diff options
author | Bernd Edlinger <bernd.edlinger@hotmail.de> | 2017-04-26 09:59:18 +0200 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2017-04-26 20:47:37 -0400 |
commit | 237bc6c997e42295eeb32c8c1c709e6e6042b839 (patch) | |
tree | bb8a8bc22699b4e9a9f83b37231be45f4d29ad80 /crypto/rsa | |
parent | cf10df81e11eaba257368d1996a24fc3fc6d37f4 (diff) |
Remove unnecessary loop in pkey_rsa_decrypt.
It is not necessary to remove leading zeros here because
RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done
in constant time, this might have leaked timing information.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3313)
Diffstat (limited to 'crypto/rsa')
-rw-r--r-- | crypto/rsa/rsa_pmeth.c | 9 |
1 files changed, 2 insertions, 7 deletions
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index 0292b26e6c..4ba713910c 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -316,19 +316,14 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, RSA_PKEY_CTX *rctx = ctx->data; if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { - int i; if (!setup_tbuf(rctx, ctx)) return -1; ret = RSA_private_decrypt(inlen, in, rctx->tbuf, ctx->pkey->pkey.rsa, RSA_NO_PADDING); if (ret <= 0) return ret; - for (i = 0; i < ret; i++) { - if (rctx->tbuf[i]) - break; - } - ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf + i, - ret - i, ret, + ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, + ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md, rctx->mgf1md); |