openssl/openssl

RSA_sign and RSA_verify should not accept messages not matching the length of the specified hash

Open

#26.215 aberto em 19 de dez. de 2024

Ver no GitHub
 (7 comments) (0 reactions) (0 assignees)C (11.262 forks)batch import
branch: masterhelp wantedtriaged: feature

Métricas do repositório

Stars
 (30.157 stars)
Métricas de merge de PR
 (Nenhuma PRs mesclada em 30d)

Description

Hi,

I am using OpenSSL to perform RSA signing and verification in C. Below are the relevant code snippets for these operations:

Signing

RSA* key = RSA_new();
[...]
rc = RSA_sign(NID_md5, msg, (unsigned int)msg_size, sig, &siglen, key);
[...]
RSA_free(key);

Verification

RSA* key = RSA_new();
[...]
rc = RSA_verify(NID_md5, msg, (unsigned int)msg_size, sig, siglen, key);
[...]
RSA_free(key);

When both the signing and verification are performed using the same OpenSSL version, everything works perfectly. However, when the signature is created with OpenSSL 1.1.1c and verified with OpenSSL 3.1.7, the verification fails. (I guess the same happen when the signature is created with OpenSSL 3.1.7 and verified with OpenSSL 1.1.1c but I did not tried it)

After investigating, I found that the issue appears to be related to the encode_pkcs1 function, which returns a different length depending on the OpenSSL version:

  • OpenSSL 3.1.7: Returns a length of 141.
  • OpenSSL 1.1.1c: Returns a length of 142.

In my case, the message (msg) has a length of 123 bytes.

Do you have any idea what could be causing this discrepancy or how to resolve it?

Guia do colaborador