Created attachment 658152 [details] Fix DSA2 keysize calculation on verify Description of problem: There seems to be a bits vs bytes mixup in the way DSA2 keysize is calculated in PK11_Verify(), causing it to fail due to not finding a slot that can handle it: unsigned int length = 0; if ((mech.mechanism == CKM_DSA) && /* 129 is 1024 bits translated to bytes and * padded with an optional '0' to maintain a * positive sign */ (key->u.dsa.params.prime.len > 129)) { /* we need to get a slot that not only can do DSA, but can do DSA2 * key lengths */ length = key->u.dsa.params.prime.len; if (key->u.dsa.params.prime.data[0] == 0) { length --; } } slot = PK11_GetBestSlotWithAttributes(mech.mechanism, CKF_VERIFY,length,wincx); Note the comment about 129 bytes vs 1024 bits translation. However the prime length in bytes is passed as-is to PK11_GetBestSlotWithAttributes() which expects the key size in bits (if specified). With a bit of debugging output added, an attempt to verify a signature created with 2048bit DSA key: vfy_VerifyDigest: dsa key (2), len 64 PK11_Verify: slot (nil) PK11_Verify: DSA length 256 PK11_GetBestSlotMultipleWithAttributes: mech_count 1 PK11_GetBestSlotMultipleWithAttributes: looking at le 0x1d8b2a0 pk11_filterSlot: need ks 256, min 512 max 3072 -> keysize bad 256 bit keysize is of course invalid for DSA so it goes downhill from there. With the attached patch to convert the keysize to bits before the slot lookup the above debug foobar looks like: vfy_VerifyDigest: dsa key (2), len 64 PK11_Verify: slot (nil) PK11_Verify: DSA length 2048 PK11_GetBestSlotMultipleWithAttributes: mech_count 1 PK11_GetBestSlotMultipleWithAttributes: looking at le 0x1d500c0 pk11_filterSlot: need ks 2048, min 512 max 3072 PK11_GetBestSlotMultipleWithAttributes: returning slot 0x1cdcbf0 PK11_Verify: best slot 0x1cdcbf0, length 2048 [...] ...and the verification actually succeeds. Version-Release number of selected component (if applicable): nss-3.14-7.fc18.x86_64, versions prior to 3.14 didn't support DSA2 at all AFAIK. How reproducible: Fully reproducable. Unfortunately I dont have a nice isolated test-case I could represent here, I stumbled on this while adding DSA2 support to upstream RPM. Without the DSA2 keysize patch: [pmatilai@localhost rpm]$ ./rpmkeys -Kv /tmp/telnet-0.17-51.fc16.x86_64.rpm /tmp/telnet-0.17-51.fc16.x86_64.rpm: Header V4 DSA/SHA256 Signature, key ID 0e5b82e0: BAD Header SHA1 digest: OK (2a2c6961886dc49a1d71c4613c9e7b79ceea3c49) MD5 digest: OK (bc60b6d23e72d68765be41012f4f5758) V4 DSA/SHA256 Signature, key ID 0e5b82e0: BAD [pmatilai@localhost rpm]$ ...and with it: [pmatilai@localhost rpm]$ ./rpmkeys -Kv /tmp/telnet-0.17-51.fc16.x86_64.rpm /tmp/telnet-0.17-51.fc16.x86_64.rpm: Header V4 DSA/SHA256 Signature, key ID 0e5b82e0: OK Header SHA1 digest: OK (2a2c6961886dc49a1d71c4613c9e7b79ceea3c49) MD5 digest: OK (bc60b6d23e72d68765be41012f4f5758) V4 DSA/SHA256 Signature, key ID 0e5b82e0: OK [pmatilai@localhost rpm]$
BTW the bytes -> bits conversion is present in the patch at https://bugzilla.mozilla.org/show_bug.cgi?id=475578#c34: Note the "length*BITS_PER_BYTE" calculation in https://bugzilla.mozilla.org/attachment.cgi?id=636377&action=diff#mozilla/security/nss/lib/pk11wrap/pk11obj.c_sec7, that's exactly the same thing I'm talking about here. However that calculation is not present in what eventually got committed to nss cvs and so its not in 3.14 either.
Ping? This issue is still present in nss-3.14.3. If I should take this directly to upstream just say so, I reported this here out of being lazy: to avoid having to setup mozilla.org bugzilla account just for a tiny, obvious-looking drive-by patch when you guys obviously talk with upstream regularly and I dont, nor do I have any plans to regularly contribute to NSS.
(In reply to comment #2) Thank you Panu, see upstream https://bugzilla.mozilla.org/show_bug.cgi?id=846775.
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life. Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.