Fix CVD dsig verification when hash starts with zeros

Occasionally the MD5 hash for RSA-based digital signature verification begins with zeros. A bug in how we convert the RSA decoded plain text from a big number back to a hex string causes it to write the number to the far left of the plain text buffer. If the number is smaller than a hash, then zero-padding ends up on the right when it should've been on the left. Additional fix: BN_bn2bin() will write zero bytes if the bignum is 0. So there is no point "error checking" the BN_bn2bin() call. Thanks to Tom Judge for noticing these shenanigans. Ref: openssl/openssl#2101 Side note: BN_num_bytes() will also return 0 if the bignum is 0, which is fine.
Cisco-Talos · Dec 4, 2024 · b8795fd · b8795fd
1 parent d6d25c3
commit b8795fd
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/libclamav/dsig.c b/libclamav/dsig.c
@@ -88,7 +88,7 @@ static unsigned char *cli_decodesig(const char *sig, unsigned int plen, BIGNUM *
     BIGNUM *r = NULL, *p = NULL, *c = NULL;
     BN_CTX *bn_ctx = NULL;
     unsigned int bn_bytes;
-    ;
+    unsigned char *plain_offset = NULL;
 
     r = BN_new();
     if (!r) {
@@ -144,9 +144,12 @@ static unsigned char *cli_decodesig(const char *sig, unsigned int plen, BIGNUM *
         cli_errmsg("cli_decodesig: Can't allocate memory for 'plain'\n");
         goto done;
     }
-    if (!BN_bn2bin(p, plain)) {
-        goto done;
-    }
+
+    // If bn_bytes is smaller than plen, we need to offset the plain buffer.
+    // If we didn't, then a hash that should start with 00 would end with 00 instead.
+    plain_offset = plain + plen - bn_bytes;
+
+    BN_bn2bin(p, plain_offset);
 
     ret_sig = plain;
     plain   = NULL;