Use mbedtls_ct_memcmp in mbedtls_rsa_rsaes_oaep_decrypt Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>

commit: 954a2da1e49fdf8e3c0fdb9cac28727e6ee46a3a [log] [tgz]
author: Dave Rodgman <dave.rodgman@arm.com> Wed Sep 20 14:10:35 2023 +0100
committer: Dave Rodgman <dave.rodgman@arm.com> Wed Sep 20 15:14:28 2023 +0100
tree: 891cb25b4281fad160ea51530e2720e92ed0bb8a
parent: c280520999caa75ae40bb0391a5ec7b5a10cd5de [diff] [blame]
diff --git a/library/rsa.c b/library/rsa.c
index f44b2c3..01d0eb0 100644
--- a/library/rsa.c
+++ b/library/rsa.c

@@ -1351,7 +1351,8 @@
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     size_t ilen, i, pad_len;
-    unsigned char *p, bad, pad_done;
+    unsigned char *p, pad_done;
+    int bad;
     unsigned char buf[MBEDTLS_MPI_MAX_SIZE];
     unsigned char lhash[MBEDTLS_MD_MAX_SIZE];
     unsigned int hlen;
@@ -1439,9 +1440,8 @@
     p += hlen; /* Skip seed */
 
     /* Check lHash */
-    for (i = 0; i < hlen; i++) {
-        bad |= lhash[i] ^ *p++;
-    }
+    bad |= mbedtls_ct_memcmp(lhash, p, hlen);
+    p += hlen;
 
     /* Get zero-padding len, but always read till end of buffer
      * (minus one, for the 01 byte) */
commit	954a2da1e49fdf8e3c0fdb9cac28727e6ee46a3a	[log] [tgz]
author	Dave Rodgman <dave.rodgman@arm.com>	Wed Sep 20 14:10:35 2023 +0100
committer	Dave Rodgman <dave.rodgman@arm.com>	Wed Sep 20 15:14:28 2023 +0100
tree	891cb25b4281fad160ea51530e2720e92ed0bb8a
parent	c280520999caa75ae40bb0391a5ec7b5a10cd5de [diff] [blame]