diff options
| author | jp161948 <none@none> | 2006-09-11 09:53:10 -0700 |
|---|---|---|
| committer | jp161948 <none@none> | 2006-09-11 09:53:10 -0700 |
| commit | b52e6db712bfb5196fe24c8bf5e6b82e3fd7f993 (patch) | |
| tree | 53864f8e3def610a7f1b188dcdb8b671640d2fdf /usr/src | |
| parent | d19d822796ad55c5dba63d1edee11792d6465eb7 (diff) | |
| download | illumos-joyent-b52e6db712bfb5196fe24c8bf5e6b82e3fd7f993.tar.gz | |
6467218 fix RSA signature forgery (CVE-2006-4339)
Diffstat (limited to 'usr/src')
| -rw-r--r-- | usr/src/common/openssl/crypto/rsa/rsa.h | 1 | ||||
| -rw-r--r-- | usr/src/common/openssl/crypto/rsa/rsa_eay.c | 9 | ||||
| -rw-r--r-- | usr/src/common/openssl/crypto/rsa/rsa_err.c | 1 | ||||
| -rw-r--r-- | usr/src/common/openssl/crypto/rsa/rsa_sign.c | 17 |
4 files changed, 28 insertions, 0 deletions
diff --git a/usr/src/common/openssl/crypto/rsa/rsa.h b/usr/src/common/openssl/crypto/rsa/rsa.h index a1ca34760c..baf8bc51e3 100644 --- a/usr/src/common/openssl/crypto/rsa/rsa.h +++ b/usr/src/common/openssl/crypto/rsa/rsa.h @@ -413,6 +413,7 @@ void ERR_load_RSA_strings(void); #define RSA_R_OAEP_DECODING_ERROR 121 #define RSA_R_SLEN_RECOVERY_FAILED 135 #define RSA_R_PADDING_CHECK_FAILED 114 +#define RSA_R_PKCS1_PADDING_TOO_SHORT 105 #define RSA_R_P_NOT_PRIME 128 #define RSA_R_Q_NOT_PRIME 129 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130 diff --git a/usr/src/common/openssl/crypto/rsa/rsa_eay.c b/usr/src/common/openssl/crypto/rsa/rsa_eay.c index 56da944845..306a1fea21 100644 --- a/usr/src/common/openssl/crypto/rsa/rsa_eay.c +++ b/usr/src/common/openssl/crypto/rsa/rsa_eay.c @@ -617,6 +617,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, { case RSA_PKCS1_PADDING: r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num); + /* Generally signatures should be at least 2/3 padding, though + this isn't possible for really short keys and some standard + signature schemes, so don't check if the unpadded data is + small. */ + if(r > 42 && 3*8*r >= BN_num_bits(rsa->n)) + { + RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT); + goto err; + } break; case RSA_X931_PADDING: r=RSA_padding_check_X931(to,num,buf,i,num); diff --git a/usr/src/common/openssl/crypto/rsa/rsa_err.c b/usr/src/common/openssl/crypto/rsa/rsa_err.c index cfb1e908aa..dfb0816c8a 100644 --- a/usr/src/common/openssl/crypto/rsa/rsa_err.c +++ b/usr/src/common/openssl/crypto/rsa/rsa_err.c @@ -143,6 +143,7 @@ static ERR_STRING_DATA RSA_str_reasons[]= {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"}, {ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"}, +{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"}, {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"}, {ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"}, {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"}, diff --git a/usr/src/common/openssl/crypto/rsa/rsa_sign.c b/usr/src/common/openssl/crypto/rsa/rsa_sign.c index 230ec6d7ea..71aabeea1b 100644 --- a/usr/src/common/openssl/crypto/rsa/rsa_sign.c +++ b/usr/src/common/openssl/crypto/rsa/rsa_sign.c @@ -185,6 +185,23 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, sig=d2i_X509_SIG(NULL,&p,(long)i); if (sig == NULL) goto err; + + /* Excess data can be used to create forgeries */ + if(p != s+i) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + + /* Parameters to the signature algorithm can also be used to + create forgeries */ + if(sig->algor->parameter + && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) + { + RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); + goto err; + } + sigtype=OBJ_obj2nid(sig->algor->algorithm); |