[openssl-dev] [openssl.org #4148] PKCS1 type 1 Padding check error

Özgan, Tolgahan Jonas via RT rt at openssl.org
Wed Nov 18 15:24:51 UTC 2015


Dear List,
I have found a bug in the function "RSA_padding_check_PKCS1_type_1".

The bug is reproducible in OpenSSL versions 1.0.1e, 1.0.1p, 1.0.1k and also in 1.0.2d (these are the versions I've tried). After inspecting the source code, the bug can still be found in the current development branch.

Description:
When a correctly formatted PKCS1 type 1 data string is given to the method "RSA_padding_check_PKCS1_type_1" it always results in:

OpenSSLError: Code:67567722 in file:rsa_pk1.c line:102.
OpenSSLError: Error Message: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

Even when the message was originally padded by the corresponding OpenSSL padding function "RSA_padding_add_PKCS1_type_1", the same error occurs.

Cause:
In the file crypto/rsa/rsa_pk1.c the following check is made to determine the block type of the padding string:

    const unsigned char *p;
    p=from;
    if ((num != (flen+1)) || (*(p++) != 01))

The pointer p is incremented after the check, therefore p is always the first octet of the padded string. In the case of PKCS1 type 1 padding, always p=0, hence the error.

Notes:
Changing the check to

    if ((num != (flen+1)) || (*(++p) != 01))

also results in a failure, since the next check of p expects p to be "0xff".

Fix:
Adding an increment before the check:

const unsigned char *p;
p=from;
p++;  //NEW
if ((num != (flen+1)) || (*(p++) != 01))

fixes the problem.

Question:
What does the first part of the check, check exactly?
I.e.:
num != (flen+1)
num being rsa_size and flen the length of the buffer where the message is stored.

Thanks




Dipl.-Inf T. Jonas Özgan
Cyber Analysis & Defense Department
Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE)
Fraunhoferstr. 20 | 53343 Wachtberg  | Germany
Tel: +49 228 9435-513 | Fax +49 228 9435-685
http://www.fkie.fraunhofer.de
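
Added example, not part of the original post and not OpenSSL's code: a stand-alone C parser for the type 1 block layout 00 01 FF..FF 00 D, showing how the `num != (flen+1)` test and the block type test quoted above behave when the same block is passed with and without its leading 00 octet. The function name `check_type1` and the sample block are constructed for illustration; the parser assumes its caller hands over the block starting at the 01 octet.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-alone parser (not OpenSSL code) for a PKCS#1 v1.5
 * type 1 block: 00 01 FF..FF 00 D. Like the check quoted above, it expects
 * `from` to start at the 01 octet, so flen must equal num - 1.
 * Returns the length of D copied to `to`, or -1 on any format error. */
static int check_type1(unsigned char *to, int tlen,
                       const unsigned char *from, int flen, int num)
{
    const unsigned char *p = from;
    int i, j;

    if (num != flen + 1 || flen < 1 || *p++ != 0x01)
        return -1;                      /* wrong length or block type */
    j = flen - 1;                       /* octets left after the 01 */
    for (i = 0; i < j; i++, p++) {
        if (*p == 0x00) { p++; break; } /* separator ends the padding */
        if (*p != 0xff)
            return -1;                  /* padding must be all FF */
    }
    if (i == j || i < 8)
        return -1;                      /* no separator, or < 8 FF octets */
    j -= i + 1;                         /* data octets after separator */
    if (j > tlen)
        return -1;
    memcpy(to, p, (size_t)j);
    return j;
}

/* Constructed sample: num = 13, eight FF octets, data "hi". */
static const unsigned char block[13] = {
    0x00, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 'h', 'i'
};

int main(void)
{
    unsigned char out[13];
    /* Whole block, leading 00 included: flen == num, rejected. */
    printf("with leading 00:    %d\n", check_type1(out, 13, block, 13, 13));
    /* Leading 00 dropped by the caller: flen == num - 1, accepted. */
    printf("without leading 00: %d\n", check_type1(out, 13, block + 1, 12, 13));
    return 0;
}
```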

