From 193709736fd7d43c407bf73841fa6dbfca8fbbb3 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Fri, 18 Feb 2011 11:31:10 -0500 Subject: [PATCH] crypto/rsa: left-pad OAEP results when needed. PKCS#1 v2.1 section 7.1.1 says that the result of an OAEP encryption is "an octet string of length $k$". Since we didn't left-pad the result it was previously possible for the result to be smaller when the most-significant byte was zero. Fixes #1519. R=rsc CC=golang-dev https://golang.org/cl/4175059 --- src/pkg/crypto/rsa/rsa.go | 8 ++++++++ src/pkg/crypto/rsa/rsa_test.go | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/pkg/crypto/rsa/rsa.go b/src/pkg/crypto/rsa/rsa.go index c7a8d2053d..faf914991d 100644 --- a/src/pkg/crypto/rsa/rsa.go +++ b/src/pkg/crypto/rsa/rsa.go @@ -274,6 +274,14 @@ func EncryptOAEP(hash hash.Hash, rand io.Reader, pub *PublicKey, msg []byte, lab m.SetBytes(em) c := encrypt(new(big.Int), pub, m) out = c.Bytes() + + if len(out) < k { + // If the output is too small, we need to left-pad with zeros. + t := make([]byte, k) + copy(t[k-len(out):], out) + out = t + } + return } diff --git a/src/pkg/crypto/rsa/rsa_test.go b/src/pkg/crypto/rsa/rsa_test.go index df1f17f17c..22d4576e8d 100644 --- a/src/pkg/crypto/rsa/rsa_test.go +++ b/src/pkg/crypto/rsa/rsa_test.go @@ -66,7 +66,7 @@ func TestEncryptOAEP(t *testing.T) { t.Errorf("#%d,%d error: %s", i, j, err) } if bytes.Compare(out, message.out) != 0 { - t.Errorf("#%d,%d bad result: %s (want %s)", i, j, out, message.out) + t.Errorf("#%d,%d bad result: %x (want %x)", i, j, out, message.out) } } } -- 2.50.0