From ffe3c9166b35cdb220cc0ecc1614afb8451ae420 Mon Sep 17 00:00:00 2001
From: Thomas Pornin <pornin@bolet.org>
Date: Mon, 6 Aug 2018 00:16:09 +0200
Subject: [PATCH] Made Base64 decoding constant-time (with regards to actual
 data byte contents).

---
 src/codec/pemdec.c  | 125 ++++++++++++++++++++++++--------------------
 src/codec/pemdec.t0 |  22 +++++---
 2 files changed, 83 insertions(+), 64 deletions(-)

diff --git a/src/codec/pemdec.c b/src/codec/pemdec.c
index b599f84..8e54e6d 100644
--- a/src/codec/pemdec.c
+++ b/src/codec/pemdec.c
@@ -122,59 +122,52 @@ static const unsigned char t0_codeblock[] = {
 	0x14, 0x2C, 0x14, 0x01, 0x0A, 0x0D, 0x06, 0x03, 0x13, 0x04, 0x76, 0x01,
 	0x2D, 0x0C, 0x06, 0x05, 0x2E, 0x01, 0x03, 0x2D, 0x00, 0x01, 0x0D, 0x27,
 	0x05, 0x04, 0x01, 0x03, 0x2D, 0x00, 0x15, 0x2E, 0x01, 0x02, 0x2D, 0x00,
-	0x01, 0x01, 0x7F, 0x03, 0x00, 0x24, 0x01, 0x00, 0x17, 0x0D, 0x06, 0x03,
-	0x13, 0x04, 0x3C, 0x01, 0x7F, 0x17, 0x0D, 0x06, 0x13, 0x13, 0x02, 0x00,
-	0x05, 0x06, 0x2E, 0x01, 0x03, 0x2D, 0x04, 0x03, 0x01, 0x7F, 0x22, 0x01,
-	0x00, 0x00, 0x04, 0x23, 0x01, 0x01, 0x17, 0x0D, 0x06, 0x09, 0x13, 0x01,
-	0x00, 0x22, 0x01, 0x00, 0x00, 0x04, 0x14, 0x01, 0x02, 0x17, 0x0D, 0x06,
+	0x01, 0x01, 0x7F, 0x03, 0x00, 0x25, 0x01, 0x00, 0x18, 0x0D, 0x06, 0x03,
+	0x13, 0x04, 0x3C, 0x01, 0x7F, 0x18, 0x0D, 0x06, 0x13, 0x13, 0x02, 0x00,
+	0x05, 0x06, 0x2E, 0x01, 0x03, 0x2D, 0x04, 0x03, 0x01, 0x7F, 0x23, 0x01,
+	0x00, 0x00, 0x04, 0x23, 0x01, 0x01, 0x18, 0x0D, 0x06, 0x09, 0x13, 0x01,
+	0x00, 0x23, 0x01, 0x00, 0x00, 0x04, 0x14, 0x01, 0x02, 0x18, 0x0D, 0x06,
 	0x06, 0x13, 0x01, 0x7F, 0x00, 0x04, 0x08, 0x13, 0x01, 0x03, 0x2D, 0x01,
 	0x00, 0x00, 0x13, 0x01, 0x00, 0x03, 0x00, 0x04, 0xFF, 0x33, 0x01, 0x2C,
 	0x14, 0x01, 0x2D, 0x0D, 0x06, 0x04, 0x13, 0x01, 0x7F, 0x00, 0x14, 0x31,
 	0x06, 0x02, 0x13, 0x29, 0x14, 0x01, 0x0A, 0x0D, 0x06, 0x04, 0x13, 0x01,
-	0x02, 0x00, 0x25, 0x14, 0x1C, 0x06, 0x05, 0x13, 0x2E, 0x01, 0x03, 0x00,
+	0x02, 0x00, 0x16, 0x14, 0x1D, 0x06, 0x05, 0x13, 0x2E, 0x01, 0x03, 0x00,
 	0x03, 0x00, 0x29, 0x14, 0x01, 0x0A, 0x0D, 0x06, 0x04, 0x13, 0x01, 0x03,
-	0x00, 0x25, 0x14, 0x1C, 0x06, 0x05, 0x13, 0x2E, 0x01, 0x03, 0x00, 0x02,
+	0x00, 0x16, 0x14, 0x1D, 0x06, 0x05, 0x13, 0x2E, 0x01, 0x03, 0x00, 0x02,
 	0x00, 0x01, 0x06, 0x0A, 0x07, 0x03, 0x00, 0x29, 0x14, 0x01, 0x0A, 0x0D,
 	0x06, 0x04, 0x13, 0x01, 0x03, 0x00, 0x14, 0x01, 0x3D, 0x0D, 0x06, 0x2E,
 	0x13, 0x29, 0x14, 0x01, 0x0A, 0x0D, 0x06, 0x04, 0x13, 0x01, 0x03, 0x00,
 	0x2F, 0x05, 0x04, 0x13, 0x01, 0x03, 0x00, 0x01, 0x3D, 0x0C, 0x06, 0x03,
 	0x01, 0x03, 0x00, 0x02, 0x00, 0x01, 0x0F, 0x10, 0x06, 0x03, 0x01, 0x03,
-	0x00, 0x02, 0x00, 0x01, 0x04, 0x0F, 0x1B, 0x01, 0x01, 0x00, 0x25, 0x14,
-	0x1C, 0x06, 0x05, 0x13, 0x2E, 0x01, 0x03, 0x00, 0x02, 0x00, 0x01, 0x06,
+	0x00, 0x02, 0x00, 0x01, 0x04, 0x0F, 0x1C, 0x01, 0x01, 0x00, 0x16, 0x14,
+	0x1D, 0x06, 0x05, 0x13, 0x2E, 0x01, 0x03, 0x00, 0x02, 0x00, 0x01, 0x06,
 	0x0A, 0x07, 0x03, 0x00, 0x29, 0x14, 0x01, 0x0A, 0x0D, 0x06, 0x04, 0x13,
 	0x01, 0x03, 0x00, 0x14, 0x01, 0x3D, 0x0D, 0x06, 0x20, 0x13, 0x2F, 0x05,
 	0x03, 0x01, 0x03, 0x00, 0x02, 0x00, 0x01, 0x03, 0x10, 0x06, 0x03, 0x01,
-	0x03, 0x00, 0x02, 0x00, 0x01, 0x0A, 0x0F, 0x1B, 0x02, 0x00, 0x01, 0x02,
-	0x0F, 0x1B, 0x01, 0x01, 0x00, 0x25, 0x14, 0x1C, 0x06, 0x05, 0x13, 0x2E,
+	0x03, 0x00, 0x02, 0x00, 0x01, 0x0A, 0x0F, 0x1C, 0x02, 0x00, 0x01, 0x02,
+	0x0F, 0x1C, 0x01, 0x01, 0x00, 0x16, 0x14, 0x1D, 0x06, 0x05, 0x13, 0x2E,
 	0x01, 0x03, 0x00, 0x02, 0x00, 0x01, 0x06, 0x0A, 0x07, 0x03, 0x00, 0x02,
-	0x00, 0x01, 0x10, 0x0F, 0x1B, 0x02, 0x00, 0x01, 0x08, 0x0F, 0x1B, 0x02,
-	0x00, 0x1B, 0x01, 0x00, 0x00, 0x00, 0x14, 0x14, 0x01, 0x80, 0x41, 0x0E,
-	0x1A, 0x01, 0x80, 0x5A, 0x0B, 0x10, 0x06, 0x05, 0x01, 0x80, 0x41, 0x08,
-	0x00, 0x14, 0x14, 0x01, 0x80, 0x61, 0x0E, 0x1A, 0x01, 0x80, 0x7A, 0x0B,
-	0x10, 0x06, 0x05, 0x01, 0x80, 0x47, 0x08, 0x00, 0x14, 0x14, 0x01, 0x30,
-	0x0E, 0x1A, 0x01, 0x39, 0x0B, 0x10, 0x06, 0x04, 0x01, 0x04, 0x07, 0x00,
-	0x14, 0x01, 0x2B, 0x0D, 0x06, 0x04, 0x13, 0x01, 0x3E, 0x00, 0x14, 0x01,
-	0x2F, 0x0D, 0x06, 0x04, 0x13, 0x01, 0x3F, 0x00, 0x01, 0x3D, 0x0C, 0x1E,
-	0x00, 0x00, 0x28, 0x01, 0x01, 0x2D, 0x23, 0x06, 0x02, 0x04, 0x7B, 0x04,
-	0x75, 0x00, 0x14, 0x12, 0x2A, 0x14, 0x05, 0x04, 0x1F, 0x01, 0x7F, 0x00,
-	0x2C, 0x2A, 0x14, 0x01, 0x0A, 0x0D, 0x06, 0x05, 0x13, 0x1F, 0x01, 0x00,
-	0x00, 0x0D, 0x05, 0x05, 0x13, 0x2E, 0x01, 0x00, 0x00, 0x1D, 0x04, 0x5E,
-	0x00, 0x01, 0x01, 0x27, 0x06, 0x0B, 0x21, 0x01, 0x80, 0x7F, 0x2B, 0x14,
-	0x06, 0x02, 0x30, 0x00, 0x13, 0x04, 0x6E, 0x00, 0x2C, 0x14, 0x31, 0x05,
-	0x01, 0x00, 0x13, 0x04, 0x77, 0x00, 0x14, 0x14, 0x01, 0x80, 0x61, 0x0E,
-	0x1A, 0x01, 0x80, 0x7A, 0x0B, 0x10, 0x06, 0x03, 0x01, 0x20, 0x08, 0x00,
-	0x01, 0x14, 0x03, 0x00, 0x1A, 0x17, 0x05, 0x05, 0x1F, 0x2E, 0x01, 0x00,
-	0x00, 0x2C, 0x14, 0x01, 0x0A, 0x0D, 0x06, 0x06, 0x1F, 0x02, 0x00, 0x1A,
-	0x08, 0x00, 0x14, 0x01, 0x0D, 0x0D, 0x06, 0x03, 0x13, 0x04, 0x03, 0x2A,
-	0x17, 0x19, 0x1D, 0x1A, 0x1E, 0x1A, 0x04, 0x59, 0x00, 0x18, 0x14, 0x1C,
-	0x05, 0x01, 0x00, 0x13, 0x11, 0x04, 0x76, 0x00, 0x20, 0x19, 0x11, 0x00,
-	0x00, 0x2C, 0x01, 0x0A, 0x0C, 0x06, 0x02, 0x04, 0x78, 0x00, 0x01, 0x01,
-	0x7F, 0x03, 0x00, 0x2C, 0x14, 0x01, 0x0A, 0x0C, 0x06, 0x09, 0x31, 0x05,
-	0x04, 0x01, 0x00, 0x03, 0x00, 0x04, 0x70, 0x13, 0x02, 0x00, 0x00, 0x00,
-	0x14, 0x06, 0x14, 0x1E, 0x14, 0x21, 0x07, 0x16, 0x01, 0x2D, 0x0C, 0x06,
-	0x08, 0x21, 0x07, 0x1D, 0x01, 0x00, 0x1A, 0x19, 0x00, 0x04, 0x69, 0x21,
-	0x19, 0x00, 0x00, 0x14, 0x01, 0x0A, 0x0C, 0x1A, 0x01, 0x20, 0x0B, 0x10,
-	0x00
+	0x00, 0x01, 0x10, 0x0F, 0x1C, 0x02, 0x00, 0x01, 0x08, 0x0F, 0x1C, 0x02,
+	0x00, 0x1C, 0x01, 0x00, 0x00, 0x00, 0x28, 0x01, 0x01, 0x2D, 0x24, 0x06,
+	0x02, 0x04, 0x7B, 0x04, 0x75, 0x00, 0x14, 0x12, 0x2A, 0x14, 0x05, 0x04,
+	0x20, 0x01, 0x7F, 0x00, 0x2C, 0x2A, 0x14, 0x01, 0x0A, 0x0D, 0x06, 0x05,
+	0x13, 0x20, 0x01, 0x00, 0x00, 0x0D, 0x05, 0x05, 0x13, 0x2E, 0x01, 0x00,
+	0x00, 0x1E, 0x04, 0x5E, 0x00, 0x01, 0x01, 0x27, 0x06, 0x0B, 0x22, 0x01,
+	0x80, 0x7F, 0x2B, 0x14, 0x06, 0x02, 0x30, 0x00, 0x13, 0x04, 0x6E, 0x00,
+	0x2C, 0x14, 0x31, 0x05, 0x01, 0x00, 0x13, 0x04, 0x77, 0x00, 0x14, 0x14,
+	0x01, 0x80, 0x61, 0x0E, 0x1B, 0x01, 0x80, 0x7A, 0x0B, 0x10, 0x06, 0x03,
+	0x01, 0x20, 0x08, 0x00, 0x01, 0x14, 0x03, 0x00, 0x1B, 0x18, 0x05, 0x05,
+	0x20, 0x2E, 0x01, 0x00, 0x00, 0x2C, 0x14, 0x01, 0x0A, 0x0D, 0x06, 0x06,
+	0x20, 0x02, 0x00, 0x1B, 0x08, 0x00, 0x14, 0x01, 0x0D, 0x0D, 0x06, 0x03,
+	0x13, 0x04, 0x03, 0x2A, 0x18, 0x1A, 0x1E, 0x1B, 0x1F, 0x1B, 0x04, 0x59,
+	0x00, 0x19, 0x14, 0x1D, 0x05, 0x01, 0x00, 0x13, 0x11, 0x04, 0x76, 0x00,
+	0x21, 0x1A, 0x11, 0x00, 0x00, 0x2C, 0x01, 0x0A, 0x0C, 0x06, 0x02, 0x04,
+	0x78, 0x00, 0x01, 0x01, 0x7F, 0x03, 0x00, 0x2C, 0x14, 0x01, 0x0A, 0x0C,
+	0x06, 0x09, 0x31, 0x05, 0x04, 0x01, 0x00, 0x03, 0x00, 0x04, 0x70, 0x13,
+	0x02, 0x00, 0x00, 0x00, 0x14, 0x06, 0x14, 0x1F, 0x14, 0x22, 0x07, 0x17,
+	0x01, 0x2D, 0x0C, 0x06, 0x08, 0x22, 0x07, 0x1E, 0x01, 0x00, 0x1B, 0x1A,
+	0x00, 0x04, 0x69, 0x22, 0x1A, 0x00, 0x00, 0x14, 0x01, 0x0A, 0x0C, 0x1B,
+	0x01, 0x20, 0x0B, 0x10, 0x00
 };
 
 static const uint16_t t0_caddr[] = {
@@ -188,21 +181,20 @@ static const uint16_t t0_caddr[] = {
 	67,
 	149,
 	384,
-	464,
-	476,
-	511,
-	530,
-	540,
-	559,
-	603,
-	614,
-	619,
-	629,
-	654,
-	681
+	396,
+	431,
+	450,
+	460,
+	479,
+	523,
+	534,
+	539,
+	549,
+	574,
+	601
 };
 
-#define T0_INTERPRETED   28
+#define T0_INTERPRETED   29
 
 #define T0_ENTER(ip, rp, slot)   do { \
 		const unsigned char *t0_newip; \
@@ -450,6 +442,25 @@ br_pem_decoder_run(void *t0ctx)
 				}
 				break;
 			case 22: {
+				/* from-base64 */
+
+	uint32_t c = T0_POP();
+	uint32_t p, q, r, z;
+	p = c - 0x41;
+	q = c - 0x61;
+	r = c - 0x30;
+
+	z = ((p + 2) & -LT(p, 26))
+		| ((q + 28) & -LT(q, 26))
+		| ((r + 54) & -LT(r, 10))
+		| (64 & -EQ(c, 0x2B))
+		| (65 & -EQ(c, 0x2F))
+		| EQ(c, 0x3D);
+	T0_PUSHi((int32_t)z - 2);
+
+				}
+				break;
+			case 23: {
 				/* get8 */
 
 	size_t addr = T0_POP();
@@ -457,12 +468,12 @@ br_pem_decoder_run(void *t0ctx)
 
 				}
 				break;
-			case 23: {
+			case 24: {
 				/* over */
  T0_PUSH(T0_PEEK(1)); 
 				}
 				break;
-			case 24: {
+			case 25: {
 				/* read8-native */
 
 	if (CTX->hlen > 0) {
@@ -474,7 +485,7 @@ br_pem_decoder_run(void *t0ctx)
 
 				}
 				break;
-			case 25: {
+			case 26: {
 				/* set8 */
 
 	size_t addr = T0_POP();
@@ -483,12 +494,12 @@ br_pem_decoder_run(void *t0ctx)
 
 				}
 				break;
-			case 26: {
+			case 27: {
 				/* swap */
  T0_SWAP(); 
 				}
 				break;
-			case 27: {
+			case 28: {
 				/* write8 */
 
 	unsigned char x = (unsigned char)T0_POP();
diff --git a/src/codec/pemdec.t0 b/src/codec/pemdec.t0
index 4ebf0dd..2237abb 100644
--- a/src/codec/pemdec.t0
+++ b/src/codec/pemdec.t0
@@ -170,13 +170,21 @@ cc: read8-native ( -- x ) {
 
 \ Convert a Base64 character to its numerical value. Returned value is
 \ 0 to 63 for Base64 characters, -1 for '=', and -2 for all other characters.
-: from-base64 ( char -- x )
-	dup dup `A >= swap `Z <= and if 65 - ret then
-	dup dup `a >= swap `z <= and if 71 - ret then
-	dup dup `0 >= swap `9 <= and if 4 + ret then
-	dup `+ = if drop 62 ret then
-	dup `/ = if drop 63 ret then
-	`= <> 1- ;
+cc: from-base64 ( char -- x ) {
+	uint32_t c = T0_POP();
+	uint32_t p, q, r, z;
+	p = c - 0x41;
+	q = c - 0x61;
+	r = c - 0x30;
+
+	z = ((p + 2) & -LT(p, 26))
+		| ((q + 28) & -LT(q, 26))
+		| ((r + 54) & -LT(r, 10))
+		| (64 & -EQ(c, 0x2B))
+		| (65 & -EQ(c, 0x2F))
+		| EQ(c, 0x3D);
+	T0_PUSHi((int32_t)z - 2);
+}
 
 \ Test whether a character is whitespace (but not a newline).
 : ws? ( x -- bool )
-- 
2.17.1