mirror of
https://github.com/openssl/openssl.git
synced 2025-03-25 20:00:44 +08:00
Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
(CVE-2006-4339) Submitted by: Ben Laurie, Google Security Team Reviewed by: bmoeller, mjc, shenson
This commit is contained in:
parent
500b5a181d
commit
b79aa05e3b
17
CHANGES
17
CHANGES
@ -4,6 +4,9 @@
|
||||
|
||||
Changes between 0.9.8b and 0.9.9 [xx XXX xxxx]
|
||||
|
||||
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
|
||||
(CVE-2006-4339) [Ben Laurie and Google Security Team]
|
||||
|
||||
*) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
|
||||
Modify get_crl() to find a valid (unexpired) CRL if possible.
|
||||
[Steve Henson]
|
||||
@ -377,7 +380,12 @@
|
||||
*) Change 'Configure' script to enable Camellia by default.
|
||||
[NTT]
|
||||
|
||||
Changes between 0.9.8b and 0.9.8c [xx XXX xxxx]
|
||||
Changes between 0.9.8c and 0.9.8d [xx XXX xxxx]
|
||||
|
||||
Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
|
||||
|
||||
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
|
||||
(CVE-2006-4339) [Ben Laurie and Google Security Team]
|
||||
|
||||
*) Add AES IGE and biIGE modes.
|
||||
[Ben Laurie]
|
||||
@ -1335,7 +1343,12 @@
|
||||
differing sizes.
|
||||
[Richard Levitte]
|
||||
|
||||
Changes between 0.9.7j and 0.9.7k [xx XXX xxxx]
|
||||
Changes between 0.9.7k and 0.9.7l [xx XXX xxxx]
|
||||
|
||||
Changes between 0.9.7j and 0.9.7k [05 Sep 2006]
|
||||
|
||||
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
|
||||
(CVE-2006-4339) [Ben Laurie and Google Security Team]
|
||||
|
||||
*) Change the Unix randomness entropy gathering to use poll() when
|
||||
possible instead of select(), since the latter has some
|
||||
|
2
NEWS
2
NEWS
@ -7,7 +7,7 @@
|
||||
|
||||
Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
|
||||
|
||||
o Fix potential SSL 2.0 rollback, CAN-2005-2969
|
||||
o Fix potential SSL 2.0 rollback, CVE-2005-2969
|
||||
o Extended Windows CE support
|
||||
|
||||
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
|
||||
|
@ -457,6 +457,7 @@ void ERR_load_RSA_strings(void);
|
||||
#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
|
||||
#define RSA_R_OAEP_DECODING_ERROR 121
|
||||
#define RSA_R_PADDING_CHECK_FAILED 114
|
||||
#define RSA_R_PKCS1_PADDING_TOO_SHORT 105
|
||||
#define RSA_R_P_NOT_PRIME 128
|
||||
#define RSA_R_Q_NOT_PRIME 129
|
||||
#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
|
||||
|
@ -640,6 +640,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
|
||||
{
|
||||
case RSA_PKCS1_PADDING:
|
||||
r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
|
||||
/* Generally signatures should be at least 2/3 padding, though
|
||||
this isn't possible for really short keys and some standard
|
||||
signature schemes, so don't check if the unpadded data is
|
||||
small. */
|
||||
if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
|
||||
goto err;
|
||||
}
|
||||
break;
|
||||
case RSA_X931_PADDING:
|
||||
r=RSA_padding_check_X931(to,num,buf,i,num);
|
||||
|
@ -160,6 +160,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
|
||||
{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
|
||||
{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
|
||||
{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
|
||||
{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
|
||||
{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
|
||||
{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
|
||||
{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
|
||||
|
@ -193,6 +193,23 @@ int int_rsa_verify(int dtype, const unsigned char *m,
|
||||
sig=d2i_X509_SIG(NULL,&p,(long)i);
|
||||
|
||||
if (sig == NULL) goto err;
|
||||
|
||||
/* Excess data can be used to create forgeries */
|
||||
if(p != s+i)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Parameters to the signature algorithm can also be used to
|
||||
create forgeries */
|
||||
if(sig->algor->parameter
|
||||
&& ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
sigtype=OBJ_obj2nid(sig->algor->algorithm);
|
||||
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user