I guess the purpose of the flag RSA_NO_PADDING is to provide a kind of raw RSA operation but to make sure the input is shorter than the modulus. I'm really not sure, but it shows up as broken while I tested. The reason is that the prepended zero byte is not preserved after decryption. I appended diffs to make this work (in the sense I explained above).

The question is: is it useful to have a "padding" procedure that just checks whether the input is less than the modulus (not the length in bytes but the length in bits, or even make a BN_cmp())? This would take advantage of the implemented Montgomery optimizations for raw RSA ops (compared to just using the BN_mod_exp() function).

----------------
bash-2.01$ diff rsa_none.c rsa_none.c.org 91c91 < //from++; --- > from++; 97c97 < if (flen+1 > num) --- > if (flen+1 >= num) 104c104 < j=flen+1; /* one for type and one for the prepended 0. */ --- > j=flen-1; /* one for type and one for the prepended 0. */ 107,108c107,108 < memcpy(to,from,flen); < return(flen); --- > memcpy(to,from,j); > return(j);
----------------

BTW, the RSA key gen procedure loops endlessly if the desired key length is less than 32 bits. I've not yet checked why.

--
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
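
Review bot: In hunk 91c91 the new line `//from++;` leaves dead code behind a `//` comment, which is not part of C89 and differs from the `/* */` style used at line 104; delete the statement outright rather than commenting it out. The diff was also produced as `diff rsa_none.c rsa_none.c.org`, so the `<` lines are the new code; a `diff -u rsa_none.c.org rsa_none.c` would be easier to read and apply.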
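
Review bot: The boundary change from `>=` to `>` in hunk 97c97 now admits `flen+1 == num` with no comment or test explaining why that case is safe. State in a comment what `num` bounds here, and add a round-trip test at `flen == num-1` that includes an input starting with a zero byte, since that is the case the message reports as broken.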
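
Review bot: In hunk 104c104 the new `j=flen+1;` is assigned but no longer used by the lines changed in 107,108, which now call `memcpy(to,from,flen);` and `return(flen);`, and its comment about "one for type and one for the prepended 0" no longer describes what happens. If nothing in the unseen lines 105-106 reads `j`, drop the assignment and the comment together; otherwise update the comment to say what `flen+1` represents.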
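
An added example, not part of the original message and not OpenSSL code: a Python sketch of the two points raised in the mail, that a minimal-length integer encoding drops the leading zero byte after raw RSA decryption, and that only a numeric comparison against the modulus (the job BN_cmp() would do) rejects oversized input, where byte-length and bit-length tests do not. The toy key built from two Mersenne primes, the exact-length input rule and all function names are assumptions made for illustration.

```python
# Toy key, constructed for illustration (assumption; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1        # two Mersenne primes
N = P * Q                          # 92-bit modulus
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8      # modulus length in bytes


def to_int_checked(data: bytes) -> int:
    """Raw-RSA input check: exactly K bytes and numerically below N."""
    if len(data) != K:
        raise ValueError("input must be exactly the modulus length")
    m = int.from_bytes(data, "big")
    if m >= N:                     # the numeric test a BN_cmp() would perform
        raise ValueError("input not smaller than modulus")
    return m


def raw_encrypt(data: bytes) -> bytes:
    return pow(to_int_checked(data), E, N).to_bytes(K, "big")


def raw_decrypt_fixed(ct: bytes) -> bytes:
    """Decrypt and left-pad to K bytes, so leading zero bytes survive."""
    return pow(to_int_checked(ct), D, N).to_bytes(K, "big")


def raw_decrypt_minimal(ct: bytes) -> bytes:
    """Decrypt and emit the shortest encoding, which loses leading zeros."""
    m = pow(to_int_checked(ct), D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def passes_length_checks(data: bytes) -> bool:
    """Byte-length and bit-length tests only; not sufficient on their own."""
    m = int.from_bytes(data, "big")
    return len(data) <= K and m.bit_length() <= N.bit_length()


if __name__ == "__main__":
    msg = b"\x00" + b"hello world"       # constructed 12-byte input
    ct = raw_encrypt(msg)
    print(raw_decrypt_fixed(ct))         # leading zero byte kept
    print(raw_decrypt_minimal(ct))       # leading zero byte lost
    too_big = b"\x0f" + b"\xff" * 11     # same bit length as N, yet >= N
    print(passes_length_checks(too_big))
```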