Invalid range check in DSA signature verification #286
Comments
Combined with the fact that the modular inverse implementation returns 0 when the inverse does not exist, this allows for easy, universal DSA signature verification bypass.
My suggested fix is to
To note, this vulnerability was found by Daniel Bleichenbacher of Google; I'm merely reporting this.
Noted. Tell Daniel thanks and that he is owed a beer by whiteout :)
I created a pull request with the fix. #288
r and s parameters in DSA should satisfy the condition: `0 < r′ < q` and `0 < s′ < q`, see e.g. FIPS 186-4 4.7.

Instead you're checking `0 <= r′ <= q` and `0 <= s′ <= q` (https://github.com/openpgpjs/openpgpjs/blob/master/src/crypto/public_key/dsa.js#L105-L111)

Edited: This vulnerability was found by Daniel Bleichenbacher of Google.
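Added example, not code from this issue or from openpgpjs: a small BigInt DSA verifier that applies the strict `0 < r < q`, `0 < s < q` check and uses a modular inverse that throws rather than returning 0. The toy parameters, the function names and the pre-reduced digest `z` are assumptions made for illustration.

```javascript
// Constructed toy parameters (far too small for real use): q | p-1, g has order q.
const PUB = { p: 23n, q: 11n, g: 4n, y: 18n }; // y = g^3 mod p

// Range test as described in the issue: wrongly accepts 0 and q.
const inRangeLax = (v, q) => v >= 0n && v <= q;
// Range test the issue asks for: 0 < v < q.
const inRangeStrict = (v, q) => v > 0n && v < q;

// Square-and-multiply modular exponentiation.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Extended Euclid. Throws instead of returning 0 when no inverse exists.
function modInverse(a, m) {
  let [r0, r1] = [m, ((a % m) + m) % m];
  let [t0, t1] = [0n, 1n];
  while (r1 !== 0n) {
    const quot = r0 / r1;
    [r0, r1] = [r1, r0 - quot * r1];
    [t0, t1] = [t1, t0 - quot * t1];
  }
  if (r0 !== 1n) throw new RangeError("no modular inverse");
  return ((t0 % m) + m) % m;
}

// z is the message digest already converted to an integer (assumption).
function verify({ p, q, g, y }, z, r, s) {
  // Reject out-of-range values before any arithmetic touches them.
  if (!inRangeStrict(r, q) || !inRangeStrict(s, q)) return false;
  let w;
  try { w = modInverse(s, q); } catch { return false; } // defence in depth
  const u1 = (z * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}
```

The inverse failing loudly matters independently of the range check: a verifier should never continue with a sentinel value where a mathematical precondition was violated.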