crypto/rsa: left-pad OAEP results when needed.
PKCS#1 v2.1 section 7.1.1 says that the result of an OAEP encryption
is "an octet string of length $k$". Since we didn't left-pad the
result it was previously possible for the result to be smaller when
the most-significant byte was zero.
Fixes #1519.
R=rsc
CC=golang-dev
https://golang.org/cl/4175059
diff --git a/src/pkg/crypto/rsa/rsa.go b/src/pkg/crypto/rsa/rsa.go
index c7a8d20..faf9149 100644
--- a/src/pkg/crypto/rsa/rsa.go
+++ b/src/pkg/crypto/rsa/rsa.go
@@ -274,6 +274,14 @@
m.SetBytes(em)
c := encrypt(new(big.Int), pub, m)
out = c.Bytes()
+
+ if len(out) < k {
+ // If the output is too small, we need to left-pad with zeros.
+ t := make([]byte, k)
+ copy(t[k-len(out):], out)
+ out = t
+ }
+
return
}
diff --git a/src/pkg/crypto/rsa/rsa_test.go b/src/pkg/crypto/rsa/rsa_test.go
index df1f17f..22d4576 100644
--- a/src/pkg/crypto/rsa/rsa_test.go
+++ b/src/pkg/crypto/rsa/rsa_test.go
@@ -66,7 +66,7 @@
t.Errorf("#%d,%d error: %s", i, j, err)
}
if bytes.Compare(out, message.out) != 0 {
- t.Errorf("#%d,%d bad result: %s (want %s)", i, j, out, message.out)
+ t.Errorf("#%d,%d bad result: %x (want %x)", i, j, out, message.out)
}
}
}
