[openssl-commits] [openssl] master update

Emilia Kasper emilia at openssl.org
Wed Feb 3 17:30:43 UTC 2016 

The branch master has been updated
       via  ba2de73b185016e0a98e62f75b368ab6ae673919 (commit)
      from  20a5819f135cf55716cf4bea65deb24569016c9b (commit)


- Log -----------------------------------------------------------------
commit ba2de73b185016e0a98e62f75b368ab6ae673919
Author: Emilia Kasper <emilia at openssl.org>
Date:   Tue Feb 2 18:03:33 2016 +0100

    RT4148
    
    Accept leading 0-byte in PKCS1 type 1 padding. Internally, the byte is
    stripped by BN_bn2bin but external callers may have other expectations.
    
    Reviewed-by: Kurt Roeckx<kurt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES              |  4 ++++
 crypto/rsa/rsa_pk1.c | 23 ++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index d0d3a26..fc5b8cb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]
 
+  *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
+     the leading 0-byte.
+     [Emilia Käsper]
+
   *) CRIME protection: disable compression by default, even if OpenSSL is
      compiled with zlib enabled. Applications can still enable compression
      by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index bba68c6..68d251b 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -97,7 +97,28 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
     const unsigned char *p;
 
     p = from;
-    if ((num != (flen + 1)) || (*(p++) != 01)) {
+
+    /*
+     * The format is
+     * 00 || 01 || PS || 00 || D
+     * PS - padding string, at least 8 bytes of FF
+     * D  - data.
+     */
+
+    if (num < 11)
+        return -1;
+
+    /* Accept inputs with and without the leading 0-byte. */
+    if (num == flen) {
+        if ((*p++) != 0x00) {
+            RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
+                   RSA_R_INVALID_PADDING);
+            return -1;
+        }
+        flen--;
+    }
+
+    if ((num != (flen + 1)) || (*(p++) != 0x01)) {
         RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1,
                RSA_R_BLOCK_TYPE_IS_NOT_01);
         return (-1);

More information about the openssl-commits mailing list