hdkv/yuzu
1
Fork 0
Code Issues Pull Requests Releases 1 Activity

early-access version 2698

Browse Source
This commit is contained in:
pineappleEA
2022-04-24 22:29:35 +02:00
parent c96f949832
commit caa0c2911b
486 changed files with 37806 additions and 14362 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
externals/libressl/crypto/rsa/rsa_oaep.c vendored
View File

@@ -1,4 +1,4 @@
/* $OpenBSD: rsa_oaep.c,v 1.33 2019/10/17 14:31:56 jsing Exp $ */
/* $OpenBSD: rsa_oaep.c,v 1.35 2022/02/20 19:16:34 tb Exp $ */
/*
* Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
*
@@ -80,6 +80,7 @@
#include <openssl/sha.h>
#include "constant_time_locl.h"
#include "evp_locl.h"
#include "rsa_locl.h"
int
@@ -223,17 +224,16 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
from -= 1 & mask;
*--em = *from & mask;
}
from = em;
/*
* The first byte must be zero, however we must not leak if this is
* true. See James H. Manger, "A Chosen Ciphertext Attack on RSA
* Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001).
*/
good = constant_time_is_zero(from[0]);
good = constant_time_is_zero(em[0]);
maskedseed = from + 1;
maskeddb = from + 1 + mdlen;
maskedseed = em + 1;
maskeddb = em + 1 + mdlen;
if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
goto cleanup;
@@ -289,15 +289,16 @@ RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
* should be noted that failure is indistinguishable from normal
* operation if |tlen| is fixed by protocol.
*/
tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
dblen - mdlen - 1, tlen);
msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
mlen = dblen - msg_index;
for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
unsigned int equals = constant_time_eq(i, mlen);
for (mask = good, i = 0; i < tlen; i++) {
unsigned int equals = constant_time_eq(msg_index, dblen);
from -= dblen & equals; /* if (i == mlen) rewind */
mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
to[i] = constant_time_select_8(mask, from[i], to[i]);
msg_index -= tlen & equals; /* rewind at EOF */
mask &= ~equals; /* mask = 0 at EOF */
to[i] = constant_time_select_8(mask, db[msg_index++], to[i]);
}
/*