Tony Arcieri wrote:
> It's also worth noting that BERserk is one of many such incidents of this
> coming up in practice:
> https://cryptosense.com/why-pkcs1v1-5-signature-should-also-be-put-out-of-our-misery/
With the PKCS#1 v1.5 signature verification operation, as described in PKCS#1 v2.0 (rfc2437, Oct-1998, Section 8.1.2)
https://tools.ietf.org/html/rfc2437#section-8.1.2
it is *IMPOSSIBLE* to create an implementation with a bug such as BERserk, because there is (on purpose) *NO* ASN.1 decoding step defined for this signature verification.

A useful specification that is almost 2 decades old does not protect against clueless implementors, however. Heartbleed is also not part of the underlying specification.

Anyhow, some very seriously broken code, for a completely useless feature (within TLS, not DTLS), was created and shipped into large parts of the installed base...

-Martin
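The verification procedure Martin refers to (RFC 2437 section 8.1.2), written out as an added example that is not part of the original mailing-list post: the verifier builds the one acceptable EMSA-PKCS1-v1_5 encoding itself and compares the whole recovered encoded message against it, so there is no ASN.1 decoding step in which a BERserk-style parsing bug could exist. The SHA-256 DigestInfo prefix, the toy Fermat-based key generation and the test messages are assumptions constructed for this demo, not anything from the post.

```python
import hashlib
import random

# DER-encoded DigestInfo prefix for SHA-256 (AlgorithmIdentifier + OCTET STRING header)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v1_5_encode(message: bytes, em_len: int) -> bytes:
    """RFC 2437 section 9.2.1: EM = 01 || PS || 00 || T, where emLen = k - 1."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 10:
        raise ValueError("intended encoded message length too short")
    return b"\x01" + b"\xff" * (em_len - len(t) - 2) + b"\x00" + t

def verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """RFC 2437 section 8.1.2: RSAVP1, I2OSP, re-encode, then compare.

    The verifier never decodes ASN.1 from the signature; it builds the only
    acceptable encoding itself and requires the recovered EM to match it exactly.
    """
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    m = pow(s, e, n)                          # RSAVP1
    if m >= 1 << (8 * (k - 1)):               # I2OSP(m, k - 1) fails: "invalid"
        return False
    return m.to_bytes(k - 1, "big") == emsa_pkcs1_v1_5_encode(message, k - 1)

def sign(n: int, d: int, message: bytes) -> bytes:
    """RFC 2437 section 8.1.1, used here only to produce signatures for the demo."""
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v1_5_encode(message, k - 1), "big")
    return pow(em, d, n).to_bytes(k, "big")   # RSASP1 + I2OSP

def _probable_prime(bits: int) -> int:
    """Random prime with a Fermat test: toy key generation for this demo only."""
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(random.randrange(2, n - 1), n - 1, n) == 1 for _ in range(32)):
            return n

def demo_keypair(bits: int = 512, e: int = 65537):
    """Toy RSA key (n, e, d) for the demo; retry until e is invertible mod phi."""
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))
```

Any deviation in the recovered encoding, including extra or rearranged bytes that a lenient ASN.1 parser might tolerate, simply fails the equality check.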