X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/blobdiff_plain/827a6719ee5725904cff6b135765de47cafaa499..1589affab225db500965e2cb869c534d6860e6bd:/oaep.c

diff --git a/oaep.c b/oaep.c
index becd058..f69c864 100644
--- a/oaep.c
+++ b/oaep.c
@@ -1,6 +1,6 @@
 /* -*-c-*-
  *
- * $Id: oaep.c,v 1.3 2001/02/22 09:04:39 mdw Exp $
+ * $Id: oaep.c,v 1.5 2002/01/13 20:20:39 mdw Exp $
  *
  * Optimal asymmetric encryption packing
  *
@@ -30,6 +30,12 @@
 /*----- Revision history --------------------------------------------------* 
  *
  * $Log: oaep.c,v $
+ * Revision 1.5  2002/01/13 20:20:39  mdw
+ * Hack the @oaep_decode@ code some more, to make it work again.
+ *
+ * Revision 1.4  2002/01/13 13:50:21  mdw
+ * Allow only one error return, to frustrate Manger's attack against OAEP.
+ *
  * Revision 1.3  2001/02/22 09:04:39  mdw
  * Fix memory leaks.
  *
@@ -143,6 +149,7 @@ int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
   ghash *h;
   octet *q, *mq, *qq;
   octet *pp;
+  unsigned bad = 0;
   size_t n;
   size_t hsz = o->ch->hashsz;
   int rc = -1;
@@ -157,8 +164,7 @@ int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
 
   /* --- Decrypt the message --- */
 
-  if (*q != 0)
-    goto fail;
+  bad = *q;
   q++; sz--;
   mq = q + hsz;
   qq = q + sz;
@@ -178,21 +184,19 @@ int oaep_decode(const void *buf, size_t sz, dstr *d, void *p)
   h->ops->hash(h, o->ep, o->epsz);
   h->ops->done(h, q);
   h->ops->destroy(h);
-  if (memcmp(q, mq, hsz) != 0)
-    goto fail;
+  bad |= memcmp(q, mq, hsz);
 
   /* --- Now find the start of the actual message --- */
 
   pp = mq + hsz;
   while (*pp == 0 && pp < qq)
     pp++;
-  if (pp >= qq || *pp++ != 1)
-    return (-1);
+  bad |= (pp >= qq) | (*pp++ != 1);
   n = qq - pp;
   dstr_putm(d, pp, n);
-  rc = n;
+  if (!bad)
+    rc = n;
 
-fail:
   x_free(d->a, q);
   return (rc);
 }