[openssl-users] Possible bug in DSA_verify() since CVE-2014-8275 patch (present in 1.0.1k and 1.0.1l)

arnaud.mouiche at invoxia.com arnaud.mouiche at invoxia.com
Mon Jan 19 13:31:54 UTC 2015

Sorry, I didn't get my brain last Friday. I was thinking the length 
enforcement concerns the public key, whereas it concerns the 
signature... stupid.

Indeed, in the streaming format I'm using, the signature is stored in a 
fixed-size field whose size is equal to DSA_size().
Padding with \x00 is used to complete the signature, and unfortunately, 
the real signature length was not stored, thinking it was redundant with 
the information stored in the ASN1 format.

Thank you for helping me to point out this flaw.


On 16/01/2015 23:42, Dr. Stephen Henson wrote:
> On Fri, Jan 16, 2015, arnaud.mouiche at invoxia.com wrote:
>> If you want to know about the signature, it was generated by signing the hash result
> Do you have a code snippet of how you are generating the signature? That is
> the code which calls DSA_sign()?
> I can think of one way that could be wrong. If you are using DSA_size(key) as
> the signature length instead of the length returned by DSA_sign() that will
> fail under some circumstances. That's because DSA_size() returns the
> maximum length of the signature whereas DSA_sign() returns the actual
> length which may be less. I
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
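
An added example (not code from this thread or from OpenSSL) for the situation described above: recovering the real signature length from the ASN.1 header of a zero-padded fixed-size field, so that this length, not DSA_size(), is what gets passed to DSA_verify(). The helper name `der_sig_len` and the sample bytes are constructed for illustration, and it assumes each INTEGER uses a short-form length.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: 10-byte DER SEQUENCE { INTEGER r, INTEGER s } with toy
 * values, zero-padded to a 16-byte field (stand-in for a DSA_size() slot). */
static const unsigned char sample_field[16] = {
    0x30, 0x08, 0x02, 0x01, 0x05, 0x02, 0x03, 0x00, 0x9A, 0x01
};

/* Hypothetical helper: return the encoded length of the signature at the
 * start of a zero-padded field, or 0 if the field is not
 * SEQUENCE { INTEGER, INTEGER } followed only by 0x00 padding.
 * Assumption: each INTEGER has a short-form length (q of at most 256 bits). */
size_t der_sig_len(const unsigned char *field, size_t field_len)
{
    size_t hdr, total, pos, i;
    int k;

    if (field == NULL || field_len < 2 || field[0] != 0x30)
        return 0;                          /* not a SEQUENCE */
    if (field[1] < 0x80)
        hdr = 2;                           /* short-form length */
    else if (field[1] == 0x81 && field_len >= 3 && field[2] >= 0x80)
        hdr = 3;                           /* minimal one-byte long form */
    else
        return 0;                          /* indefinite or non-DER length */
    total = hdr + field[hdr - 1];
    if (total > field_len)
        return 0;                          /* claims more than the field holds */
    for (pos = hdr, k = 0; k < 2; k++) {   /* exactly two INTEGERs: r then s */
        if (total - pos < 3 || field[pos] != 0x02 ||
            field[pos + 1] == 0 || field[pos + 1] >= 0x80)
            return 0;
        pos += 2 + (size_t)field[pos + 1];
        if (pos > total)
            return 0;                      /* INTEGER runs past the SEQUENCE */
    }
    if (pos != total)
        return 0;                          /* extra data inside the SEQUENCE */
    for (i = total; i < field_len; i++)
        if (field[i] != 0)
            return 0;                      /* trailing bytes are not padding */
    return total;
}

int main(void)
{
    printf("signature length: %zu\n",
           der_sig_len(sample_field, sizeof sample_field));
    return 0;
}
```

Storing the length returned by DSA_sign() next to the signature avoids this parsing altogether.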
