*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (CVE-2006-4339) [Ben Laurie; Google Security Team] openssl/crypto/rsa/rsa.h 1.55.2.4 -> 1.55.2.5 --- openssl/crypto/rsa/rsa.h 2006/01/09 16:05:18 1.55.2.4 +++ openssl/crypto/rsa/rsa.h 2006/09/05 08:25:42 1.55.2.5 @@ -412,6 +412,7 @@ #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 #define RSA_R_OAEP_DECODING_ERROR 121 #define RSA_R_PADDING_CHECK_FAILED 114 +#define RSA_R_PKCS1_PADDING_TOO_SHORT 105 #define RSA_R_P_NOT_PRIME 128 #define RSA_R_Q_NOT_PRIME 129 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 openssl/crypto/rsa/rsa_eay.c 1.46.2.4 -> 1.46.2.5 --- openssl/crypto/rsa/rsa_eay.c 2006/06/14 08:51:40 1.46.2.4 +++ openssl/crypto/rsa/rsa_eay.c 2006/09/05 08:25:42 1.46.2.5 @@ -640,6 +640,15 @@ { case RSA_PKCS1_PADDING: r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); + /* Generally signatures should be at least 2/3 padding, though + this isn't possible for really short keys and some standard + signature schemes, so don't check if the unpadded data is + small. */ + if(r > 42 && 3*8*r >= BN_num_bits(rsa->n)) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT); + goto err; + } break; case RSA_X931_PADDING: r=RSA_padding_check_X931(to,num,buf,i,num); openssl/crypto/rsa/rsa_err.c 1.17.2.3 -> 1.17.2.4 --- openssl/crypto/rsa/rsa_err.c 2006/01/09 16:05:18 1.17.2.3 +++ openssl/crypto/rsa/rsa_err.c 2006/09/05 08:25:42 1.17.2.4 @@ -142,6 +142,7 @@ {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"}, {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, +{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"}, {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, {ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"}, {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"}, openssl/crypto/rsa/rsa_sign.c 1.21 -> 1.21.2.1 --- openssl/crypto/rsa/rsa_sign.c 2005/04/26 22:07:17 1.21 +++ openssl/crypto/rsa/rsa_sign.c 2006/09/05 08:25:42 1.21.2.1 @@ -185,6 +185,23 @@ sig=d2i_X509_SIG(NULL,&p,(long)i); if (sig == NULL) goto err; + + /* Excess data can be used to create forgeries */ + if(p != s+i) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + + /* Parameters to the signature algorithm can also be used to + create forgeries */ + if(sig->algor->parameter + && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + sigtype=OBJ_obj2nid(sig->algor->algorithm);