An incompatibility has always existed between the format used for RSA (83cb7c46) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+7 −0

Original line number	Diff line number	Diff line
		@@ -267,6 +267,13 @@

		Changes between 1.0.0f and 1.0.1 [xx XXX xxxx]

		*) The format used for MDC2 RSA signatures is inconsistent between EVP
		and the RSA_sign/RSA_verify functions. This was made more apparent when
		OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
		those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
		the correct format in RSA_verify so both forms transparently work.
		[Steve Henson]

		*) Some servers which support TLS 1.0 can choke if we initially indicate
		support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
		encrypted premaster secret. As a workaround use the maximum pemitted

+16 −0

Original line number	Diff line number	Diff line
		@@ -182,6 +182,22 @@ int int_rsa_verify(int dtype, const unsigned char *m,
		i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);

		if (i <= 0) goto err;
		/* Oddball MDC2 case: signature can be OCTET STRING.
		* check for correct tag and length octets.
		*/
		if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10)
		{
		if (rm)
		{
		memcpy(rm, s + 2, 16);
		*prm_len = 16;
		ret = 1;
		}
		else if(memcmp(m, s + 2, 16))
		RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
		else
		ret = 1;
		}

		/* Special case: SSL signature */
		if(dtype == NID_md5_sha1) {