xml-security-c fix for etch (1.2.1)

[Russ Allbery]

I believe this is the corresponding security fix for etch, which has
xml-security-c 1.2.1.  It looks like some functions were moved into a more
generic class that had more class variables in later versions, but the
same code still seemed to be present.

I'd appreciate additional eyes on this, since I can't easily test that the
fix accomplishes what it's supposed to.  I'm not sure how to run the test
suite successfully, which would help.

diff --git a/src/dsig/DSIGSignature.cpp b/src/dsig/DSIGSignature.cpp
index 2a32474..c23c9cc 100644
--- a/src/dsig/DSIGSignature.cpp
+++ b/src/dsig/DSIGSignature.cpp
@@ -993,6 +993,14 @@ bool DSIGSignature::verifySignatureOnlyInternal(void) {
 
 	}
 
+	// FIX: CVE-2009-0217
+
+	if (mp_signedInfo == NULL
+            || (mp_signedInfo->getHMACOutputLength() > 0 && mp_signedInfo->getHMACOutputLength() < 80)) {
+		throw XSECException(XSECException::SigVfyError,
+				    "DSIGSignature::verify() - HMACOutputLength is unsafe");
+	}
+
 	// Try to find a key
 	if (mp_signingKey == NULL) {
 
@@ -1023,6 +1031,7 @@ bool DSIGSignature::verifySignatureOnlyInternal(void) {
 
 	// Now set up to verify
 	bool sigVfyRet = false;
+	unsigned int outputLength = mp_signedInfo->getHMACOutputLength();
 
 	switch (mp_signingKey->getKeyType()) {
 
@@ -1074,10 +1083,17 @@ bool DSIGSignature::verifySignatureOnlyInternal(void) {
 	case (XSECCryptoKey::KEY_HMAC) :
 
 		// Already done - just compare calculated value with read value
+
+		// FIX: CVE-2009-0217
+		if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) {
+			throw XSECException(XSECException::SigVfyError,
+					    "HMACOutputLength set to unsafe value.");
+		}
+
 		sigVfyRet = compareBase64StringToRaw(m_signatureValueSB, 
 			hash, 
 			hashLen,
-			mp_signedInfo->getHMACOutputLength());
+			outputLength);
 		if (!sigVfyRet)
 			m_errStr.sbXMLChCat("HMAC Validation of <SignedInfo> failed");
 
@@ -1174,6 +1190,7 @@ void DSIGSignature::sign(void) {
 	char b64Buf[1024];
 	unsigned int b64Len;
 	safeBuffer b64SB;
+	unsigned int outputLength = mp_signedInfo->getHMACOutputLength();
 	
 	switch (mp_signingKey->getKeyType()) {
 
@@ -1249,11 +1266,17 @@ void DSIGSignature::sign(void) {
 		}
 
 		// Signature already created, so just translate to base 64 and enter string
+
+		// FIX: CVE-2009-0217
+		if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) {
+			throw XSECException(XSECException::SigningError,
+					    "HMACOutputLength set to unsafe value.");
+		}
 		
 		convertRawToBase64String(b64SB, 
 								hash, 
 								hashLen, 
-								mp_signedInfo->getHMACOutputLength());
+								outputLength);
 		
 		strncpy(b64Buf, (char *) b64SB.rawBuffer(), 1024);
 		break;


-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>