Page MenuHome GnuPG
Create Task
Maniphest T2702

ECDSA doesn't reject invalid digests when signing
Closed, ResolvedPublic
Actions

Description

This is a behavioural difference between DSA and ECDSA.

If you try to sign something with a 2048-bit DSA key using a SHA1 digest, gpg
will reject the attempt as invalid:

+ gpg --digest-algo SHA1 --clearsign < input > output
gpg: signing failed: Invalid length
gpg: [stdin]: clearsign failed: Invalid length

With ECDSA, the signing step succeeds, but verification fails:

+ gpg --digest-algo SHA1 --clearsign < input > output
+ gpg --verify output
gpg: Signature made Fri 23 Sep 2016 11:38:08 PDT
gpg: using ECDSA key B009EAE105AAB839
gpg: ECDSA key B009EAE105AAB839 requires a 256 bit or larger hash (hash is SHA1)
gpg: Can't check signature: General error

We should prevent the signing from succeeding if we're never going to accept the
signature as valid.

Will add a couple of patches for do_encode_dsa to fix this.

Related Objects

Event Timeline

steven added projects: gnupg, Bug Report.Sep 23 2016, 9:14 PM
steven added a subscriber: steven.

Fix check for 521-bit ECDSA

steven added a comment.Sep 23 2016, 9:15 PM

D384: 889_0001-do_encode_dsa-fix-incorrect-check-for-521-bit-ECDSA.patch

steven added a comment.Sep 23 2016, 9:15 PM

Fix digest length check when signing for ECDSA

steven added a comment.Sep 23 2016, 9:15 PM

D383: 890_0002-do_encode_dsa-make-digest-length-checks-match-those-.patch

gniibe claimed this task.Sep 27 2016, 6:59 AM
gniibe added a subscriber: gniibe.

Thank you for your fixes and the specific test case.
Indeed, it's a bug.
I'm going to apply changes, but I think that it's better to have same code
pattern of g10/seskey.c (the part of verification).

gniibe added a project: Restricted Project.Sep 27 2016, 7:09 AM

Fixed in: 98bc6f480ac973dccce90378dc021a2e24e58704

werner added a subscriber: werner.Nov 29 2016, 3:09 PM

Released with 2.1.16.

werner closed this task as Resolved.Nov 29 2016, 3:09 PM
werner removed a project: Restricted Project.