Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher (ffa04072) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

CHANGES

+3 −0

Original line number	Diff line number	Diff line
		@@ -4,6 +4,9 @@

		Changes between 0.9.7j and 0.9.7k [xx XXX xxxx]

		*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
		(CVE-2006-4339) [Ben Laurie and Google Security Team]

		*) Change the Unix randomness entropy gathering to use poll() when
		possible instead of select(), since the latter has some
		undesirable limitations.

+5 −1

Original line number	Diff line number	Diff line
		@@ -5,6 +5,10 @@
		This file gives a brief overview of the major changes between each OpenSSL
		release. For more details please read the CHANGES file.

		Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:

		o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339

		Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:

		o Update Windows build system for FIPS.
		@@ -15,7 +19,7 @@

		Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:

		o Fix SSL 2.0 Rollback, CAN-2005-2969
		o Fix SSL 2.0 Rollback, CVE-2005-2969
		o Allow use of fixed-length exponent on DSA signing
		o Default fixed-window RSA, DSA, DH private-key operations

+1 −0

Original line number	Diff line number	Diff line
		@@ -390,6 +390,7 @@ void ERR_load_RSA_strings(void);
		#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
		#define RSA_R_OAEP_DECODING_ERROR 121
		#define RSA_R_PADDING_CHECK_FAILED 114
		#define RSA_R_PKCS1_PADDING_TOO_SHORT 105
		#define RSA_R_P_NOT_PRIME 128
		#define RSA_R_Q_NOT_PRIME 129
		#define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130

+9 −0

Original line number	Diff line number	Diff line
		@@ -651,6 +651,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
		{
		case RSA_PKCS1_PADDING:
		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
		/* Generally signatures should be at least 2/3 padding, though
		this isn't possible for really short keys and some standard
		signature schemes, so don't check if the unpadded data is
		small. */
		if(r > 42 && 38r >= BN_num_bits(rsa->n))
		{
		RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
		goto err;
		}
		break;
		case RSA_NO_PADDING:
		r=RSA_padding_check_none(to,num,buf,i,num);

+1 −0

Original line number	Diff line number	Diff line
		@@ -134,6 +134,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
		{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
		{ERR_REASON(RSA_R_SLEN_RECOVERY_FAILED) ,"salt length recovery failed"},
		{ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
		{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
		{ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
		{ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
		{ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},