diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2014-09-29 12:16:13 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2014-09-29 12:31:29 +0100 |
| commit | 5a7fc89394bb11dc8ac578d23d77762d2d58fff2 (patch) | |
| tree | a6a17746b05b34d6ad4e629ca8388d63efb28502 | |
| parent | 116fd3732a873976aeb0baff401c8f618171e6bb (diff) | |
Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.
Note: this is a precautionary measure, there is no known attack
which can exploit this.
Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
| -rw-r--r-- | CHANGES | 10 | ||||
| -rw-r--r-- | crypto/rsa/rsa_sign.c | 21 |
2 files changed, 29 insertions, 2 deletions
@@ -4,7 +4,15 @@ Changes between 0.9.8zb and 0.9.8zc [xx XXX xxxx] - *) + *) Add additional DigestInfo checks. + + Reencode DigestInto in DER and check against the original when + verifying RSA signature: this will reject any improperly encoded + DigestInfo structures. + + Note: this is a precautionary measure and no attacks are currently known. + + [Steve Henson] Changes between 0.9.8za and 0.9.8zb [6 Aug 2014] diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 743dfd7650..de6ceeb0be 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -155,6 +155,25 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, return(ret); } +/* + * Check DigestInfo structure does not contain extraneous data by reencoding + * using DER and checking encoding against original. + */ +static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo, int dinfolen) + { + unsigned char *der = NULL; + int derlen; + int ret = 0; + derlen = i2d_X509_SIG(sig, &der); + if (derlen <= 0) + return 0; + if (derlen == dinfolen && !memcmp(dinfo, der, derlen)) + ret = 1; + OPENSSL_cleanse(der, derlen); + OPENSSL_free(der); + return ret; + } + int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, RSA *rsa) { @@ -215,7 +234,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, if (sig == NULL) goto err; /* Excess data can be used to create forgeries */ - if(p != s+i) + if(p != s+i || !rsa_check_digestinfo(sig, s, i)) { RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); goto err; |