authorEmilia Kasper <emilia@openssl.org>2016-02-02 18:03:33 +0100
committerEmilia Kasper <emilia@openssl.org>2016-02-03 18:30:23 +0100
commitba2de73b185016e0a98e62f75b368ab6ae673919 (patch)
tree184eac5977e27c31f7cfbe1e3905ffd080f46f4d /crypto/rsa
parent20a5819f135cf55716cf4bea65deb24569016c9b (diff)
RT4148
Accept leading 0-byte in PKCS1 type 1 padding. Internally, the byte is stripped by BN_bn2bin but external callers may have other expectations. Reviewed-by: Kurt Roeckx<kurt@openssl.org>
Diffstat (limited to 'crypto/rsa')
-rw-r--r--crypto/rsa/rsa_pk1.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index bba68c62bf..68d251bc0f 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -97,7 +97,28 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
const unsigned char *p;
p = from;
- if ((num != (flen + 1)) || (*(p++) != 01)) {
+
+ /*
+ * The format is
+ * 00 || 01 || PS || 00 || D
+ * PS - padding string, at least 8 bytes of FF
+ * D - data.
+ */
+
+ if (num < 11)
+ return -1;
+
+ /* Accept inputs with and without the leading 0-byte. */
+ if (num == flen) {
+ if ((*p++) != 0x00) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
+ RSA_R_INVALID_PADDING);
+ return -1;
+ }
+ flen--;
+ }
+
+ if ((num != (flen + 1)) || (*(p++) != 0x01)) {
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
RSA_R_BLOCK_TYPE_IS_NOT_01);
return (-1);
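Review bot: The new `if (num < 11) return -1;` guard is the only failure path in this hunk that returns without recording an error via `RSAerr`, so a caller that inspects the error queue after a failed check gets nothing, or a stale entry, when the block is undersized. The check still fails closed, but I would record the reason, e.g. `if (num < 11) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_INVALID_PADDING); return -1; }`, or use a size-specific reason code if one fits better. The literal 11 is the minimum block size implied by the format comment (00, 01, eight FF bytes, 00); writing it as `RSA_PKCS1_PADDING_SIZE` instead of a bare number would tie the guard to that definition. The function body starts and ends outside the hunk, so the enforcement of the 8-byte PS minimum cannot be confirmed from here.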