ECDSA doesn't reject invalid digests when signing
Closed, ResolvedPublic

Description

This is a behavioural difference between DSA and ECDSA.

If you try to sign something with a 2048-bit DSA key using a SHA1 digest, gpg
will reject the attempt as invalid:

+ gpg --digest-algo SHA1 --clearsign < input > output
gpg: signing failed: Invalid length
gpg: [stdin]: clearsign failed: Invalid length

With ECDSA, the signing step succeeds, but verification fails:

+ gpg --digest-algo SHA1 --clearsign < input > output
+ gpg --verify output
gpg: Signature made Fri 23 Sep 2016 11:38:08 PDT
gpg: using ECDSA key B009EAE105AAB839
gpg: ECDSA key B009EAE105AAB839 requires a 256 bit or larger hash (hash is SHA1)
gpg: Can't check signature: General error

We should prevent the signing from succeeding if we're never going to accept the
signature as valid.

Will add a couple of patches for do_encode_dsa to fix this.

steven added a subscriber: steven.

Fix check for 521-bit ECDSA

Fix digest length check when signing for ECDSA

gniibe claimed this task.Sep 27 2016, 6:59 AM
gniibe added a subscriber: gniibe.

Thank you for your fixes and the specific test case.
Indeed, it's a bug.
I'm going to apply changes, but I think that it's better to have same code
pattern of g10/seskey.c (the part of verification).

werner added a subscriber: werner.Nov 29 2016, 3:09 PM

Released with 2.1.16.

werner closed this task as Resolved.Nov 29 2016, 3:09 PM
werner removed a project: Testing.