summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDr. Stephen Henson <steve@openssl.org>2014-09-25 23:28:48 +0100
committerDr. Stephen Henson <steve@openssl.org>2014-09-29 12:30:47 +0100
commitad8b2043860e7c02d6f28b5b9a4563b92f027f98 (patch)
treec3fea37bee3fec398c22c078efb9e285e03a9f61
parent7b7aef9bfd1e7e9b449db0c6a54f788d2adcb671 (diff)
Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this will reject any improperly encoded DigestInfo structures. Note: this is a precautionary measure, there is no known attack which can exploit this. Thanks to Brian Smith for reporting this issue. Reviewed-by: Tim Hudson <tjh@openssl.org>
-rw-r--r--CHANGES10
-rw-r--r--crypto/rsa/rsa_sign.c21
2 files changed, 29 insertions, 2 deletions
diff --git a/CHANGES b/CHANGES
index 893a60575d..ecb0b416b3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,15 @@
Changes between 1.0.0n and 1.0.0o [xx XXX xxxx]
- *)
+ *) Add additional DigestInfo checks.
+
+ Reencode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
+
+ Note: this is a precautionary measure and no attacks are currently known.
+
+ [Steve Henson]
Changes between 1.0.0m and 1.0.0n [6 Aug 2014]
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 0be4ec7fb0..e8ae352a3f 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -143,6 +143,25 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
return(ret);
}
+/*
+ * Check DigestInfo structure does not contain extraneous data by reencoding
+ * using DER and checking encoding against original.
+ */
+static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo, int dinfolen)
+ {
+ unsigned char *der = NULL;
+ int derlen;
+ int ret = 0;
+ derlen = i2d_X509_SIG(sig, &der);
+ if (derlen <= 0)
+ return 0;
+ if (derlen == dinfolen && !memcmp(dinfo, der, derlen))
+ ret = 1;
+ OPENSSL_cleanse(der, derlen);
+ OPENSSL_free(der);
+ return ret;
+ }
+
int int_rsa_verify(int dtype, const unsigned char *m,
unsigned int m_len,
unsigned char *rm, size_t *prm_len,
@@ -195,7 +214,7 @@ int int_rsa_verify(int dtype, const unsigned char *m,
if (sig == NULL) goto err;
/* Excess data can be used to create forgeries */
- if(p != s+i)
+ if(p != s+i || !rsa_check_digestinfo(sig, s, i))
{
RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
goto err;