From 20e021bf41828439529eb7839286bf919ba7dfc4 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Wed, 6 Jun 2001 18:48:49 +0000 Subject: [PATCH] when checking OAEP, signal just a single kind of 'decoding error' --- crypto/rsa/rsa_oaep.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 64b59ee121..a893142fdb 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -94,20 +94,14 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, int i, dblen, mlen = -1; const unsigned char *maskeddb; int lzero; - unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; + unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; if (--num < 2 * SHA_DIGEST_LENGTH + 1) - { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); - return (-1); - } + goto decoding_err; lzero = num - flen; if (lzero < 0) - { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); - return (-1); - } + goto decoding_err; maskeddb = from - lzero + SHA_DIGEST_LENGTH; dblen = num - SHA_DIGEST_LENGTH; @@ -129,7 +123,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, SHA1(param, plen, phash); if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0) - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); + goto decoding_err; else { for (i = SHA_DIGEST_LENGTH; i < dblen; i++) @@ -152,6 +146,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, } OPENSSL_free(db); return (mlen); + +decoding_err: + /* to avoid chosen ciphertext attacks, the error message should not reveal + * which kind of decoding error happened */ + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); + if (db != NULL) OPENSSL_free(db); + return -1; } int MGF1(unsigned char *mask, long len, -- 2.25.1