- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)

2006-09-05 13:44:39 +00:00 · 2006-09-05 13:44:39 +00:00 · ba40f6bb66
parent 2020821670
commit ba40f6bb66
2 changed files with 83 additions and 1 deletions
--- a/openssl-0.9.8b-cve-2006-4339.patch
+++ b/openssl-0.9.8b-cve-2006-4339.patch
@ -0,0 +1,77 @@
+*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+(CVE-2006-4339)  [Ben Laurie; Google Security Team]
+openssl/crypto/rsa/rsa.h     1.55.2.4 -> 1.55.2.5
+
+--- openssl/crypto/rsa/rsa.h 2006/01/09 16:05:18 1.55.2.4
+++ openssl/crypto/rsa/rsa.h 2006/09/05 08:25:42 1.55.2.5
+@@ -412,6 +412,7 @@
+ #define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
+ #define RSA_R_OAEP_DECODING_ERROR			 121
+ #define RSA_R_PADDING_CHECK_FAILED			 114
+#define RSA_R_PKCS1_PADDING_TOO_SHORT			 105
+ #define RSA_R_P_NOT_PRIME				 128
+ #define RSA_R_Q_NOT_PRIME				 129
+ #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
+
+openssl/crypto/rsa/rsa_eay.c     1.46.2.4 -> 1.46.2.5
+
+--- openssl/crypto/rsa/rsa_eay.c 2006/06/14 08:51:40 1.46.2.4
+++ openssl/crypto/rsa/rsa_eay.c 2006/09/05 08:25:42 1.46.2.5
+@@ -640,6 +640,15 @@
+ 		{
+ 	case RSA_PKCS1_PADDING:
+ 		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+		/* Generally signatures should be at least 2/3 padding, though
+		   this isn't possible for really short keys and some standard
+		   signature schemes, so don't check if the unpadded data is
+		   small. */
+		if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+			{
+			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+			goto err;
+			}
+ 		break;
+ 	case RSA_X931_PADDING:
+ 		r=RSA_padding_check_X931(to,num,buf,i,num);
+
+openssl/crypto/rsa/rsa_err.c     1.17.2.3 -> 1.17.2.4
+
+--- openssl/crypto/rsa/rsa_err.c 2006/01/09 16:05:18 1.17.2.3
+++ openssl/crypto/rsa/rsa_err.c 2006/09/05 08:25:42 1.17.2.4
+@@ -142,6 +142,7 @@
+ {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
+ {ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
+ {ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
+ {ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
+ {ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
+ {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
+
+openssl/crypto/rsa/rsa_sign.c     1.21 -> 1.21.2.1
+
+--- openssl/crypto/rsa/rsa_sign.c 2005/04/26 22:07:17 1.21
+++ openssl/crypto/rsa/rsa_sign.c 2006/09/05 08:25:42 1.21.2.1
+@@ -185,6 +185,23 @@
+ 		sig=d2i_X509_SIG(NULL,&p,(long)i);
+ 
+ 		if (sig == NULL) goto err;
+
+		/* Excess data can be used to create forgeries */
+		if(p != s+i)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
+		/* Parameters to the signature algorithm can also be used to
+		   create forgeries */
+		if(sig->algor->parameter
+		   && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
+ 		sigtype=OBJ_obj2nid(sig->algor->algorithm);
+ 
+ 
--- a/openssl.spec
+++ b/openssl.spec
@ -21,7 +21,7 @@
 Summary: The OpenSSL toolkit
 Name: openssl
 Version: 0.9.8b
-Release: 5
+Release: 6
 Source: openssl-%{version}-usa.tar.bz2
 Source1: hobble-openssl
 Source2: Makefile.certificate
@ -55,6 +55,7 @@ Patch52: openssl-0.9.8b-pkcs12-fix.patch
 Patch53: openssl-0.9.8b-bn-threadsafety.patch
 Patch54: openssl-0.9.8b-aes-cachecol.patch
 Patch55: openssl-0.9.8b-pkcs7-leak.patch
+Patch56: openssl-0.9.8b-cve-2006-4339.patch

 License: BSDish
 Group: System Environment/Libraries
@ -119,6 +120,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch53 -p1 -b .bn-threadsafety
 %patch54 -p1 -b .cachecol
 %patch55 -p1 -b .pkcs7-leak
+%patch56 -p1 -b .short-padding

 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@ -353,6 +355,9 @@ rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint
 %postun -p /sbin/ldconfig

 %changelog
+* Tue Sep  9 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-6
+- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)
+
 * Wed Aug  2 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-5
 - set buffering to none on stdio/stdout FILE when bufsize is set (#200580)
  patch by IBM