when checking OAEP, signal just a single kind of 'decoding error'

crypto/rsa/rsa_oaep.c

@@ -94,20 +94,14 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
     int i, dblen, mlen = -1;
     const unsigned char *maskeddb;
     int lzero;
-    unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+    unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
 
     if (--num < 2 * SHA_DIGEST_LENGTH + 1)
-	{
+	goto decoding_err;
-	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
-	return (-1);
-	}
 
     lzero = num - flen;
     if (lzero < 0)
-	{
+	goto decoding_err;
-	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
-	return (-1);
-	}
     maskeddb = from - lzero + SHA_DIGEST_LENGTH;
     
     dblen = num - SHA_DIGEST_LENGTH;
@@ -129,7 +123,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
     SHA1(param, plen, phash);
 
     if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
-	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+	goto decoding_err;
     else
 	{
 	for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
@@ -152,6 +146,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 	}
     OPENSSL_free(db);
     return (mlen);
+
+decoding_err:
+    /* to avoid chosen ciphertext attacks, the error message should not reveal
+     * which kind of decoding error happened */
+    RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+    if (db != NULL) OPENSSL_free(db);
+    return -1;
     }
 
 int MGF1(unsigned char *mask, long len,