Possible bug in DSA_verify() since CVE-2014-8275 patch (present in 1.0.1k and 1.0.1l)

On Fri, Jan 16, 2015, arnaud.mouiche at invoxia.com wrote:

> 
> 
> If you want to know about the signature, it was generated by signing the hash result
> 

Do you have a code snippet of how you are generating the signature? That is
the code which calls DSA_sign()?

I can think of one way that could be wrong. If you are using DSA_size(key) as
the signature length instead of the length returned by DSA_sign(), that will
fail under some circumstances. That's because DSA_size() returns the
maximum length of the signature whereas DSA_sign() returns the actual
length which may be less. I

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
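
Added example, not part of the original message and not OpenSSL code: a self-contained C model of the length mismatch described in the reply above. It assumes a verifier that requires the supplied length to equal the DER encoding's own length; the helper names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Return the total length (header + content) of the DER SEQUENCE at buf,
 * or 0 if the header is malformed or the content overruns buflen. */
size_t der_seq_total_len(const unsigned char *buf, size_t buflen)
{
    size_t hdr = 2, content;

    if (buflen < 2 || buf[0] != 0x30)
        return 0;
    if (buf[1] < 0x80) {
        content = buf[1];                 /* short-form length */
    } else if (buf[1] == 0x81 && buflen >= 3 && buf[2] >= 0x80) {
        content = buf[2];                 /* long form, one length byte */
        hdr = 3;
    } else {
        return 0;                         /* larger forms not needed here */
    }
    if (content > buflen - hdr)
        return 0;
    return hdr + content;
}

/* Strict check (assumed verifier behaviour): the caller's length must
 * match the encoding exactly, so trailing bytes are rejected. */
int siglen_is_exact(const unsigned char *buf, size_t siglen)
{
    size_t n = der_seq_total_len(buf, siglen);
    return n != 0 && n == siglen;
}

/* Constructed sample: SEQUENCE { INTEGER r, INTEGER s } with 3-byte r and s,
 * in a larger zero-padded buffer, as when the buffer is allocated at the
 * maximum size. Illustrative bytes, not a real signature. */
static const unsigned char sample_buf[16] = {
    0x30, 0x0a,
    0x02, 0x03, 0x01, 0x02, 0x03,
    0x02, 0x03, 0x04, 0x05, 0x06
};
#define SAMPLE_ACTUAL_LEN 12                  /* length the signing call reports */
#define SAMPLE_MAX_LEN    sizeof(sample_buf)  /* length a maximum-size query reports */

int main(void)
{
    printf("actual length accepted:  %d\n", siglen_is_exact(sample_buf, SAMPLE_ACTUAL_LEN));
    printf("maximum length accepted: %d\n", siglen_is_exact(sample_buf, SAMPLE_MAX_LEN));
    return 0;
}
```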

