PuTTY bug rsa-sha2-padding

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Privacy | Changes | Wishlist

summary: RSA signatures using SHA-2 hash lacked required padding
class: bug: This is clearly an actual problem we want fixed.
absent-in: 1243be890a9c9f838dd3d1c2a0d21c06c44b727c
present-in: 33de96ffa96c19955a4f078a9235e0c7284670dd 0.75 0.76 0.77 0.78 0.79 0.80 0.81
fixed-in: a5bcf3d384e1bf15a51a6923c3724cbbee022d8e (0.82)

The original specification for RSA signatures in SSH-2, with the algorithm name ssh-rsa and including a SHA-1 hash of the message being signed, specified that the RSA signature integer is transmitted without padding: that is, with no leading zero bytes. So if the signature integer fits into fewer bytes than the key modulus – which happens somewhere between 1/128 and 1/256 of the time, depending on the modulus itself – then the signature would be one byte shorter than the rest of the time.

The newer specification for RSA which updated it to SHA-2, with algorithm names rsa-sha2-256 and rsa-sha2-512, decided (I think rightly) that that was a bad design decision, and that it was better to require the signature to be the same length as the modulus always, in particular so that traffic analysis didn't give a clue about when this shortening had happened.

We didn't notice this change of the spec in amongst the more obvious changes, so PuTTY 0.81 and before still sometimes shorten RSA signatures. Most servers tolerate this, but just occasionally a picky one shows up, and it's not wrong to complain.

One particular picky server is the one in the Go cryptography libraries. This server will close the SSH connection without any explanation or error message if it receives a short RSA signature on a SHA-2 hash.


If you want to comment on this web site, see the Feedback page.
Audit trail for this bug.
(last revision of this bug record was at 2024-11-17 18:43:50 +0000)