openssl/openssl-0.9.8b-cve-2006-4339.patch

*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
(CVE-2006-4339)  [Ben Laurie; Google Security Team]
openssl/crypto/rsa/rsa.h     1.55.2.4 -> 1.55.2.5

--- openssl/crypto/rsa/rsa.h 2006/01/09 16:05:18 1.55.2.4
+++ openssl/crypto/rsa/rsa.h 2006/09/05 08:25:42 1.55.2.5
@@ -412,6 +412,7 @@
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
 #define RSA_R_OAEP_DECODING_ERROR			 121
 #define RSA_R_PADDING_CHECK_FAILED			 114
+#define RSA_R_PKCS1_PADDING_TOO_SHORT			 105
 #define RSA_R_P_NOT_PRIME				 128
 #define RSA_R_Q_NOT_PRIME				 129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130

openssl/crypto/rsa/rsa_eay.c     1.46.2.4 -> 1.46.2.5

--- openssl/crypto/rsa/rsa_eay.c 2006/06/14 08:51:40 1.46.2.4
+++ openssl/crypto/rsa/rsa_eay.c 2006/09/05 08:25:42 1.46.2.5
@@ -640,6 +640,15 @@
 		{
 	case RSA_PKCS1_PADDING:
 		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+		/* Generally signatures should be at least 2/3 padding, though
+		   this isn't possible for really short keys and some standard
+		   signature schemes, so don't check if the unpadded data is
+		   small. */
+		if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+			{
+			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+			goto err;
+			}
 		break;
 	case RSA_X931_PADDING:
 		r=RSA_padding_check_X931(to,num,buf,i,num);

openssl/crypto/rsa/rsa_err.c     1.17.2.3 -> 1.17.2.4

--- openssl/crypto/rsa/rsa_err.c 2006/01/09 16:05:18 1.17.2.3
+++ openssl/crypto/rsa/rsa_err.c 2006/09/05 08:25:42 1.17.2.4
@@ -142,6 +142,7 @@
 {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
 {ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
 {ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
 {ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},

openssl/crypto/rsa/rsa_sign.c     1.21 -> 1.21.2.1

--- openssl/crypto/rsa/rsa_sign.c 2005/04/26 22:07:17 1.21
+++ openssl/crypto/rsa/rsa_sign.c 2006/09/05 08:25:42 1.21.2.1
@@ -185,6 +185,23 @@
 		sig=d2i_X509_SIG(NULL,&p,(long)i);
 
 		if (sig == NULL) goto err;
+
+		/* Excess data can be used to create forgeries */
+		if(p != s+i)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
+		/* Parameters to the signature algorithm can also be used to
+		   create forgeries */
+		if(sig->algor->parameter
+		   && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
 		sigtype=OBJ_obj2nid(sig->algor->algorithm);
- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180) 2006-09-05 13:44:39 +00:00			`*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher`
			`(CVE-2006-4339) [Ben Laurie; Google Security Team]`
			`openssl/crypto/rsa/rsa.h 1.55.2.4 -> 1.55.2.5`

			`--- openssl/crypto/rsa/rsa.h 2006/01/09 16:05:18 1.55.2.4`
			`+++ openssl/crypto/rsa/rsa.h 2006/09/05 08:25:42 1.55.2.5`
			`@@ -412,6 +412,7 @@`
			`#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127`
			`#define RSA_R_OAEP_DECODING_ERROR 121`
			`#define RSA_R_PADDING_CHECK_FAILED 114`
			`+#define RSA_R_PKCS1_PADDING_TOO_SHORT 105`
			`#define RSA_R_P_NOT_PRIME 128`
			`#define RSA_R_Q_NOT_PRIME 129`
			`#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130`

			`openssl/crypto/rsa/rsa_eay.c 1.46.2.4 -> 1.46.2.5`

			`--- openssl/crypto/rsa/rsa_eay.c 2006/06/14 08:51:40 1.46.2.4`
			`+++ openssl/crypto/rsa/rsa_eay.c 2006/09/05 08:25:42 1.46.2.5`
			`@@ -640,6 +640,15 @@`
			`{`
			`case RSA_PKCS1_PADDING:`
			`r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);`
			`+ /* Generally signatures should be at least 2/3 padding, though`
			`+ this isn't possible for really short keys and some standard`
			`+ signature schemes, so don't check if the unpadded data is`
			`+ small. */`
			`+ if(r > 42 && 38r >= BN_num_bits(rsa->n))`
			`+ {`
			`+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);`
			`+ goto err;`
			`+ }`
			`break;`
			`case RSA_X931_PADDING:`
			`r=RSA_padding_check_X931(to,num,buf,i,num);`

			`openssl/crypto/rsa/rsa_err.c 1.17.2.3 -> 1.17.2.4`

			`--- openssl/crypto/rsa/rsa_err.c 2006/01/09 16:05:18 1.17.2.3`
			`+++ openssl/crypto/rsa/rsa_err.c 2006/09/05 08:25:42 1.17.2.4`
			`@@ -142,6 +142,7 @@`
			`{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},`
			`{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},`
			`{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},`
			`+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},`
			`{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},`
			`{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},`
			`{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},`

			`openssl/crypto/rsa/rsa_sign.c 1.21 -> 1.21.2.1`

			`--- openssl/crypto/rsa/rsa_sign.c 2005/04/26 22:07:17 1.21`
			`+++ openssl/crypto/rsa/rsa_sign.c 2006/09/05 08:25:42 1.21.2.1`
			`@@ -185,6 +185,23 @@`
			`sig=d2i_X509_SIG(NULL,&p,(long)i);`

			`if (sig == NULL) goto err;`
			`+`
			`+ /* Excess data can be used to create forgeries */`
			`+ if(p != s+i)`
			`+ {`
			`+ RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);`
			`+ goto err;`
			`+ }`
			`+`
			`+ /* Parameters to the signature algorithm can also be used to`
			`+ create forgeries */`
			`+ if(sig->algor->parameter`
			`+ && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)`
			`+ {`
			`+ RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);`
			`+ goto err;`
			`+ }`
			`+`
			`sigtype=OBJ_obj2nid(sig->algor->algorithm);`