From 1cfd255c9123cdb4637cc9a65c6665fe4a06c6d5 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 25 Sep 2014 23:28:48 +0100 Subject: [PATCH] Add additional DigestInfo checks. Reencode DigestInto in DER and check against the original: this will reject any improperly encoded DigestInfo structures. Note: this is a precautionary measure, there is no known attack which can exploit this. Thanks to Brian Smith for reporting this issue. Reviewed-by: Tim Hudson --- CHANGES | 10 ++++++++++ crypto/rsa/rsa_sign.c | 21 ++++++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 845b6be560..19c9f9c519 100644 --- a/CHANGES +++ b/CHANGES @@ -627,6 +627,16 @@ Changes between 1.0.1g and 1.0.1h [5 Jun 2014] + *) Add additional DigestInfo checks. + + Reencode DigestInto in DER and check against the original: this + will reject any improperly encoded DigestInfo structures. + + Note: this is a precautionary measure OpenSSL and no attacks + are currently known. + + [Steve Henson] + *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index fa3239ab30..748292550d 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -143,6 +143,25 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, return(ret); } +/* + * Check DigestInfo structure does not contain extraneous data by reencoding + * using DER and checking encoding against original. + */ +static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo, int dinfolen) + { + unsigned char *der = NULL; + int derlen; + int ret = 0; + derlen = i2d_X509_SIG(sig, &der); + if (derlen <= 0) + return 0; + if (derlen == dinfolen && !memcmp(dinfo, der, derlen)) + ret = 1; + OPENSSL_cleanse(der, derlen); + OPENSSL_free(der); + return ret; + } + int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len, unsigned char *rm, size_t *prm_len, @@ -211,7 +230,7 @@ int int_rsa_verify(int dtype, const unsigned char *m, if (sig == NULL) goto err; /* Excess data can be used to create forgeries */ - if(p != s+i) + if(p != s+i || !rsa_check_digestinfo(sig, s, i)) { RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); goto err; -- 2.25.1