[openssl-users] Possible bug in DSA_verify() since CVE-2014-8275 patch (present in 1.0.1k and 1.0.1l)
Dr. Stephen Henson
steve at openssl.org
Fri Jan 16 22:42:30 UTC 2015
On Fri, Jan 16, 2015, arnaud.mouiche at invoxia.com wrote:
> If you want to know about the signature, it was generated by signing the hash result
Do you have a code snippet of how you are generating the signature? That is
the code which calls DSA_sign()?
I can think of one way that could be wrong. If you are using DSA_size(key) as
the signature length instead of the length returned by DSA_sign() that will
fail under some circumstances. That's because DSA_size() returns the
maximum length of the signature whereas DSA_sign() returns the actual
length which may be less. I
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
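
The length mismatch described in the message above, as an added example (not code from the original message or from OpenSSL): a DSA signature is a DER SEQUENCE of two INTEGERs whose encoded length varies with the values of r and s, so a buffer declared with the maximum length can carry trailing bytes that a strict verifier rejects. All function names and the r/s values are constructed for illustration, and the strict check is a simplified model that only compares the outer length.

```c
#include <stdio.h>
#include <string.h>

/* Write one non-negative big-endian integer as a DER INTEGER; returns bytes written. */
static size_t der_put_int(unsigned char *out, const unsigned char *v, size_t n)
{
    while (n > 1 && v[0] == 0) { v++; n--; }      /* minimal form: drop leading zeros */
    size_t pad = (v[0] & 0x80) ? 1 : 0;           /* 0x00 prefix keeps the value positive */
    out[0] = 0x02;
    out[1] = (unsigned char)(n + pad);
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, v, n);
    return 2 + pad + n;
}

/* Encode SEQUENCE { INTEGER r, INTEGER s }. Short-form lengths only (q up to 256 bits). */
size_t dsa_sig_encode(unsigned char *out, const unsigned char *r, size_t rlen,
                      const unsigned char *s, size_t slen)
{
    size_t body = der_put_int(out + 2, r, rlen);
    body += der_put_int(out + 2 + body, s, slen);
    out[0] = 0x30;
    out[1] = (unsigned char)body;
    return 2 + body;
}

/* Worst case for a q of qbytes bytes: both integers need the 0x00 prefix. */
size_t dsa_sig_max_len(size_t qbytes) { return 2 + 2 * (2 + 1 + qbytes); }

/* Strict check: the outer SEQUENCE must account for every byte the caller passed. */
int dsa_sig_len_ok(const unsigned char *sig, size_t siglen)
{
    return siglen >= 2 && sig[0] == 0x30 && sig[1] < 0x80 && (size_t)sig[1] + 2 == siglen;
}

/* Constructed sample: 160-bit q, r has its top bit clear, s has it set. */
int demo_check(int pass_max_len)
{
    unsigned char r[20], s[20], buf[48] = {0};
    memset(r, 0x11, sizeof r);
    memset(s, 0x99, sizeof s);
    size_t actual = dsa_sig_encode(buf, r, sizeof r, s, sizeof s);
    return dsa_sig_len_ok(buf, pass_max_len ? dsa_sig_max_len(20) : actual);
}

int main(void)
{
    printf("max=%zu actual-len check=%d max-len check=%d\n",
           dsa_sig_max_len(20), demo_check(0), demo_check(1));
    return 0;
}
```

With real OpenSSL calls the same rule applies: keep the length that DSA_sign() writes back and pass that value, not DSA_size(key), to DSA_verify().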