when checking OAEP, signal just a single kind of 'decoding error'

diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 164cd0df3206f6988a0d9f9035f4b23d409cd07f..581c495997f8d93c9309cb7ec118ed9b71daacea 100644 (file)
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -77,20 +77,14 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
     int i, dblen, mlen = -1;
     unsigned char *maskeddb;
     int lzero;
-    unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+    unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
 
     if (--num < 2 * SHA_DIGEST_LENGTH + 1)
-       {
-       RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
-       return (-1);
-       }
+       goto decoding_err;
 
     lzero = num - flen;
     if (lzero < 0)
-       {
-       RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
-       return (-1);
-       }
+       goto decoding_err;
     maskeddb = from - lzero + SHA_DIGEST_LENGTH;
     
     dblen = num - SHA_DIGEST_LENGTH;
@@ -112,7 +106,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
     SHA1(param, plen, phash);
 
     if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
-       RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+       goto decoding_err;
     else
        {
        for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
@@ -135,6 +129,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
        }
     OPENSSL_free(db);
     return (mlen);
+
+decoding_err:
+    /* to avoid chosen ciphertext attacks, the error message should not reveal
+     * which kind of decoding error happened */
+    RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+    if (db != NULL) OPENSSL_free(db);
+    return -1;
     }
 
 int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)