Re: [openssl.org #355] Bug: RSA_PKCS1_PADDING use in rsa/rsa_sign.c
Eric Cronin via RT wrote:

> At one point in time, RSA_PKCS1_PADDING was evidently #defined as '11', the size in bytes of the extra room needed for PKCS1 padding in an RSA block. In the current CVS version of OpenSSL it is #defined to 1 and is just used as a selector in switch statements. Except in rsa_sign.c:
>
>     if(type == NID_md5_sha1) {
>         ...
>         i = SSL_SIG_LENGTH;
>     } else {
>         ...
>         i=i2d_X509_SIG(sig,NULL);
>     }
>     j=RSA_size(rsa);
>     if ((i-RSA_PKCS1_PADDING) > j)
>         ...
>
> Even if RSA_PKCS1_PADDING is replaced with 11, the logic is still wrong here I believe. It's if the hash *plus* the pad is greater than the keysize that you run into problems.
>
> If I'm completely missing the point of this check, I'd be interested in what the real reason for it is... muddling through this stuff makes my brain hurt.

I think it's a bug (but not a very serious one, because RSA_padding_add_PKCS1_type_1() would detect the error (if you use the OpenSSL internal signing method)). I think the correct if-statement should be:

--- /home/nla/openssl-SNAP-20021118/crypto/rsa/rsa_sign.c Mon Jun 11 03:01:50 2001 +++ crypto/rsa/rsa_sign.c Tue Nov 26 11:25:43 2002 @@ -113,7 +113,7 @@ i=i2d_X509_SIG(sig,NULL); } j=RSA_size(rsa); - if ((i-RSA_PKCS1_PADDING) j) + if ((i + 11) j) { RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); return(0);

because at least 10 padding bytes are prepended (using EMSA-PKCS1-v1_5 padding) and the padded result should have one octet less than the modulus (see PKCS#1 RSASSA-PKCS1-v1_5 signature generation).

Regards,
Nils

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
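Review bot: the literal 11 in the added condition `(i + 11)` is a magic number, and this ticket exists because the meaning of the previous operand, RSA_PKCS1_PADDING, changed silently from a size to a switch selector. Define a named size constant for the PKCS#1 v1.5 overhead, kept separate from the padding-mode selector, use it in this comparison, and add a comment recording the reasoning given with the patch: at least 10 bytes are prepended and the padded result is one octet shorter than the modulus returned by RSA_size(rsa).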
[openssl.org #355] Bug: RSA_PKCS1_PADDING use in rsa/rsa_sign.c
Your analysis is correct. Thanks. I've just committed a change.

This ticket is now resolved.

[[EMAIL PROTECTED] - Fri Nov 22 10:27:03 2002]:

> At one point in time, RSA_PKCS1_PADDING was evidently #defined as '11', the size in bytes of the extra room needed for PKCS1 padding in an RSA block. In the current CVS version of OpenSSL it is #defined to 1 and is just used as a selector in switch statements. Except in rsa_sign.c:
>
>     if(type == NID_md5_sha1) {
>         ...
>         i = SSL_SIG_LENGTH;
>     } else {
>         ...
>         i=i2d_X509_SIG(sig,NULL);
>     }
>     j=RSA_size(rsa);
>     if ((i-RSA_PKCS1_PADDING) > j)
>         ...
>
> Even if RSA_PKCS1_PADDING is replaced with 11, the logic is still wrong here I believe. It's if the hash *plus* the pad is greater than the keysize that you run into problems.
>
> If I'm completely missing the point of this check, I'd be interested in what the real reason for it is... muddling through this stuff makes my brain hurt.
>
> Thanks,
> Eric

--
Richard Levitte
[openssl.org #355] Bug: RSA_PKCS1_PADDING use in rsa/rsa_sign.c
At one point in time, RSA_PKCS1_PADDING was evidently #defined as '11', the size in bytes of the extra room needed for PKCS1 padding in an RSA block. In the current CVS version of OpenSSL it is #defined to 1 and is just used as a selector in switch statements. Except in rsa_sign.c:

    if(type == NID_md5_sha1) {
        ...
        i = SSL_SIG_LENGTH;
    } else {
        ...
        i=i2d_X509_SIG(sig,NULL);
    }
    j=RSA_size(rsa);
    if ((i-RSA_PKCS1_PADDING) > j)
        ...

Even if RSA_PKCS1_PADDING is replaced with 11, the logic is still wrong here I believe. It's if the hash *plus* the pad is greater than the keysize that you run into problems.

If I'm completely missing the point of this check, I'd be interested in what the real reason for it is... muddling through this stuff makes my brain hurt.

Thanks,
Eric
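The length check discussed in this thread, as an added C example that is not OpenSSL's code: it compares the check quoted from rsa_sign.c (with RSA_PKCS1_PADDING equal to 1) against the `i + 11` form from the reply, and counts the lengths each one lets through even though type 1 padding cannot fit. The function names, the `TYPE1_OVERHEAD` macro and the 64-byte modulus are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 0x00 0x01, at least eight 0xFF bytes, 0x00: the "11" argued for in the reply. */
#define TYPE1_OVERHEAD 11

/* Check as quoted from rsa_sign.c, with RSA_PKCS1_PADDING being the selector 1. */
static int old_check_rejects(int i, int j) { return (i - 1) > j; }
/* Check proposed in the reply: digest encoding plus padding must fit in j bytes. */
static int new_check_rejects(int i, int j) { return (i + TYPE1_OVERHEAD) > j; }

/* Hypothetical padder: writes EM = 00 01 FF..FF 00 T into em[0..k-1].
 * The leading 0x00 is the "one octet less than the modulus" from the reply.
 * Returns 0 on success, -1 when T cannot fit with at least 8 bytes of 0xFF. */
static int pad_type1(unsigned char *em, size_t k,
                     const unsigned char *t, size_t tlen)
{
    size_t pslen;
    if (k < TYPE1_OVERHEAD || tlen > k - TYPE1_OVERHEAD)
        return -1;
    pslen = k - tlen - 3;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, pslen);
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, t, tlen);
    return 0;
}

/* Number of lengths i that a check lets through although padding must fail. */
static int count_gap(int j, int (*rejects)(int, int))
{
    unsigned char em[512], t[512] = {0};
    int i, gap = 0;
    if (j < 1 || j > (int)sizeof em)
        return -1;
    for (i = 1; i <= j + 5; i++)
        if (!rejects(i, j) && pad_type1(em, (size_t)j, t, (size_t)i) != 0)
            gap++;
    return gap;
}

int main(void)
{
    int j = 64; /* constructed example: 512-bit modulus */
    printf("old check gap: %d\n", count_gap(j, old_check_rejects));
    printf("new check gap: %d\n", count_gap(j, new_check_rejects));
    return 0;
}
```

With the old check, every length in the gap is passed on to the padding routine, which is where the reply says the error would then be detected.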