From: Adam Langley <agl@golang.org>
Date: Fri, 18 Feb 2011 16:31:10 +0000 (-0500)
Subject: crypto/rsa: left-pad OAEP results when needed.
X-Git-Tag: weekly.2011-02-24~66
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=193709736fd7d43c407bf73841fa6dbfca8fbbb3;p=gostls13.git

crypto/rsa: left-pad OAEP results when needed.

PKCS#1 v2.1 section 7.1.1 says that the result of an OAEP encryption
is "an octet string of length $k$". Since we didn't left-pad the
result it was previously possible for the result to be smaller when
the most-significant byte was zero.

Fixes #1519.

R=rsc
CC=golang-dev
https://golang.org/cl/4175059
---

diff --git a/src/pkg/crypto/rsa/rsa.go b/src/pkg/crypto/rsa/rsa.go
index c7a8d2053d..faf914991d 100644
--- a/src/pkg/crypto/rsa/rsa.go
+++ b/src/pkg/crypto/rsa/rsa.go
@@ -274,6 +274,14 @@ func EncryptOAEP(hash hash.Hash, rand io.Reader, pub *PublicKey, msg []byte, lab
 	m.SetBytes(em)
 	c := encrypt(new(big.Int), pub, m)
 	out = c.Bytes()
+
+	if len(out) < k {
+		// If the output is too small, we need to left-pad with zeros.
+		t := make([]byte, k)
+		copy(t[k-len(out):], out)
+		out = t
+	}
+
 	return
 }
 
diff --git a/src/pkg/crypto/rsa/rsa_test.go b/src/pkg/crypto/rsa/rsa_test.go
index df1f17f17c..22d4576e8d 100644
--- a/src/pkg/crypto/rsa/rsa_test.go
+++ b/src/pkg/crypto/rsa/rsa_test.go
@@ -66,7 +66,7 @@ func TestEncryptOAEP(t *testing.T) {
 				t.Errorf("#%d,%d error: %s", i, j, err)
 			}
 			if bytes.Compare(out, message.out) != 0 {
-				t.Errorf("#%d,%d bad result: %s (want %s)", i, j, out, message.out)
+				t.Errorf("#%d,%d bad result: %x (want %x)", i, j, out, message.out)
 			}
 		}
 	}