Skip to content

Robust signature decoding#115

Merged
tomato42 merged 8 commits intotlsfuzzer:masterfrom
tomato42:robust-sig-decode
Sep 27, 2019
Merged

Robust signature decoding#115
tomato42 merged 8 commits intotlsfuzzer:masterfrom
tomato42:robust-sig-decode

Conversation

@tomato42
Copy link
Member

@tomato42 tomato42 commented Sep 26, 2019

Ensure that the signature verification raises the same exception irrespective if the error is caused by mismatch of the hash value or because the encoding of the signature is invalid

fixes #114

@tomato42
strict error checking in DER decoding of integers and sequences
50e6d9f
@tomato42
consistent error messages for unexpected types
9916c85 
so that they have the same formatting as the ones for integer and
sequence types
@coveralls
Copy link

coveralls commented Sep 26, 2019

Coverage Status

Coverage increased (+0.5%) to 87.009% when pulling 932b7e3 on tomato42:robust-sig-decode into 72621b1 on warner:master.

@coveralls
Copy link

coveralls commented Sep 26, 2019
edited
Loading

Coverage Status

Coverage increased (+1.005%) to 87.489% when pulling b96e02e on tomato42:robust-sig-decode into 72621b1 on warner:master.

@tomato42
translate the UnexpectedDER exception to BadSignatureError
487f6d3 
the users of VerifyingKey.verify() and VerifyingKey.verify_digest()
should not need to use multiple exceptions to correctly catch invalid
signatures
@tomato42
give the same handling to string encoded signatures as to DER
8533e51 
Verify that strings of unexpected lengths are rejected with the
same BadSignatureError exception
@tomato42 tomato42 self-assigned this Sep 26, 2019
@rjrelyea
Copy link

rjrelyea commented Sep 26, 2019

it basically looks good with one exception:
line 138 in function remove_integer. You check for nbytes < 0x80 and say 'Negative integers not supported'. I think this is checking that the length of the integer is less than 128 bytes (1024 bits), not that the first bit of the integer is on (indicating that the integer is negative). This seems wrong. Either the error message or the code is wrong. I presume the latter since in RSA signatures, we often have integer lengths longer than 128 (like 2048 bit keys).

@tomato42
Copy link
Member Author

tomato42 commented Sep 27, 2019
edited
Loading

You check for nbytes < 0x80 and say 'Negative integers not supported'. I think this is checking that the length of the integer is less than 128 bytes (1024 bits),

no, nbytes is the first byte of the part of the buffer that represents the integer – it's the most significant byte – I'll rename the variable to make it more readable

@tomato42
fix length decoding
a655d6f 
the same issues as with decoding integers happen with the NIST521p curve
as it's large enough that the length encoding of some fields needs
to use multi-byte encoding
@tomato42
explicitly specify the distro to get py26 and py33
091ca06
@tomato42
make variable names in remove_integer more aproppriate
710e7c8
@tomato42
Copy link
Member Author

tomato42 commented Sep 27, 2019

@rjrelyea: updated, I've also added more checks to verify if the values are correct DER encodings (not just BER), so please take a second look

@rjrelyea
Copy link

rjrelyea commented Sep 27, 2019

OK, that looks good. nbytes was probably from the copy of dealing with the length field,
Your checks for minimal integer and minimal length encoding are correct.

@tomato42 tomato42 merged commit 434f5db into tlsfuzzer:master Sep 27, 2019
@tomato42 tomato42 deleted the robust-sig-decode branch September 27, 2019 18:49
This was referenced Sep 27, 2019
Closed
Closed
@opoplawski
Copy link

opoplawski commented Oct 5, 2019

Is there an ETA for a 0.14 release? I just got CVE bugs filed against this in Fedora. Thanks.

@tomato42
Copy link
Member Author

tomato42 commented Oct 5, 2019

@opoplawski actually, I'm working on 0.13.3 in #124 – there has been too little testing in master to consider it 0.14-worthy

@renovate renovate bot mentioned this pull request Oct 8, 2019
Merged
1 task
@tomato42 tomato42 added the bug unintended behaviour in ecdsa code label Oct 13, 2019
@tomato42 tomato42 added this to the v0.14 milestone Oct 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@tomato42 tomato42

Labels

bug unintended behaviour in ecdsa code

Projects

None yet

Milestone

v0.14

Development

Successfully merging this pull request may close these issues.

Inconsistent handling of malformed DER signatures

4 participants

@tomato42 @coveralls @rjrelyea @opoplawski