Use mbedtls_ct_memcmp in mbedtls_rsa_rsaes_oaep_decrypt

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2025-02-06 21:40:11 +00:00 · 2023-09-18 18:35:03 +01:00 · 2023-09-18 18:35:03 +01:00 · 66d6ac92e6
commit 66d6ac92e6
parent d337bd9bfe
1 changed files with 4 additions and 4 deletions
--- a/library/rsa.c
+++ b/library/rsa.c
@ -1541,7 +1541,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
 {
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    size_t ilen, i, pad_len;
-    unsigned char *p, bad, pad_done;
+    unsigned char *p, pad_done;
+    int bad;
    unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
    unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
    unsigned int hlen;
@ -1608,9 +1609,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt(mbedtls_rsa_context *ctx,
    p += hlen; /* Skip seed */

    /* Check lHash */
-    for (i = 0; i < hlen; i++) {
-        bad |= lhash[i] ^ *p++;
-    }
+    bad |= mbedtls_ct_memcmp(lhash, p, hlen);
+    p += hlen;

    /* Get zero-padding len, but always read till end of buffer
     * (minus one, for the 01 byte) */