ECURITY FIX for CVE-2009-0217 (XML Signature HMAC Truncation Spoofing)

patch extracted from mono 2.4.2.2
2009-07-21 13:51:41 +00:00 · 2009-07-21 13:51:41 +00:00 · e4e2d96dc1
commit e4e2d96dc1
parent 33f694372f
2 changed files with 47 additions and 2 deletions
--- a/lang/mono/Makefile
+++ b/lang/mono/Makefile
@ -1,11 +1,11 @@
-# $OpenBSD: Makefile,v 1.9 2009/03/15 02:19:31 kurt Exp $
+# $OpenBSD: Makefile,v 1.10 2009/07/21 13:51:41 jasper Exp $

 ONLY_FOR_ARCHS=	amd64 i386

 COMMENT=	cross platform, open source .NET developement framework

 DISTNAME=	mono-2.0
-PKGNAME=	${DISTNAME}p5
+PKGNAME=	${DISTNAME}p6
 CATEGORIES=	lang devel

 SHARED_LIBS=	mono-profiler-aot	0.0 \
--- a/lang/mono/patches/patch-mcs_class_System_Security_System_Security_Cryptography_Xml_SignedXml_cs
+++ b/lang/mono/patches/patch-mcs_class_System_Security_System_Security_Cryptography_Xml_SignedXml_cs
@ -0,0 +1,45 @@
+$OpenBSD: patch-mcs_class_System_Security_System_Security_Cryptography_Xml_SignedXml_cs,v 1.1 2009/07/21 13:51:41 jasper Exp $
+
+Security fix for CVE-2009-0217, XML signature HMAC truncation authentication bypass
+
+
+--- mcs/class/System.Security/System.Security.Cryptography.Xml/SignedXml.cs.orig	Tue Jul 21 15:18:58 2009
+++ mcs/class/System.Security/System.Security.Cryptography.Xml/SignedXml.cs	Tue Jul 21 15:20:54 2009
+@@ -592,17 +592,28 @@ namespace System.Security.Cryptography.Xml {
+ 				return false;
+ 
+ 			byte[] actual = macAlg.ComputeHash (s);
+-			// HMAC signature may be partial
+			// HMAC signature may be partial  and specified by <HMACOutputLength>
+ 			if (m_signature.SignedInfo.SignatureLength != null) {
+-				int length = actual.Length;
+-				try {
+-					// SignatureLength is in bits
+-					length = (Int32.Parse (m_signature.SignedInfo.SignatureLength) >> 3);
+-				}
+-				catch {
+-				}
+				int length = Int32.Parse (m_signature.SignedInfo.SignatureLength);
+				// we only support signatures with a multiple of 8 bits
+				// and the value must match the signature length
+				if ((length & 7) != 0)
+					throw new CryptographicException ("Signature length must be a multiple of 8 bits.");
+ 
+-				if (length != actual.Length) {
+			       // SignatureLength is in bits (and we works on bytes, only in multiple of 8 bits)
+			       // and both values must match for a signature to be valid
+			       length >>= 3;
+			       if (length != m_signature.SignatureValue.Length)
+				       throw new CryptographicException ("Invalid signature length.");
+
+			       // is the length "big" enough to make the signature meaningful ? 
+			       // we use a minimum of 80 bits (10 bytes) or half the HMAC normal output length
+			       // e.g. HMACMD5 output 128 bits but our minimum is 80 bits (not 64 bits)
+			       int minimum = Math.Max (10, actual.Length / 2);
+			       if (length < minimum)
+				       throw new CryptographicException ("HMAC signature is too small");
+
+			       if (length < actual.Length) {
+ 					byte[] trunked = new byte [length];
+ 					Buffer.BlockCopy (actual, 0, trunked, 0, length);
+ 					actual = trunked;