[openssl-users] Possible bug in DSA_verify() since CVE-2014-8275 patch (present in 1.0.1k and 1.0.1l)

[Dr. Stephen Henson]

On Fri, Jan 16, 2015, arnaud.mouiche at invoxia.com wrote:

> Hi all.
> 
> I was just checking the latest 1.0.1l version (running previously
> the 1.0.1i).
> some DSA signature check done with DSA_verify() are not working any
> more, for at least one private/public key I'm using.
> 
> The public key was generated from the private key, long time ago, as
> usual with command "openssl dsa -in key.priv -out key.pub -pubout"
> So, it is not a forged key.
> 
> Here is the various things I tried / see.
> I someone can tell me if this is an openssl issue, or simply the way
> I'm using openssl lib, I will appreciate.
> 
> 1) I imagine first that old generated keys are no more valid one to
> enforce the CVE-2014-8275 warning, yet,
> generating a new public key with the new openssl version lead to the
> same issue.
> 

No this should have no effect on previous keys.

CVE-2014-8275 makes signature checking for DSA/ECDSA more strict and some 
invalid encodings are no longer tolerated.

What produced the signature that is now being rejected? Is it OpenSSL or some
other library? How are you obtaining the length of the signature?

There are ways to workaround the stricter checks by reencoding the signature 
yourself or calling DSA_do_verify after decoding the signature yourself.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org