Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (df20b6e7) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+6 −0

Original line number	Diff line number	Diff line
		@@ -4,6 +4,9 @@

		Changes between 0.9.8b and 0.9.8c [xx XXX xxxx]

		*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
		(CVE-2006-4339) [Ben Laurie and Google Security Team]

		*) Add AES IGE and biIGE modes.
		[Ben Laurie]

		@@ -962,6 +965,9 @@

		Changes between 0.9.7j and 0.9.7k [xx XXX xxxx]

		*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
		(CVE-2006-4339) [Ben Laurie and Google Security Team]

		*) Change the Unix randomness entropy gathering to use poll() when
		possible instead of select(), since the latter has some
		undesirable limitations.

+11 −2

Original line number	Diff line number	Diff line
		@@ -5,6 +5,11 @@
		This file gives a brief overview of the major changes between each OpenSSL
		release. For more details please read the CHANGES file.

		Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c:

		o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
		o New cipher Camellia

		Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b:

		o Cipher string fixes.
		@@ -17,7 +22,7 @@

		Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:

		o Fix potential SSL 2.0 rollback, CAN-2005-2969
		o Fix potential SSL 2.0 rollback, CVE-2005-2969
		o Extended Windows CE support

		Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
		@@ -94,6 +99,10 @@
		o Added initial support for Win64.
		o Added alternate pkg-config files.

		Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:

		o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339

		Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:

		o Visual C++ 2005 fixes.
		@@ -105,7 +114,7 @@

		Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:

		o Fix SSL 2.0 Rollback, CAN-2005-2969
		o Fix SSL 2.0 Rollback, CVE-2005-2969
		o Allow use of fixed-length exponent on DSA signing
		o Default fixed-window RSA, DSA, DH private-key operations

+1 −0

Original line number	Diff line number	Diff line
		@@ -412,6 +412,7 @@ void ERR_load_RSA_strings(void);
		#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
		#define RSA_R_OAEP_DECODING_ERROR 121
		#define RSA_R_PADDING_CHECK_FAILED 114
		#define RSA_R_PKCS1_PADDING_TOO_SHORT 105
		#define RSA_R_P_NOT_PRIME 128
		#define RSA_R_Q_NOT_PRIME 129
		#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130

+9 −0

Original line number	Diff line number	Diff line
		@@ -640,6 +640,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
		{
		case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		/* Generally signatures should be at least 2/3 padding, though
		this isn't possible for really short keys and some standard
		signature schemes, so don't check if the unpadded data is
		small. */
		if(r > 42 && 38r >= BN_num_bits(rsa->n))
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
		goto err;
		}
		break;
		case RSA_X931_PADDING:
		r=RSA_padding_check_X931(to,num,buf,i,num);

+1 −0

Original line number	Diff line number	Diff line
		@@ -142,6 +142,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
		{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
		{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
		{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
		{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
		{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
		{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
		{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},