On Mon, Jan 19, 2015, arnaud.mouiche at invoxia.com wrote: > Indeed, in the streaming format I'm using, signature is stored on a > fixed size field which is equal to DSA_size(). > padding with \x00 is used to complete the signature, and > unfortunately, the real signature length was not stored, thinking it > was redundant with the information stored in the ASN1 format. > > Thank you for helping me to point this flaw. > Thanks for the update. The length information is encoded in the ASN.1 structrue but the fix for CVE-2014-8275 means that the supplied buffer length now has to be precise: it can't contain any trailing data. FYI it is possible to retrieve the "real length" of the DSA signature if you pad it in this way by decoding the result. Something like this (note: untested): const unsigned char *p = buf; DSA_SIG *s = d2i_DSA_SIG(NULL, &p, buflen); if (!s) /* Error */ DSA_SIG_free(s); real_sig_len = p - buf; Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org
