[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Rich Salz rsalz at openssl.org
Thu Apr 27 01:00:56 UTC 2017


The branch OpenSSL_1_0_2-stable has been updated
       via  de46e8246bf30f9d8a6b8a66b37f8bf63115aeb6 (commit)
      from  b99f1023f8ac357ffb8d009cf78fba586de26b5a (commit)


- Log -----------------------------------------------------------------
commit de46e8246bf30f9d8a6b8a66b37f8bf63115aeb6
Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
Date:   Wed Apr 26 09:59:18 2017 +0200

    Remove unnecessary loop in pkey_rsa_decrypt.
    
    It is not necessary to remove leading zeros here because
    RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done
    in constant time, this might have leaked timing information.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Andy Polyakov <appro at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3313)
    (cherry picked from commit 237bc6c997e42295eeb32c8c1c709e6e6042b839)

-----------------------------------------------------------------------

Summary of changes:
 crypto/rsa/rsa_pmeth.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index ac583bf..8896e2e 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -446,19 +446,14 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
     int ret;
     RSA_PKEY_CTX *rctx = ctx->data;
     if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {
-        int i;
         if (!setup_tbuf(rctx, ctx))
             return -1;
         ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
                                   ctx->pkey->pkey.rsa, RSA_NO_PADDING);
         if (ret <= 0)
             return ret;
-        for (i = 0; i < ret; i++) {
-            if (rctx->tbuf[i])
-                break;
-        }
-        ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf + i,
-                                                ret - i, ret,
+        ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf,
+                                                ret, ret,
                                                 rctx->oaep_label,
                                                 rctx->oaep_labellen,
                                                 rctx->md, rctx->mgf1md);
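
Review bot: the rewritten RSA_padding_check_PKCS1_OAEP_mgf1 call passes `ret` for the output length, the input length and the modulus length alike, and nothing in the code records why the unstripped buffer is the right input; that rationale exists only in the commit message. A short comment above the call would keep the removed loop from being reintroduced by a later cleanup. It should say that rctx->tbuf is handed over with its leading zero bytes intact, that the padding check handles them itself, and that scanning for the first non-zero byte here is not constant time. Since flen now always equals num at this call site, it is also worth saying so in that comment, so a reader does not assume the shorter-input path of the padding check is still exercised from here.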

