+ good &= found_one_byte;
+
+ /*
+ * At this point |good| is zero unless the plaintext was valid,
+ * so plaintext-awareness ensures timing side-channels are no longer a
+ * concern.
+ */
+ msg_index = one_index + 1;
+ mlen = dblen - msg_index;
+
+ /*
+ * For good measure, do this check in constant time as well.
+ */
+ good &= constant_time_ge(tlen, mlen);
+
+ /*
+ * Move the result in-place by |dblen|-|mdlen|-1-|mlen| bytes to the left.
+ * Then if |good| move |mlen| bytes from |db|+|mdlen|+1 to |to|.
+ * Otherwise leave |to| unchanged.
+ * Copy the memory back in a way that does not reveal the size of
+ * the data being copied via a timing side channel. This requires copying
+ * parts of the buffer multiple times based on the bits set in the real
+ * length. Clear bits do a non-copy with identical access pattern.
+ * The loop below has overall complexity of O(N*log(N)).
+ */
+ tlen = constant_time_select_int(constant_time_lt(dblen - mdlen - 1, tlen),
+ dblen - mdlen - 1, tlen);
+ for (msg_index = 1; msg_index < dblen - mdlen - 1; msg_index <<= 1) {
+ mask = ~constant_time_eq(msg_index & (dblen - mdlen - 1 - mlen), 0);
+ for (i = mdlen + 1; i < dblen - msg_index; i++)
+ db[i] = constant_time_select_8(mask, db[i + msg_index], db[i]);
+ }
+ for (i = 0; i < tlen; i++) {
+ mask = good & constant_time_lt(i, mlen);
+ to[i] = constant_time_select_8(mask, db[i + mdlen + 1], to[i]);
+ }
+
+ /*
+ * To avoid chosen ciphertext attacks, the error message should not
+ * reveal which kind of decoding error happened.
+ */
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+ RSA_R_OAEP_DECODING_ERROR);
+ err_clear_last_constant_time(1 & good);
+ cleanup:
+ OPENSSL_cleanse(seed, sizeof(seed));
+ OPENSSL_clear_free(db, dblen);
+ OPENSSL_clear_free(em, num);
+
+ return constant_time_select_int(good, mlen, -1);
+}
+
+int PKCS1_MGF1(unsigned char *mask, long len,
+ const unsigned char *seed, long seedlen, const EVP_MD *dgst)
+{