Google Git
Sign in
flutter/third_party/openssl/ba2de73b185016e0a98e62f75b368ab6ae673919^!/.
commit
ba2de73b185016e0a98e62f75b368ab6ae673919
[log]
author
Emilia Kasper <emilia@openssl.org>
Tue Feb 02 18:03:33 2016 +0100
committer
Emilia Kasper <emilia@openssl.org>
Wed Feb 03 18:30:23 2016 +0100
tree
184eac5977e27c31f7cfbe1e3905ffd080f46f4d
parent
20a5819f135cf55716cf4bea65deb24569016c9b [diff]
RT4148

Accept leading 0-byte in PKCS1 type 1 padding. Internally, the byte is
stripped by BN_bn2bin but external callers may have other expectations.

Reviewed-by: Kurt Roeckx<kurt@openssl.org>

diff --git a/CHANGES b/CHANGES
index d0d3a26..fc5b8cb 100644
--- a/CHANGES
+++ b/CHANGES

@@ -4,6 +4,10 @@
 
  Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]
 
+  *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
+     the leading 0-byte.
+     [Emilia Käsper]
+
   *) CRIME protection: disable compression by default, even if OpenSSL is
      compiled with zlib enabled. Applications can still enable compression
      by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by

diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index bba68c6..68d251b 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c

@@ -97,7 +97,28 @@
     const unsigned char *p;
 
     p = from;
-    if ((num != (flen + 1)) || (*(p++) != 01)) {
+
+    /*
+     * The format is
+     * 00 || 01 || PS || 00 || D
+     * PS - padding string, at least 8 bytes of FF
+     * D  - data.
+     */
+
+    if (num < 11)
+        return -1;
+
+    /* Accept inputs with and without the leading 0-byte. */
+    if (num == flen) {
+        if ((*p++) != 0x00) {
+            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
+                   RSA_R_INVALID_PADDING);
+            return -1;
+        }
+        flen--;
+    }
+
+    if ((num != (flen + 1)) || (*(p++) != 0x01)) {
         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
                RSA_R_BLOCK_TYPE_IS_NOT_01);
         return (-1);