Diffstat (limited to 'src/lib/libcrypto/rsa')
| -rw-r--r-- | src/lib/libcrypto/rsa/rsa_oaep.c | 22 |
1 files changed, 11 insertions, 11 deletions
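--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_oaep.c,v 1.34 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: rsa_oaep.c,v 1.35 2022/02/20 19:16:34 tb Exp $ */
 /*
 * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
@@ -224,17 +224,16 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 from -= 1 & mask;
 *--em = *from & mask;
 }
-from = em;
 
 /*
 * The first byte must be zero, however we must not leak if this is
 * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
 * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
 */
-good = constant_time_is_zero(from[0]);
+good = constant_time_is_zero(em[0]);
 
-maskedseed = from + 1;
-maskeddb = from + 1 + mdlen;
+maskedseed = em + 1;
+maskeddb = em + 1 + mdlen;
 
 if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
 goto cleanup;
@@ -290,15 +289,16 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
 * should be noted that failure is indistinguishable from normal
 * operation if |tlen| is fixed by protocol.
 */
-tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
+tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
+dblen - mdlen - 1, tlen);
 msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
 mlen = dblen - msg_index;
-for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
-unsigned int equals = constant_time_eq(i, mlen);
+for (mask = good, i = 0; i < tlen; i++) {
+unsigned int equals = constant_time_eq(msg_index, dblen);
 
-from -= dblen & equals; /* if (i == mlen) rewind */
-mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
-to[i] = constant_time_select_8(mask, from[i], to[i]);
+msg_index -= tlen & equals; /* rewind at EOF */
+mask &= ~equals; /* mask = 0 at EOF */
+to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
 }
 
 /*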
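Review bot: The `/* rewind at EOF */` comment on new line 299 does not record why the rewound index stays inside `db`: it depends on the clamp on new lines 292-293 (`tlen <= dblen - mdlen - 1`), which makes `dblen - tlen >= mdlen + 1`, so after `msg_index -= tlen` the reads on new line 301 never reach back into the hash prefix, and the bytes read while `mask` is zero are discarded by `constant_time_select_8` anyway. I would make that explicit next to the rewind, e.g. `/* rewind at EOF; stays in db since tlen <= dblen - mdlen - 1 (clamped above) */`. Note also that the loop now advances `msg_index`, so after it `msg_index` no longer holds the message offset, and `mlen` (new line 295) is no longer read inside the loop; whether either is used later is outside the visible lines, so check the remainder of RSA_padding_check_PKCS1_OAEP_mgf1, which starts before and continues past this hunk.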
