-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+
http://www.openssl.org/news/secadv_20060905.txt
(This patch was updated Tue Sep 5 15:54:30 UTC 2006 to also work
against 0.9.6)
-Index: crypto/rsa/rsa.h
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa.h,v
-retrieving revision 1.55.2.4
-diff -u -r1.55.2.4 rsa.h
-- - --- crypto/rsa/rsa.h 9 Jan 2006 16:05:18 -0000 1.55.2.4
-+++ crypto/rsa/rsa.h 4 Sep 2006 15:16:54 -0000
-@@ -412,6 +412,7 @@
- #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
- #define RSA_R_OAEP_DECODING_ERROR 121
- #define RSA_R_PADDING_CHECK_FAILED 114
-+#define RSA_R_PKCS1_PADDING_TOO_SHORT 105
- #define RSA_R_P_NOT_PRIME 128
- #define RSA_R_Q_NOT_PRIME 129
- #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
-Index: crypto/rsa/rsa_eay.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
-retrieving revision 1.46.2.4
-diff -u -r1.46.2.4 rsa_eay.c
-- - --- crypto/rsa/rsa_eay.c 14 Jun 2006 08:51:40 -0000 1.46.2.4
-+++ crypto/rsa/rsa_eay.c 4 Sep 2006 15:16:56 -0000
-@@ -640,6 +640,15 @@
- {
- case RSA_PKCS1_PADDING:
- r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
-+ /* Generally signatures should be at least 2/3 padding, though
-+ this isn't possible for really short keys and some standard
-+ signature schemes, so don't check if the unpadded data is
-+ small. */
-+ if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
-+ {
-+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
-+ goto err;
-+ }
- break;
- case RSA_X931_PADDING:
- r=RSA_padding_check_X931(to,num,buf,i,num);
-Index: crypto/rsa/rsa_err.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_err.c,v
-retrieving revision 1.17.2.3
-diff -u -r1.17.2.3 rsa_err.c
-- - --- crypto/rsa/rsa_err.c 9 Jan 2006 16:05:18 -0000 1.17.2.3
-+++ crypto/rsa/rsa_err.c 4 Sep 2006 15:16:57 -0000
-@@ -142,6 +142,7 @@
- {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
- {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
- {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) ,"padding check failed"},
-+{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
- {ERR_REASON(RSA_R_P_NOT_PRIME) ,"p not prime"},
- {ERR_REASON(RSA_R_Q_NOT_PRIME) ,"q not prime"},
- {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
+(This patch was updated Wed Sep 6 08:37:55 UTC 2006 to remove the
+changes to rsa_eay.c/rsa.h/rsa_err.c which were not necessary to
+correct this vulnerability)
+
Index: crypto/rsa/rsa_sign.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_sign.c,v
retrieving revision 1.21
diff -u -r1.21 rsa_sign.c
-- - --- crypto/rsa/rsa_sign.c 26 Apr 2005 22:07:17 -0000 1.21
+- - - --- crypto/rsa/rsa_sign.c 26 Apr 2005 22:07:17 -0000 1.21
+++ crypto/rsa/rsa_sign.c 4 Sep 2006 15:16:57 -0000
@@ -185,6 +185,23 @@
sig=d2i_X509_SIG(NULL,&p,(long)i);
+
sigtype=OBJ_obj2nid(sig->algor->algorithm);
-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
-iQCVAwUBRP2d3O6tTP1JpWPZAQItiwQAiu1u2rDI9Nbkl9vK2weJofaQ+Yb/fSqM
-u8BHg9ujupYnalswGd6ShUuiYPoNN3qwrh2/5bsy+iDCCY4rBedyLTH/pbYQ/yso
-AXBVX7HuYtB2N3LjIeFgO/JtYJgMkjOpSNGVVAcdVxRkiwZm/JD61c5P00gFTkuD
-YA0f4oRsRGU=
-=p7+E
+iQCVAwUBRP6JWe6tTP1JpWPZAQLssAP+LZH3morviQ2DEN7yWRpVuCsP31850Ma7
+9OjH1wEkAbA3rX2XmDxYFd6dJBanksgdXUqLHlm8w8Q9aA+FKPmyFSaQ74N7nHgE
+iDGws5w1PE1U/sigQvz9FoY5DgCU0l/L+MOoj+UaIiueafLCgO4VpwB1EftXymsS
+eCQDyyI37rE=
+=MXpR
-----END PGP SIGNATURE-----
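Review bot: The `---` header for crypto/rsa/rsa_sign.c gains another layer of PGP dash-escaping in the re-signed text (`- - - --- crypto/rsa/rsa_sign.c` replaces `- - --- crypto/rsa/rsa_sign.c`), while the `+++` line is unchanged. That pattern suggests each update was clearsigned from the previously signed output rather than from the pristine patch, so stripping one layer of escaping after signature verification still leaves a line that does not begin with `---`. It would be cleaner to clearsign the original patch text once, so that the verified output is the patch itself with the header `--- crypto/rsa/rsa_sign.c 26 Apr 2005 22:07:17 -0000 1.21`; whether patch(1) falls back to the `Index:` line for the file name here is not something this page shows. The body of the `@@ -185,6 +185,23 @@` hunk is not visible in this view, so the rsa_sign.c fix itself is not reviewed here.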