Eric Cronin via RT wrote: > At one point in time, RSA_PKCS1_PADDING was evidently #defined as '11', > the size in bytes of the extra room needed for PKCS1 padding in an RSA > block. In the current CVS version of OpenSSL it is #defined to 1 and > is just used as a selector in switch statements. Except in rsa_sign.c: > > if(type == NID_md5_sha1) { > ... > i = SSL_SIG_LENGTH; > } else { > ... > i=i2d_X509_SIG(&sig,NULL); > } > j=RSA_size(rsa); > if ((i-RSA_PKCS1_PADDING) > j) > ... > > Even if RSA_PKCS1_PADDING is replaced with 11, the logic is still wrong > here I believe. It's if the hash *plus* the pad is greater than the > keysize that you run into problems. > > If I'm completely missing the point of this check, I'd be interested in > what the real reason for it is... muddling through this stuff makes my > brain hurt.
I think it's a bug (but not a very serious one, because RSA_padding_add_PKCS1_type_1() would detect the error (if you use the OpenSSL internal signing method)). I think the correct if-statement should be: --- /home/nla/openssl-SNAP-20021118/crypto/rsa/rsa_sign.c Mon Jun 11 03:01:50 2001 +++ crypto/rsa/rsa_sign.c Tue Nov 26 11:25:43 2002 @@ -113,7 +113,7 @@ i=i2d_X509_SIG(&sig,NULL); } j=RSA_size(rsa); - if ((i-RSA_PKCS1_PADDING) > j) + if ((i + 11) > j) { RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); return(0); because at least 10 padding bytes are prepended (using EMSA-PKCS1-v1_5 padding) and the padded result should have one octet less than the modulus (see PKCS#1 RSASSA-PKCS1-v1_5 signature generation). Regards, Nils ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]