openssl security fixes, diff from markus@, ok & "commit it" djm@

http://www.openssl.org/news/secadv_20060928.txt for more
author: pvalchev <> 2006-10-04 07:10:32 +0000
committer: pvalchev <> 2006-10-04 07:10:32 +0000
commit: 2ae4a931445dd6121f260bcc0af2dde32a871cd0 (patch)
tree: 79c58b0010b91a2778efdc406095e24c85a41ae1 /src/lib/libcrypto/rsa
parent: c2d940ce6f2c3ef66262b7c1953e6286cf68b267 (diff)
download: openbsd-2ae4a931445dd6121f260bcc0af2dde32a871cd0.tar.gz
openbsd-2ae4a931445dd6121f260bcc0af2dde32a871cd0.tar.bz2
openbsd-2ae4a931445dd6121f260bcc0af2dde32a871cd0.zip
3 files changed, 51 insertions, 0 deletions
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 0b639cd37f..dbed701e89 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -154,6 +154,11 @@ struct rsa_st
        BN_BLINDING *blinding;
        };
+#define OPENSSL_RSA_MAX_MODULUS_BITS    16384
+#define OPENSSL_RSA_SMALL_MODULUS_BITS  3072
+#define OPENSSL_RSA_MAX_PUBEXP_BITS     64 /* exponent limit enforced for "small" modulus only */
 #define RSA_3   0x3L
 #define RSA_F4  0x10001L
@@ -386,6 +391,7 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_IQMP_NOT_INVERSE_OF_Q                      126
 #define RSA_R_KEY_SIZE_TOO_SMALL                         120
 #define RSA_R_LAST_OCTET_INVALID                         134
+#define RSA_R_MODULUS_TOO_LARGE                          105
 #define RSA_R_NULL_BEFORE_BLOCK_MISSING                  113
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q                       127
 #define RSA_R_OAEP_DECODING_ERROR                        121
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index be4ac96ce3..610889dc80 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -295,6 +295,28 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
        BN_init(&f);
        BN_init(&ret);
+        if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
+                {
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
+                return -1;
+                }
+        if (BN_ucmp(rsa->n, rsa->e) <= 0)
+                {
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
+                return -1;
+                }
+        /* for large moduli, enforce exponent limit */
+        if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
+                {
+                if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
+                        return -1;
+                        }
+                }
        if ((ctx=BN_CTX_new()) == NULL) goto err;
        num=BN_num_bytes(rsa->n);
        if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
@@ -576,6 +598,28 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
+        if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
+                {
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
+                return -1;
+                }
+        if (BN_ucmp(rsa->n, rsa->e) <= 0)
+                {
+                RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
+                return -1;
+                }
+        /* for large moduli, enforce exponent limit */
+        if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
+                {
+                if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
+                        return -1;
+                        }
+                }
        BN_init(&f);
        BN_init(&ret);
        ctx=BN_CTX_new();
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index 2ec4b30ff7..ddcb28e663 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -129,6 +129,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
 {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL)    ,"key size too small"},
 {ERR_REASON(RSA_R_LAST_OCTET_INVALID)    ,"last octet invalid"},
+{ERR_REASON(RSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
 {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
 {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
 {ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
author	pvalchev <>	2006-10-04 07:10:32 +0000
committer	pvalchev <>	2006-10-04 07:10:32 +0000
commit	2ae4a931445dd6121f260bcc0af2dde32a871cd0 (patch)
tree	79c58b0010b91a2778efdc406095e24c85a41ae1 /src/lib/libcrypto/rsa
parent	c2d940ce6f2c3ef66262b7c1953e6286cf68b267 (diff)
download	openbsd-2ae4a931445dd6121f260bcc0af2dde32a871cd0.tar.gz openbsd-2ae4a931445dd6121f260bcc0af2dde32a871cd0.tar.bz2 openbsd-2ae4a931445dd6121f260bcc0af2dde32a871cd0.zip

diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h index 0b639cd37f..dbed701e89 100644 --- a/src/lib/libcrypto/rsa/rsa.h +++ b/src/lib/libcrypto/rsa/rsa.h
@@ -154,6 +154,11 @@ struct rsa_st
154	BN_BLINDING *blinding;	154	BN_BLINDING *blinding;
155	};	155	};
156		156
		157	#define OPENSSL_RSA_MAX_MODULUS_BITS 16384
		158
		159	#define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
		160	#define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "small" modulus only */
		161
157	#define RSA_3 0x3L	162	#define RSA_3 0x3L
158	#define RSA_F4 0x10001L	163	#define RSA_F4 0x10001L
159		164
@@ -386,6 +391,7 @@ void ERR_load_RSA_strings(void);
386	#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126	391	#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
387	#define RSA_R_KEY_SIZE_TOO_SMALL 120	392	#define RSA_R_KEY_SIZE_TOO_SMALL 120
388	#define RSA_R_LAST_OCTET_INVALID 134	393	#define RSA_R_LAST_OCTET_INVALID 134
		394	#define RSA_R_MODULUS_TOO_LARGE 105
389	#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113	395	#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
390	#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127	396	#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
391	#define RSA_R_OAEP_DECODING_ERROR 121	397	#define RSA_R_OAEP_DECODING_ERROR 121


diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c index be4ac96ce3..610889dc80 100644 --- a/src/lib/libcrypto/rsa/rsa_eay.c +++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -295,6 +295,28 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
295	BN_init(&f);	295	BN_init(&f);
296	BN_init(&ret);	296	BN_init(&ret);
297		297
		298	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
		299	{
		300	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
		301	return -1;
		302	}
		303
		304	if (BN_ucmp(rsa->n, rsa->e) <= 0)
		305	{
		306	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
		307	return -1;
		308	}
		309
		310	/* for large moduli, enforce exponent limit */
		311	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
		312	{
		313	if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
		314	{
		315	RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
		316	return -1;
		317	}
		318	}
		319
298	if ((ctx=BN_CTX_new()) == NULL) goto err;	320	if ((ctx=BN_CTX_new()) == NULL) goto err;
299	num=BN_num_bytes(rsa->n);	321	num=BN_num_bytes(rsa->n);
300	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)	322	if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL)
@@ -576,6 +598,28 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
576	unsigned char *buf=NULL;	598	unsigned char *buf=NULL;
577	BN_CTX *ctx=NULL;	599	BN_CTX *ctx=NULL;
578		600
		601	if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
		602	{
		603	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
		604	return -1;
		605	}
		606
		607	if (BN_ucmp(rsa->n, rsa->e) <= 0)
		608	{
		609	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
		610	return -1;
		611	}
		612
		613	/* for large moduli, enforce exponent limit */
		614	if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
		615	{
		616	if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
		617	{
		618	RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
		619	return -1;
		620	}
		621	}
		622
579	BN_init(&f);	623	BN_init(&f);
580	BN_init(&ret);	624	BN_init(&ret);
581	ctx=BN_CTX_new();	625	ctx=BN_CTX_new();


diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c index 2ec4b30ff7..ddcb28e663 100644 --- a/src/lib/libcrypto/rsa/rsa_err.c +++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -129,6 +129,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
129	{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},	129	{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
130	{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},	130	{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
131	{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},	131	{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
		132	{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
132	{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},	133	{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
133	{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},	134	{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
134	{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},	135	{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},