[gnutls-dev] Buggy RSA/DSA signature verification

Ludovic Courtès ludovic.courtes at laas.fr
Mon Dec 18 18:28:35 CET 2006


There seems to be a bug in `_gnutls_pkcs1_rsa_verify_sig ()': Basically,
when verifying a DSA signature, it wrongfully assumes that the SHA1 hash
is located at `&hash_concat->data[16]'.  In some cases, as visible in
`_gnutls_verify_sig_params ()', the SHA1 hash is actually located
`&hash_concat->data[15]' instead, because the PKCS#1 algorithm
identifier for SHA1 is 15-octet-long, not 16.  In those cases,
`_gnutls_pkcs1_rsa_verify_sig ()' fails to verify the signature and
performs an off-by-one memory access.

I don't know what the best way to fix `_gnutls_pkcs1_rsa_verify_sig ()'
is.  Perhaps it could decode the header of HASH_CONCAT in order to
determine the exact location of the hash value.  Alternatively, since
the function is only used internally, we could change callers so that
they provide it directly with the hash value in the `GNUTLS_PK_DSA'

I'd be glad to help fix this based on your comments if you don't have
time to do it.


More information about the Gnutls-devel mailing list