{
case RSA_PKCS1_PADDING:
r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+ /* Generally signatures should be at least 2/3 padding, though
+ this isn't possible for really short keys and some standard
+ signature schemes, so don't check if the unpadded data is
+ small. */
+ if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+ {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+ goto err;
+ }
break;
case RSA_X931_PADDING:
r=RSA_padding_check_X931(to,num,buf,i,num);