Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher

(CVE-2006-4339)

Submitted by: Ben Laurie, Google Security Team
Reviewed by: bmoeller, mjc, shenson

diff --git a/CHANGES b/CHANGES
index 36f46eb159ed9c473baf8e44783edad27c6acee6..639b2323fc0d7af4be887999bc9f879d674b1d27 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 0.9.8b and 0.9.9  [xx XXX xxxx]
 
+  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+     (CVE-2006-4339)  [Ben Laurie and Google Security Team]
+
   *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
      Modify get_crl() to find a valid (unexpired) CRL if possible.
      [Steve Henson]
@@ -377,7 +380,12 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
- Changes between 0.9.8b and 0.9.8c  [xx XXX xxxx]
+ Changes between 0.9.8c and 0.9.8d  [xx XXX xxxx]
+
+ Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
+
+  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+     (CVE-2006-4339)  [Ben Laurie and Google Security Team]
 
   *) Add AES IGE and biIGE modes.
      [Ben Laurie]
@@ -1335,7 +1343,12 @@
      differing sizes.
      [Richard Levitte]
 
- Changes between 0.9.7j and 0.9.7k  [xx XXX xxxx]
+ Changes between 0.9.7k and 0.9.7l  [xx XXX xxxx]
+
+ Changes between 0.9.7j and 0.9.7k  [05 Sep 2006]
+
+  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+     (CVE-2006-4339)  [Ben Laurie and Google Security Team]
 
   *) Change the Unix randomness entropy gathering to use poll() when
      possible instead of select(), since the latter has some

diff --git a/NEWS b/NEWS
index bbb29ee9eb21a272a7ef233003ee64121aa0dc88..0937c96ff91f47fb86ad3348d0cb907581f1884c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
 
   Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
 
-      o Fix potential SSL 2.0 rollback, CAN-2005-2969
+      o Fix potential SSL 2.0 rollback, CVE-2005-2969
       o Extended Windows CE support
 
   Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:

diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h
index 31f3792a4cf2c457fa1fcc099b5f136d588dacf2..c8b6a814a0983dc3ccd34a0a958483ce25a886c4 100644 (file)
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -457,6 +457,7 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q                      127
 #define RSA_R_OAEP_DECODING_ERROR                       121
 #define RSA_R_PADDING_CHECK_FAILED                      114
+#define RSA_R_PKCS1_PADDING_TOO_SHORT                   105
 #define RSA_R_P_NOT_PRIME                               128
 #define RSA_R_Q_NOT_PRIME                               129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED              130

diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index c6ceaee6e731689448c0d9c1ab35a43b2887b929..863a45a9758523056158ebf15fcb86e43ddce7e5 100644 (file)
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -640,6 +640,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                {
        case RSA_PKCS1_PADDING:
                r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+               /* Generally signatures should be at least 2/3 padding, though
+                  this isn't possible for really short keys and some standard
+                  signature schemes, so don't check if the unpadded data is
+                  small. */
+               if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+                       {
+                       RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+                       goto err;
+                       }
                break;
        case RSA_X931_PADDING:
                r=RSA_padding_check_X931(to,num,buf,i,num);

diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c
index 163b143a73c3e478a9f454d9de68fdd774da1a67..1a7f8b77196ac8e8373520e77edb1945f2210585 100644 (file)
--- a/crypto/rsa/rsa_err.c
+++ b/crypto/rsa/rsa_err.c
@@ -160,6 +160,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
 {ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
 {ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
 {ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},

diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index e5a015d1a66efea4c19a064b6198b9927e7e2200..e1b1714210f122d2fc9d84a3daa00d2d80721cce 100644 (file)
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -193,6 +193,23 @@ int int_rsa_verify(int dtype, const unsigned char *m,
                sig=d2i_X509_SIG(NULL,&p,(long)i);
 
                if (sig == NULL) goto err;
+
+               /* Excess data can be used to create forgeries */
+               if(p != s+i)
+                       {
+                       RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+                       goto err;
+                       }
+
+               /* Parameters to the signature algorithm can also be used to
+                  create forgeries */
+               if(sig->algor->parameter
+                  && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
+                       {
+                       RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+                       goto err;
+                       }
+
                sigtype=OBJ_obj2nid(sig->algor->algorithm);