Problem/bug report for "bad decrypted len" error in OpenSSH

Nils Larsch larsch at
Tue Jun 17 18:38:35 EST 2003

Markus Friedl wrote:
> replace
>         if (len != hlen + oidlen) {
> with
>         if (len < hlen + oidlen) {
> instead of deleting lines.

Hi Markus,

are you sure this is correct ? As far as I understand PKCS#1
(in this case the RSASSA-PKCS1-v1_5-Verfiy (8.2.2) function)
should the signature verification return "invalid signature"
in this case (because the second encoded message would not
contain this additional byte). From the error messange:
sshd[1224] error: bad decrypted len: 36 != 20 + 15
and the fact that disabling this checks results in a
successful signature verification I guess that the decrypted
content has the form decrypted = DigestInfo || hash || x, where
x is a (unknown) byte. I think it's a bug in the signature
generation (the x byte shouldn't be there).


More information about the openssh-unix-dev mailing list