From df20b6e79b97b59a373abf44108fedc6f2d60159 Mon Sep 17 00:00:00 2001
From: "Mark J. Cox" <mark@openssl.org>
Date: Tue, 5 Sep 2006 08:25:42 +0000
Subject: [PATCH] Avoid PKCS #1 v1.5 signature attack discovered by Daniel
 Bleichenbacher (CVE-2006-4339)

Submitted by:  Ben Laurie, Google Security Team
Reviewed by: bmoeller, mjc, shenson
---
 CHANGES               |  6 ++++++
 NEWS                  | 13 +++++++++++--
 crypto/rsa/rsa.h      |  1 +
 crypto/rsa/rsa_eay.c  |  9 +++++++++
 crypto/rsa/rsa_err.c  |  1 +
 crypto/rsa/rsa_sign.c | 17 +++++++++++++++++
 6 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 3cc7910671..50ececbe66 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 0.9.8b and 0.9.8c  [xx XXX xxxx]
 
+  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+     (CVE-2006-4339)  [Ben Laurie and Google Security Team]
+
   *) Add AES IGE and biIGE modes.
      [Ben Laurie]
 
@@ -962,6 +965,9 @@
 
  Changes between 0.9.7j and 0.9.7k  [xx XXX xxxx]
 
+  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+     (CVE-2006-4339)  [Ben Laurie and Google Security Team]
+
   *) Change the Unix randomness entropy gathering to use poll() when
      possible instead of select(), since the latter has some
      undesirable limitations.
diff --git a/NEWS b/NEWS
index 4cdfbf4377..6bda70f39b 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c:
+
+      o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
+      o New cipher Camellia
+
   Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b:
 
       o Cipher string fixes.
@@ -17,7 +22,7 @@
 
   Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
 
-      o Fix potential SSL 2.0 rollback, CAN-2005-2969
+      o Fix potential SSL 2.0 rollback, CVE-2005-2969
       o Extended Windows CE support
 
   Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
@@ -94,6 +99,10 @@
       o Added initial support for Win64.
       o Added alternate pkg-config files.
 
+  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:
+
+      o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
+
   Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
 
       o Visual C++ 2005 fixes.
@@ -105,7 +114,7 @@
 
   Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
 
-      o Fix SSL 2.0 Rollback, CAN-2005-2969
+      o Fix SSL 2.0 Rollback, CVE-2005-2969
       o Allow use of fixed-length exponent on DSA signing
       o Default fixed-window RSA, DSA, DH private-key operations
 
diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h
index d302254bb1..ce6f54ffed 100644
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -412,6 +412,7 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
 #define RSA_R_OAEP_DECODING_ERROR			 121
 #define RSA_R_PADDING_CHECK_FAILED			 114
+#define RSA_R_PKCS1_PADDING_TOO_SHORT			 105
 #define RSA_R_P_NOT_PRIME				 128
 #define RSA_R_Q_NOT_PRIME				 129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 69cabd2716..d6e07a2c5c 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -640,6 +640,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 		{
 	case RSA_PKCS1_PADDING:
 		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+		/* Generally signatures should be at least 2/3 padding, though
+		   this isn't possible for really short keys and some standard
+		   signature schemes, so don't check if the unpadded data is
+		   small. */
+		if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+			{
+			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+			goto err;
+			}
 		break;
 	case RSA_X931_PADDING:
 		r=RSA_padding_check_X931(to,num,buf,i,num);
diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c
index f82b2d6ad9..584adb0205 100644
--- a/crypto/rsa/rsa_err.c
+++ b/crypto/rsa/rsa_err.c
@@ -142,6 +142,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
 {ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
 {ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
 {ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 230ec6d7ea..71aabeea1b 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -185,6 +185,23 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
 		sig=d2i_X509_SIG(NULL,&p,(long)i);
 
 		if (sig == NULL) goto err;
+
+		/* Excess data can be used to create forgeries */
+		if(p != s+i)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
+		/* Parameters to the signature algorithm can also be used to
+		   create forgeries */
+		if(sig->algor->parameter
+		   && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
 		sigtype=OBJ_obj2nid(sig->algor->algorithm);
 
 
-- 
2.40.0