Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (b79aa05e) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+15 −2

Original line number	Diff line number	Diff line
		@@ -4,6 +4,9 @@

		Changes between 0.9.8b and 0.9.9 [xx XXX xxxx]

		*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
		(CVE-2006-4339) [Ben Laurie and Google Security Team]

		*) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
		Modify get_crl() to find a valid (unexpired) CRL if possible.
		[Steve Henson]
		@@ -377,7 +380,12 @@
		*) Change 'Configure' script to enable Camellia by default.
		[NTT]

		Changes between 0.9.8b and 0.9.8c [xx XXX xxxx]
		Changes between 0.9.8c and 0.9.8d [xx XXX xxxx]

		Changes between 0.9.8b and 0.9.8c [05 Sep 2006]

		*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
		(CVE-2006-4339) [Ben Laurie and Google Security Team]

		*) Add AES IGE and biIGE modes.
		[Ben Laurie]
		@@ -1335,7 +1343,12 @@
		differing sizes.
		[Richard Levitte]

		Changes between 0.9.7j and 0.9.7k [xx XXX xxxx]
		Changes between 0.9.7k and 0.9.7l [xx XXX xxxx]

		Changes between 0.9.7j and 0.9.7k [05 Sep 2006]

		*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
		(CVE-2006-4339) [Ben Laurie and Google Security Team]

		*) Change the Unix randomness entropy gathering to use poll() when
		possible instead of select(), since the latter has some

+1 −1

Original line number	Diff line number	Diff line
		@@ -7,7 +7,7 @@

		Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:

		o Fix potential SSL 2.0 rollback, CAN-2005-2969
		o Fix potential SSL 2.0 rollback, CVE-2005-2969
		o Extended Windows CE support

		Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:

+1 −0

Original line number	Diff line number	Diff line
		@@ -457,6 +457,7 @@ void ERR_load_RSA_strings(void);
		#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
		#define RSA_R_OAEP_DECODING_ERROR 121
		#define RSA_R_PADDING_CHECK_FAILED 114
		#define RSA_R_PKCS1_PADDING_TOO_SHORT 105
		#define RSA_R_P_NOT_PRIME 128
		#define RSA_R_Q_NOT_PRIME 129
		#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130

+9 −0

Original line number	Diff line number	Diff line
		@@ -640,6 +640,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
		{
		case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		/* Generally signatures should be at least 2/3 padding, though
		this isn't possible for really short keys and some standard
		signature schemes, so don't check if the unpadded data is
		small. */
		if(r > 42 && 38r >= BN_num_bits(rsa->n))
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
		goto err;
		}
		break;
		case RSA_X931_PADDING:
		r=RSA_padding_check_X931(to,num,buf,i,num);

+1 −0

Original line number	Diff line number	Diff line
		@@ -160,6 +160,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
		{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
		{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
		{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
		{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
		{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
		{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
		{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},