>Especially I'm unlucky with what happens if (flen < tlen).
>Then one shouldn't refuse the padding but prepend zero
>bytes since the raw rsa op afterwards then takes
>num (=length of modulus) bytes as input.
In the no-padding mode, the application is responsible for doing the
padding. Prepending zero bytes makes absolutely no sense at all,
security-wise. This is most likely to occur when someone erroneously
uses RSA_NO_PADDING with a short unpadded session key. In that case,
throwing an error should be preferred to assuming that the programmer
might have meant to use an insecure encryption mode. In the unlikely
case that someone for some reason actually wants to do RSA with
prepended zero bytes, they can do so explicitly. I see no reason why
the code for it should be in OpenSSL.
It does however make sense to prepend one single zero byte. The
problem is that if you make it optional (i.e. prepend the zero byte
only if it is not already there), the decryption function cannot
recover the original data because it has no way of knowing whether the
zero byte was present in the input or not. In order to avoid
unnecessary complexity in the user-level decoding function, you have
to decide whether to always or never prepend a zero byte. For OpenSSL
it was decided, rightly IMHO, that RSA_NO_PADDING should really mean
no padding.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
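
The ambiguity discussed in the message above, as an added example that is not part of the original e-mail and is not OpenSSL code. It is a textbook raw RSA in Python with a constructed toy key (two Mersenne primes, not secure) and hypothetical function names; it shows that zero-prepending gives inputs of different lengths the same ciphertext, while a strict length check rejects the short input.

```python
# Added illustration. Toy key for demonstration only: NOT a secure key.
P, Q = 2**127 - 1, 2**89 - 1           # constructed: two Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes (27)


def raw_encrypt_strict(msg: bytes) -> bytes:
    """No padding at all: the caller must supply exactly K bytes."""
    if len(msg) != K:
        raise ValueError(f"input is {len(msg)} bytes, modulus needs {K}")
    m = int.from_bytes(msg, "big")
    if m >= N:
        raise ValueError("input too large for modulus")
    return pow(m, E, N).to_bytes(K, "big")


def raw_encrypt_zero_prepend(msg: bytes) -> bytes:
    """Hypothetical variant: silently left-fill short input with zero bytes."""
    if len(msg) > K:
        raise ValueError("input longer than modulus")
    return raw_encrypt_strict(msg.rjust(K, b"\x00"))


def raw_decrypt(ct: bytes) -> bytes:
    """Raw private-key operation; always returns K bytes."""
    c = int.from_bytes(ct, "big")
    return pow(c, D, N).to_bytes(K, "big")


def demo():
    a = b"\x01\x02"                    # constructed short inputs that differ
    b = b"\x00\x01\x02"                # only by a leading zero byte
    ca, cb = raw_encrypt_zero_prepend(a), raw_encrypt_zero_prepend(b)
    same_ciphertext = ca == cb         # both map to the same integer
    recovered = raw_decrypt(ca)        # K bytes; original length is lost
    try:
        raw_encrypt_strict(a)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return same_ciphertext, recovered, strict_rejected


if __name__ == "__main__":
    print(demo())
```
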