1
0
mirror of https://github.com/golang/go synced 2024-11-25 09:07:58 -07:00

crypto/rsa: left-pad OAEP results when needed.

PKCS#1 v2.1 section 7.1.1 says that the result of an OAEP encryption
is "an octet string of length $k$". Since we didn't left-pad the
result it was previously possible for the result to be smaller when
the most-significant byte was zero.

Fixes #1519.

R=rsc
CC=golang-dev
https://golang.org/cl/4175059
This commit is contained in:
Adam Langley 2011-02-18 11:31:10 -05:00
parent 547918e363
commit 193709736f
2 changed files with 9 additions and 1 deletions

View File

@ -274,6 +274,14 @@ func EncryptOAEP(hash hash.Hash, rand io.Reader, pub *PublicKey, msg []byte, lab
m.SetBytes(em) m.SetBytes(em)
c := encrypt(new(big.Int), pub, m) c := encrypt(new(big.Int), pub, m)
out = c.Bytes() out = c.Bytes()
if len(out) < k {
// If the output is too small, we need to left-pad with zeros.
t := make([]byte, k)
copy(t[k-len(out):], out)
out = t
}
return return
} }

View File

@ -66,7 +66,7 @@ func TestEncryptOAEP(t *testing.T) {
t.Errorf("#%d,%d error: %s", i, j, err) t.Errorf("#%d,%d error: %s", i, j, err)
} }
if bytes.Compare(out, message.out) != 0 { if bytes.Compare(out, message.out) != 0 {
t.Errorf("#%d,%d bad result: %s (want %s)", i, j, out, message.out) t.Errorf("#%d,%d bad result: %x (want %x)", i, j, out, message.out)
} }
} }
} }