Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher

[openssl.git] / crypto / rsa / rsa_eay.c

diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index c6ceaee6e731689448c0d9c1ab35a43b2887b929..863a45a9758523056158ebf15fcb86e43ddce7e5 100644 (file)
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -640,6 +640,15 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                {
        case RSA_PKCS1_PADDING:
                r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
+               /* Generally signatures should be at least 2/3 padding, though
+                  this isn't possible for really short keys and some standard
+                  signature schemes, so don't check if the unpadded data is
+                  small. */
+               if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
+                       {
+                       RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
+                       goto err;
+                       }
                break;
        case RSA_X931_PADDING:
                r=RSA_padding_check_X931(to,num,buf,i,num);