[openssl-users] Possible bug in DSA_verify() since CVE-2014-8275 patch (present in 1.0.1k and 1.0.1l)

arnaud.mouiche at invoxia.com arnaud.mouiche at invoxia.com
Fri Jan 16 19:19:36 UTC 2015 

Le 16/01/2015 19:57, Dr. Stephen Henson a écrit :
> On Fri, Jan 16, 2015, arnaud.mouiche at invoxia.com wrote:
>
>> Hi all.
>>
>> I was just checking the latest 1.0.1l version (running previously
>> the 1.0.1i).
>> some DSA signature check done with DSA_verify() are not working any
>> more, for at least one private/public key I'm using.
>>
>> The public key was generated from the private key, long time ago, as
>> usual with command "openssl dsa -in key.priv -out key.pub -pubout"
>> So, it is not a forged key.
>>
>> Here is the various things I tried / see.
>> I someone can tell me if this is an openssl issue, or simply the way
>> I'm using openssl lib, I will appreciate.
>>
>> 1) I imagine first that old generated keys are no more valid one to
>> enforce the CVE-2014-8275 warning, yet,
>> generating a new public key with the new openssl version lead to the
>> same issue.
>>
> No this should have no effect on previous keys.
>
> CVE-2014-8275 makes signature checking for DSA/ECDSA more strict and some
> invalid encodings are no longer tolerated.
>
> What produced the signature that is now being rejected? Is it OpenSSL or some
> other library? How are you obtaining the length of the signature?

DSA_verify() stops at the public key length check, and don't even check the signature.
I'm only using openssl tools/lib
- the private key was generate few years ago with openssl (don't remember the version)
- the public key was generated with openssl with "openssl dsa -in key.priv -out key.pub -pubout"
and the resulting public key file, is rejected by DSA_verify() (even if I'm using last 1.0.1l version to generate this public key file
- the signature is DSA signing of a sha256 hash

If you want to know about the signature, it was generating by signing the hash result

>
> There are ways to workaround the stricter checks by reencoding the signature
> yourself or calling DSA_do_verify after decoding the signature yourself.
I have no issue to hack my tools to make it work by calling 
DSA_do_verify() directly (ie. skipping the public key length)
Yet, I worry about any other software (not mine) that may failed for the 
same reasons, whereas working fine before.
Again, the public key was generated by openssl itself. It seems wrong 
that openssl didn't like it now.

Regards,
arnaud
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list