  2. Functions are only called if a bit is set

Recommendation: Implement a constant-time conditional select, so the algorithm looks like this:

  b = _bit(y, i);
  _ct_xor(z, v, b);
  b = _shiftRight(v);
  _ct_xor(v, r, b);

And the implementation of _ct_xor could look like this:

  // Constant-time conditional XOR: x ^= y when b == 1, x unchanged when b == 0.
  // b must be 0 or 1; mask is then 0xff or 0x00, and y is read either way,
  // so the work done does not depend on the bit.
  void _ct_xor(Uint8List x, Uint8List y, int b) {
    var mask = (-b) & 0xff;
    for (var i = 0; i < x.length; i++) {
      // select (x ^ y) when the mask is set, x otherwise
      x[i] = ((x[i] ^ y[i]) & mask) ^ (x[i] & ~mask);
    }
  }

Disclaimer: I am not a Dart developer, so I'm not an expert in the subtleties of the language. This is pseudocode.
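The following is an added, self-contained Dart example written for this page; it is neither pc-dart's code nor the reporter's pseudocode. It spells out the GF(2^128) multiply from NIST SP 800-38D (the loop the linked gcm.dart lines implement) twice: once with the two data-dependent branches the report describes, and once branch-free with a masked conditional XOR. The names `bit`, `shiftRight`, `ctXor`, `multiplyBranchy`, `multiplyCt` and the `XorShift` byte generator are this example's own; the generator exists only so the comparison runs offline on reproducible inputs.

```dart
import 'dart:typed_data';

const int blockSize = 16;

// Bit i of x in GCM bit order: bit 0 is the most significant bit of byte 0.
// Returned as 0 or 1 so it can be turned directly into a byte mask.
int bit(Uint8List x, int i) => (x[i >> 3] >> (7 - (i & 7))) & 1;

// Shift the 128-bit value one bit to the right (towards higher bit indices);
// returns the bit shifted out, 0 or 1.
int shiftRight(Uint8List x) {
  var carry = 0;
  for (var i = 0; i < x.length; i++) {
    var b = x[i];
    x[i] = (b >> 1) | carry;
    carry = (b & 1) << 7;
  }
  return carry >> 7;
}

// Constant-time conditional XOR: x ^= y when b == 1, x unchanged when b == 0.
// mask is 0xff or 0x00; every byte of y is read and every byte of x written
// regardless of b, so there is no branch and no skipped work.
void ctXor(Uint8List x, Uint8List y, int b) {
  var mask = (-b) & 0xff;
  for (var i = 0; i < x.length; i++) {
    x[i] ^= y[i] & mask;
  }
}

void xorInto(Uint8List x, Uint8List y) {
  for (var i = 0; i < x.length; i++) {
    x[i] ^= y[i];
  }
}

// Multiply shaped like the reported code: both conditionals depend on secret
// data (the hash key H is one operand, the hashed block the other).
Uint8List multiplyBranchy(Uint8List x, Uint8List y) {
  var z = Uint8List(blockSize);
  var v = Uint8List.fromList(x);
  var r = Uint8List(blockSize)..[0] = 0xE1; // reduction polynomial, GCM bit order
  for (var i = 0; i < 128; i++) {
    if (bit(y, i) == 1) xorInto(z, v);     // branch on an operand bit
    if (shiftRight(v) == 1) xorInto(v, r); // branch on the value of v
  }
  return z;
}

// Same arithmetic, branch-free: the bit becomes a mask, never a jump.
Uint8List multiplyCt(Uint8List x, Uint8List y) {
  var z = Uint8List(blockSize);
  var v = Uint8List.fromList(x);
  var r = Uint8List(blockSize)..[0] = 0xE1;
  for (var i = 0; i < 128; i++) {
    ctXor(z, v, bit(y, i));
    ctXor(v, r, shiftRight(v));
  }
  return z;
}

// Deterministic xorshift32 byte source so the check below is reproducible;
// constructed for this example, not a cryptographic generator.
class XorShift {
  int _s;
  XorShift(this._s);
  int nextByte() {
    _s ^= (_s << 13) & 0xffffffff;
    _s ^= _s >> 17;
    _s ^= (_s << 5) & 0xffffffff;
    return _s & 0xff;
  }

  Uint8List block() =>
      Uint8List.fromList(List.generate(blockSize, (_) => nextByte()));
}

bool sameBytes(Uint8List a, Uint8List b) {
  if (a.length != b.length) return false;
  for (var i = 0; i < a.length; i++) {
    if (a[i] != b[i]) return false;
  }
  return true;
}

void check(bool ok, String what) {
  if (!ok) throw StateError('mismatch: $what');
}

void main() {
  var rng = XorShift(0x9e3779b9);
  // In GCM bit order the field element 1 is 0x80 followed by zero bytes.
  var one = Uint8List(blockSize)..[0] = 0x80;
  for (var n = 0; n < 200; n++) {
    var x = rng.block(), y = rng.block();
    check(sameBytes(multiplyBranchy(x, y), multiplyCt(x, y)), 'branchy vs ct');
    check(sameBytes(multiplyCt(x, y), multiplyCt(y, x)), 'commutativity');
    check(sameBytes(multiplyCt(x, one), x), 'x * 1 == x');
  }
  print('branch-free multiply matches the branchy one on 200 random pairs');
}
```

Run it with `dart run` on the file. The three checks (agreement with the branchy version, commutativity, and multiplication by the field's identity element) are what a reviewer would want to see before swapping the loop body in a library. One caveat specific to this platform: the mask removes the branch at the source level, but Dart's JIT and AOT compilers offer no constant-time guarantee, so a change like this should still be accompanied by timing measurements on the target VM rather than taken on trust.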

mwcw commented 2 years ago

Hi,

Thanks a lot for reporting this issue, release 3.4.0-rc2 should address it.

MW

mwcw commented 2 years ago

https://github.com/bcgit/pc-dart/releases/tag/v3.4.0