From: mdw Date: Sun, 13 Jan 2002 13:50:21 +0000 (+0000) Subject: Allow only one error return, to frustrate Manger's attack against OAEP. X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/commitdiff_plain/2730bf3313ce14f0a1c95d82a07e18d0fa0fb33c Allow only one error return, to frustrate Manger's attack against OAEP. --- diff --git a/oaep.c b/oaep.c index becd058..d439f7c 100644 --- a/oaep.c +++ b/oaep.c @@ -1,6 +1,6 @@ /* -*-c-*- * - * $Id: oaep.c,v 1.3 2001/02/22 09:04:39 mdw Exp $ + * $Id: oaep.c,v 1.4 2002/01/13 13:50:21 mdw Exp $ * * Optimal asymmetric encryption packing * @@ -30,6 +30,9 @@ /*----- Revision history --------------------------------------------------* * * $Log: oaep.c,v $ + * Revision 1.4 2002/01/13 13:50:21 mdw + * Allow only one error return, to frustrate Manger's attack against OAEP. + * * Revision 1.3 2001/02/22 09:04:39 mdw * Fix memory leaks. * @@ -157,8 +160,6 @@ int oaep_decode(const void *buf, size_t sz, dstr *d, void *p) /* --- Decrypt the message --- */ - if (*q != 0) - goto fail; q++; sz--; mq = q + hsz; qq = q + sz; @@ -178,7 +179,7 @@ int oaep_decode(const void *buf, size_t sz, dstr *d, void *p) h->ops->hash(h, o->ep, o->epsz); h->ops->done(h, q); h->ops->destroy(h); - if (memcmp(q, mq, hsz) != 0) + if ((memcmp(q, mq, hsz) != 0) || (*q != 0)) goto fail; /* --- Now find the start of the actual message --- */
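Review bot: The merged condition `(memcmp(q, mq, hsz) != 0) || (*q != 0)` still lets a caller tell the two failures apart by timing: `||` short-circuits, so `*q` is only read when the hashes agree, and `memcmp` itself returns at the first differing byte, which is the kind of oracle Manger's attack relies on even though both paths now reach the same `fail` label. Also, the original `*q != 0` test sat before `q++`, whereas the new one runs after that increment and after `h->ops->done(h, q)` has written the hash at `q`; unless q is reset to the leading byte in the lines between the two hunks (not visible here), the new check inspects the wrong byte. I would replace the compare with an accumulated, branch-free check as below and give any further `goto fail` in the padding search that follows the same treatment. oaep_decode begins and ends outside this hunk.
```c
  h->ops->destroy(h);
  {
    /* Fold every check into one flag so the failing test cannot be
     * told apart by timing; assumes q still points at the leading
     * byte here -- confirm against the unmasking code above. */
    unsigned bad = *q;
    size_t i;
    for (i = 0; i < hsz; i++)
      bad |= q[i] ^ mq[i];
    if (bad)
      goto fail;
  }
  /* ... unchanged: locate the start of the actual message ... */
```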