File libgcrypt-CVE-2024-2236_06.patch of Package libgcrypt.39917

From 39ce60e45ef08a15dae068ee9990b8f70af93408 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 7 Jun 2024 14:42:33 +0200
Subject: [PATCH 06/11] rsa: Do not accept invalid PKCS#1.5 padding when
 deciphering

The current code can accept 0-length padding when deciphering
PKCS#1.5 ciphertext. This is against the specification and hopefully
nobody depends on this.

--
* cipher/rsa-common.c (_gcry_rsa_pkcs1_decode_for_enc): Fail for too
  short padding.
* src/const-time.h (ct_lt_s): New.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
 cipher/rsa-common.c | 2 ++
 src/const-time.h    | 6 ++++++
 2 files changed, 8 insertions(+)

Index: libgcrypt-1.6.1/cipher/rsa-common.c
===================================================================
--- libgcrypt-1.6.1.orig/cipher/rsa-common.c
+++ libgcrypt-1.6.1/cipher/rsa-common.c
@@ -246,7 +246,9 @@ _gcry_rsa_pkcs1_decode_for_enc (unsigned
     }
 
   failed |= not_found;
-  n0 += !not_found; /* Skip the zero byte.  */
+  n0 += ct_is_zero (not_found); /* Skip the zero byte.  */
+  /* the valid padding is at least 8 bytes -- the plaintext needs to start at index 11 or later */
+  failed |= ct_lt_s (n0, 11);
 
   /* To avoid an extra allocation we reuse the frame buffer.  The only
      caller of this function will anyway free the result soon.  */
Index: libgcrypt-1.6.1/src/const-time.h
===================================================================
--- libgcrypt-1.6.1.orig/src/const-time.h
+++ libgcrypt-1.6.1/src/const-time.h
@@ -17,6 +17,13 @@
  * License along with this program; if not, see <https://www.gnu.org/licenses/>.
  */
 
+ 
+static inline size_t
+ct_lt_s (size_t a, size_t b)
+{
+  return ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(size_t) * 8 - 1));
+}
+
 /*
  * Return 1 if it's not same, 0 if same.
  */