81d1998e09
does not contain more bytes than the RSA modulus 'n' - it does not check that the input is strictly *less* than 'n'. Whether this should be the case or not is open to debate - however, due to security problems with returning miscalculated CRT results, the 'rsa_mod_exp' implementation in rsa_eay.c now performs a public-key exponentiation to verify the CRT result and in the event of an error will instead recalculate and return a non-CRT (more expensive) mod_exp calculation. As the mod_exp of 'I' is equivalent to the mod_exp of 'I mod n', and the verify result is automatically between 0 and n-1 inclusive, the verify only matches the input if 'I' was less than 'n', otherwise even a correct CRT calculation is only congruent to 'I' (i.e. they differ by a multiple of 'n'). Rather than rejecting correct calculations and doing redundant and slower ones instead, this changes the equality check in the verification code to a congruence check. |
||
---|---|---|
.cvsignore | ||
Makefile.ssl | ||
rsa_asn1.c | ||
rsa_chk.c | ||
rsa_eay.c | ||
rsa_err.c | ||
rsa_gen.c | ||
rsa_lib.c | ||
rsa_none.c | ||
rsa_null.c | ||
rsa_oaep.c | ||
rsa_pk1.c | ||
rsa_saos.c | ||
rsa_sign.c | ||
rsa_ssl.c | ||
rsa_test.c | ||
rsa.h |