[openssl-dev] [openssl.org #4076] PROBLEM: there exists a wrong return value of function int_rsa_verify()

Zhang Yan via RT rt at openssl.org
Thu Oct 8 08:55:45 UTC 2015 

Bug Description:      
     Function int_rsa_verify() defined in file crypto/rsa/rsa_sign.c would return 1 if a signature is valid, and 0 otherwise. The variable 'ret' keeps the return value, and it may be assigned to 1 if the condition in line 216 is satisfied. The signature is regarded as invalid if the conditions in line 241 are evaluated to be true, and the error message is dumped (in line 242) and the verify process is ended (in line 243). However, as variable 'ret' may keep value 1, this function will return 1 (in line 290) even if the signature is invalid, which will confuse the caller function whether the signature is really valid.
The related code snippets in int_rsa_verify() is as following.
168 int int_rsa_verify(int dtype, const unsigned char *m,
169                    unsigned int m_len,
170                    unsigned char *rm, size_t *prm_len,
171                    const unsigned char *sigbuf, size_t siglen, RSA *rsa)
172 {
173     int i, ret = 0, sigtype;
         ...
216     if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) {
217         if (rm) {
218             memcpy(rm, s + 2, 16);
219             *prm_len = 16;
220             ret = 1;
221         } else if (memcmp(m, s + 2, 16))
222             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
223         else
224             ret = 1;      
225     }
226
227     /* Special case: SSL signature */
228     if (dtype == NID_md5_sha1) {
229         if ((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
230             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
231         else
232             ret = 1;
233     } else {                   // dtype != NID_md5_sha1
234         const unsigned char *p = s;
235         sig = d2i_X509_SIG(NULL, &p, (long)i);
236
237         if (sig == NULL)
238             goto err;                    
239
240         /* Excess data can be used to create forgeries */
241         if (p != s + i || !rsa_check_digestinfo(sig, s, i)) {
242             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
243             goto err;                    
244         }
               ...
283  err:
284     if (sig != NULL)
285         X509_SIG_free(sig);
286     if (s != NULL) {
287         OPENSSL_cleanse(s, (unsigned int)siglen);
288         OPENSSL_free(s);
289     }
290     return (ret);
291 }




 



-------------- next part --------------
_______________________________________________
openssl-bugs-mod mailing list
openssl-bugs-mod at openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

More information about the openssl-dev mailing list