libgcrypt P256 signature malleability via weak DER enforcement
Werner Koch
wk at gnupg.org
Thu Jan 15 15:16:04 CET 2026
On Wed, 14 Jan 2026 16:52, Jeffrey Walton said:
> If you can provide a non-trivial Proof of Concept for a DoS or a wild
> memory write, then I would like to see it.
Yes, this would trigger action here on our site. Gniibe documented this
as https://dev.gnupg.org/T8032 and I added this comment:
Some historic integer encoding glitches from Peter Gutmann's style guide:

  Some Microsoft software will generate negative values about 50% of the time
  whenever it encodes anything as an INTEGER because it ignores the fact that
  the top bit of an integer is the sign bit (this is still occurring in
  programs released as recently as early 1998).

  Telesec:

  The certificates encode INTEGER values incorrectly by setting the high bit,
  which makes them negative values. This is particularly problematic with RSA
  keys since they use a hardwired exponent of 3,221,225,473 (!!!) which always
  has the high bit set (0xC0000001), so all the RSA certificates have invalid
  encodings. This was corrected in late 1999.

  The encoding of the Certificate may follow the BER rather than the DER. At
  least one implementation uses the indefinite-length encoding form for the
  SEQUENCE.
And I don't expect that everything is correct now. As long as we
don't have a clear security issue here, we should not add extra
constraints on DER or even BER parsing.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
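The two encoding glitches quoted above (an INTEGER that decodes as negative because the encoder ignored the sign bit, and a SEQUENCE using BER's indefinite-length form) are easy to reproduce and to detect. The checker below is an added example, not libgcrypt's parser or anything from the thread; the byte strings it builds are constructed for illustration, and the 3,221,225,473 exponent (0xC0000001) is the Telesec value from the quote. It shows why strict DER rules (minimal lengths, sign-correct two's-complement INTEGERs) reject such inputs while a lenient BER reader accepts them.

```python
"""Strict DER checks for the INTEGER and length glitches described in
Peter Gutmann's style guide. Added example; not libgcrypt code.
All sample bytes below are constructed for illustration."""
from typing import Optional, Tuple

TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30
INDEFINITE = 0x80


def read_length(data: bytes, pos: int) -> Tuple[Optional[int], int]:
    """Parse the length octets at data[pos]. Returns (length, next_pos);
    length is None for the indefinite form (0x80), which BER permits but
    DER forbids. Raises ValueError on non-minimal long-form lengths."""
    first = data[pos]
    if first == INDEFINITE:
        return None, pos + 1
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n > 4:
        raise ValueError("unsupported length-of-length %d" % n)
    raw = data[pos + 1:pos + 1 + n]
    if len(raw) != n:
        raise ValueError("truncated length")
    length = int.from_bytes(raw, "big")
    # DER requires the shortest form: no leading zero octets, and the long
    # form only when the value does not fit in seven bits.
    if raw[0] == 0 or length < 0x80:
        raise ValueError("non-minimal length encoding (BER, not DER)")
    return length, pos + 1 + n


def length_is_der(data: bytes, pos: int) -> bool:
    """True if the length at data[pos] is definite and minimally encoded."""
    try:
        return read_length(data, pos)[0] is not None
    except ValueError:
        return False


def check_integer(tlv: bytes) -> dict:
    """Inspect one INTEGER TLV: decode it as two's complement (as DER
    defines it) and report whether it came out negative and whether the
    content octets are minimal."""
    if not tlv or tlv[0] != TAG_INTEGER:
        raise ValueError("not an INTEGER")
    length, pos = read_length(tlv, 1)
    if length is None:
        raise ValueError("INTEGER cannot use indefinite length")
    body = tlv[pos:pos + length]
    if length == 0 or len(body) != length:
        raise ValueError("bad INTEGER length")
    value = int.from_bytes(body, "big", signed=True)
    # A leading 00 before a clear top bit, or FF before a set top bit,
    # is redundant and therefore not DER.
    minimal = not (length > 1 and (
        (body[0] == 0x00 and body[1] & 0x80 == 0) or
        (body[0] == 0xFF and body[1] & 0x80 != 0)))
    return {"value": value, "negative": value < 0, "minimal": minimal}


def encode_length(n: int) -> bytes:
    """Minimal DER length octets."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_der_integer(n: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER: a 0x00 octet is
    prepended exactly when the magnitude's top bit is set, which is the
    step the buggy encoders in the quote skipped."""
    if n < 0:
        raise ValueError("only non-negative values in this example")
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return bytes([TAG_INTEGER]) + encode_length(len(body)) + body


def sequence_uses_indefinite_length(data: bytes) -> bool:
    """True when a SEQUENCE uses the BER indefinite form (30 80 ... 00 00)."""
    if len(data) < 2 or data[0] != TAG_SEQUENCE:
        raise ValueError("not a SEQUENCE")
    length, _ = read_length(data, 1)
    return length is None


# Constructed samples around the Telesec exponent 3,221,225,473 = 0xC0000001.
TELESEC_EXPONENT = 0xC0000001
GOOD = encode_der_integer(TELESEC_EXPONENT)                    # 02 05 00 C0 00 00 01
BROKEN = bytes([TAG_INTEGER, 4]) + bytes.fromhex("C0000001")   # sign bit ignored
INDEFINITE_SEQ = bytes([TAG_SEQUENCE, INDEFINITE]) + GOOD + b"\x00\x00"

if __name__ == "__main__":
    print(GOOD.hex(), check_integer(GOOD))
    print(BROKEN.hex(), check_integer(BROKEN))
    print(INDEFINITE_SEQ.hex(), sequence_uses_indefinite_length(INDEFINITE_SEQ))
```

Run it directly: the correctly encoded exponent decodes to the expected positive value, the four-octet version decodes to a negative number (the Microsoft and Telesec glitch), and the 30 80 SEQUENCE is reported as indefinite-length. A parser that wants to accept such historic certificates has to relax exactly these checks, which is the trade-off the thread is discussing.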