rsa: Fix decoding of PKCS#1 v1.5 and OAEP padding.
* src/Makefile.am (libgcrypt_la_SOURCES): Add const-time.h and
const-time.c.
* src/const-time.h (ct_not_equal_byte, sexp_null_cond): New.
(ct_memequal): New from NetBSD, modified return type and name.
* src/const-time.c: New.
* cipher/rsa-common.c (_gcry_rsa_pkcs1_decode_for_enc): Examine the
whole sequence of the byte-array.  Use N0 to find the separator
position, with ct_not_equal_byte.  Return the MPI even in the case of
an error.
* cipher/rsa-common.c (_gcry_rsa_oaep_decode): Use ct_memequal to
check LHASH.  Examine the whole sequence of the byte-array.  Use N1 to
find the separator of 0x01.  Return the MPI even in the case of an
error.
* cipher/rsa.c (rsa_decrypt): Always build a SEXP.
Cherry-pick master commit of:
34c20427926010d6fa95b1666e4b1b60f60a8742
Note: For architectures on which a byte comparison may result in a
branch, the configure script should emit POSSIBLE_BRANCH_IN_BYTE_COMPARISON.
Reported-by: Hubert Kario <hkario@redhat.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
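As an added illustration (not libgcrypt's code and not part of this commit), a constant-time PKCS#1 v1.5 type-2 decoder in the style the ChangeLog describes: it scans the whole block, records the separator with masks instead of returning early, and always yields an offset so the caller can build its result whatever the verdict. The ct_not_equal_byte and ct_memequal stand-ins use assumed signatures, and ct_pkcs1_v15_decode / ct_pkcs1_v15_msg_offset are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the commit's ct_not_equal_byte / ct_memequal (assumed
   signatures); the real helpers live in libgcrypt's src/const-time.c. */
static unsigned char ct_not_equal_byte(unsigned char a, unsigned char b)
{
    uint32_t x = (uint32_t)(a ^ b);          /* 0..255, zero iff equal */
    return (unsigned char)((x + 0xFF) >> 8); /* 1 iff x != 0, no branch */
}

static unsigned int ct_memequal(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++)
        d |= pa[i] ^ pb[i];                  /* accumulate, never exit early */
    return 1u - ct_not_equal_byte(d, 0);     /* 1 iff all n bytes equal */
}

/* Type-2 block: 00 || 02 || PS (>= 8 nonzero bytes) || 00 || M.
   Every byte is examined; the first 0x00 at index >= 2 is captured with a
   mask, and *msg_off is written on every path (em_len when no separator
   exists) so the caller does the same work for valid and invalid blocks.
   Returns 1 if the block is well-formed, 0 otherwise. */
static int ct_pkcs1_v15_decode(const unsigned char *em, size_t em_len,
                               size_t *msg_off)
{
    size_t sep = em_len;              /* separator index; em_len = none */
    unsigned char found = 0, bad = 0;

    if (em_len < 11) { *msg_off = em_len; return 0; } /* length is public */
    bad |= ct_not_equal_byte(em[0], 0x00);
    bad |= ct_not_equal_byte(em[1], 0x02);
    for (size_t i = 2; i < em_len; i++) {
        unsigned char is_zero = 1 - ct_not_equal_byte(em[i], 0x00);
        unsigned char first = is_zero & (1 - found);  /* first separator? */
        size_t mask = (size_t)0 - (size_t)first;      /* all ones if first */
        sep = (sep & ~mask) | (i & mask);
        bad |= first & (i < 10);                      /* PS shorter than 8 */
        found |= is_zero;
    }
    bad |= 1 - found;                 /* no separator anywhere in the block */
    *msg_off = sep + found;           /* sep + 1 if found, else em_len */
    return 1 - bad;
}

/* Convenience wrapper: message offset only (em_len when no separator). */
static size_t ct_pkcs1_v15_msg_offset(const unsigned char *em, size_t em_len)
{
    size_t off;
    ct_pkcs1_v15_decode(em, em_len, &off);
    return off;
}
```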