[gnutls-dev] Buggy RSA/DSA signature verification

Simon Josefsson simon at josefsson.org
Wed Dec 27 21:31:07 CET 2006 

ludovic.courtes at laas.fr (Ludovic Courtès) writes:

> Hi,
>
> There seems to be a bug in `_gnutls_pkcs1_rsa_verify_sig ()': Basically,
> when verifying a DSA signature, it wrongfully assumes that the SHA1 hash
> is located at `&hash_concat->data[16]'.  In some cases, as visible in
> `_gnutls_verify_sig_params ()', the SHA1 hash is actually located
> `&hash_concat->data[15]' instead, because the PKCS#1 algorithm
> identifier for SHA1 is 15-octet-long, not 16.  In those cases,
> `_gnutls_pkcs1_rsa_verify_sig ()' fails to verify the signature and
> performs an off-by-one memory access.

Ah, right.  An important condition for this to happen is that TLS 1.2
is used, though.

> I don't know what the best way to fix `_gnutls_pkcs1_rsa_verify_sig ()'
> is.  Perhaps it could decode the header of HASH_CONCAT in order to
> determine the exact location of the hash value.  Alternatively, since
> the function is only used internally, we could change callers so that
> they provide it directly with the hash value in the `GNUTLS_PK_DSA'
> case.
>
> I'd be glad to help fix this based on your comments if you don't have
> time to do it.

I think we should change both the function parameters and the name of
the function -- it is quite confusing for the function to be called
_gnutls_pkcs1_rsa_verify_sig when it is actually responsible for
verifying both RSA and DSA signatures.  I have installed the patch
below.

When we support more than SHA-1, this will have to be revisited again,
but at least this will solve the immediate problem.

Thanks,
Simon

--- gnutls_sig.c	26 Nov 2006 12:10:10 +0100	2.54
+++ gnutls_sig.c	27 Dec 2006 21:28:44 +0100	
@@ -259,9 +259,10 @@
 
 
 static int
-_gnutls_pkcs1_rsa_verify_sig (gnutls_cert * cert,
+_gnutls_verify_sig (gnutls_cert * cert,
 			      const gnutls_datum_t * hash_concat,
-			      gnutls_datum_t * signature)
+		    gnutls_datum_t * signature,
+		    size_t sha1pos)
 {
   int ret;
   gnutls_datum_t vdata;
@@ -302,7 +303,7 @@
       break;
     case GNUTLS_PK_DSA:
 
-      vdata.data = &hash_concat->data[16];
+      vdata.data = &hash_concat->data[sha1pos];
       vdata.size = 20;		/* sha1 */
 
       /* verify signature */
@@ -380,7 +381,7 @@
   dconcat.data = concat;
   dconcat.size = 20 + 16;	/* md5+ sha */
 
-  ret = _gnutls_pkcs1_rsa_verify_sig (cert, &dconcat, signature);
+  ret = _gnutls_verify_sig (cert, &dconcat, signature, 16);
   if (ret < 0)
     {
       gnutls_assert ();
@@ -461,7 +462,7 @@
 
   dconcat.data = concat;
 
-  ret = _gnutls_pkcs1_rsa_verify_sig (cert, &dconcat, signature);
+  ret = _gnutls_verify_sig (cert, &dconcat, signature, dconcat.size - 20);
   if (ret < 0)
     {
       gnutls_assert ();

More information about the Gnutls-devel mailing list