Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher

[openssl.git] / crypto / rsa / rsa_eay.c

diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 69cabd2716445bb1a88b2ef0273b6d498b8ecc41..863a45a9758523056158ebf15fcb86e43ddce7e5 100644 (file)
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -259,7 +259,7 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
        if (ret == NULL)
                goto err;
 
-       if (BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id())
+       if ((BN_BLINDING_get_thread_id(ret) == CRYPTO_thread_id()) && (BN_BLINDING_get_thread_idptr(ret) == CRYPTO_thread_idptr()))
                {
                /* rsa->blinding is ours! */
 
@@ -640,6 +640,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                {
        case RSA_PKCS1_PADDING:
                r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+               /* Generally signatures should be at least 2/3 padding, though
+                  this isn't possible for really short keys and some standard
+                  signature schemes, so don't check if the unpadded data is
+                  small. */
+               if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+                       {
+                       RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+                       goto err;
+                       }
                break;
        case RSA_X931_PADDING:
                r=RSA_padding_check_X931(to,num,buf,i,num);