Page MenuHome GnuPG
Create Task
Maniphest T8032

libksba: Input validation for DER encoded INTEGER
Open, LowPublic
Actions

Description

libksba should validate input of DER encoded INTEGER to reject invalid data representation (like extra leading zeros/0xff).

X.690 says:

8.3 Encoding of an integer value
8.3.1 The encoding of an integer value shall be primitive. The contents octets shall consist of one or more octets.
8.3.2 If the contents octets of an integer value encoding consist of more than one octet, then the bits of the first octet and bit 8 of the second octet:
a) shall not all be ones; and
b) shall not all be zero.
NOTE – These rules ensure that an integer value is always encoded in the smallest possible number of octets.
8.3.3 The contents octets shall be a two's complement binary number equal to the integer value, and consisting of bits 8 to 1 of the first octet, followed by bits 8 to 1 of the second octet, followed by bits 8 to 1 of each octet in turn up to and including the last octet of the contents octets.
NOTE – The value of a two's complement binary number is derived by numbering the bits in the contents octets, starting with bit 1 of the last octet as bit zero and ending the numbering with bit 8 of the first octet. Each bit is assigned a numerical value of 2^N, where N is its position in the above numbering sequence. The value of the two's complement binary number is obtained by summing the numerical values assigned to each bit for those bits which are set to one, excluding bit 8 of the first octet, and then reducing this value by the numerical value assigned to bit 8 of the first octet if that bit is set to one.

libksba should validate input of DER encoded data (of any type) to reject non-canonical representations.

X.690 says:

10.1 Length forms
The definite form of length encoding shall be used, encoded in the minimum number of octets. [Contrast with 8.1.3.2 b).]

Details

External Link
https://lists.gnupg.org/pipermail/gnupg-devel/2026-January/036133.html

Event Timeline

gniibe created this task.Wed, Jan 14, 3:02 AM
gniibe added a project: S/MIME.
werner added a subscriber: werner.EditedWed, Jan 14, 10:07 AM

Some historic integer encoding glitches from Peter Gutmann's style guide:

Some Microsoft software will generate negative values about 50% of the time
whenever it encodes anything as an INTEGER because it ignores the fact that
the top bit of an integer is the sign bit (this is still occurring in
programs released as recently as early 1998).
Telesec:
The certificates encode INTEGER values incorrectly by setting the high bit,
which makes them negative values.  This is particularly problematic with RSA
keys since they use a hardwired exponent of 3,221,225,473 (!!!) which always
has the high bit set (0xC0000001), so all the RSA certificates have invalid
encodings.  This was corrected in late 1999.

The encoding of the Certificate may follow the BER rather than the DER. At
least one implementation uses the indefinite-length encoding form for the
SEQUENCE.

And I don't expect that that everything is correct now. As long as we don't have a clear security issue here, we should not add extra constraints on DER or even BER parsing.

thesamesam added a subscriber: thesamesam.Wed, Jan 14, 8:24 PM
werner triaged this task as Low priority.Fri, Jan 16, 11:01 AM

See the gnupg-devel mailing list for more discussions. Subject: libgcrypt P256 signature malleability via weak DER enforcement"