For another example of just how badly this kind of thing can be done,
look at this code excerpt from Firefox version, which is the
fixed version.  There are two PKCS-1 parsing functions, one which returns
the hash and its prefix, the other of which is given the hash and asked
whether it matches the RSA-signed value.  This is from the latter one:

     * check the padding that was used
    if (buffer[0] != 0 || buffer[1] != 1)
        goto loser;
    for (i = 2; i < modulus_len - hash_len - 1; i++) {
        if (buffer[i] == 0)
        if (buffer[i] != 0xff)
            goto loser;

     * make sure we get the same results
    if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
        goto loser;

    return SECSuccess;

Here, buffer holds the result of the RSA exponentiation, of size
modulus_len, and we are passed hash of size hash_len to compare.

I don't think this code is used, fortunately.  It will accept anything
of the form 0, 1, 0, garbage, hash.  Just goes to show how easy it is
to get this kind of parsing wrong.

(Note, this is from 

Hal Finney

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to