github.com/mono/boringssl.git
author    Adam Langley <agl@chromium.org>  2014-06-20 23:00:00 +0400
committer Adam Langley <agl@chromium.org>  2014-06-21 00:17:37 +0400
commit    6887edb917ba9ecbed85f9d63ec36638b1d1dbb6 (patch)
tree      f7b5e79542b15d85b999a2351c3964c8e34a145f /crypto/evp
parent    aacec17a630eacfb8023a4a3075f0ea51629eb98 (diff)
Improvements in constant-time OAEP decoding.
This change adds a new function, BN_bn2bin_padded, that attempts, as much as possible, to serialise a BIGNUM in constant time. This is used to avoid some timing leaks in RSA decryption.
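The commit message only names BN_bn2bin_padded and the leak it is meant to close. The following is an added example, not BoringSSL's code: a toy fixed-limb integer (`toy_bn`, `toy_bn2bin_padded`, `strip_leading_zeros_vartime` and `toy_selfcheck` are all hypothetical names chosen for this illustration) that puts the variable-time leading-zero scan this commit removes from p_rsa.c next to a fixed-length, left-padded serialisation whose loop bounds and memory accesses depend only on the requested length, never on the value being serialised.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not BoringSSL code.  A toy fixed-width integer with
 * N_WORDS little-endian 64-bit limbs; because the limb count is fixed,
 * nothing below needs to know how many limbs happen to be non-zero. */
#define N_WORDS 4                   /* 256-bit toy modulus width */
#define N_BYTES (N_WORDS * 8)

typedef struct {
    uint64_t d[N_WORDS];            /* d[0] is the least significant limb */
} toy_bn;

/* The variable-time pattern the commit removes from pkey_rsa_decrypt:
 * scan for the first non-zero byte and break.  The iteration count equals
 * the number of leading zero bytes of the decrypted value, so elapsed time
 * leaks information about the (secret) plaintext. */
size_t strip_leading_zeros_vartime(const uint8_t *buf, size_t len) {
    size_t i;
    for (i = 0; i < len; i++) {
        if (buf[i]) {
            break;
        }
    }
    return i;
}

/* Constant-time serialisation in the spirit of BN_bn2bin_padded: write
 * exactly |len| big-endian bytes of |in|, left-padded with zeros.  Loop
 * bounds and array indices depend only on |len| and N_WORDS.  Returns 0
 * if |in| does not fit in |len| bytes; that check OR-accumulates the
 * discarded high bytes instead of returning at the first non-zero one. */
int toy_bn2bin_padded(uint8_t *out, size_t len, const toy_bn *in) {
    uint8_t overflow = 0;
    size_t i;

    for (i = len; i < N_BYTES; i++) {
        overflow |= (uint8_t)(in->d[i / 8] >> (8 * (i % 8)));
    }
    for (i = 0; i < len; i++) {
        size_t p = len - 1 - i;     /* byte position, 0 = least significant */
        /* p >= N_BYTES depends only on len, so this branch is not secret-dependent. */
        out[i] = (p < N_BYTES) ? (uint8_t)(in->d[p / 8] >> (8 * (p % 8))) : 0;
    }
    return overflow == 0;
}

/* Self-check on constructed values: 0x0102 padded to 32 bytes has 30 leading
 * zeros, is rejected by a 1-byte buffer, and pads correctly into 35 bytes. */
int toy_selfcheck(void) {
    toy_bn v = { { 0x0102, 0, 0, 0 } };
    toy_bn w = { { 0x02, 0, 0, 0 } };
    uint8_t buf[N_BYTES];
    uint8_t big[N_BYTES + 3];
    uint8_t one;

    if (!toy_bn2bin_padded(buf, sizeof(buf), &v)) return 0;
    if (strip_leading_zeros_vartime(buf, sizeof(buf)) != N_BYTES - 2) return 0;
    if (buf[N_BYTES - 2] != 0x01 || buf[N_BYTES - 1] != 0x02) return 0;
    if (toy_bn2bin_padded(&one, 1, &v)) return 0;          /* 0x0102 needs 2 bytes */
    if (!toy_bn2bin_padded(&one, 1, &w) || one != 0x02) return 0;
    if (!toy_bn2bin_padded(big, sizeof(big), &v)) return 0;
    if (big[0] || big[1] || big[2] || big[sizeof(big) - 1] != 0x02) return 0;
    return 1;
}

int main(void) {
    toy_bn v = { { 0x0102, 0, 0, 0 } };
    uint8_t buf[N_BYTES];
    size_t i;

    toy_bn2bin_padded(buf, sizeof(buf), &v);
    for (i = 0; i < sizeof(buf); i++) {
        printf("%02x", buf[i]);
    }
    printf("\nfirst non-zero byte at offset %zu (variable-time scan)\n",
           strip_leading_zeros_vartime(buf, sizeof(buf)));
    printf("self-check %s\n", toy_selfcheck() ? "ok" : "FAILED");
    return toy_selfcheck() ? 0 : 1;
}
```

The shape mirrors the patched decrypt path: once the buffer handed to the OAEP check is always exactly the padded key-size length, there is no offset left to compute, so the scan is deleted rather than rewritten branch-free.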
Diffstat (limited to 'crypto/evp')
-rw-r--r--  crypto/evp/p_rsa.c | 8
1 file changed, 1 insertion, 7 deletions
diff --git a/crypto/evp/p_rsa.c b/crypto/evp/p_rsa.c
index 2fab371f..0128950e 100644
--- a/crypto/evp/p_rsa.c
+++ b/crypto/evp/p_rsa.c
@@ -299,7 +299,6 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
RSA_PKEY_CTX *rctx = ctx->data;
if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
- int i;
if (!setup_tbuf(rctx, ctx)) {
return -1;
}
@@ -308,13 +307,8 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,
if (ret <= 0) {
return ret;
}
- for (i = 0; i < ret; i++) {
- if (rctx->tbuf[i]) {
- break;
- }
- }
ret = RSA_padding_check_PKCS1_OAEP_mgf1(
- out, ret, rctx->tbuf + i, ret - i, ret, rctx->oaep_label,
+ out, ret, rctx->tbuf, ret, rctx->oaep_label,
rctx->oaep_labellen, rctx->md, rctx->mgf1md);
} else {
ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
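Review bot: the new call `out, ret, rctx->tbuf, ret, rctx->oaep_label,` passes the same `ret` as both flen and tlen, so correctness now rests entirely on the private-decrypt step elided just above this hunk filling `tbuf` with a left-padded result of exactly the modulus length; if that step still produces a BN_bn2bin-style length with leading zeros dropped, the OAEP check receives a short input and decryptions whose encoded message begins with zero bytes will fail. The commit message attributes the padding to BN_bn2bin_padded, which is outside this file's diff, so a one-line comment at the `RSA_padding_check_PKCS1_OAEP_mgf1` call stating that `tbuf` is expected to hold exactly `ret` bytes padded to the key size would make the dependency visible to the next reader. Removing the loop rather than rewriting it without the `break` is the right choice: the scan's iteration count equalled the number of leading zero bytes of the secret decrypted value, which is exactly the timing signal, and the OAEP decoder wants the zero-padded, modulus-length value in any case.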