/*
* - YACA_PADDING_PKCS1 & YACA_PADDING_PKCS1_SSLV23 are equal
* - YACA_PADDING_NONE checks only the input length
+ *
+ * Since openssl v3.2, the RSA_private_decrypt() method used with PKCS#1 padding
+ * doesn't return an error when it detects an error in padding,
+ * instead it returns a pseudo-randomly generated message.
+ *
*/
expected = YACA_ERROR_INVALID_PARAMETER;
if (p.padding == YACA_PADDING_NONE ||
(p.padding == YACA_PADDING_PKCS1 && padding == YACA_PADDING_PKCS1_SSLV23) ||
- (p.padding == YACA_PADDING_PKCS1_SSLV23 && padding == YACA_PADDING_PKCS1))
+ (p.padding == YACA_PADDING_PKCS1_SSLV23 && padding == YACA_PADDING_PKCS1) ||
+ p.padding == YACA_PADDING_PKCS1 || p.padding == YACA_PADDING_PKCS1_SSLV23)
expected = YACA_ERROR_NONE;
int ret = decrypt(p.padding, dec_key.get(),
* Shortened ciphertext. During encryption without padding OpenSSL allows
* input of length equal to the key length but during decryption it allows
* also shorter input. Yaca API does the same.
+ *
+ * Since openssl v3.2, the RSA_private_decrypt() method used with PKCS#1 padding
+ * doesn't return an error when it detects an error in padding,
+ * instead it returns a pseudo-randomly generated message.
+ *
*/
- if (padding != YACA_PADDING_NONE)
+ if (padding != YACA_PADDING_NONE &&
+ padding != YACA_PADDING_PKCS1 &&
+ padding != YACA_PADDING_PKCS1_SSLV23)
YACA_INVALID_PARAM(decrypt(padding, dec_key.get(),
ciphertext.get(), ciphertext_len - 1,
&tmp, &plaintext_len));
projects / platform / core / test / security-tests.git / commitdiff