rsa_pk1.c (302408) rsa_pk1.c (325337)
1/* crypto/rsa/rsa_pk1.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *

--- 241 unchanged lines hidden (view full) ---

250 * leak something if |tlen| was assuming valid padding.
251 */
252 good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));
253
254 /*
255 * We can't continue in constant-time because we need to copy the result
256 * and we cannot fake its length. This unavoidably leaks timing
257 * information at the API boundary.
1/* crypto/rsa/rsa_pk1.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *

--- 241 unchanged lines hidden (view full) ---

250 * leak something if |tlen| was assuming valid padding.
251 */
252 good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));
253
254 /*
255 * We can't continue in constant-time because we need to copy the result
256 * and we cannot fake its length. This unavoidably leaks timing
257 * information at the API boundary.
258 * TODO(emilia): this could be addressed at the call site,
259 * see BoringSSL commit 0aa0767340baf925bda4804882aab0cb974b2d26.
260 */
261 if (!good) {
262 mlen = -1;
263 goto err;
264 }
265
266 memcpy(to, em + msg_index, mlen);
267
268 err:
258 */
259 if (!good) {
260 mlen = -1;
261 goto err;
262 }
263
264 memcpy(to, em + msg_index, mlen);
265
266 err:
269 if (em != NULL)
267 if (em != NULL) {
268 OPENSSL_cleanse(em, num);
270 OPENSSL_free(em);
269 OPENSSL_free(em);
270 }
271 if (mlen == -1)
272 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
273 RSA_R_PKCS_DECODING_ERROR);
274 return mlen;
275}
271 if (mlen == -1)
272 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
273 RSA_R_PKCS_DECODING_ERROR);
274 return mlen;
275}
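Review bot: The `if (!good)` branch at new line 259 and the `RSAerr` call at new line 271 still make a padding failure distinguishable from success, both by timing and by error-queue state. With the TODO removed, the comment above the branch no longer tells a maintainer where that leak is supposed to be handled. I would keep one line in that comment, for example `* Not fixed here: callers must not let a -1 return become observable to the peer.` Separately, the added `OPENSSL_cleanse(em, num)` is only correct if `em` was allocated with `num` bytes; the allocation is in the hidden lines, so that should be confirmed. The function body starts outside the visible section.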