On Tue, 2004-03-23 at 13:03, Richard Levitte - VMS Whacker wrote:
> In message <[EMAIL PROTECTED]> on Tue, 23 Mar 2004 10:48:00 -0800, Jose
> Castejon-Amenedo <[EMAIL PROTECTED]> said:
>
> Jose.Castejon-Amenedo> OK. I would like to add to what you
> Jose.Castejon-Amenedo> (correctly) wrote earlier on: a 1,024-bit RSA
> Jose.Castejon-Amenedo> key works on 1,024 bits of input and returns
> Jose.Castejon-Amenedo> 1,024 bits of output. The actual numerical
> Jose.Castejon-Amenedo> value of the input can be any positive integer
> Jose.Castejon-Amenedo> smaller than the RSA modulus. In order to have
> Jose.Castejon-Amenedo> 1,024 bits worth of input, a left-padding with
> Jose.Castejon-Amenedo> zeros is assumed by RSA_NO_PADDING.
>
> Since this seems to be a little bit confusing, I made a change to
> doc/crypto/RSA_public_encrypt.pod to make things a bit clearer. The
> relevant paragraph now says this:
>
> B<flen> must be less than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
> based padding modes, less than RSA_size(B<rsa>) - 41 for
> RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
> The random number generator must be seeded prior to calling
> RSA_public_encrypt().
It might be worth the while specifying that the fact that the size of
the buffer has to be exactly RSA_size(B<rsa>) for RSA_NO_PADDING does
NOT imply that only payloads exactly that size can be processed.
I think it would be useful to underline that a padding with zeroes is
admissible, and in general should be done by the caller, if payloads
shorter than the size of the buffer are to be operated on.
I guess that, as somebody else remarked, the RSA_NO_PADDING label is a
bit unfortunate.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
