[Pkg-openssl-changes] r160 - in openssl/branches/openssl0.9.7: crypto/rsa debian

[Kurt Roeckx]

Author: kroeckx
Date: 2006-09-05 20:01:08 +0000 (Tue, 05 Sep 2006)
New Revision: 160

Modified:
   openssl/branches/openssl0.9.7/crypto/rsa/rsa.h
   openssl/branches/openssl0.9.7/crypto/rsa/rsa_eay.c
   openssl/branches/openssl0.9.7/crypto/rsa/rsa_err.c
   openssl/branches/openssl0.9.7/crypto/rsa/rsa_sign.c
   openssl/branches/openssl0.9.7/debian/changelog
Log:
Fix RSA Signature Forgery (CVE-2006-4339) using patch provided by upstream.


Modified: openssl/branches/openssl0.9.7/crypto/rsa/rsa.h
===================================================================
--- openssl/branches/openssl0.9.7/crypto/rsa/rsa.h	2006-09-05 19:58:24 UTC (rev 159)
+++ openssl/branches/openssl0.9.7/crypto/rsa/rsa.h	2006-09-05 20:01:08 UTC (rev 160)
@@ -391,6 +391,7 @@
 #define RSA_R_OAEP_DECODING_ERROR			 121
 #define RSA_R_SLEN_RECOVERY_FAILED			 135
 #define RSA_R_PADDING_CHECK_FAILED			 114
+#define RSA_R_PKCS1_PADDING_TOO_SHORT			 105
 #define RSA_R_P_NOT_PRIME				 128
 #define RSA_R_Q_NOT_PRIME				 129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130

Modified: openssl/branches/openssl0.9.7/crypto/rsa/rsa_eay.c
===================================================================
--- openssl/branches/openssl0.9.7/crypto/rsa/rsa_eay.c	2006-09-05 19:58:24 UTC (rev 159)
+++ openssl/branches/openssl0.9.7/crypto/rsa/rsa_eay.c	2006-09-05 20:01:08 UTC (rev 160)
@@ -627,6 +627,15 @@
 		{
 	case RSA_PKCS1_PADDING:
 		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+		/* Generally signatures should be at least 2/3 padding, though
+		   this isn't possible for really short keys and some standard
+		   signature schemes, so don't check if the unpadded data is
+		   small. */
+		if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+			{
+			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+			goto err;
+			}
 		break;
 	case RSA_NO_PADDING:
 		r=RSA_padding_check_none(to,num,buf,i,num);

Modified: openssl/branches/openssl0.9.7/crypto/rsa/rsa_err.c
===================================================================
--- openssl/branches/openssl0.9.7/crypto/rsa/rsa_err.c	2006-09-05 19:58:24 UTC (rev 159)
+++ openssl/branches/openssl0.9.7/crypto/rsa/rsa_err.c	2006-09-05 20:01:08 UTC (rev 160)
@@ -134,6 +134,7 @@
 {ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
 {ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED)  ,"salt length recovery failed"},
 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
 {ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
 {ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},

Modified: openssl/branches/openssl0.9.7/crypto/rsa/rsa_sign.c
===================================================================
--- openssl/branches/openssl0.9.7/crypto/rsa/rsa_sign.c	2006-09-05 19:58:24 UTC (rev 159)
+++ openssl/branches/openssl0.9.7/crypto/rsa/rsa_sign.c	2006-09-05 20:01:08 UTC (rev 160)
@@ -185,6 +185,23 @@
 		sig=d2i_X509_SIG(NULL,&p,(long)i);
 
 		if (sig == NULL) goto err;
+
+		/* Excess data can be used to create forgeries */
+		if(p != s+i)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
+		/* Parameters to the signature algorithm can also be used to
+		   create forgeries */
+		if(sig->algor->parameter
+		   && sig->algor->parameter->type != V_ASN1_NULL)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
 		sigtype=OBJ_obj2nid(sig->algor->algorithm);
 
 

Modified: openssl/branches/openssl0.9.7/debian/changelog
===================================================================
--- openssl/branches/openssl0.9.7/debian/changelog	2006-09-05 19:58:24 UTC (rev 159)
+++ openssl/branches/openssl0.9.7/debian/changelog	2006-09-05 20:01:08 UTC (rev 160)
@@ -1,3 +1,10 @@
+openssl097 (0.9.7i-2) unstable; urgency=high
+
+  * Fix RSA Signature Forgery (CVE-2006-4339) using patch provided
+    by upstream.
+
+ -- Kurt Roeckx <kurt at roeckx.be>  Tue,  5 Sep 2006 19:59:47 +0000
+
 openssl097 (0.9.7i-1) unstable; urgency=high
 
   * New upstream release