Re: [RFC PATCH] crypto: RSA padding transform

On 6 September 2015 at 23:17, Stephan Mueller <smueller@xxxxxxxxxx> wrote:
> Am Sonntag, 6. September 2015, 16:33:26 schrieb Andrzej Zaborowski:
>
> Hi Andrzej,
>
>>>> +     for (pos = 2; pos < child_req->dst_len; pos++)
>>>> +             if (dst[pos] == 0x00)
>>>> +                     break;
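Review bot: the loop as quoted only locates the first 0x00 after the two leading octets; nothing in these lines rejects a separator that arrives before eight padding octets (pos < 10) or a scan that reaches dst_len without finding one, both of which RFC 3447 treats as a decryption error, so a check such as `if (pos < 10 || pos >= child_req->dst_len) return -EINVAL;` should follow the loop. Breaking out at the first zero also makes the scan time depend on the position of the separator, so a full pass over dst that records the first zero without `break` keeps decryption timing independent of the padding.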
>>>
>>> What happens if the padding has a 0x00 in its pseudo random data?
>>
>>The pseudo random bytes must all be non-zero for the padding to be
>>unambiguous (RFC3447 iirc).  If there's a 0x00 in the first 8 bytes
>
> I see, I did not know that detail. Now, you use prandom_u32_max to generate
> the padding in case of encryption/signing. I do not see any code that filters
> out any 0x00 that may be generated by this call.

Specifically I use 1 + prandom_u32_max(255) which should give me
numbers > 0 although it can't be perfectly uniform.

Best regards
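An added example, not code from the patch or from anyone in this thread: a pad/unpad pair for the PKCS#1 v1.5 type 2 block discussed above, generating PS by rejecting and redrawing zero bytes (uniform over 1..255, unlike the 1 + prandom_u32_max(255) mapping) and, on the unpad side, enforcing the eight-octet minimum PS length from RFC 3447 with a full scan instead of a break at the first zero. The byte source is a constructed fixed-seed xorshift stand-in, not a CSPRNG, and the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PKCS1_MIN_PS_LEN 8  /* RFC 3447 7.2.1: PS is at least 8 octets */

/* Constructed demo byte source (xorshift32, fixed seed): NOT a cryptographic
 * RNG; real code must draw PS from the kernel/OS CSPRNG. Zero bytes are
 * rejected and redrawn, which keeps the distribution uniform over 1..255. */
static uint32_t demo_state = 0x9E3779B9u;
static uint8_t nonzero_byte(void)
{
    uint8_t b;
    do {
        demo_state ^= demo_state << 13;
        demo_state ^= demo_state >> 17;
        demo_state ^= demo_state << 5;
        b = (uint8_t)demo_state;
    } while (b == 0);
    return b;
}

/* EM = 0x00 || 0x02 || PS || 0x00 || M, k = modulus length in octets.
 * Returns 0, or -1 if M leaves no room for an 8-octet PS. */
int pkcs1_type2_pad(uint8_t *em, size_t k, const uint8_t *m, size_t mlen)
{
    size_t i, ps_len;
    if (mlen + 3 + PKCS1_MIN_PS_LEN > k)
        return -1;
    ps_len = k - mlen - 3;
    em[0] = 0x00;
    em[1] = 0x02;
    for (i = 0; i < ps_len; i++)
        em[2 + i] = nonzero_byte();
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, m, mlen);
    return 0;
}

/* Inverse: scans every byte (no early break), then rejects a missing
 * separator or a PS shorter than 8. Returns the message length or -1. */
long pkcs1_type2_unpad(const uint8_t *em, size_t k, uint8_t *m, size_t mmax)
{
    size_t pos, sep = 0, found = 0, bad;
    if (k < 3 + PKCS1_MIN_PS_LEN)
        return -1;
    for (pos = 2; pos < k; pos++)
        if (em[pos] == 0x00 && !found) { sep = pos; found = 1; }
    bad = (em[0] != 0x00) | (em[1] != 0x02) | !found
        | (sep < 2 + PKCS1_MIN_PS_LEN) | (k - sep - 1 > mmax);
    if (bad)
        return -1;
    memcpy(m, em + sep + 1, k - sep - 1);
    return (long)(k - sep - 1);
}
```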