crypto/rsa: EncryptOAEP returning data with unexpected/inconsistent length #1519

Closed
gopherbot opened this issue Feb 16, 2011 · 3 comments

Comments

@gopherbot

by reuben.bond:

What steps will reproduce the problem?
1. Download rsa_test.go (attached, credit to wrtp from #go-nuts for writing it) into
$GOROOT/src/pkg/crypto/rsa
  - File includes 1 test case and a method, TestEncryptOAEP2
  - TestEncryptOAEP2 runs an infinite loop trying to encrypt random, short messages and testing the length of the encrypted result.
  - The same effect can be achieved by using random seeds on a fixed message (I think)
2. Run gotest
3. Wait for error

What is the expected output?
Loops indefinitely, no error

What do you see instead?
gotest fails in under a minute

Which compiler are you using (5g, 6g, 8g, gccgo)?
6g

Which operating system are you using?
Ubuntu Linux

Which revision are you using?  (hg identify)
1d32c7df56c8+ tip

Why this may be important: When attempting to encrypt more than ((pub.N.BitLen() + 7) /
8 - 2*hash.Size()-2) bytes, the result of subsequent calls to rsa.EncryptOAEP over
smaller slices of data can be appended to each other to form the resulting data (I
believe this is considered secure). A non-constant output length creates programming
overhead for programmers, presenting them with two solutions:
  * Account for the behaviour by associating "block length" information with each encrypted block, or
  * Manually pad-out the encryption result to the expected length

Further Information: The C implementation of RSAES-OAEP at
http://www.rsa.com/products/bsafe/documentation/cryptoc_621_dev_guide/group__AD__CRC__OAEP.html
seems to use a constant blockLength, so it seems that a constant length is
"expected behaviour" according to RSA.

Workaround: prepend the resulting encrypted data block with the difference between
expected and actual length of output data.
e.g.: encrypted = append(make([]byte, expectedLen-len(encrypted)), encrypted...). In
practice, it seems that this difference is up to 1 byte.

PS: I hope this bug report is informative and useful; if I could have improved it,
please let me know.

Attachments:

  1. rsa_test.go (12183 bytes)
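
Added example, not part of the original report or of the Go source tree: Go code for the layout that the report's "Why this may be important" paragraph and workaround describe, where every OAEP block is left-padded to k = (pub.N.BitLen() + 7) / 8 bytes so that concatenated blocks can be split again without per-block length fields. `encryptBlocks` and `decryptBlocks` are hypothetical helper names, SHA-256 is an assumed hash choice, and the messages in `main` are constructed sample input.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// encryptBlocks (hypothetical helper) concatenates OAEP blocks, each exactly k bytes long.
func encryptBlocks(pub *rsa.PublicKey, msgs ...[]byte) ([]byte, error) {
	k := (pub.N.BitLen() + 7) / 8 // modulus size in bytes
	var out []byte
	for _, m := range msgs {
		c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, m, nil)
		if err != nil {
			return nil, err
		}
		out = append(append(out, make([]byte, k-len(c))...), c...) // the report's zero padding
	}
	return out, nil
}

// decryptBlocks (hypothetical helper) splits data on k-byte boundaries; no block lengths are stored.
func decryptBlocks(priv *rsa.PrivateKey, data []byte) ([][]byte, error) {
	k := (priv.N.BitLen() + 7) / 8
	if len(data)%k != 0 {
		return nil, fmt.Errorf("%d bytes is not a multiple of k=%d", len(data), k)
	}
	var out [][]byte
	for ; len(data) > 0; data = data[k:] {
		p, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, data[:k], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ct, err := encryptBlocks(&priv.PublicKey, []byte("a"), []byte("bc")) // constructed input
	pt, derr := decryptBlocks(priv, ct)
	fmt.Printf("%d ciphertext bytes, plaintexts %q, errors: %v %v\n", len(ct), pt, err, derr)
}
```

On a Go release that returns a full k-byte block from `rsa.EncryptOAEP`, the padding length is always zero, so the padding expression only matters on builds that show the behaviour reported here.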
@rsc
Contributor

rsc commented Feb 16, 2011

Comment 1:

Owner changed to a...@golang.org.

@robpike
Contributor

robpike commented Feb 16, 2011

Comment 2:

Status changed to Accepted.

@agl
Contributor

agl commented Feb 18, 2011

Comment 3:

This issue was closed by revision 1937097.

Status changed to Fixed.

@mikioh mikioh changed the title rsa.EncryptOAEP returning data with unexpected/inconsistent length crypto/rsa: EncryptOAEP returning data with unexpected/inconsistent length Jan 14, 2015
@golang golang locked and limited conversation to collaborators Jun 24, 2016