Re: [openssl.org #355] Bug: RSA_PKCS1_PADDING use in rsa/rsa_sign.c
Eric Cronin via RT wrote:
At one point in time, RSA_PKCS1_PADDING was evidently #defined as '11',
the size in bytes of the extra room needed for PKCS1 padding in an RSA
block. In the current CVS version of OpenSSL it is #defined to 1 and
is just used as a selector in switch statements. Except in rsa_sign.c:
if(type == NID_md5_sha1) {
...
i = SSL_SIG_LENGTH;
} else {
...
i=i2d_X509_SIG(sig,NULL);
}
j=RSA_size(rsa);
if ((i-RSA_PKCS1_PADDING) j)
...
Even if RSA_PKCS1_PADDING is replaced with 11, the logic is still wrong
here I believe. It's if the hash *plus* the pad is greater than the
keysize that you run into problems.
If I'm completely missing the point of this check, I'd be interested in
what the real reason for it is... muddling through this stuff makes my
brain hurt.
I think it's a bug (but not a very serious one, because
RSA_padding_add_PKCS1_type_1() would detect the error (if
you use the OpenSSL internal signing method)). I think
the correct if-statement should be:
--- /home/nla/openssl-SNAP-20021118/crypto/rsa/rsa_sign.c Mon Jun
11 03:01:50 2001
+++ crypto/rsa/rsa_sign.c Tue Nov 26 11:25:43 2002
@@ -113,7 +113,7 @@
i=i2d_X509_SIG(sig,NULL);
}
j=RSA_size(rsa);
- if ((i-RSA_PKCS1_PADDING) j)
+ if ((i + 11) j)
{
RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
return(0);
because at least 10 padding bytes are prepended (using EMSA-PKCS1-v1_5
padding) and the padded result should have one octet less than the
modulus (see PKCS#1 RSASSA-PKCS1-v1_5 signature generation).
Regards,
Nils
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
[openssl.org #355] Bug: RSA_PKCS1_PADDING use in rsa/rsa_sign.c
Your analysis is correct. Thanks. I've just committed a change.
This ticket is now resolved.
[[EMAIL PROTECTED] - Fri Nov 22 10:27:03 2002]:
At one point in time, RSA_PKCS1_PADDING was evidently #defined as
'11',
the size in bytes of the extra room needed for PKCS1 padding in an
RSA
block. In the current CVS version of OpenSSL it is #defined to 1
and
is just used as a selector in switch statements. Except in
rsa_sign.c:
if(type == NID_md5_sha1) {
...
i = SSL_SIG_LENGTH;
} else {
...
i=i2d_X509_SIG(sig,NULL);
}
j=RSA_size(rsa);
if ((i-RSA_PKCS1_PADDING) j)
...
Even if RSA_PKCS1_PADDING is replaced with 11, the logic is still
wrong
here I believe. It's if the hash *plus* the pad is greater than
the
keysize that you run into problems.
If I'm completely missing the point of this check, I'd be
interested
in
what the real reason for it is... muddling through this stuff
makes
my
brain hurt.
Thanks,
Eric
--
Richard Levitte
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
[openssl.org #355] Bug: RSA_PKCS1_PADDING use in rsa/rsa_sign.c
At one point in time, RSA_PKCS1_PADDING was evidently #defined as '11',
the size in bytes of the extra room needed for PKCS1 padding in an RSA
block. In the current CVS version of OpenSSL it is #defined to 1 and
is just used as a selector in switch statements. Except in rsa_sign.c:
if(type == NID_md5_sha1) {
...
i = SSL_SIG_LENGTH;
} else {
...
i=i2d_X509_SIG(sig,NULL);
}
j=RSA_size(rsa);
if ((i-RSA_PKCS1_PADDING) j)
...
Even if RSA_PKCS1_PADDING is replaced with 11, the logic is still wrong
here I believe. It's if the hash *plus* the pad is greater than the
keysize that you run into problems.
If I'm completely missing the point of this check, I'd be interested in
what the real reason for it is... muddling through this stuff makes my
brain hurt.
Thanks,
Eric
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
