int i, dblen, mlen = -1;
const unsigned char *maskeddb;
int lzero;
- unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+ unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
if (--num < 2 * SHA_DIGEST_LENGTH + 1)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
- return (-1);
- }
+ goto decoding_err;
lzero = num - flen;
if (lzero < 0)
- {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
- return (-1);
- }
+ goto decoding_err;
maskeddb = from - lzero + SHA_DIGEST_LENGTH;
dblen = num - SHA_DIGEST_LENGTH;
SHA1(param, plen, phash);
if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+ goto decoding_err;
else
{
for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
}
OPENSSL_free(db);
return (mlen);
+
+decoding_err:
+ /* to avoid chosen ciphertext attacks, the error message should not reveal
+ * which kind of decoding error happened */
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+ if (db != NULL) OPENSSL_free(db);
+ return -1;
}
int MGF1(unsigned char *mask, long len,