git.ipfire.org Git - thirdparty/strongswan.git/commit

author	Tobias Brunner <tobias@strongswan.org>
	Tue, 28 Aug 2018 09:26:24 +0000 (11:26 +0200)
committer	Tobias Brunner <tobias@strongswan.org>
	Fri, 21 Sep 2018 16:51:58 +0000 (18:51 +0200)
commit	5955db5b124a1ee5f44c0845b6e00c86fddae67c
tree	1828757baa96168df9df2aac3adc67797708bbda	tree
parent	64d88efac5b6aeaa822a44315194503b674d5d16	commit \| diff

gmp: Don't parse PKCS1 v1.5 RSA signatures to verify them

Instead we generate the expected signature encoding and compare it to the
decrypted value.

Due to the lenient nature of the previous parsing code (minimum padding
length was not enforced, the algorithmIdentifier/OID parser accepts arbitrary
data after OIDs and in the parameters field etc.) it was susceptible to
Daniel Bleichenbacher's low-exponent attack (from 2006!), which allowed
forging signatures for keys that use low public exponents (i.e. e=3).

Since the public exponent is usually set to 0x10001 (65537) since quite a
while, the flaws in the previous code should not have had that much of a
practical impact in recent years.

Fixes: CVE-2018-16151, CVE-2018-16152

src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c		diff \| blob \| blame \| history
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c		diff \| blob \| blame \| history