crypto/rsa: left-pad OAEP results when needed.

PKCS#1 v2.1 section 7.1.1 says that the result of an OAEP encryption is "an octet string of length $k$". Since we didn't left-pad the result it was previously possible for the result to be smaller when the most-significant byte was zero. Fixes #1519. R=rsc CC=golang-dev https://golang.org/cl/4175059
2024-11-22 04:34:39 -07:00 · 2011-02-18 11:31:10 -05:00 · 2011-02-18 11:31:10 -05:00 · 193709736f
commit 193709736f
parent 547918e363
2 changed files with 9 additions and 1 deletions
--- a/src/pkg/crypto/rsa/rsa.go
+++ b/src/pkg/crypto/rsa/rsa.go
@ -274,6 +274,14 @@ func EncryptOAEP(hash hash.Hash, rand io.Reader, pub *PublicKey, msg []byte, lab
 	m.SetBytes(em)
 	c := encrypt(new(big.Int), pub, m)
 	out = c.Bytes()
+
+	if len(out) < k {
+		// If the output is too small, we need to left-pad with zeros.
+		t := make([]byte, k)
+		copy(t[k-len(out):], out)
+		out = t
+	}
+
 	return
 }

--- a/src/pkg/crypto/rsa/rsa_test.go
+++ b/src/pkg/crypto/rsa/rsa_test.go
@ -66,7 +66,7 @@ func TestEncryptOAEP(t *testing.T) {
 				t.Errorf("#%d,%d error: %s", i, j, err)
 			}
 			if bytes.Compare(out, message.out) != 0 {
-				t.Errorf("#%d,%d bad result: %s (want %s)", i, j, out, message.out)
+				t.Errorf("#%d,%d bad result: %x (want %x)", i, j, out, message.out)
 			}
 		}
 	}