Do the error handling in pkey_rsa_decrypt in constant time

Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/8365) (cherry picked from commit 049e64cbb0)
2019-03-03 10:36:57 +01:00 · 2019-03-03 10:36:57 +01:00 · 930e031052
commit 930e031052
parent 25e410ee3c
1 changed files with 6 additions and 5 deletions
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
@ -7,6 +7,8 @@
 * https://www.openssl.org/source/license.html
 */

+#include "internal/constant_time_locl.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
@ -340,10 +342,9 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
        ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
                                  rctx->pad_mode);
    }
-    if (ret < 0)
-        return ret;
-    *outlen = ret;
-    return 1;
+    *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+    ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
+    return ret;
 }

 static int check_padding_md(const EVP_MD *md, int padding)