diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2012-02-15 14:00:09 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2012-02-15 14:00:09 +0000 |
| commit | 16b7c81d55e528edd5186004ec0691e1461faeab (patch) | |
| tree | fead9e97dc17a001801d9381b662922d9d70338a /crypto/rsa | |
| parent | 424ba8b58871dcda97f115894bd0ddc6d120d579 (diff) | |
| download | openssl-new-16b7c81d55e528edd5186004ec0691e1461faeab.tar.gz | |
An incompatibility has always existed between the format used for RSA
signatures and MDC2 using EVP or RSA_sign. This has become more apparent
when the dgst utility in OpenSSL 1.0.0 and later switched to using the
EVP_DigestSign functions which call RSA_sign.
This means that the signature format OpenSSL 1.0.0 and later used with
dgst -sign and MDC2 is incompatible with previous versions.
Add detection in RSA_verify so either format works.
Note: MDC2 is disabled by default in OpenSSL and very rarely used in practice.
Diffstat (limited to 'crypto/rsa')
| -rw-r--r-- | crypto/rsa/rsa_sign.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 2ccadb73d8..b6f6037ae0 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -199,6 +199,22 @@ int int_rsa_verify(int dtype, const unsigned char *m, i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); if (i <= 0) goto err; + /* Oddball MDC2 case: signature can be OCTET STRING. + * check for correct tag and length octets. + */ + if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) + { + if (rm) + { + memcpy(rm, s + 2, 16); + *prm_len = 16; + ret = 1; + } + else if(memcmp(m, s + 2, 16)) + RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + else + ret = 1; + } /* Special case: SSL signature */ if(dtype == NID_md5_sha1) { |