author | Emilia Kasper <emilia@openssl.org> | 2016-02-02 18:03:33 +0100 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2016-02-03 18:30:23 +0100 |
commit | ba2de73b185016e0a98e62f75b368ab6ae673919 (patch) | |
tree | 184eac5977e27c31f7cfbe1e3905ffd080f46f4d /crypto/rsa | |
parent | 20a5819f135cf55716cf4bea65deb24569016c9b (diff) |
RT4148
Accept leading 0-byte in PKCS1 type 1 padding. Internally, the byte is
stripped by BN_bn2bin but external callers may have other expectations.
Reviewed-by: Kurt Roeckx<kurt@openssl.org>
Diffstat (limited to 'crypto/rsa')
-rw-r--r-- | crypto/rsa/rsa_pk1.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index bba68c62bf..68d251bc0f 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -97,7 +97,28 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
 const unsigned char *p;
 p = from;
- if ((num != (flen + 1)) || (*(p++) != 01)) {
+
+ /*
+ * The format is
+ * 00 || 01 || PS || 00 || D
+ * PS - padding string, at least 8 bytes of FF
+ * D - data.
+ */
+
+ if (num < 11)
+ return -1;
+
+ /* Accept inputs with and without the leading 0-byte. */
+ if (num == flen) {
+ if ((*p++) != 0x00) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
+ RSA_R_INVALID_PADDING);
+ return -1;
+ }
+ flen--;
+ }
+
+ if ((num != (flen + 1)) || (*(p++) != 0x01)) {
 RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
 RSA_R_BLOCK_TYPE_IS_NOT_01);
 return (-1); |
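Review bot: The new `if (num < 11) return -1;` guard fails silently: it is the only rejection path in this hunk that does not record an error with RSAerr(), so a caller inspecting the error queue after a failed padding check sees nothing for an undersized block. It also hard-codes 11; if `RSA_PKCS1_PADDING_SIZE` from rsa.h is in scope here (the includes are outside the hunk), I would write `if (num < RSA_PKCS1_PADDING_SIZE) {` followed by `RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_INVALID_PADDING);` and `return -1;`. That guard is also what keeps both `*p++` reads in bounds, since flen is at least 10 whenever either read is reached, and a one-line comment saying so would stop a later cleanup from removing it. The function body continues outside the hunk, so whether the 8-byte minimum for PS stated in the new format comment is actually enforced cannot be confirmed from here.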