+ int i, dblen, mlen = -1;
+ const unsigned char *maskeddb;
+ int lzero;
+ unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+ unsigned char *padded_from;
+ int bad = 0;
+
+ if (--num < 2 * SHA_DIGEST_LENGTH + 1)
+ /* 'num' is the length of the modulus, i.e. does not depend on the
+ * particular ciphertext. */
+ goto decoding_err;
+
+ lzero = num - flen;
+ if (lzero < 0)
+ {
+ /* signalling this error immediately after detection might allow
+ * for side-channel attacks (e.g. timing if 'plen' is huge
+ * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
+ * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
+ * so we use a 'bad' flag */
+ bad = 1;
+ lzero = 0;
+ flen = num; /* don't overflow the memcpy to padded_from */
+ }