[43900] in cryptography@c2.net mail archive

Re: Why the exponent 3 error happened:

daemon@ATHENA.MIT.EDU ("Hal Finney")
Sun Sep 17 11:25:49 2006

X-Original-To: cryptography@metzdowd.com
To: cryptography@metzdowd.com
Date: Sat, 16 Sep 2006 21:00:57 -0700 (PDT)
From: hal@finney.org ("Hal Finney")

For another example of just how badly this kind of thing can be done,
look at this code excerpt from Firefox version 1.5.0.7, which is the
fixed version.  There are two PKCS-1 parsing functions, one which returns
the hash and its prefix, the other of which is given the hash and asked
whether it matches the RSA-signed value.  This is from the latter one:

    /*
     * check the padding that was used
     */
    if (buffer[0] != 0 || buffer[1] != 1)
        goto loser;
    for (i = 2; i < modulus_len - hash_len - 1; i++) {
        if (buffer[i] == 0)
            break;
        if (buffer[i] != 0xff)
            goto loser;
    }

    /*
     * make sure we get the same results
     */
    if (PORT_Memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0)
        goto loser;

    PORT_Free(buffer);
    return SECSuccess;

Here, buffer holds the result of the RSA exponentiation, of size
modulus_len, and we are passed hash of size hash_len to compare.

I don't think this code is used, fortunately.  It will accept anything
of the form 0, 1, 0, garbage, hash.  Just goes to show how easy it is
to get this kind of parsing wrong.

(Note, this is from mozilla/security/nss/lib/softoken/rsawrapr.c:RSA_CheckSign())

Hal Finney
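
Added example, not part of the message above and not NSS code: the loop logic from the quoted excerpt (`lax_check`) next to a check that pins the zero separator to the byte immediately before the hash and requires 0xff in every padding byte (`strict_check`). The function names, the 32-byte block, and the 4-byte stand-in hash are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Lax check, same logic as the excerpt quoted in the message. */
static int lax_check(const unsigned char *buffer, size_t modulus_len,
                     const unsigned char *hash, size_t hash_len)
{
    size_t i;
    if (buffer[0] != 0 || buffer[1] != 1)
        return 0;
    for (i = 2; i < modulus_len - hash_len - 1; i++) {
        if (buffer[i] == 0)
            break;              /* stops at the first zero, wherever it is */
        if (buffer[i] != 0xff)
            return 0;
    }
    return memcmp(buffer + modulus_len - hash_len, hash, hash_len) == 0;
}

/* Strict check: 00 01 FF..FF 00 hash, with the separator pinned in place. */
static int strict_check(const unsigned char *buffer, size_t modulus_len,
                        const unsigned char *hash, size_t hash_len)
{
    size_t i, sep;
    if (modulus_len < hash_len + 11)   /* 00 01, >= 8 pad bytes, 00 */
        return 0;
    sep = modulus_len - hash_len - 1;
    if (buffer[0] != 0 || buffer[1] != 1)
        return 0;
    for (i = 2; i < sep; i++)
        if (buffer[i] != 0xff)
            return 0;
    if (buffer[sep] != 0)
        return 0;
    return memcmp(buffer + sep + 1, hash, hash_len) == 0;
}

/* Constructed sample: 32-byte block, 4-byte stand-in hash. */
static const unsigned char sample_hash[4] = { 0xde, 0xad, 0xbe, 0xef };

static void make_block(unsigned char *out, int well_formed)
{
    memset(out, well_formed ? 0xff : 0x41, 32);  /* 0x41 = filler bytes */
    out[0] = 0; out[1] = 1;
    out[well_formed ? 27 : 2] = 0;               /* separator position */
    memcpy(out + 28, sample_hash, 4);
}
```

Both functions accept the well-formed block; only `strict_check` rejects the block whose padding is 0, 1, 0 followed by filler bytes.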
