Define the error case's output in RSA_message_index_PKCS1_type_2.
The use in s3_srvr.c doesn't care (it doesn't even have to be in bounds), but
it's good to have the value be initialized and not a function of the input.
(The old uninitialized case wasn't hit in s3_srvr.c because of the earlier
bounds check.)
Change-Id: Ib6b418b3c140aa564f8a46da3d34bb2b69f06195
Reviewed-on: https://boringssl-review.googlesource.com/2845
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/rsa/padding.c b/crypto/rsa/padding.c
index 70dafb2..4c25d9c 100644
--- a/crypto/rsa/padding.c
+++ b/crypto/rsa/padding.c
@@ -231,6 +231,9 @@
/* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
* Standard", section 7.2.2. */
if (from_len < RSA_PKCS1_PADDING_SIZE) {
+ /* |from| is zero-padded to the size of the RSA modulus, a public value, so
+ * this can be rejected in non-constant time. */
+ *out_index = 0;
return 0;
}
@@ -256,8 +259,9 @@
valid_index &= constant_time_le(2 + 8, zero_index);
/* Skip the zero byte. */
- *out_index = zero_index + 1;
+ zero_index++;
+ *out_index = constant_time_select(valid_index, zero_index, 0);
return valid_index;
}
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index a545734..ff2bd8b 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -164,9 +164,8 @@
* valid PKCS #1 message, it returns one and sets |*out_index| to the start of
* the unpadded message. The unpadded message is a suffix of the input and has
* length |from_len - *out_index|. Otherwise, it returns zero and sets
- * |*out_index| to some undefined value. This function runs in time independent
- * of the input data and is intended to be used directly to avoid
- * Bleichenbacher's attack.
+ * |*out_index| to zero. This function runs in time independent of the input
+ * data and is intended to be used directly to avoid Bleichenbacher's attack.
*
* WARNING: This function behaves differently from the usual OpenSSL convention
* in that it does NOT put an error on the queue in the error case. */
