aboutsummaryrefslogtreecommitdiffstats
path: root/src/pk_pad/eme1
diff options
context:
space:
mode:
Diffstat (limited to 'src/pk_pad/eme1')
-rw-r--r--src/pk_pad/eme1/eme1.cpp8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/pk_pad/eme1/eme1.cpp b/src/pk_pad/eme1/eme1.cpp
index b5f2af6d3..e5db17df6 100644
--- a/src/pk_pad/eme1/eme1.cpp
+++ b/src/pk_pad/eme1/eme1.cpp
@@ -42,6 +42,14 @@ SecureVector<byte> EME1::pad(const byte in[], u32bit in_length,
SecureVector<byte> EME1::unpad(const byte in[], u32bit in_length,
u32bit key_length) const
{
+ /*
+ Must be careful about error messages here; if an attacker can
+ distinguish them, it is easy to use the differences as an oracle to
+ find the secret key, as described in "A Chosen Ciphertext Attack on
+ RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in
+ PKCS #1 v2.0", James Manger, Crypto 2001
+ */
+
key_length /= 8;
if(in_length > key_length)
throw Decoding_Error("Invalid EME1 encoding");