From ba2de73b185016e0a98e62f75b368ab6ae673919 Mon Sep 17 00:00:00 2001
From: Emilia Kasper <emilia@openssl.org>
Date: Tue, 2 Feb 2016 18:03:33 +0100
Subject: RT4148

Accept leading 0-byte in PKCS1 type 1 padding. Internally, the byte is
stripped by BN_bn2bin but external callers may have other expectations.

Reviewed-by: Kurt Roeckx<kurt@openssl.org>
---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'CHANGES')

diff --git a/CHANGES b/CHANGES
index d0d3a2629a..fc5b8cb0a7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]
 
+  *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
+     the leading 0-byte.
+     [Emilia Käsper]
+
   *) CRIME protection: disable compression by default, even if OpenSSL is
      compiled with zlib enabled. Applications can still enable compression
      by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
-- 
cgit v1.2.3