Closed Bug 351848 Opened 18 years ago Closed 18 years ago

DecryptSigBlock does not check the message digest's length is correct

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Version:
3.11.2
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.11.3

People

(Reporter: wtc, Assigned: nelson)

Details

(Keywords: verified1.8.0.7, verified1.8.1, Whiteboard: [sg:high])

Attachments

(4 files, 5 obsolete files)

Patch for NSS_3_11_BRANCH v2 (Checked in)
4.70 KB, patch
nelson
: review+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
merged to client 1.8.0 branch v2
4.03 KB, patch
Details | Diff | Splinter Review
Patch for trunk v3 (as checked in)
8.02 KB, patch
nelson
: review+
Details | Diff | Splinter Review
patch for NSS_3_3_4_1_BRANCH, v2
69.64 KB, patch
christophe.ravel.bugs
: review+
julien.pierre
: superreview+
Details | Diff | Splinter Review 
The callers of DecryptSigBlock pass a buffer of size
HASH_LENGTH_MAX to ensure it is large enough to hold
any message digest.  But DecryptSigBlock only checks
that the message digest can fit in the buffer.  It doesn't
check that the message digest's length is correct for the
message digest algorithm, and it doesn't return the length
to the callers, so the callers can't check that, either.

So for MD5, one can append up to 48 bytes of arbitrary data
after the MD5 hash, and for SHA-1, up to 44 bytes.  However,
the length octet in the ASN.1 encoding of the hash must
match the length.  Because of the smaller number of bytes to
play with and the constraint on the length octet, it may be
impossible to implement an attack similar to bug 350640.
This form of forgery is one of the 9 test cases attached to bug 351079.

It's e) garbage appended to the hash, inside the DER encoding 
  that is: header, DER(Algorithm OID, algorithm parameters, hash+garbage)

oh, wait, are you suggesting something like this:

   header, DER(Algorithm OID, algorithm parameters, hash, garbage)

where the garbage is inside the sequence that includes the hash, but 
comes after the hash?
It is

  header, DER(Algorithm OID, algorithm parameters, hash+garbage)

NSS 3.11.3 release candidate has this bug.

I also tried

  header, DER(Algorithm OID, algorithm parameters, hash, garbage)

Thunderbird says the signature is invalid.  I believe it fails in
the decoding of DigestInfo but didn't verify it in a debugger or
with printf statements.
We have a forged cert for that test case.  
3.11.3 has been tested against it (certutil -V and vfychain)
and detects it.  So I conclude that one of these must be true:
a) test forgery is defective.  (I will investigate that)
b) you're testing a different code path than I have been testing
   (I've been testing CERT_VerifyCert).
I tested email signature verification in Thunderbird.  This is the
code path (the line numbers may be slightly off because of the
printf statements and other changes I added):

1. Decoding of DigestInfo:

DecryptSigBlock(int * 0x0309fdfc, unsigned char * 0x027862ac, unsigned int 64, SECKEYPublicKeyStr * 0x0389ef00, const SECItemStr * 0x03759eb0, char * 0x0373dfa0) line 107
vfy_CreateContextPrivate(const SECKEYPublicKeyStr * 0x02d361d0, const SECItemStr * 0x03759eb0, int 20, const SECItemStr * 0x00000000, void * 0x0373dfa0) line 354 + 33 bytes
vfy_VerifyDataPrivate(const unsigned char * 0x038a17f8, int 461, const SECKEYPublicKeyStr * 0x02d361d0, const SECItemStr * 0x03759eb0, int 20, const SECItemStr * 0x00000000, void * 0x0373dfa0) line 602 + 25 bytes
VFY_VerifyData(unsigned char * 0x038a17f8, int 461, SECKEYPublicKeyStr * 0x02d361d0, SECItemStr * 0x03759eb0, int 20, void * 0x0373dfa0) line 621 + 31 bytes
NSS_CMSSignerInfo_Verify(NSSCMSSignerInfoStr * 0x03759e68, SECItemStr * 0x0375a4b8, SECItemStr * 0x00303894) line 469 + 38 bytes
NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedDataStr * 0x0276a228, int 0, NSSTrustDomainStr * 0x027452e0, int 4) line 699 + 17 bytes
THUNDERBIRD! 007ec136()
THUNDERBIRD! 007ec03a()
THUNDERBIRD! 007ef870()
THUNDERBIRD! 007ef9d6()
25e814ec()

2. PORT_Memcmp call that compares the decrypted hash with the alleged hash:

VFY_EndWithSignature(VFYContextStr * 0x027862a0, SECItemStr * 0x00000000) line 521
VFY_End(VFYContextStr * 0x027862a0) line 536 + 11 bytes
vfy_VerifyDataPrivate(const unsigned char * 0x038a17f8, int 461, const SECKEYPublicKeyStr * 0x02d361d0, const SECItemStr * 0x03759eb0, int 20, const SECItemStr * 0x00000000, void * 0x0373dfa0) line 610 + 9 bytes
VFY_VerifyData(unsigned char * 0x038a17f8, int 461, SECKEYPublicKeyStr * 0x02d361d0, SECItemStr * 0x03759eb0, int 20, void * 0x0373dfa0) line 621 + 31 bytes
NSS_CMSSignerInfo_Verify(NSSCMSSignerInfoStr * 0x03759e68, SECItemStr * 0x0375a4b8, SECItemStr * 0x00303894) line 469 + 38 bytes
NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedDataStr * 0x0276a228, int 0, NSSTrustDomainStr * 0x027452e0, int 4) line 699 + 17 bytes
THUNDERBIRD! 007ec136()
THUNDERBIRD! 007ec03a()
THUNDERBIRD! 007ef870()
THUNDERBIRD! 007ef9d6()
25e814ec()
Please assign this to a real owner (wtc? nelson?)

I'm confused by comment 4, NSS is vulnerable but Thunderbird is not?
Flags: blocking1.8.1?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.7?
Whiteboard: [sg:investigate]
This is one way to fix it.  I won't be able to work on
this bug this week.  Feel free to use this patch or write
your own patch.  If you use this patch, feel free to change
identifier names and indentation, etc.  I didn't have time
to work on coding style.
Also, someone should examine VFY_VerifyDigest because of the XXX
comment in front of it.
Assignee: nobody → nelson
This bug, together with bug 350640 and bug 351079, are all vulnerabilities to 
malformed PKCS#1 v1.5 RSA signatures.  There are several code paths through
NSS that check these signatures.  One of them was fixed for bug 351079.
This bug reports another path that is vulnerable to one of the same cases as 
shown in that bug.  

It appears that the difference is that this path is used to verify
signatures on things other than certificates, whereas the other path was
used to verify signatures on certificates.  

I consider this to be part of the same vulnerability.  If NSS accepts the 
malformed signature, NSS is vulnerable to it, regardless of what kind of 
data (cert or other) is being signed.  Perhaps we should reopen bug 351079 
and make this bug a dup of that one.
Severity: normal → blocker
Priority: -- → P1
Whiteboard: [sg:investigate] → [sg:high]
Target Milestone: --- → 3.11.3
Comment on attachment 237388 [details] [diff] [review]
Patch for NSS_3_11_BRANCH (Checked in)

r=nelsonb.  Bob please SR.

There is one minor (nit) change I would make to this patch, but in 
the interest of time, I will refrain from changing it.
In the patch segment below, instead of the 3 "+" lines, I would have
coded this "*" line:

> 	    if (sig) {
> 		SECOidTag hashid = SEC_OID_UNKNOWN;
>-	    	rv = DecryptSigBlock(&hashid, cx->u.buffer,
>+		unsigned int digestlen = 0;
>+	    	rv = DecryptSigBlock(&hashid, cx->u.buffer, &digestlen,
>*              rv = DecryptSigBlock(&hashid, cx->u.buffer, &cx->rsadigestlen,
> 			HASH_LENGTH_MAX, cx->key, sig, (char*)wincx);
> 		cx->alg = hashid;
>+		cx->rsadigestlen = digestlen;
> 	    } else {
Attachment #237388 - Flags: superreview?(rrelyea)
Attachment #237388 - Flags: review+
Comment on attachment 237388 [details] [diff] [review]
Patch for NSS_3_11_BRANCH (Checked in)

r+=relyea

The u.buffer data really calls out to be a secitem which points to the u.buffer space. That should also simplify the DSA and ECDSA verification code.
Attachment #237388 - Flags: superreview?(rrelyea) → superreview+
I believe the issue here is that the forged signature case uses more data than the biggest HASH we support, so it is being detected. The reduced size means that it will likely be harder to construct a perfect cube in the space we allow, but 40 bytes is enough to make me worried. Especially if one starts trying to attack 1024 bit keys (which may need less 'garbage' than 2048 or 3072 bit keys).

Anyway I concur this should be fixed as part of the other signing issues.

bob
Severity: blocker → normal
Priority: P1 → --
Target Milestone: 3.11.3 → ---
Flags: blocking1.8.1? → blocking1.8.1+
Comment on attachment 237388 [details] [diff] [review]
Patch for NSS_3_11_BRANCH (Checked in)

> 	    if (sig) {
> 		SECOidTag hashid = SEC_OID_UNKNOWN;
>-	    	rv = DecryptSigBlock(&hashid, cx->u.buffer,
>+		unsigned int digestlen = 0;
>+	    	rv = DecryptSigBlock(&hashid, cx->u.buffer, &digestlen,
> 			HASH_LENGTH_MAX, cx->key, sig, (char*)wincx);
> 		cx->alg = hashid;
>+		cx->rsadigestlen = digestlen;
> 	    } else {

The use of the local variable 'digestlen' is intended to
bring your attention to the similar use of 'hashid' in
the original code.

Feel free to eliminate 'digestlen' and pass &cx->rsadigestlen
directly, but please also eliminate 'hashid' and pass &cx->alg
directly.
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.7?
Flags: blocking1.8.0.7+
Comment on attachment 237388 [details] [diff] [review]
Patch for NSS_3_11_BRANCH (Checked in)

approved for the 1.8.0 branch, a=dveditz for drivers
Attachment #237388 - Flags: approval1.8.0.7+
Checked in on NSS_3_11_BRANCH
Severity: normal → critical
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 3.11.3
Comment on attachment 237388 [details] [diff] [review]
Patch for NSS_3_11_BRANCH (Checked in)

Now the owners of the mozilla branches need to port this to their branches.  

lib/cryptohi/secvfy.c; new revision: 1.16.2.4; previous revision: 1.16.2.3

I will work on preparing a patch for the trunk next.
This file is VERY different on the trunk.
Attachment #237388 - Attachment description: Patch → Patch for NSS_3_11_BRANCH (Checked in)
Attached patch Patch for trunk (obsolete) — Splinter Review 
Since this file is already SO different between trunk and branch,
this patch for the trunk differs significantly from the branch patch.
I took the liberty of renaming one variable to avoid ambiguity, 
and I also took Wan-Teh's suggestion about the hashid variable.

This patch is not blocking any other mozilla branches.
Attachment #237443 - Flags: superreview?(wtchang)
Attachment #237443 - Flags: review?(rrelyea)
I renamed a function parameter and added a comment.
There is no real change.
Attachment #237388 - Attachment is obsolete: true
Comment on attachment 237536 [details] [diff] [review]
Patch for NSS_3_11_BRANCH  v2 (Checked in)

groovy.
Attachment #237536 - Flags: review+
Comment on attachment 237443 [details] [diff] [review]
Patch for trunk

r+ = rrelyea.
The patch explains why hashid was separate, and handles the new semantic correctly.

bob
Attachment #237443 - Flags: review?(rrelyea) → review+
Attached patch merged to client 1.8.0 branch (obsolete) — Splinter Review 
Nelson, please give this a once-over to make sure the merge is OK.
Attachment #237546 - Flags: review?
Attachment #237546 - Flags: approval1.8.0.7+
Attachment #237546 - Flags: review?(wtchang)
Attachment #237546 - Flags: review?(nelson)
Attachment #237546 - Flags: review?
Attachment #237388 - Flags: approval1.8.0.7+
Comment on attachment 237388 [details] [diff] [review]
Patch for NSS_3_11_BRANCH (Checked in)

This one works for the 1.8 branch.
Attachment #237388 - Flags: approval1.8.1?
Comment on attachment 237536 [details] [diff] [review]
Patch for NSS_3_11_BRANCH  v2 (Checked in)

ought to take this too just in case we have to merge something else in here later on.
Attachment #237536 - Flags: approval1.8.1?
Comment on attachment 237546 [details] [diff] [review]
merged to client 1.8.0 branch

I'm giving this a qualified r+ for the 1.8.0 branch.

I believe this patch accurately carries the change from 
the NSS_3_11_BRANCH back to this older branch.

However, because there are other preceeding changes 
from the NSS_3_11_BRANCH that have not been carried back
I cannot state with any certainty that, with this patch
applied, the 1.8.0 branch will be as free of vulnerabilities
as the 3_11_BRANCH is now.
Attachment #237546 - Flags: review?(nelson) → review+
Attachment #237388 - Flags: approval1.8.1?
Dan, your patch is correct.  I renamed the rsadigestlen field of
VFYContext because 'digestlen' looks nicer on the MOZILLA_1_8_0_BRANCH
(and NSS_3_10_BRANCH).
Attachment #237546 - Attachment is obsolete: true
Attachment #237546 - Flags: review?(wtchang)
Comment on attachment 237536 [details] [diff] [review]
Patch for NSS_3_11_BRANCH  v2 (Checked in)

a=schrep
Attachment #237536 - Flags: approval1.8.1? → approval1.8.1+
Checked in attachment 237536 [details] [diff] [review] to the 1.8 branch for 1.8.1
Keywords: fixed1.8.1
Verified with Thunderbird 1.5.0.7 rc6 (compared with 1.5.0.5,
which has the bug).

Verified with Thunderbird 2 alpha 1 20060911 (compared with
build 20060910, which has the bug).
Keywords: fixed1.8.0.7, fixed1.8.1verified1.8.0.7, verified1.8.1
Attached patch Patch for trunk v2 (obsolete) — Splinter Review 
I added my new comment for digestlen and renamed the 'len'
parameter of DecryptSigBlock.

You missed the change to one PORT_Memcmp call.  If it's
intentional, please remove that change from this patch.
Attachment #237443 - Attachment is obsolete: true
Attachment #237443 - Flags: superreview?(wtchang)

        Attachment #237879 -
        Flags: review?(julien.pierre.bugs)

    
  

        Attachment #237879 -
        Flags: review?(julien.pierre.bugs) → review+

    
    

    
  
Comment on attachment 237878 [details] [diff] [review]
Patch for trunk v2

r=nelson

        Attachment #237878 -
        Flags: superreview?(rrelyea)

        Attachment #237878 -
        Flags: review+

    
    

    
  
Comment on attachment 237878 [details] [diff] [review]
Patch for trunk v2

sigh, good catch wan-teh.
r=relyea

        Attachment #237878 -
        Flags: superreview?(rrelyea) → superreview+

    
    

    
  


  
I made two additional changes to vfy_CreateContext.
1. I removed a break statement that's no longer necessary.
2. I fixed a leak of 'cx' on an error return.  Coverity
   should be able to catch this leak, but Coverity was only
   run on some NSS branch used by Mozilla, and this code is
   new on the trunk only.

Please review these two changes.  I've checked in this patch
on the NSS trunk for NSS 3.12.

Checking in secvfy.c;
/cvsroot/mozilla/security/nss/lib/cryptohi/secvfy.c,v  <--  secvfy.c
new revision: 1.20; previous revision: 1.19
done

        Attachment #237878 -
        Attachment is obsolete: true

        Attachment #238003 -
        Flags: review+

    
    

    
  


  
This revision fixes a problem due to the added declaration of QuickDER
coming from a different revision than the source to QuickDER.  The MSVC 
compiler didn't complain, but Sun's compiler rightly called it an error.

        Attachment #237879 -
        Attachment is obsolete: true

        Attachment #238134 -
        Flags: superreview?(julien.pierre.bugs)

        Attachment #238134 -
        Flags: review?(christophe.ravel.bugs)

    
    

    
  
The build is passing on Solaris now. I am going to run some tests with all.sh.


    
    

    
  
Comment on attachment 238134 [details] [diff] [review]
patch for NSS_3_3_4_1_BRANCH, v2

Build and tests are passing on Solaris with this patch.

        Attachment #238134 -
        Flags: review?(christophe.ravel.bugs) → review+

    
  

        Attachment #238134 -
        Flags: superreview?(julien.pierre.bugs) → superreview+

    
    

    
  
Comment on attachment 238134 [details] [diff] [review]
patch for NSS_3_3_4_1_BRANCH, v2

Fix committed on the NSS_3_3_4_1_BRANCH. 

cmd/lib/SECerrs.h;           new : 1.1.148.1;     previous : 1.1
lib/cryptohi/secvfy.c;       new : 1.5.54.1;      previous : 1.5
lib/softoken/pkcs11c.c;      new : 1.13.2.2.2.2;  previous : 1.13.2.2.2.1
lib/util/manifest.mn;        new : 1.4.108.1;     previous : 1.4
lib/util/quickder.c;         new : 1.23.20.1;     previous : (added)
lib/util/secasn1.h;          new : 1.4.56.1;      previous : 1.4
lib/util/secasn1t.h;         new : 1.4.48.1.46.2; previous : 1.4.48.1.46.1
lib/util/seccomon.h;         new : 1.2.118.1;     previous : 1.2
lib/util/secdig.c;           new : 1.2.200.1;     previous : 1.2
lib/util/secerr.h;           new : 1.3.64.1;      previous : 1.3
tests/qa_stat;               new : 1.21.50.1;     previous : 1.21
tests/cipher/cipher.sh;      new : 1.5.124.1;     previous : 1.5
tests/cipher/performance.sh; new : 1.2.220.1;     previous : 1.2
tests/ssl/ssl.sh;            new : 1.38.52.2;     previous : 1.38.52.1

Is this bug ready to be marked resolved/fixed?
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Group: security

    
    

    
  
Related to or inspired by CVE-2006-4340 : unchecked garbage in PKCS v1.5 blocks

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: