author | Dmitri Shuralyov <dmitshur@golang.org> | 2020-05-06 00:20:47 -0400 |
---|---|---|
committer | Dmitri Shuralyov <dmitshur@golang.org> | 2020-05-07 18:24:58 -0400 |
commit | a9d2e3abf772ee2c49394430545df1fa83699f04 (patch) | |
tree | a274d976b131829762304aef7c5f38b8f732fa71 /src/crypto/rsa/rsa.go | |
parent | c19c0a047b849cc1d63745b2e5e8d467cb4e815b (diff) | |
parent | c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3 (diff) | |
[dev.boringcrypto] all: merge master into dev.boringcrypto
Change-Id: Idd59c37d2fd759b0f73d2ee01b30f72ef4e9aee8
Diffstat (limited to 'src/crypto/rsa/rsa.go')
-rw-r--r-- | src/crypto/rsa/rsa.go | 45 |
1 files changed, 9 insertions, 36 deletions
diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go
index bd738f592c..4c67644ccb 100644
--- a/src/crypto/rsa/rsa.go
+++ b/src/crypto/rsa/rsa.go
@@ -458,33 +458,21 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l
 	mgf1XOR(db, hash, seed)
 	mgf1XOR(seed, hash, db)
-	var out []byte
 	if boring.Enabled {
 		var bkey *boring.PublicKeyRSA
 		bkey, err = boringPublicKey(pub)
 		if err != nil {
 			return nil, err
 		}
-		c, err := boring.EncryptRSANoPadding(bkey, em)
-		if err != nil {
-			return nil, err
-		}
-		out = c
-	} else {
-		m := new(big.Int)
-		m.SetBytes(em)
-		c := encrypt(new(big.Int), pub, m)
-		out = c.Bytes()
+		return boring.EncryptRSANoPadding(bkey, em)
 	}
-	if len(out) < k {
-		// If the output is too small, we need to left-pad with zeros.
-		t := make([]byte, k)
-		copy(t[k-len(out):], out)
-		out = t
-	}
+	m := new(big.Int)
+	m.SetBytes(em)
+	c := encrypt(new(big.Int), pub, m)
-	return out, nil
+	out := make([]byte, k)
+	return c.FillBytes(out), nil
 }
 // ErrDecryption represents a failure to decrypt a message.
@@ -670,12 +658,9 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
 	lHash := hash.Sum(nil)
 	hash.Reset()
-	// Converting the plaintext number to bytes will strip any
-	// leading zeros so we may have to left pad. We do this unconditionally
-	// to avoid leaking timing information. (Although we still probably
-	// leak the number of leading zeros. It's not clear that we can do
-	// anything about this.)
-	em := leftPad(m.Bytes(), k)
+	// We probably leak the number of leading zeros.
+	// It's not clear that we can do anything about this.
+	em := m.FillBytes(make([]byte, k))
 	firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0)
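Review bot: The left-padding to k bytes that the removed code applied to both branches now happens only on the Go path (`c.FillBytes(out)`); the BoringSSL branch returns `boring.EncryptRSANoPadding(bkey, em)` unchanged, so callers now depend on that wrapper producing exactly k bytes — presumably it does, since BoringSSL's raw RSA encrypt writes a modulus-sized output, but nothing in the hunk checks or documents it. If that contract is not stated on EncryptRSANoPadding, a cheap guard keeps the two paths equivalent, e.g. `if len(c) != k { return nil, errors.New("rsa: unexpected ciphertext length from BoringCrypto") }` after the call (assuming `errors` is already imported, which is outside this hunk). FillBytes panics when the value does not fit the buffer, which cannot happen here because `c` is the result of exponentiation modulo the public modulus, whose byte length is presumably what k was set to earlier in the function; a one-line comment such as `// c < N, so it always fits in k = pub.Size() bytes.` would spare the next reader that check. EncryptOAEP's body starts before this hunk.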
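Review bot: The rewritten comment above `em := m.FillBytes(make([]byte, k))` no longer says where the leading-zero leak comes from, which matters now that the padding step itself is length-independent: FillBytes writes into a fixed k-byte buffer, so the remaining leak is that `m` was produced by non-constant-time big.Int arithmetic earlier in DecryptOAEP (outside this hunk), whose timing can depend on the bit length of the result. Suggest `// FillBytes always yields k bytes, but m comes from non-constant-time big.Int arithmetic, so its length (the number of leading zero bytes) may still leak through timing.` It is also worth stating next to this line that FillBytes panics if m does not fit in k bytes, which is presumably excluded because m is reduced modulo the modulus before this point — a short comment saying so documents the invariant the panic relies on. DecryptOAEP's body starts and ends outside this hunk.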
@@ -716,15 +701,3 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext
 	return rest[index+1:], nil
 }
-
-// leftPad returns a new slice of length size. The contents of input are right
-// aligned in the new slice.
-func leftPad(input []byte, size int) (out []byte) {
-	n := len(input)
-	if n > size {
-		n = size
-	}
-	out = make([]byte, size)
-	copy(out[len(out)-n:], input)
-	return
-}
|