
github.com/mono/boringssl.git - Unnamed repository; edit this file 'description' to name the repository.
path: root/crypto
author David Benjamin <davidben@chromium.org> 2014-12-30 02:41:09 +0300
committer Adam Langley <agl@google.com> 2015-01-15 00:52:36 +0300
commit c61517cb5a7fe72ccbc8c8e9f51055d69ed14e88 (patch)
tree 22419f2eb74b60118db243047cad7445e1d41aff /crypto
parent 70bd80a2367fc00e579be6ab041048b8ec930b1f (diff)
Define the error case's output in RSA_message_index_PKCS1_type_2.
The use in s3_srvr.c doesn't care (it doesn't even have to be in bounds), but it's good to have the value be initialized and not a function of the input. (The old uninitialized case wasn't hit in s3_srvr.c because of the earlier bounds check.)

Change-Id: Ib6b418b3c140aa564f8a46da3d34bb2b69f06195
Reviewed-on: https://boringssl-review.googlesource.com/2845
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'crypto')
-rw-r--r-- crypto/rsa/padding.c 6
1 files changed, 5 insertions, 1 deletions
diff --git a/crypto/rsa/padding.c b/crypto/rsa/padding.c
index 70dafb2a..4c25d9cd 100644
--- a/crypto/rsa/padding.c
+++ b/crypto/rsa/padding.c
@@ -231,6 +231,9 @@ int RSA_message_index_PKCS1_type_2(const uint8_t *from, size_t from_len,
/* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
* Standard", section 7.2.2. */
if (from_len < RSA_PKCS1_PADDING_SIZE) {
+ /* |from| is zero-padded to the size of the RSA modulus, a public value, so
+ * this can be rejected in non-constant time. */
+ *out_index = 0;
return 0;
}
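Review bot: the contract this hunk establishes (on failure, `*out_index` is defined and set to 0 rather than left untouched) should be stated in the function's header comment so callers can rely on it; as it stands, the only place the behaviour is documented is the inline comment about `from_len` being public. It is also worth noting in that comment that the early `return 0` path now dereferences `out_index`, so the parameter is required to be non-NULL on every path, not only on success.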
@@ -256,8 +259,9 @@ int RSA_message_index_PKCS1_type_2(const uint8_t *from, size_t from_len,
valid_index &= constant_time_le(2 + 8, zero_index);
/* Skip the zero byte. */
- *out_index = zero_index + 1;
+ zero_index++;
+ *out_index = constant_time_select(valid_index, zero_index, 0);
return valid_index;
}
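Review bot: `valid_index` is used here both as the mask argument to `constant_time_select` and as the function's return value, so the fact that it is an all-ones/all-zeros mask (built from `constant_time_le` and the `&=` chain) rather than a 1/0 boolean is load-bearing; a one-line comment at the select saying so would prevent a later change from normalising it to 1 and silently breaking the select. As a style point, `zero_index++` changes what the variable means after the "Skip the zero byte" comment; `*out_index = constant_time_select(valid_index, zero_index + 1, 0);` keeps `zero_index` as the index of the zero byte and makes the skip explicit in the one line that uses it.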