From 7ae8106af87f1d9f94bbc9ac65b819f0473cf57e Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Wed, 26 Apr 2017 09:59:18 +0200 Subject: [PATCH] Remove unnecessary loop in pkey_rsa_decrypt. It is not necessary to remove leading zeros here because RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done in constant time, this might have leaked timing information. Reviewed-by: Rich Salz Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/3313) (cherry picked from commit 237bc6c997e42295eeb32c8c1c709e6e6042b839) --- crypto/rsa/rsa_pmeth.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index db4fb0fbf7..2d1dffbbb5 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -302,19 +302,14 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, int ret; RSA_PKEY_CTX *rctx = ctx->data; if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { - int i; if (!setup_tbuf(rctx, ctx)) return -1; ret = RSA_private_decrypt(inlen, in, rctx->tbuf, ctx->pkey->pkey.rsa, RSA_NO_PADDING); if (ret <= 0) return ret; - for (i = 0; i < ret; i++) { - if (rctx->tbuf[i]) - break; - } - ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf + i, - ret - i, ret, + ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, + ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md, rctx->mgf1md); -- 2.25.1