> [openssl-...@ml.breakpoint.cc - Sun Jan 23 20:16:44 2011]:
>
> At the end of the testsuite in test_builtin() happens the following:
> - a previously created signature gets modified at a random spot
> - this signature is compared against the data which was used to create
>   the signature.
>
> Now, in theory this should always fail; in reality it passed sometimes.
> The modification algorithm did the following:
> | offset = sig[10] % 66;
> | dirt = sig[11];
> | dirt = dirt ? dirt : 1;
> | sig[offset] ^= dirt;
>
> If sig[10] is 0xa7 and sig[11] is 0x9e the last line evolves to:
> | sig[35] ^= 0x9e;
>
> The signature consists of two BIGNUMs encoded as ASN1 string. sig[34]
> and sig[35] are the beginning of the second and last number. sig[35]
> contains the length of this number and its content is 0x1e. Now,
> 0x9e ^ 0x1e = 0x80 and this is a special value. It means that the length
> of the value is "infinite", i.e. everything until the end of the stream.
> So the ASN1 parser considers the remaining data as the last element.
> Since there is nothing after it, it succeeds. This random modification
> was a zero change.
>
There are several bugs here. The ASN1 parser should reject indefinite length primitive encodings as that is illegal.

The original modification routine for ECDSA signatures has another possible flaw: if the ASN1 is modified so it is no longer valid you could get an ASN1 parser error. That arguably isn't a good thing if you want to check signature verification failure.

I think the simplest solution is to use the do_sign and do_verify functions instead, which avoid the ASN1 parser totally, and then you can modify a BIGNUM.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
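The failure mode discussed in this thread, as an added example (not OpenSSL code and not written by either poster): a minimal short-form-only DER reader with a lenient mode that treats length octet 0x80 as "rest of input" and a strict mode that rejects it on a primitive INTEGER. The 66-byte layout is inferred from the offsets in the report; `read_int`, `parse_sig`, `make_sig`, `corrupt` and the 0x11 filler bytes are constructed for illustration.

```c
#include <string.h>

/* Read a short-form DER INTEGER; returns bytes consumed, 0 on error. lenient
 * accepts length 0x80 as "rest of input" (the reported behaviour). */
static size_t read_int(const unsigned char *p, size_t n, int lenient,
                       const unsigned char **val, size_t *vlen)
{
    if (n < 2 || p[0] != 0x02) return 0;
    if (p[1] == 0x80) {                  /* indefinite-length marker */
        if (!lenient) return 0;          /* illegal on a primitive type */
        *val = p + 2; *vlen = n - 2;
        return n;
    }
    if (p[1] == 0 || p[1] > 0x7f || p[1] > n - 2) return 0;
    *val = p + 2; *vlen = p[1];
    return 2 + *vlen;
}

/* Parse SEQUENCE { INTEGER r, INTEGER s }; returns 1 and sets s/slen if OK. */
int parse_sig(const unsigned char *sig, size_t len, int lenient,
              const unsigned char **s, size_t *slen)
{
    const unsigned char *r; size_t rlen, a, b;
    if (len < 2 || sig[0] != 0x30 || sig[1] > 0x7f || sig[1] != len - 2)
        return 0;
    if (!(a = read_int(sig + 2, len - 2, lenient, &r, &rlen))) return 0;
    if (!(b = read_int(sig + 2 + a, len - 2 - a, lenient, s, slen))) return 0;
    return 2 + a + b == len;             /* no trailing bytes allowed */
}

/* Constructed 66-byte signature laid out as in the report:
 * 30 40 | 02 1e <30 bytes r> | 02 1e <30 bytes s>; r and s are filler. */
void make_sig(unsigned char sig[66])
{
    memset(sig, 0x11, 66);
    sig[0] = 0x30; sig[1] = 0x40; sig[2] = 0x02; sig[3] = 0x1e;
    sig[34] = 0x02; sig[35] = 0x1e;
    sig[10] = 0xa7; sig[11] = 0x9e;      /* the two bytes named in the report */
}

/* The test suite's corruption step, as quoted in the report. */
void corrupt(unsigned char *sig)
{
    unsigned char offset = sig[10] % 66, dirt = sig[11] ? sig[11] : 1;
    sig[offset] ^= dirt;
}
```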