Summary
An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack.
Details
In dsaVerify function, it checks whether the value of the signature is legal by calling function checkValue, namely, whether r and s are both in the interval [1, q - 1]. However, the second line of the checkValue function wrongly checks the upper bound of the passed parameters, since the value of b.cmp(q) can only be 0, 1 and -1, and it can never be greater than q.
In this way, although the values of s cannot be 0, an attacker can achieve the same effect as zero by setting its value to q, and then send (r, s) = (1, q) to pass the verification of any public key.
Impact
All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability.
Fix PR:
Since the temporary private fork was deleted, here's a webarchive of the PR discussion and diff pages: PR webarchive.zip
Summary
An upper bound check issue in
dsaVerifyfunction allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack.Details
In
dsaVerifyfunction, it checks whether the value of the signature is legal by calling functioncheckValue, namely, whetherrandsare both in the interval[1, q - 1]. However, the second line of thecheckValuefunction wrongly checks the upper bound of the passed parameters, since the value ofb.cmp(q)can only be0,1and-1, and it can never be greater thanq.In this way, although the values of
scannot be0, an attacker can achieve the same effect as zero by setting its value toq, and then send(r, s) = (1, q)to pass the verification of any public key.Impact
All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability.
Fix PR:
Since the temporary private fork was deleted, here's a webarchive of the PR discussion and diff pages: PR webarchive.zip