"Leichter, Jerry" <[EMAIL PROTECTED]> writes:

> Granted, one or more implementations got this wrong.  (Has anyone looked
> to see if all the incorrect code all descends from a common root, way
> back when?)

We have at least three independent widely used implementations that
got things wrong: OpenSSL, Mozilla NSS, and GnuTLS.

However, note that this isn't a single problem; we are talking about
at least two related problems.  Some implementations are vulnerable to
only one of them.

The first problem was ignoring data _after_ the ASN.1 blob.
Vulnerable: OpenSSL, NSS?

The second problem was ignoring data _in_ the ASN.1 blob, in
particular, in the parameters field.  Vulnerable: OpenSSL, GnuTLS,

A several year old paper by Kaliski discussed using the ASN.1 OID to
store data in.  It has slightly different properties, but the lesson
in this context is that implementations must properly check the ASN.1
OID field too.

> Until we know whether this is *one* mistake that was copied from
> implementation to implementation, or the same mistake made by
> multiple developers, it's really premature to draw any conclusions.

I hope that I convinced you that this isn't an open question.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to