diff options
Diffstat (limited to 'src/lib/libcrypto/rsa/rsa_oaep.c')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_oaep.c | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c index fd0b7f361f..1849e55cd5 100644 --- a/src/lib/libcrypto/rsa/rsa_oaep.c +++ b/src/lib/libcrypto/rsa/rsa_oaep.c | |||
| @@ -77,14 +77,16 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, | |||
| 77 | int i, dblen, mlen = -1; | 77 | int i, dblen, mlen = -1; |
| 78 | unsigned char *maskeddb; | 78 | unsigned char *maskeddb; |
| 79 | int lzero; | 79 | int lzero; |
| 80 | unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; | 80 | unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; |
| 81 | 81 | ||
| 82 | if (--num < 2 * SHA_DIGEST_LENGTH + 1) | 82 | if (--num < 2 * SHA_DIGEST_LENGTH + 1) |
| 83 | { | 83 | goto decoding_err; |
| 84 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); | ||
| 85 | return (-1); | ||
| 86 | } | ||
| 87 | 84 | ||
| 85 | lzero = num - flen; | ||
| 86 | if (lzero < 0) | ||
| 87 | goto decoding_err; | ||
| 88 | maskeddb = from - lzero + SHA_DIGEST_LENGTH; | ||
| 89 | |||
| 88 | dblen = num - SHA_DIGEST_LENGTH; | 90 | dblen = num - SHA_DIGEST_LENGTH; |
| 89 | db = OPENSSL_malloc(dblen); | 91 | db = OPENSSL_malloc(dblen); |
| 90 | if (db == NULL) | 92 | if (db == NULL) |
| @@ -93,9 +95,6 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, | |||
| 93 | return (-1); | 95 | return (-1); |
| 94 | } | 96 | } |
| 95 | 97 | ||
| 96 | lzero = num - flen; | ||
| 97 | maskeddb = from - lzero + SHA_DIGEST_LENGTH; | ||
| 98 | |||
| 99 | MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen); | 98 | MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen); |
| 100 | for (i = lzero; i < SHA_DIGEST_LENGTH; i++) | 99 | for (i = lzero; i < SHA_DIGEST_LENGTH; i++) |
| 101 | seed[i] ^= from[i - lzero]; | 100 | seed[i] ^= from[i - lzero]; |
| @@ -107,21 +106,20 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, | |||
| 107 | SHA1(param, plen, phash); | 106 | SHA1(param, plen, phash); |
| 108 | 107 | ||
| 109 | if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0) | 108 | if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0) |
| 110 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); | 109 | goto decoding_err; |
| 111 | else | 110 | else |
| 112 | { | 111 | { |
| 113 | for (i = SHA_DIGEST_LENGTH; i < dblen; i++) | 112 | for (i = SHA_DIGEST_LENGTH; i < dblen; i++) |
| 114 | if (db[i] != 0x00) | 113 | if (db[i] != 0x00) |
| 115 | break; | 114 | break; |
| 116 | if (db[i] != 0x01 || i++ >= dblen) | 115 | if (db[i] != 0x01 || i++ >= dblen) |
| 117 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, | 116 | goto decoding_err; |
| 118 | RSA_R_OAEP_DECODING_ERROR); | ||
| 119 | else | 117 | else |
| 120 | { | 118 | { |
| 121 | mlen = dblen - i; | 119 | mlen = dblen - i; |
| 122 | if (tlen < mlen) | 120 | if (tlen < mlen) |
| 123 | { | 121 | { |
| 124 | RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); | 122 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); |
| 125 | mlen = -1; | 123 | mlen = -1; |
| 126 | } | 124 | } |
| 127 | else | 125 | else |
| @@ -130,6 +128,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, | |||
| 130 | } | 128 | } |
| 131 | OPENSSL_free(db); | 129 | OPENSSL_free(db); |
| 132 | return (mlen); | 130 | return (mlen); |
| 131 | |||
| 132 | decoding_err: | ||
| 133 | /* to avoid chosen ciphertext attacks, the error message should not reveal | ||
| 134 | * which kind of decoding error happened */ | ||
| 135 | RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); | ||
| 136 | if (db != NULL) OPENSSL_free(db); | ||
| 137 | return -1; | ||
| 133 | } | 138 | } |
| 134 | 139 | ||
| 135 | int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen) | 140 | int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen) |