Eric Cronin via RT wrote:
> At one point in time, RSA_PKCS1_PADDING was evidently #defined as '11', 
> the size in bytes of the extra room needed for PKCS1 padding in an RSA 
> block.  In the current CVS version of OpenSSL it is #defined to 1 and 
> is just used as a selector in switch statements.  Except in rsa_sign.c:
> 
>       if(type == NID_md5_sha1) {
>               ...
>               i = SSL_SIG_LENGTH;
>       } else {
>               ...
>               i=i2d_X509_SIG(&sig,NULL);
>       }
>       j=RSA_size(rsa);
>       if ((i-RSA_PKCS1_PADDING) > j)
>       ...
> 
> Even if RSA_PKCS1_PADDING is replaced with 11, the logic is still wrong 
> here I believe.  It's if the hash *plus* the pad is greater than the 
> keysize that you run into problems.
> 
> If I'm completely missing the point of this check, I'd be interested in 
> what the real reason for it is...  muddling through this stuff makes my 
> brain hurt.

I think it's a bug (but not a very serious one, because
RSA_padding_add_PKCS1_type_1() would detect the error (if
you use the OpenSSL internal signing method)). I think
the correct if-statement should be:

--- /home/nla/openssl-SNAP-20021118/crypto/rsa/rsa_sign.c       Mon Jun 
11 03:01:50 2001
+++ crypto/rsa/rsa_sign.c       Tue Nov 26 11:25:43 2002
@@ -113,7 +113,7 @@
                 i=i2d_X509_SIG(&sig,NULL);
         }
         j=RSA_size(rsa);
-       if ((i-RSA_PKCS1_PADDING) > j)
+       if ((i + 11) > j)
                 {
                 RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
                 return(0);
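
Review bot: The bare literal 11 in the new condition "if ((i + 11) > j)" carries no explanation at the call site, and the line it replaces shows how a constant used here (RSA_PKCS1_PADDING) went wrong once its value turned into a selector. A one-line comment above the test, or a dedicated named constant, should state that 11 is the minimum EMSA-PKCS1-v1_5 overhead, so the check does not drift again.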

because at least 10 padding bytes are prepended (using EMSA-PKCS1-v1_5
padding) and the padded result should have one octet less than the
modulus (see PKCS#1 RSASSA-PKCS1-v1_5 signature generation).

Regards,
Nils

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
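
The boundary discussed in this thread, as an added example that is not part of the original messages or of OpenSSL's code: it builds the EMSA-PKCS1-v1_5 block 00 01 FF..FF 00 T and reports the first input length at which each version of the check disagrees with what the padding can actually hold. The helper names, MAX_K and the 64-byte modulus are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define PKCS1_V15_OVERHEAD 11 /* 00 01, at least 8 x FF, 00 */
#define MAX_K 512             /* largest modulus size (bytes) this demo handles */

/* Check as quoted from rsa_sign.c, with RSA_PKCS1_PADDING being the selector 1. */
static int old_check_rejects(int i, int j) { return (i - 1) > j; }

/* Check as proposed in the reply. */
static int new_check_rejects(int i, int j) { return (i + 11) > j; }

/* Build EM = 00 01 FF..FF 00 T in em[0..k-1]. Returns 0, or -1 if T cannot fit. */
static int emsa_pkcs1_v15_pad(unsigned char *em, int k,
                              const unsigned char *t, int t_len)
{
    int ps_len;
    if (t_len < 0 || k > MAX_K || k < PKCS1_V15_OVERHEAD
        || t_len > k - PKCS1_V15_OVERHEAD)
        return -1;
    ps_len = k - t_len - 3;            /* always >= 8 after the check above */
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xFF, (size_t)ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, t, (size_t)t_len);
    return 0;
}

/* Smallest input length where the check's verdict and the padding step
 * disagree for a k-byte modulus, or -1 if they agree for 0..k+16. */
static int first_disagreement(int (*rejects)(int, int), int k)
{
    unsigned char em[MAX_K], t[MAX_K + 16] = {0};
    int t_len;
    for (t_len = 0; t_len <= k + 16; t_len++) {
        int fits = emsa_pkcs1_v15_pad(em, k, t, t_len) == 0;
        if (fits == rejects(t_len, k))
            return t_len;
    }
    return -1;
}

int main(void)
{
    /* Constructed case: 64-byte (512-bit) modulus. */
    printf("old check first wrong at i=%d\n", first_disagreement(old_check_rejects, 64));
    printf("new check first wrong at i=%d\n", first_disagreement(new_check_rejects, 64));
    return 0;
}
```

For the 64-byte modulus the quoted check lets every length from 54 to 65 through to the padding step, while the proposed check rejects exactly the lengths the padding cannot hold.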
