author | tb <> | 2018-08-19 20:15:30 +0000 |
---|---|---|
committer | tb <> | 2018-08-19 20:15:30 +0000 |
commit | f4727c912d72e95a2522207dc2024bb85796a201 (patch) | |
tree | 7fea73075fe8e14d0c739be1ccec294768d279ba /src | |
parent | c27ef471eb0aec48d659006b6824c47b96405f3c (diff) | |
Don't leak db on error in RSA_padding_check_PKCS1_OAEP().
CID #183499.
input & ok jsing, ok mestre on first version
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libcrypto/rsa/rsa_oaep.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c index a62927506e..555205813a 100644 --- a/src/lib/libcrypto/rsa/rsa_oaep.c +++ b/src/lib/libcrypto/rsa/rsa_oaep.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: rsa_oaep.c,v 1.27 2018/08/05 13:30:04 bcook Exp $ */ | 1 | /* $OpenBSD: rsa_oaep.c,v 1.28 2018/08/19 20:15:30 tb Exp $ */ |
2 | /* Written by Ulf Moeller. This software is distributed on an "AS IS" | 2 | /* Written by Ulf Moeller. This software is distributed on an "AS IS" |
3 | basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */ | 3 | basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */ |
4 | 4 | ||
@@ -126,8 +126,7 @@ RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, | |||
126 | } | 126 | } |
127 | 127 | ||
128 | dblen = num - SHA_DIGEST_LENGTH; | 128 | dblen = num - SHA_DIGEST_LENGTH; |
129 | db = malloc(dblen + num); | 129 | if ((db = malloc(dblen + num)) == NULL) { |
130 | if (db == NULL) { | ||
131 | RSAerror(ERR_R_MALLOC_FAILURE); | 130 | RSAerror(ERR_R_MALLOC_FAILURE); |
132 | return -1; | 131 | return -1; |
133 | } | 132 | } |
@@ -143,17 +142,17 @@ RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, | |||
143 | maskeddb = padded_from + SHA_DIGEST_LENGTH; | 142 | maskeddb = padded_from + SHA_DIGEST_LENGTH; |
144 | 143 | ||
145 | if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen)) | 144 | if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen)) |
146 | return -1; | 145 | goto err; |
147 | for (i = 0; i < SHA_DIGEST_LENGTH; i++) | 146 | for (i = 0; i < SHA_DIGEST_LENGTH; i++) |
148 | seed[i] ^= padded_from[i]; | 147 | seed[i] ^= padded_from[i]; |
149 | 148 | ||
150 | if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH)) | 149 | if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH)) |
151 | return -1; | 150 | goto err; |
152 | for (i = 0; i < dblen; i++) | 151 | for (i = 0; i < dblen; i++) |
153 | db[i] ^= maskeddb[i]; | 152 | db[i] ^= maskeddb[i]; |
154 | 153 | ||
155 | if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL)) | 154 | if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL)) |
156 | return -1; | 155 | goto err; |
157 | 156 | ||
158 | if (timingsafe_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) | 157 | if (timingsafe_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) |
159 | goto decoding_err; | 158 | goto decoding_err; |
@@ -177,12 +176,13 @@ RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, | |||
177 | free(db); | 176 | free(db); |
178 | return mlen; | 177 | return mlen; |
179 | 178 | ||
180 | decoding_err: | 179 | decoding_err: |
181 | /* | 180 | /* |
182 | * To avoid chosen ciphertext attacks, the error message should not | 181 | * To avoid chosen ciphertext attacks, the error message should not |
183 | * reveal which kind of decoding error happened | 182 | * reveal which kind of decoding error happened |
184 | */ | 183 | */ |
185 | RSAerror(RSA_R_OAEP_DECODING_ERROR); | 184 | RSAerror(RSA_R_OAEP_DECODING_ERROR); |
185 | err: | ||
186 | free(db); | 186 | free(db); |
187 | return -1; | 187 | return -1; |
188 | } | 188 | } |
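Review bot: The new `err:` label releases `db` with a plain `free(db)`, but by the time the later `goto err`/`decoding_err` paths reach it, `db` holds the unmasked data block — the `db[i] ^= maskeddb[i]` loop in the second hunk fills it with the recovered OAEP DB (the hash part is compared against `phash` right after, and presumably the message is copied out of it further down, outside the hunk) — so on the decryption side this is plaintext-derived material left behind in freed memory. The label should scrub before releasing: `freezero(db, dblen + num);` in place of `free(db);` under `err:`. The first `goto err` (the `MGF1` call on `maskeddb`) fires before anything has been written into `db`, so clearing there is harmless, and the success-path `free(db)` shown as context above the third hunk has the same exposure and could use the same call. That the `MGF1`/`EVP_Digest` failure paths set no RSA error code is pre-existing behaviour and not addressed here. The signature of RSA_padding_check_PKCS1_OAEP and the declarations of `db`, `seed` and `maskeddb` are outside the hunks shown.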