From: Mark J. Cox Date: Tue, 5 Sep 2006 08:24:14 +0000 (+0000) Subject: Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher X-Git-Tag: OpenSSL_0_9_7k~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ffa0407233f88a6592828cf668d80f8d9c1242d8;p=openssl Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (CVE-2006-4339) [Ben Laurie and Google Security Team] Submitted by: Ben Laurie, Google Security Team Reviewed by: bmoeller, mjc, shenson --- diff --git a/CHANGES b/CHANGES index f2d42a2847..9638eee0cf 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 0.9.7j and 0.9.7k [xx XXX xxxx] + *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher + (CVE-2006-4339) [Ben Laurie and Google Security Team] + *) Change the Unix randomness entropy gathering to use poll() when possible instead of select(), since the latter has some undesirable limitations. diff --git a/NEWS b/NEWS index 49b443ed4d..04c7b10b96 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k: + + o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 + Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j: o Update Windows build system for FIPS. @@ -15,7 +19,7 @@ Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h: - o Fix SSL 2.0 Rollback, CAN-2005-2969 + o Fix SSL 2.0 Rollback, CVE-2005-2969 o Allow use of fixed-length exponent on DSA signing o Default fixed-window RSA, DSA, DH private-key operations diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h index 0b639cd37f..2ebf1ea41e 100644 --- a/crypto/rsa/rsa.h +++ b/crypto/rsa/rsa.h @@ -390,6 +390,7 @@ void ERR_load_RSA_strings(void); #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 #define RSA_R_OAEP_DECODING_ERROR 121 #define RSA_R_PADDING_CHECK_FAILED 114 +#define RSA_R_PKCS1_PADDING_TOO_SHORT 105 #define RSA_R_P_NOT_PRIME 128 #define RSA_R_Q_NOT_PRIME 129 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 021b92f9d0..eea7d2e049 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -651,6 +651,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, { case RSA_PKCS1_PADDING: r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); + /* Generally signatures should be at least 2/3 padding, though + this isn't possible for really short keys and some standard + signature schemes, so don't check if the unpadded data is + small. */ + if(r > 42 && 3*8*r >= BN_num_bits(rsa->n)) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT); + goto err; + } break; case RSA_NO_PADDING: r=RSA_padding_check_none(to,num,buf,i,num); diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c index 2ec4b30ff7..7a2fe52f21 100644 --- a/crypto/rsa/rsa_err.c +++ b/crypto/rsa/rsa_err.c @@ -134,6 +134,7 @@ static ERR_STRING_DATA RSA_str_reasons[]= {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, {ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, +{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"}, {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, {ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"}, {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"}, diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index cee09eccb1..db86f1ac58 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -185,6 +185,23 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, sig=d2i_X509_SIG(NULL,&p,(long)i); if (sig == NULL) goto err; + + /* Excess data can be used to create forgeries */ + if(p != s+i) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + + /* Parameters to the signature algorithm can also be used to + create forgeries */ + if(sig->algor->parameter + && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + sigtype=OBJ_obj2nid(sig->algor->algorithm);