crypto/rsa: pss may have wrong salt length #42741

zhangzhanli · 2020-11-20T09:18:16Z

crypto/rsa/pss.go : 272 in latest version of go

When PSSOptions's saltLength is PSSSaltLengthAuto, we just try to maximize the length of salt. But there are some problems with it where the bit length of N of private key is congruent to 1 module 8. (i.e. bitlen(N) == 8k + 1) . Under these situations, when checking emLen in crypto/rsa/pss.go : 50 which is equal to hLen+sLen+1, we will alway get an error "key size too small for PSS signature". And I didn't see there are such problems with openssl. So, maybe we need a change?

martisch · 2020-11-20T10:43:22Z

Cc @FiloSottile

FiloSottile · 2020-12-02T01:18:24Z

Yep, this is broken and has been broken at least since Go 1.13, so not a Go 1.16 fix. Scheduling for 1.17, thank you!

https://play.golang.org/p/hgTw2zJW2OI

zhangzhanli changed the title ~~rsa pss may has wrong salt length~~ rsa pss may have wrong salt length Nov 20, 2020

martisch changed the title ~~rsa pss may have wrong salt length~~ crypto/rsa: pss may have wrong salt length Nov 20, 2020

martisch added the NeedsInvestigation label Nov 20, 2020

FiloSottile added this to the Go1.17 milestone Dec 2, 2020

golang / go

crypto/rsa: pss may have wrong salt length #42741

crypto/rsa: pss may have wrong salt length #42741

zhangzhanli commented Nov 20, 2020 •

edited

martisch commented Nov 20, 2020

FiloSottile commented Dec 2, 2020

golang / go

crypto/rsa: pss may have wrong salt length #42741

crypto/rsa: pss may have wrong salt length #42741

Comments

zhangzhanli commented Nov 20, 2020 • edited

martisch commented Nov 20, 2020

FiloSottile commented Dec 2, 2020

zhangzhanli commented Nov 20, 2020 •

edited