Commit 1cfd255c authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Add additional DigestInfo checks.



Reencode DigestInfo in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
parent 3d81ec5b
+10 −0
@@ -627,6 +627,16 @@

 Changes between 1.0.1g and 1.0.1h [5 Jun 2014]

  *) Add additional DigestInfo checks.
 
     Reencode DigestInto in DER and check against the original: this
     will reject any improperly encoded DigestInfo structures.

     Note: this is a precautionary measure OpenSSL and no attacks
     are currently known.

     [Steve Henson]

  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
     handshake can force the use of weak keying material in OpenSSL
     SSL/TLS clients and servers.
+20 −1
@@ -143,6 +143,25 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
	return(ret);
	}

/*
 * Check DigestInfo structure does not contain extraneous data by reencoding
 * using DER and checking encoding against original. 
 */
static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo, int dinfolen)
	{
	unsigned char *der = NULL;
	int derlen;
	int ret = 0;
	derlen = i2d_X509_SIG(sig, &der);
	if (derlen <= 0)
		return 0;
	if (derlen == dinfolen && !memcmp(dinfo, der, derlen))
		ret = 1;
	OPENSSL_cleanse(der, derlen);
	OPENSSL_free(der);
	return ret;
	}

int int_rsa_verify(int dtype, const unsigned char *m,
			  unsigned int m_len,
			  unsigned char *rm, size_t *prm_len,
@@ -211,7 +230,7 @@ int int_rsa_verify(int dtype, const unsigned char *m,
		if (sig == NULL) goto err;

		/* Excess data can be used to create forgeries */
		if(p != s+i)
		if(p != s+i || !rsa_check_digestinfo(sig, s, i))
			{
			RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
			goto err;
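Review bot: The new rsa_check_digestinfo in the first hunk states what it compares but not its return contract, so a reader of `!rsa_check_digestinfo(sig, s, i)` in the second hunk has to work out that 0 covers both a genuine encoding mismatch and a failed i2d_X509_SIG. I would extend the header comment with `Returns 1 if the DER re-encoding of sig is byte-identical to the dinfolen bytes at dinfo, 0 on mismatch or if re-encoding fails; the caller treats 0 as RSA_R_BAD_SIGNATURE.` The early `return 0` on `derlen <= 0` skips the free, which is fine as far as I know because i2d_* only allocates into *der on success, but a one-line comment such as `/* i2d allocates *der only on success, nothing to free here */` would stop the next reader from flagging it as a leak. int_rsa_verify and its err: label lie outside the second hunk.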