Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher

(CVE-2006-4339) Submitted by: Ben Laurie, Google Security Team Reviewed by: bmoeller, mjc, shenson
author: Mark J. Cox <mark@openssl.org> 2006-09-05 08:58:03 +0000
committer: Mark J. Cox <mark@openssl.org> 2006-09-05 08:58:03 +0000
commit: b79aa05e3babdbab92c6356f6e51f7bb43c41576 (patch)
tree: 1963310ff2983ec5cba1330c9a58b343f6e0b232 /crypto/rsa/rsa_sign.c
parent: 500b5a181df0e8e442e4cbf954213ff886b29df3 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index e5a015d1a6..e1b1714210 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -193,6 +193,23 @@ int int_rsa_verify(int dtype, const unsigned char *m,
 		sig=d2i_X509_SIG(NULL,&p,(long)i);
 
 		if (sig == NULL) goto err;
+
+		/* Excess data can be used to create forgeries */
+		if(p != s+i)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
+		/* Parameters to the signature algorithm can also be used to
+		   create forgeries */
+		if(sig->algor->parameter
+		   && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
+			{
+			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+			goto err;
+			}
+
 		sigtype=OBJ_obj2nid(sig->algor->algorithm);
author	Mark J. Cox <mark@openssl.org>	2006-09-05 08:58:03 +0000
committer	Mark J. Cox <mark@openssl.org>	2006-09-05 08:58:03 +0000
commit	b79aa05e3babdbab92c6356f6e51f7bb43c41576 (patch)
tree	1963310ff2983ec5cba1330c9a58b343f6e0b232 /crypto/rsa/rsa_sign.c
parent	500b5a181df0e8e442e4cbf954213ff886b29df3 (diff)