gnutls-devel

[gnutls-dev] Buggy RSA/DSA signature verification


From: Ludovic Courtès
Subject: [gnutls-dev] Buggy RSA/DSA signature verification
Date: Mon, 18 Dec 2006 18:28:35 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/21.4 (gnu/linux)

Hi,

There seems to be a bug in `_gnutls_pkcs1_rsa_verify_sig ()': Basically,
when verifying a DSA signature, it wrongfully assumes that the SHA1 hash
is located at `&hash_concat->data[16]'.  In some cases, as visible in
`_gnutls_verify_sig_params ()', the SHA1 hash is actually located at
`&hash_concat->data[15]' instead, because the PKCS#1 algorithm
identifier for SHA1 is 15 octets long, not 16.  In those cases,
`_gnutls_pkcs1_rsa_verify_sig ()' fails to verify the signature and
performs an off-by-one memory access.

I don't know what the best way to fix `_gnutls_pkcs1_rsa_verify_sig ()'
is.  Perhaps it could decode the header of HASH_CONCAT in order to
determine the exact location of the hash value.  Alternatively, since
the function is only used internally, we could change callers so that
they provide it directly with the hash value in the `GNUTLS_PK_DSA'
case.

I'd be glad to help fix this based on your comments if you don't have
time to do it.

Thanks,
Ludovic.
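
One way to decode the header of HASH_CONCAT and find the hash instead of assuming a fixed offset, as the message suggests. This is an added example, not GnuTLS code and not from the original post; `der_hdr` and `sha1_offset_in_digestinfo` are hypothetical names, and it goes slightly beyond the message by also accepting a header that omits the NULL parameters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Content octets of the SHA-1 OID 1.3.14.3.2.26. */
static const uint8_t SHA1_OID[] = { 0x2b, 0x0e, 0x03, 0x02, 0x1a };

/* Read one DER header with a short-form length (enough for a DigestInfo).
 * Requires *pos <= len.  On success *pos is at the content, *clen its size. */
static int der_hdr(const uint8_t *b, size_t len, size_t *pos, uint8_t tag, size_t *clen)
{
    if (len - *pos < 2 || b[*pos] != tag || (b[*pos + 1] & 0x80))
        return -1;
    *clen = b[*pos + 1];
    *pos += 2;
    return *clen <= len - *pos ? 0 : -1;
}

/* Offset of the 20-octet SHA-1 value inside a DigestInfo, or -1 if the
 * buffer is not a well-formed SHA-1 DigestInfo (hypothetical helper). */
long sha1_offset_in_digestinfo(const uint8_t *b, size_t len)
{
    size_t pos = 0, seq, alg, n, alg_end;

    if (der_hdr(b, len, &pos, 0x30, &seq) || seq != len - pos)  /* DigestInfo */
        return -1;
    if (der_hdr(b, len, &pos, 0x30, &alg))              /* AlgorithmIdentifier */
        return -1;
    alg_end = pos + alg;
    if (der_hdr(b, alg_end, &pos, 0x06, &n) || n != sizeof SHA1_OID
        || memcmp(b + pos, SHA1_OID, n) != 0)
        return -1;
    pos += n;
    if (pos != alg_end                                  /* optional NULL params */
        && (der_hdr(b, alg_end, &pos, 0x05, &n) || n != 0 || pos != alg_end))
        return -1;
    if (der_hdr(b, len, &pos, 0x04, &n) || n != 20 || pos + n != len)  /* digest */
        return -1;
    return (long)pos;
}

int main(void)
{
    /* Constructed sample: 15-octet SHA-1 header followed by 20 zero octets. */
    uint8_t di[35] = { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
                       0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
    printf("hash offset: %ld\n", sha1_offset_in_digestinfo(di, sizeof di));
    return 0;
}
```

A buffer that is not a DigestInfo at all is rejected rather than read at a guessed offset, so the caller can tell the two input layouts apart.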
