Closed Bug 1646520 Opened 4 years ago Closed 4 years ago

QuickDER accepts invalid INTEGER encoding with arbitrary number of leading zeros

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kjacobs, Assigned: kjacobs)

Details

(Keywords: sec-other)

Attachments

(1 file)

Bug 1646520 - Stricter leading-zero checks for ASN.1 INTEGER values.
47 bytes, text/x-phabricator-request
Details | Review

DecodeItem in quickder.c will accept INTEGER values with invalid encoding by removing an arbitrary number of leading zeros [1]. This causes a few ECDSA Wycheproof tests to fail.

X.690 states:

8.3.2 If the contents octets of an integer value encoding consist of more than one octet, then the bits of the first octet and bit 8 of the second octet:
   1. shall not all be ones; and
   2.  shall not all be zero.
NOTE – These rules ensure that an integer value is always encoded in the smallest possible number of octets.

NSS should only permit one leading zero iff the MSB of the second byte is set. OpenSSL stopped accepting these invalid encodings between 1.0.1j and 1.0.1k CVE-2014-8275, and a tls-canary shows no regressions from enforcing this rule.

This is not a new issue (noted in bug 1064670), but we should fix it regardless.

[1] https://searchfox.org/mozilla-central/source/security/nss/lib/util/quickder.c#751-754

Severity: -- → S3
Priority: -- → P2

https://hg.mozilla.org/projects/nss/rev/2bd2f3267dc5e96aabe1145d698a817f37bc8f4c

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.54
Group: crypto-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: