Hi,
I attached an email I got back from Renaud Deraison which
basically states that all the error cases that DSA_do_verify()
checks are already checked before the call to DSA_do_verify()
and that DSA_do_verify() should not return -1.
Kurt
--- Begin Message ---
Hi Kurt,
On Jan 28, 2009, at 11:00 PM, Kurt Roeckx wrote:
> [...]
> I would like to start by saying that I have no idea how it works.
> But I have to wonder why you call DSA_do_verify() if the result
> has no impact on the security.

We mostly do this to make sure the protocol works as expected.

> Did you consider a man in the middle attack, where the attacker
> could impersonate the 2 other parties and have full control over
> the connection?

Yes, that was the point of my message -- we do opportunistic
encryption anyhow.
We also further investigated the use of that function and, given our
implementation, we do not believe that an attacker could submit a DSA
signature which would generate an error (since we verify the number of
bits, etc... prior to calling DSA_do_verify()).
It's still a bug, but it has no security implications.
Take care,
-- Renaud
--- End Message ---