diff options
| author | Filippo Valsorda <filippo@golang.org> | 2020-04-27 21:52:38 -0400 |
|---|---|---|
| committer | Filippo Valsorda <filippo@golang.org> | 2020-05-05 00:36:44 +0000 |
| commit | c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3 (patch) | |
| tree | 099593dca9e78212c29c48640fe0427c24f9e31c /src/crypto/rsa/rsa.go | |
| parent | b5f7ff4aa9c1fef6437f350595caae4ee4b5708d (diff) | |
| download | go-c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3.tar.gz go-c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3.zip | |
math/big: add (*Int).FillBytes
Replaced almost every use of Bytes with FillBytes.
Note that the approved proposal was for
func (*Int) FillBytes(buf []byte)
while this implements
func (*Int) FillBytes(buf []byte) []byte
because the latter was far nicer to use in all callsites.
Fixes #35833
Change-Id: Ia912df123e5d79b763845312ea3d9a8051343c0a
Reviewed-on: https://go-review.googlesource.com/c/go/+/230397
Reviewed-by: Robert Griesemer <gri@golang.org>
Diffstat (limited to 'src/crypto/rsa/rsa.go')
| -rw-r--r-- | src/crypto/rsa/rsa.go | 32 |
1 files changed, 5 insertions, 27 deletions
diff --git a/src/crypto/rsa/rsa.go b/src/crypto/rsa/rsa.go index b4bfa13def..28eb5926c1 100644 --- a/src/crypto/rsa/rsa.go +++ b/src/crypto/rsa/rsa.go @@ -416,16 +416,9 @@ func EncryptOAEP(hash hash.Hash, random io.Reader, pub *PublicKey, msg []byte, l m := new(big.Int) m.SetBytes(em) c := encrypt(new(big.Int), pub, m) - out := c.Bytes() - if len(out) < k { - // If the output is too small, we need to left-pad with zeros. - t := make([]byte, k) - copy(t[k-len(out):], out) - out = t - } - - return out, nil + out := make([]byte, k) + return c.FillBytes(out), nil } // ErrDecryption represents a failure to decrypt a message. @@ -597,12 +590,9 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext lHash := hash.Sum(nil) hash.Reset() - // Converting the plaintext number to bytes will strip any - // leading zeros so we may have to left pad. We do this unconditionally - // to avoid leaking timing information. (Although we still probably - // leak the number of leading zeros. It's not clear that we can do - // anything about this.) - em := leftPad(m.Bytes(), k) + // We probably leak the number of leading zeros. + // It's not clear that we can do anything about this. + em := m.FillBytes(make([]byte, k)) firstByteIsZero := subtle.ConstantTimeByteEq(em[0], 0) @@ -643,15 +633,3 @@ func DecryptOAEP(hash hash.Hash, random io.Reader, priv *PrivateKey, ciphertext return rest[index+1:], nil } - -// leftPad returns a new slice of length size. The contents of input are right -// aligned in the new slice. -func leftPad(input []byte, size int) (out []byte) { - n := len(input) - if n > size { - n = size - } - out = make([]byte, size) - copy(out[len(out)-n:], input) - return -} |