← Back to branch summary

~ubuntu-branches/ubuntu/hardy/openssl/hardy-updates

« back to all changes in this revision

Viewing changes to crypto/ecdsa/ecdsatest.c

  • Committer: Package Import Robot
  • Author(s): Steve Beattie
  • Date: 2012-01-31 01:46:26 UTC
  • Revision ID: package-import@ubuntu.com-20120131014626-ffeo8a5xag43qawh
Tags: 0.9.8g-4ubuntu3.15
https://launchpad.net/bugs/922229
https://launchpad.net/bugs/244250
* SECURITY UPDATE: ECDSA private key timing attack
  - crypto/ecdsa/ecs_ossl.c: compute with fixed scalar length
  - http://cvs.openssl.org/chngview?cn=20892
  - CVE-2011-1945
* SECURITY UPDATE: ECDH ciphersuite denial of service
  - ssl/s3_lib.c, file ssl/s3_srvr.c: fix memory usage for thread
    safety
  - http://cvs.openssl.org/chngview?cn=21334
  - CVE-2011-3210
* SECURITY UPDATE: DTLS plaintext recovery attack (LP: #922229)
  - ssl/d1_pkt.c: perform all computations before discarding messages
  - http://cvs.openssl.org/chngview?cn=21942
  - http://cvs.openssl.org/chngview?cn=19574
  - CVE-2011-4108
* SECURITY UPDATE: policy check double free vulnerability
  - crypto/x509v3/pcy_map.c, crypto/x509v3/pcy_tree.c: only free
    domain policy in one location
  - http://cvs.openssl.org/chngview?cn=21941
  - CVE-2011-4019
* SECURITY UPDATE: incorrect elliptic curve computation TLS key
  exposure
  - crypto/bn/bn_nist.c: perform ellyiptic curve computations
    correctly
  - update to http://cvs.openssl.org/fileview?f=openssl/crypto/bn/bn_nist.c&v=1.20
  - CVE-2011-4354
* SECURITY UPDATE: SSL 3.0 block padding exposure
  - ssl/s3_enc.c: clear bytes used for block padding of SSL 3.0
    records.
  - http://cvs.openssl.org/chngview?cn=21940
  - CVE-2011-4576
* SECURITY UPDATE: malformed RFC 3779 data denial of service attack
  - crypto/x509v3/v3_addr.c: prevent malformed RFC3779 data
    from triggering an assertion failure
  - http://cvs.openssl.org/chngview?cn=21937
  - CVE-2011-4577
* SECURITY UPDATE: Server Gated Cryptography (SGC) denial of service
  - ssl/s3_srvr.c, ssl/ssl.h, ssl/ssl3.h, ssl/ssl_err.c: Only allow
    one SGC handshake restart for SSL/TLS.
  - CVE-2011-4619
* SECURITY UPDATE: fix for CVE-2011-4108 denial of service attack
  - ssl/d1_pkt.c: improve handling of DTLS MAC
  - http://cvs.openssl.org/chngview?cn=22032
  - CVE-2012-0050
* crypto/ecdsa/ecdsatest.c: fix ECDSA tests
  - http://cvs.openssl.org/chngview?cn=21777
  - http://cvs.openssl.org/chngview?cn=21995
* debian/libssl0.9.8.postinst: Only issue the reboot notification for
  servers by testing that the X server is not running (LP: #244250)

Show diffs side-by-side

added added

removed removed

Lines of Context:
crypto/ecdsa/ecdsatest.c
287
287
        size_t          crv_len = 0, n = 0;
288
288
        EC_KEY          *eckey = NULL, *wrong_eckey = NULL;
289
289
        EC_GROUP        *group;
 
290
        ECDSA_SIG       *ecdsa_sig = NULL;
290
291
        unsigned char   digest[20], wrong_digest[20];
291
 
        unsigned char   *signature = NULL; 
292
 
        unsigned int    sig_len;
 
292
        unsigned char   *signature = NULL;
 
293
        const unsigned char     *sig_ptr;
 
294
        unsigned char   *sig_ptr2;
 
295
        unsigned char   *raw_buf = NULL;
 
296
        unsigned int    sig_len, degree, r_len, s_len, bn_len, buf_len;
293
297
        int             nid, ret =  0;
294
298
        
295
299
        /* fill digest values with some random data */
339
343
                if (EC_KEY_set_group(eckey, group) == 0)
340
344
                        goto builtin_err;
341
345
                EC_GROUP_free(group);
342
 
                if (EC_GROUP_get_degree(EC_KEY_get0_group(eckey)) < 160)
 
346
                degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
 
347
                if (degree < 160)
343
348
                        /* drop the curve */ 
344
349
                        {
345
350
                        EC_KEY_free(eckey);
415
420
                        }
416
421
                BIO_printf(out, ".");
417
422
                (void)BIO_flush(out);
418
 
                /* modify a single byte of the signature */
419
 
                offset = signature[10] % sig_len;
420
 
                dirt   = signature[11];
421
 
                signature[offset] ^= dirt ? dirt : 1; 
 
423
                /* wrong length */
 
424
                if (ECDSA_verify(0, digest, 20, signature, sig_len - 1,
 
425
                        eckey) == 1)
 
426
                        {
 
427
                        BIO_printf(out, " failed\n");
 
428
                        goto builtin_err;
 
429
                        }
 
430
                BIO_printf(out, ".");
 
431
                (void)BIO_flush(out);
 
432
 
 
433
                /* Modify a single byte of the signature: to ensure we don't
 
434
                 * garble the ASN1 structure, we read the raw signature and
 
435
                 * modify a byte in one of the bignums directly. */
 
436
                sig_ptr = signature;
 
437
                if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL)
 
438
                        {
 
439
                        BIO_printf(out, " failed\n");
 
440
                        goto builtin_err;
 
441
                        }
 
442
 
 
443
                /* Store the two BIGNUMs in raw_buf. */
 
444
                r_len = BN_num_bytes(ecdsa_sig->r);
 
445
                s_len = BN_num_bytes(ecdsa_sig->s);
 
446
                bn_len = (degree + 7) / 8;
 
447
                if ((r_len > bn_len) || (s_len > bn_len))
 
448
                        {
 
449
                        BIO_printf(out, " failed\n");
 
450
                        goto builtin_err;
 
451
                        }
 
452
                buf_len = 2 * bn_len;
 
453
                if ((raw_buf = OPENSSL_malloc(buf_len)) == NULL)
 
454
                        goto builtin_err;
 
455
                /* Pad the bignums with leading zeroes. */
 
456
                memset(raw_buf, 0, buf_len);
 
457
                BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
 
458
                BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
 
459
 
 
460
                /* Modify a single byte in the buffer. */
 
461
                offset = raw_buf[10] % buf_len;
 
462
                dirt   = raw_buf[11] ? raw_buf[11] : 1;
 
463
                raw_buf[offset] ^= dirt;
 
464
                /* Now read the BIGNUMs back in from raw_buf. */
 
465
                if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
 
466
                        (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
 
467
                        goto builtin_err;
 
468
 
 
469
                sig_ptr2 = signature;
 
470
                sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
422
471
                if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
423
472
                        {
424
473
                        BIO_printf(out, " failed\n");
425
474
                        goto builtin_err;
426
475
                        }
 
476
                /* Sanity check: undo the modification and verify signature. */
 
477
                raw_buf[offset] ^= dirt;
 
478
                if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
 
479
                        (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
 
480
                        goto builtin_err;
 
481
 
 
482
                sig_ptr2 = signature;
 
483
                sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
 
484
                if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
 
485
                        {
 
486
                        BIO_printf(out, " failed\n");
 
487
                        goto builtin_err;
 
488
                        }
427
489
                BIO_printf(out, ".");
428
490
                (void)BIO_flush(out);
429
491
                
430
492
                BIO_printf(out, " ok\n");
431
493
                /* cleanup */
 
494
                /* clean bogus errors */
 
495
                ERR_clear_error();
432
496
                OPENSSL_free(signature);
433
497
                signature = NULL;
434
498
                EC_KEY_free(eckey);
435
499
                eckey = NULL;
436
500
                EC_KEY_free(wrong_eckey);
437
501
                wrong_eckey = NULL;
 
502
                ECDSA_SIG_free(ecdsa_sig);
 
503
                ecdsa_sig = NULL;
 
504
                OPENSSL_free(raw_buf);
 
505
                raw_buf = NULL;
438
506
                }
439
507
 
440
508
        ret = 1;        
443
511
                EC_KEY_free(eckey);
444
512
        if (wrong_eckey)
445
513
                EC_KEY_free(wrong_eckey);
 
514
        if (ecdsa_sig)
 
515
                ECDSA_SIG_free(ecdsa_sig);
446
516
        if (signature)
447
517
                OPENSSL_free(signature);
 
518
        if (raw_buf)
 
519
                OPENSSL_free(raw_buf);
448
520
        if (curves)
449
521
                OPENSSL_free(curves);
450
522