[openssl-users] Possible bug in DSA_verify() since CVE-2014-8275 patch (present in 1.0.1k and 1.0.1l)

Dr. Stephen Henson steve at openssl.org
Mon Jan 19 14:24:35 UTC 2015

On Mon, Jan 19, 2015, arnaud.mouiche at invoxia.com wrote:

> Indeed, in the streaming format I'm using, signature is stored on a
> fixed size field which is equal to DSA_size().
> padding with \x00 is used to complete the signature, and
> unfortunately, the real signature length was not stored, thinking it
> was redundant with the information stored in the ASN1 format.
> Thank you for helping me to point this flaw.

Thanks for the update.

The length information is encoded in the ASN.1 structrue but the fix for
CVE-2014-8275 means that the supplied buffer length now has to be precise:
it can't contain any trailing data.

FYI it is possible to retrieve the "real length" of the DSA signature if you
pad it in this way by decoding the result.

Something like this (note: untested):

const unsigned char *p = buf;
DSA_SIG *s = d2i_DSA_SIG(NULL, &p, buflen);
if (!s)
	/* Error */

real_sig_len = p - buf;

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list