crypto/rsa: left-pad OAEP results when needed.

PKCS#1 v2.1 section 7.1.1 says that the result of an OAEP encryption is "an octet string of length $k$". Since we didn't left-pad the result it was previously possible for the result to be smaller when the most-significant byte was zero. Fixes #1519. R=rsc CC=golang-dev https://golang.org/cl/4175059

crypto/rsa: left-pad OAEP results when needed.
PKCS#1 v2.1 section 7.1.1 says that the result of an OAEP encryption is "an octet string of length $k$". Since we didn't left-pad the result it was previously possible for the result to be smaller when the most-significant byte was zero. Fixes #1519. R=rsc CC=golang-dev https://golang.org/cl/4175059
19370973 · Adam Langley · 547918e3 · 19370973 · 19370973
Commit 19370973 authored Feb 18, 2011 by Adam Langley
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

src/pkg/crypto/rsa/rsa.go src/pkg/crypto/rsa/rsa.go +8 -0

src/pkg/crypto/rsa/rsa_test.go src/pkg/crypto/rsa/rsa_test.go +1 -1

No files found.
--- a/src/pkg/crypto/rsa/rsa.go
+++ b/src/pkg/crypto/rsa/rsa.go
@@ -274,6 +274,14 @@ func EncryptOAEP(hash hash.Hash, rand io.Reader, pub *PublicKey, msg []byte, lab
 	m.SetBytes(em)
 	c := encrypt(new(big.Int), pub, m)
 	out = c.Bytes()
+
+	if len(out) < k {
+		// If the output is too small, we need to left-pad with zeros.
+		t := make([]byte, k)
+		copy(t[k-len(out):], out)
+		out = t
+	}
+
 	return
 }


--- a/src/pkg/crypto/rsa/rsa_test.go
+++ b/src/pkg/crypto/rsa/rsa_test.go
@@ -66,7 +66,7 @@ func TestEncryptOAEP(t *testing.T) {
 				t.Errorf("#%d,%d error: %s", i, j, err)
 			}
 			if bytes.Compare(out, message.out) != 0 {
-				t.Errorf("#%d,%d bad result: %s (want %s)", i, j, out, message.out)
+				t.Errorf("#%d,%d bad result: %x (want %x)", i, j, out, message.out)
 			}
 		}
 	}