Commit 55614f89 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Add additional DigestInfo checks.



Reencode DigestInfo in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
parent b1620443
+9 −1
@@ -4,7 +4,15 @@

 Changes between 1.0.1i and 1.0.1j [xx XXX xxxx]

  *)
  *) Add additional DigestInfo checks.
 
     Reencode DigestInto in DER and check against the original when
     verifying RSA signature: this will reject any improperly encoded
     DigestInfo structures.

     Note: this is a precautionary measure and no attacks are currently known.

     [Steve Henson]

 Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

+20 −1
@@ -151,6 +151,25 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
	return(ret);
	}

/*
 * Check DigestInfo structure does not contain extraneous data by reencoding
 * using DER and checking encoding against original. 
 */
static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo, int dinfolen)
	{
	unsigned char *der = NULL;
	int derlen;
	int ret = 0;
	derlen = i2d_X509_SIG(sig, &der);
	if (derlen <= 0)
		return 0;
	if (derlen == dinfolen && !memcmp(dinfo, der, derlen))
		ret = 1;
	OPENSSL_cleanse(der, derlen);
	OPENSSL_free(der);
	return ret;
	}

int int_rsa_verify(int dtype, const unsigned char *m,
			  unsigned int m_len,
			  unsigned char *rm, size_t *prm_len,
@@ -228,7 +247,7 @@ int int_rsa_verify(int dtype, const unsigned char *m,
		if (sig == NULL) goto err;

		/* Excess data can be used to create forgeries */
		if(p != s+i)
		if(p != s+i || !rsa_check_digestinfo(sig, s, i))
			{
			RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
			goto err;
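Review bot: The comment above the changed `if` in int_rsa_verify still reads "Excess data can be used to create forgeries", but the condition now also rejects any DigestInfo whose DER re-encoding differs from the decrypted bytes. I would reword it to `/* Reject trailing data and any DigestInfo that is not byte-identical to its DER re-encoding */` so the second half of the test is not read as redundant and dropped later. The header comment on rsa_check_digestinfo should also state the return contract: 1 only when `derlen == dinfolen` and the bytes match, 0 otherwise. That includes the case where `i2d_X509_SIG` returns `<= 0`, which fails closed and reaches the caller as `RSA_R_BAD_SIGNATURE`, so an encoding or allocation failure looks the same as a malformed signature. The body of int_rsa_verify starts and ends outside this hunk, so this is based only on the lines shown.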