authorBernd Edlinger <bernd.edlinger@hotmail.de>2017-04-26 09:59:18 +0200
committerRich Salz <rsalz@openssl.org>2017-04-26 21:00:16 -0400
commitde46e8246bf30f9d8a6b8a66b37f8bf63115aeb6 (patch)
tree1da42cc4d561e9426601286490b5b6d73c8341ce /crypto/rsa
parentb99f1023f8ac357ffb8d009cf78fba586de26b5a (diff)
Remove unnecessary loop in pkey_rsa_decrypt.
It is not necessary to remove leading zeros here because RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done in constant time, this might have leaked timing information. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3313) (cherry picked from commit 237bc6c997e42295eeb32c8c1c709e6e6042b839)
Diffstat (limited to 'crypto/rsa')
-rw-r--r--crypto/rsa/rsa_pmeth.c9
1 files changed, 2 insertions, 7 deletions
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index ac583bf60b..8896e2e977 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -446,19 +446,14 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
int ret;
RSA_PKEY_CTX *rctx = ctx->data;
if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
- int i;
if (!setup_tbuf(rctx, ctx))
return -1;
ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
ctx->pkey->pkey.rsa, RSA_NO_PADDING);
if (ret <= 0)
return ret;
- for (i = 0; i < ret; i++) {
- if (rctx->tbuf[i])
- break;
- }
- ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf + i,
- ret - i, ret,
+ ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
+ ret, ret,
rctx->oaep_label,
rctx->oaep_labellen,
rctx->md, rctx->mgf1md);
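Review bot: The reason the whole RSA_NO_PADDING output is now handed to RSA_padding_check_PKCS1_OAEP_mgf1 lives only in the commit message; a comment at the call site would stop a later cleanup from reintroducing the leading-zero scan, e.g. `/* Pass the full RSA_NO_PADDING block: the OAEP check handles leading zeros itself, and stripping them here would not be constant-time. */`. Separately, `ret` is passed as the tlen argument, so `out` is assumed to hold at least the full block RSA_private_decrypt wrote into tbuf; whether the caller's capacity is checked is not visible in this hunk, so either confirm that or document the requirement on the function. pkey_rsa_decrypt starts before the hunk and continues past it.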