in src/rsa_support.c [215:276]
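/**
 * Strip and verify OAEP padding from an encoded block, in place.
 *
 * @param sha  Hash output length in bytes; the same value is used as the
 *             seed length. It must fit the 64-byte seed and hash scratch
 *             buffers declared below.
 * @param p    Octet handed to hashit(); its digest is compared with the
 *             first hlen bytes of the unmasked data block.
 * @param f    On entry the encoded message. On success it is overwritten
 *             with the recovered message. On failure its contents are
 *             unspecified (it may hold intermediate mask output), so
 *             callers should not use it.
 * @return 0 on success, 1 on every failure.
 *
 * All rejection paths return the same value. Callers should keep it that
 * way (one error code, one error message) so that the reason a ciphertext
 * was rejected is not observable from outside.
 */
int OAEP_DECODE(int sha,const octet *p,octet *f)
{
    int comp;
    int x;
    int t;
    int i;
    int k;
    int olen=f->max-1;
    int hlen;
    int seedlen;
    char dbmask[MAX_RSA_BYTES];
    char seed[64];
    char chash[64];
    octet DBMASK= {0,sizeof(dbmask),dbmask};
    octet SEED= {0,sizeof(seed),seed};
    octet CHASH= {0,sizeof(chash),chash};

    /* The seed is XORed byte by byte over seedlen bytes below, so a hash
     * length larger than the scratch buffers would run off seed[]; a
     * non-positive one would produce negative indices into f->val. */
    if (sha<1 || sha>(int)sizeof(seed)) return 1;
    seedlen=hlen=sha;

    /* Block must hold at least: leading byte, seed, label hash, 0x01. */
    if (olen<seedlen+hlen+1) return 1;

    /* The masked data block (olen-seedlen bytes) is copied into dbmask[];
     * refuse blocks that would not fit instead of writing past it. */
    if (olen-seedlen>(int)sizeof(dbmask)) return 1;

    if (!OCT_pad(f,olen+1)) return 1;
    hashit(sha,p,-1,&CHASH);

    /* Leading byte of the encoded block; must be zero (checked later,
     * together with the other conditions). */
    x=f->val[0];

    /* Copy the masked data block that follows the masked seed. */
    for (i=seedlen; i<olen; i++)
        DBMASK.val[i-seedlen]=f->val[i+1];
    DBMASK.len=olen-seedlen;

    /* Recover the seed: MGF1(maskedDB) XOR maskedSeed. */
    MGF1(sha,&DBMASK,seedlen,&SEED);
    for (i=0; i<seedlen; i++) SEED.val[i]^=f->val[i+1];

    /* Recover the data block: MGF1(seed) XOR maskedDB. f is reused as
     * scratch space for the mask. */
    MGF1(sha,&SEED,olen-seedlen,f);
    OCT_xor(&DBMASK,f);

    /* Compare the embedded hash with the expected one, then drop it. */
    comp=OCT_ncomp(&CHASH,&DBMASK,hlen);
    OCT_shl(&DBMASK,hlen);

    /* Seed and hash are no longer needed; wipe them before any return. */
    OCT_clear(&SEED);
    OCT_clear(&CHASH);

    /* Find the first non-zero byte after the zero padding.
     * NOTE(review): this scan stops at the first non-zero byte, so its
     * running time depends on the padding length - confirm that is
     * acceptable for the timing threat model of the caller. */
    for (k=0;; k++)
    {
        if (k>=DBMASK.len)
        {
            /* No separator byte at all. */
            OCT_clear(&DBMASK);
            return 1;
        }
        if (DBMASK.val[k]!=0) break;
    }
    t=DBMASK.val[k];

    /* Hash mismatch, non-zero leading byte and wrong separator are all
     * reported identically. */
    if (!comp || x!=0 || t!=0x01)
    {
        OCT_clear(&DBMASK);
        return 1;
    }

    /* Drop the padding and the 0x01 separator; what remains is the
     * message. */
    OCT_shl(&DBMASK,k+1);
    OCT_copy(f,&DBMASK);
    OCT_clear(&DBMASK);
    return 0;
}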