PKCS#1 v2.1 section 7.1.1 says that the result of an OAEP encryption
is "an octet string of length $k$". Since we didn't left-pad the
result it was previously possible for the result to be smaller when
the most-significant byte was zero.
Fixes #1519.
R=rsc
CC=golang-dev
https://golang.org/cl/4175059
m.SetBytes(em)
c := encrypt(new(big.Int), pub, m)
out = c.Bytes()
+
+ if len(out) < k {
+ // If the output is too small, we need to left-pad with zeros.
+ t := make([]byte, k)
+ copy(t[k-len(out):], out)
+ out = t
+ }
+
return
}
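Review bot: The comment on the new padding branch says what the code does but not why a short result is wrong. I would word it as `// c.Bytes() drops leading zero bytes, but PKCS#1 v2.1 section 7.1.1 requires a ciphertext of exactly k octets, so left-pad with zeros.` That ties the branch to the length requirement a strict decrypter may enforce, which is presumably the failure reported in #1519. Branching on `len(out)` is fine here because the ciphertext is public output. The function signature and the definition of `k` lie outside the hunk, so I am assuming `k` is the modulus length in bytes.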
t.Errorf("#%d,%d error: %s", i, j, err)
}
if bytes.Compare(out, message.out) != 0 {
- t.Errorf("#%d,%d bad result: %s (want %s)", i, j, out, message.out)
+ t.Errorf("#%d,%d bad result: %x (want %x)", i, j, out, message.out)
}
}
}
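Review bot: Nothing visible in this hunk exercises the new left-padding branch, because the only change is the `%s` to `%x` verb in the failure message. The fix for #1519 is therefore covered only if a vector outside the hunk has a ciphertext whose most-significant byte is zero. Consider adding such a vector, or a check after the encrypt call that the length of `out` equals the modulus length in bytes, so that a regression fails loudly. The test function starts outside the hunk, so existing coverage cannot be confirmed from here.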