From: Emilia Kasper Date: Tue, 2 Feb 2016 17:03:33 +0000 (+0100) Subject: RT4148 X-Git-Tag: OpenSSL_1_1_0-pre3~314 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ba2de73b185016e0a98e62f75b368ab6ae673919;p=oweals%2Fopenssl.git RT4148 Accept leading 0-byte in PKCS1 type 1 padding. Internally, the byte is stripped by BN_bn2bin but external callers may have other expectations. Reviewed-by: Kurt Roeckx --- diff --git a/CHANGES b/CHANGES index d0d3a2629a..fc5b8cb0a7 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 1.0.2f and 1.1.0 [xx XXX xxxx] + *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without + the leading 0-byte. + [Emilia Käsper] + *) CRIME protection: disable compression by default, even if OpenSSL is compiled with zlib enabled. Applications can still enable compression by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index bba68c62bf..68d251bc0f 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -97,7 +97,28 @@ int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, const unsigned char *p; p = from; - if ((num != (flen + 1)) || (*(p++) != 01)) { + + /* + * The format is + * 00 || 01 || PS || 00 || D + * PS - padding string, at least 8 bytes of FF + * D - data. + */ + + if (num < 11) + return -1; + + /* Accept inputs with and without the leading 0-byte. */ + if (num == flen) { + if ((*p++) != 0x00) { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, + RSA_R_INVALID_PADDING); + return -1; + } + flen--; + } + + if ((num != (flen + 1)) || (*(p++) != 0x01)) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1, RSA_R_BLOCK_TYPE_IS_NOT_01); return (-1);