I noticed the exact same code being present in the mozilla 1.7.13 source ... I wonder what the correct consequence would be? Have us crypto people proof-read all relevant source code? Better educate developers?
Interestingly, the attacker's playground between the 0, 1, 0 and the hash gets bigger with larger key sizes, so I wonder if attacks get easier for longer keys...

Cheers,
Ulrich

> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>
> For another example of just how badly this kind of thing can
> be done, look at this code excerpt from Firefox version
> 1.5.0.7, which is the fixed version. There are two PKCS-1
> parsing functions, one which returns the hash and its prefix,
> the other of which is given the hash and asked whether it
> matches the RSA-signed value. This is from the latter one:
>
>     /*
>      * check the padding that was used
>      */
>     if (buffer[0] != 0 || buffer[1] != 1)
>         goto loser;
>     for (i = 2; i < modulus_len - hash_len - 1; i++) {
>         if (buffer[i] == 0)
>             break;
>         if (buffer[i] != 0xff)
>             goto loser;
>     }
>
>     /*
>      * make sure we get the same results
>      */
>     if (PORT_Memcmp(buffer + modulus_len - hash_len, hash,
>                     hash_len) != 0)
>         goto loser;
>
>     PORT_Free(buffer);
>     return SECSuccess;
>
> Here, buffer holds the result of the RSA exponentiation, of
> size modulus_len, and we are passed hash of size hash_len to compare.
>
> I don't think this code is used, fortunately. It will accept
> anything of the form 0, 1, 0, garbage, hash. Just goes to
> show how easy it is to get this kind of parsing wrong.
>
> (Note, this is from
> mozilla/security/nss/lib/softoken/rsawrapr.c:RSA_CheckSign())
>

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
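As an added illustration (not code from the quoted NSS source or from either poster), the following C puts a check with the same loop shape as the quoted one next to a strict check that compares the whole expected PKCS#1 v1.5 block, and runs both over a well-formed block and a 0, 1, 0, garbage, hash block. The function names, the 32-byte block size and the 8-byte hash are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Flawed check shaped like the quoted RSA_CheckSign() loop: it stops at the
 * first 0x00 without verifying that it sits directly before the hash, so
 * 00 01 00 <garbage> <hash> passes. (Length guard added to stay in bounds.) */
int check_lenient(const uint8_t *buf, size_t mlen, const uint8_t *hash, size_t hlen)
{
    size_t i;
    if (mlen < hlen + 3 || buf[0] != 0x00 || buf[1] != 0x01)
        return 0;
    for (i = 2; i < mlen - hlen - 1; i++) {
        if (buf[i] == 0x00)
            break;                 /* early terminator: what follows is unchecked */
        if (buf[i] != 0xff)
            return 0;
    }
    return memcmp(buf + mlen - hlen, hash, hlen) == 0;
}

/* Strict check: a correct signer can only have produced 00 01 FF..FF 00 <hash>
 * with at least eight FF bytes, so every byte is compared against that template;
 * OR-accumulating differences keeps the timing independent of where they occur. */
int check_strict(const uint8_t *buf, size_t mlen, const uint8_t *hash, size_t hlen)
{
    uint8_t diff = 0;
    size_t i, ps_len;
    if (mlen < hlen + 11)          /* 00 01 + 8*FF + 00 + hash */
        return 0;
    ps_len = mlen - hlen - 3;
    diff |= buf[0] ^ 0x00;
    diff |= buf[1] ^ 0x01;
    for (i = 2; i < 2 + ps_len; i++)
        diff |= buf[i] ^ 0xff;
    diff |= buf[2 + ps_len] ^ 0x00;
    for (i = 0; i < hlen; i++)
        diff |= buf[3 + ps_len + i] ^ hash[i];
    return diff == 0;
}
/* Constructed 32-byte block around a made-up 8-byte hash; tampered != 0 gives
 * it the 00 01 00 <garbage> <hash> shape. Returns (lenient << 1) | strict. */
int run_case(int tampered)
{
    static const uint8_t hash[8] = {0xde,0xad,0xbe,0xef,0x01,0x02,0x03,0x04};
    uint8_t blk[32];
    memset(blk, 0xff, sizeof blk);
    blk[0] = 0x00; blk[1] = 0x01; blk[23] = 0x00;
    memcpy(blk + 24, hash, sizeof hash);
    if (tampered) { blk[2] = 0x00; memset(blk + 3, 'A', 20); }
    return (check_lenient(blk, 32, hash, 8) << 1) | check_strict(blk, 32, hash, 8);
}
```

Both checks accept the well-formed block (result 3), but only the lenient one accepts the tampered block (result 2), which is exactly the gap the quoted message describes.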