RSA_sign and RSA_verify should not accept messages not matching the length of the specified hash
#26.215 aberto em 19 de dez. de 2024
Métricas do repositório
- Stars
- (30.157 stars)
- Métricas de merge de PR
- (Nenhuma PRs mesclada em 30d)
Description
Hi,
I am using OpenSSL to perform RSA signing and verification in C. Below are the relevant code snippets for these operations:
Signing
RSA* key = RSA_new();
[...]
rc = RSA_sign(NID_md5, msg, (unsigned int)msg_size, sig, &siglen, key);
[...]
RSA_free(key);
Verification
RSA* key = RSA_new();
[...]
rc = RSA_verify(NID_md5, msg, (unsigned int)msg_size, sig, siglen, key);
[...]
RSA_free(key);
When both the signing and verification are performed using the same OpenSSL version, everything works perfectly. However, when the signature is created with OpenSSL 1.1.1c and verified with OpenSSL 3.1.7, the verification fails. (I guess the same happen when the signature is created with OpenSSL 3.1.7 and verified with OpenSSL 1.1.1c but I did not tried it)
After investigating, I found that the issue appears to be related to the encode_pkcs1 function, which returns a different length depending on the OpenSSL version:
- OpenSSL 3.1.7: Returns a length of 141.
- OpenSSL 1.1.1c: Returns a length of 142.
In my case, the message (msg) has a length of 123 bytes.
Do you have any idea what could be causing this discrepancy or how to resolve it?