Decrypt error when using openssl 1.1.1b during SSL handshake
Matt Caswell
matt at openssl.org
Fri Oct 30 14:20:39 UTC 2020
On 30/10/2020 11:22, Mahendra SP wrote:
> Hi Matt,
>
> Thank you for the inputs.
> Yes, we had encountered the padding issue initially. But we added
> support for RSA_NO_PADDING in our hardware. That's why we are able to
> successfully decrypt the premaster secret in the hardware.
> Hence the issue does not seem to be related to padding. We have
> confirmed this by comparing the premaster secret on both client and
> server and they are the same.
Ok, good.
>
> We suspect in this case, verification of "encrypted handshake message"
> failure is happening.
It's possible. It would be helpful if you can get more information from
the error stack on the server, e.g. by using ERR_print_errors_fp() or
something similar. I'm particularly interested in identifying the source
file and line number where the decrypt_error is coming from. Printing
the error stack should give us that information. There are a number of
places that a "decrypt error" can occur and it would be helpful to
identify which one is the cause of the problem.
> We understand constant_time_xx APIs get used for CBC padding validation.
> Will this have any dependency on the compiler optimization or asm
> flags?
CBC padding validation is fairly independent of anything to do with RSA,
so I think its unlikely to be the culprit here. Of course sometimes
compiler optimization/asm issues do occur so it can't be ruled out
entirely - but it's not where I would start looking.
> Will this issue be seen if hardware takes more time for the
> operation?
>
No. Constant time here just means that we implement the code without any
branching based on secret data (e.g. no "if" statements/while loops etc
based on secret dependent data). It has very little to do with how long
something actually takes to process.
> Here is the snippet of the wireshark where our device acting as server
> closes the connection with decryption failure.
Thanks. To narrow it down further I need to figure out which line of
code the decrypt_error is coming from as described above.
Matt
> If you need any further info, please let us know.
> image.png
> Thanks
> Mahendra
>
> Please suggest.
>
>
>
> On Fri, Oct 30, 2020 at 3:32 PM Matt Caswell <matt at openssl.org
> <mailto:matt at openssl.org>> wrote:
>
>
>
> On 30/10/2020 09:18, Mahendra SP wrote:
> > Hi All.
> >
> > We have upgraded openssl version to 1.1.1b
> >
> > With this, we are seeing decryption error during SSL handshake for the
> > below explained scenario. Our device acts as an SSL server.
> >
> > We have external hardware to offload RSA private key operations using
> > the engine.
> > Decryption of pre-master secret is done using hardware and is
> > successful. We compared the pre-master secret on both server and
> client
> > and they match.
> > However, we see that SSL handshake fails with "decrypt error (51)"
> with
> > an alert number 21. Verifying the encrypted finish message on the
> server
> > side fails.
> >
> > This issue does not happen with software performing RSA private key
> > operations.
> >
> > Can someone help with the reason for decryption failure? Below is the
> > compiler and processor details. It is 64 bit.
> > arm-linux-gnueabihf-gcc -march=armv7ve -mthumb -mfpu=neon
> -mfloat-abi=hard
>
> Potentially this is related to the use of PSS padding in libssl which is
> mandated in TLSv1.3. The TLSv1.3 spec also requires its use even in
> TLSv1.2.
>
> The PSS padding is implemented within the EVP layer. Ultimately EVP
> calls the function RSA_private_encrypt() with padding set to
> RSA_NO_PADDING.
>
> Assuming your engine is implemented via a custom RSA_METHOD does it
> support RSA_private_encrypt(() with RSA_NO_PADDING? If not this is
> likely to be the problem.
>
> More discussion of this is here:
>
> https://github.com/openssl/openssl/issues/7968
>
> Also related is the recent discussion on this list about the CAPI engine
> and this issue:
>
> https://github.com/openssl/openssl/issues/8872
>
> Matt
>
More information about the openssl-users
mailing list