Closed
Bug 1646520
Opened 4 years ago
Closed 4 years ago
QuickDER accepts invalid INTEGER encoding with arbitrary number of leading zeros
Categories
(NSS :: Libraries, defect, P2)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.54
People
(Reporter: kjacobs, Assigned: kjacobs)
Details
(Keywords: sec-other)
Attachments
(1 file)
DecodeItem
in quickder.c will accept INTEGER values with invalid encoding by removing an arbitrary number of leading zeros [1]. This causes a few ECDSA Wycheproof tests to fail.
X.690 states:
8.3.2 If the contents octets of an integer value encoding consist of more than one octet, then the bits of the first octet and bit 8 of the second octet:
1. shall not all be ones; and
2. shall not all be zero.
NOTE – These rules ensure that an integer value is always encoded in the smallest possible number of octets.
NSS should only permit one leading zero iff the MSB of the second byte is set. OpenSSL stopped accepting these invalid encodings between 1.0.1j and 1.0.1k CVE-2014-8275, and a tls-canary shows no regressions from enforcing this rule.
This is not a new issue (noted in bug 1064670), but we should fix it regardless.
[1] https://searchfox.org/mozilla-central/source/security/nss/lib/util/quickder.c#751-754
Assignee | ||
Updated•4 years ago
|
Severity: -- → S3
Priority: -- → P2
Assignee | ||
Comment 1•4 years ago
|
||
Assignee | ||
Comment 2•4 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.54
Updated•4 years ago
|
Group: crypto-core-security → core-security-release
Updated•3 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•