GeneralAuthenticate - RSA signature clobbering #2

Closed
makinako opened this issue Dec 20, 2017 · 1 comment

@makinako
Owner

The General Authenticate command takes a number of BER-TLV tags/objects as arguments (Request, Response, Challenge, Witness). When multiple tags are supplied, there is no clear direction as to which order these should be in, and this is evident in various middleware implementations.
When an INTERNAL AUTHENTICATE is performed (which is used for all RSA cryptographic operations), GeneralAuthenticate expects a Challenge and Response (request) to be presented.
A bug exists in OpenFIPS201 where if the Challenge is received before the response request, part of the resulting ciphertext may be clobbered. This is because the same buffer is used for the input and output.
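
A sketch of order-independent handling for the situation described in this issue, added here as an illustration and not taken from OpenFIPS201: it locates every tag first, copies the challenge out of the shared buffer, and only then writes the response. The tag values 0x7C, 0x81 and 0x82 are those of the PIV dynamic authentication template; the function names are hypothetical, and `toy_private_op` uses a hash as a stand-in for the RSA operation.

```python
# Added illustration, not OpenFIPS201 source; toy_private_op is a constructed stand-in.
import hashlib

TEMPLATE, CHALLENGE, RESPONSE = 0x7C, 0x81, 0x82  # PIV dynamic authentication template tags

def tlv(tag, value):
    """Encode one BER-TLV object with a definite length of up to 0xFFFF."""
    n = len(value)
    head = [n] if n < 0x80 else [0x81, n] if n < 0x100 else [0x82, n >> 8, n & 0xFF]
    return bytes([tag] + head) + bytes(value)

def read_tlv(buf, pos, end):
    """Return (tag, value_offset, value_length) for the object at pos."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length, off = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next 1 or 2 bytes hold the length
        count = length & 0x7F
        if count not in (1, 2) or off + count > end:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    if off + length > end:
        raise ValueError("value overruns buffer")
    return tag, off, length

def toy_private_op(block):
    """Stand-in for the RSA private-key operation: output length equals input length."""
    return hashlib.shake_256(bytes(block)).digest(len(block))

def internal_authenticate(buf, length):
    """Handle the command in buf[:length]; write the response into buf, return its length."""
    tag, pos, n = read_tlv(buf, 0, length)
    if tag != TEMPLATE:
        raise ValueError("expected dynamic authentication template")
    end, found = pos + n, {}
    while pos < end:                      # pass 1: locate every tag, write nothing
        t, off, n = read_tlv(buf, pos, end)
        if t in found:
            raise ValueError("duplicate tag")
        found[t] = (off, n)
        pos = off + n
    if CHALLENGE not in found or found.get(RESPONSE, (0, 1))[1] != 0:
        raise ValueError("need a challenge and an empty response request")
    off, n = found[CHALLENGE]
    challenge = bytes(buf[off:off + n])   # snapshot the input before any write to buf
    out = tlv(TEMPLATE, tlv(RESPONSE, toy_private_op(challenge)))
    buf[:len(out)] = out                  # pass 2: only now reuse the shared buffer
    return len(out)
```

Because the challenge is copied before the first write, the response is identical whichever of the two tags the middleware sends first.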

@makinako makinako added the bug label Dec 20, 2017
@makinako makinako self-assigned this Dec 20, 2017
@makinako
Owner Author

makinako commented Jan 8, 2018

This issue has been resolved. Until beta6 is released this is not included in the latest binary release.

@makinako makinako closed this as completed Jan 8, 2018