Re: Padding mode for RSA_private_decrypt()...
Mounir IDRASSI wrote in message To my knowledge, SSLV2, SSLV3 and TLS1.0 all use PKCS#1 Block Type 2 padding. Are you sure about this? I'm writing a server and I occasionally get the error I reported; however, if what you are saying is true, the error may be indicative of another problem. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Padding mode for RSA_private_decrypt()...
Michael S. Zick wrote in message The padding is added to the **plain text** After decryption, the server can determine the padding present. I'm writing a server and I usually just call RSA_private_decrypt(..., RSA_PKCS1_PADDING). Everything works fine most of the time but sometimes I get that error. In your last sentence, did you mean that the server can determine the padding mode? If so, how? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Padding mode for RSA_private_decrypt()...
On Mon, Nov 09, 2009, barcaroller wrote: Mounir IDRASSI wrote in message To my knowledge, SSLV2, SSLV3 and TLS1.0 all use PKCS#1 Block Type 2 padding. Are you sure about this? I'm writing a server and I occasionally get the error I reported; however, if what you are saying is true, the error may be indicative of another problem. Yes it is true. If the data is corrpupted somehow or if there is a bug in the RSA implementation (server or client) then you can get that error. You can get subtle errors which only show up occasionally. If you log the received data when you get that error you can check it with rsautl and the private key. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Padding mode for RSA_private_decrypt()...
Hi, Take a look at function get_client_master_key in the file s2_srv.c, and specifically at the line where a call to ssl_rsa_private_decrypt is made : in it, the decision to use RSA_PKCS1_PADDING or RSA_SSLV23_PADDING is made depending on the value of the member ssl2_rollback of the ssl2_state_st structure. This member is set in the function ssl23_get_client_hello in the file s23_srv, depending on the options of the SSL options. Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr barcaroller wrote: Michael S. Zick wrote in message The padding is added to the **plain text** After decryption, the server can determine the padding present. I'm writing a server and I usually just call RSA_private_decrypt(..., RSA_PKCS1_PADDING). Everything works fine most of the time but sometimes I get that error. In your last sentence, did you mean that the server can determine the padding mode? If so, how? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Padding mode for RSA_private_decrypt()...
Mounir IDRASSI wrote in message ... You simply can't guess the padding mode if you don't know it in advance. Imagine the security consequences if this was possible : it would mean that an attacker can have information about the clear text without having access to the private key!! Okay, but the SSL client uses RSA_public_encrypt() with a padding value that is unknown to the SSL server, which uses RSA_private_decrypt() later on. How can the SSL server know in advance what padding mode the SSL client is going to use? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Padding mode for RSA_private_decrypt()...
On Sun November 8 2009, barcaroller wrote: Mounir IDRASSI wrote in message ... You simply can't guess the padding mode if you don't know it in advance. Imagine the security consequences if this was possible : it would mean that an attacker can have information about the clear text without having access to the private key!! Okay, but the SSL client uses RSA_public_encrypt() with a padding value that is unknown to the SSL server, which uses RSA_private_decrypt() later on. How can the SSL server know in advance what padding mode the SSL client is going to use? The padding is added to the **plain text** After decryption, the server can determine the padding present. Mike __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Padding mode for RSA_private_decrypt()...
Hi, Which version of SSL/TLS are you talking about? To my knowledge, SSLV2, SSLV3 and TLS1.0 all use PKCS#1 Block Type 2 padding (in case of SSL V2 rollback, that last eight padding bytes are not random and are set to 0x03 but this special case is detect at the protocol level). Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr barcaroller wrote: Mounir IDRASSI wrote in message ... You simply can't guess the padding mode if you don't know it in advance. Imagine the security consequences if this was possible : it would mean that an attacker can have information about the clear text without having access to the private key!! Okay, but the SSL client uses RSA_public_encrypt() with a padding value that is unknown to the SSL server, which uses RSA_private_decrypt() later on. How can the SSL server know in advance what padding mode the SSL client is going to use? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Padding mode for RSA_private_decrypt()...
How can I tell what the padding mode was before I attempt to decrypt data. For example, when I use RSA_private_decrypt(encsize, encdata, decdata, privkey, RSA_PKCS1_PADDING) I sometimes (but not always) get the following error: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Padding mode for RSA_private_decrypt()...
Hi, You simply can't guess the padding mode if you don't know it in advance. Imagine the security consequences if this was possible : it would mean that an attacker can have information about the clear text without having access to the private key!! Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr barcaroller wrote: How can I tell what the padding mode was before I attempt to decrypt data. For example, when I use RSA_private_decrypt(encsize, encdata, decdata, privkey, RSA_PKCS1_PADDING) I sometimes (but not always) get the following error: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org