when checking OAEP, signal just a single kind of 'decoding error'

20e021bf · Bodo Möller · 8ca2ae77 · 20e021bf
隐藏空白更改
内联并排

Showing with 11 addition and 10 deletion

crypto/rsa/rsa_oaep.c crypto/rsa/rsa_oaep.c +11 -10

未找到文件。
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -94,20 +94,14 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
    int i, dblen, mlen = -1;
    const unsigned char *maskeddb;
    int lzero;
-    unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+    unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
    if (--num < 2 * SHA_DIGEST_LENGTH + 1)
-	{
+	goto decoding_err;
-	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
-	return (-1);
-	}
    lzero = num - flen;
    if (lzero < 0)
-	{
+	goto decoding_err;
-	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
-	return (-1);
-	}
    maskeddb = from - lzero + SHA_DIGEST_LENGTH;
    dblen = num - SHA_DIGEST_LENGTH;
@@ -129,7 +123,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
    SHA1(param, plen, phash);
    if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
-	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+	goto decoding_err;
    else
 	{
 	for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
@@ -152,6 +146,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 	}
    OPENSSL_free(db);
    return (mlen);
+decoding_err:
+    /* to avoid chosen ciphertext attacks, the error message should not reveal
+     * which kind of decoding error happened */
+    RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+    if (db != NULL) OPENSSL_free(db);
+    return -1;
    }
 int MGF1(unsigned char *mask, long len,