Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher

(CVE-2006-4339) Submitted by: Ben Laurie, Google Security Team Reviewed by: bmoeller, mjc, shenson
author: Mark J. Cox <mark@openssl.org> 2006-09-05 08:58:03 +0000
committer: Mark J. Cox <mark@openssl.org> 2006-09-05 08:58:03 +0000
commit: b79aa05e3babdbab92c6356f6e51f7bb43c41576 (patch)
tree: 1963310ff2983ec5cba1330c9a58b343f6e0b232 /crypto/rsa/rsa_eay.c
parent: 500b5a181df0e8e442e4cbf954213ff886b29df3 (diff)
download: openssl-b79aa05e3babdbab92c6356f6e51f7bb43c41576.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index c6ceaee6e7..863a45a975 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -640,6 +640,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
 		{
 	case RSA_PKCS1_PADDING:
 		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+		/* Generally signatures should be at least 2/3 padding, though
+		   this isn't possible for really short keys and some standard
+		   signature schemes, so don't check if the unpadded data is
+		   small. */
+		if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+			{
+			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+			goto err;
+			}
 		break;
 	case RSA_X931_PADDING:
 		r=RSA_padding_check_X931(to,num,buf,i,num);
author	Mark J. Cox <mark@openssl.org>	2006-09-05 08:58:03 +0000
committer	Mark J. Cox <mark@openssl.org>	2006-09-05 08:58:03 +0000
commit	b79aa05e3babdbab92c6356f6e51f7bb43c41576 (patch)
tree	1963310ff2983ec5cba1330c9a58b343f6e0b232 /crypto/rsa/rsa_eay.c
parent	500b5a181df0e8e442e4cbf954213ff886b29df3 (diff)
download	openssl-b79aa05e3babdbab92c6356f6e51f7bb43c41576.tar.gz