[openssl/openssl] 7fc67e: rsa: add implicit rejection in PKCS#1 v1.5

Hubert Kario noreply at github.com
Mon Dec 12 10:37:05 UTC 2022 

  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 7fc67e0a33102aa47bbaa56533eeecb98c0450f7
      https://github.com/openssl/openssl/commit/7fc67e0a33102aa47bbaa56533eeecb98c0450f7
  Author: Hubert Kario <hkario at redhat.com>
  Date:   2022-12-12 (Mon, 12 Dec 2022)

  Changed paths:
    M crypto/rsa/rsa_ossl.c
    M crypto/rsa/rsa_pk1.c
    M doc/man1/openssl-pkeyutl.pod.in
    M doc/man1/openssl-rsautl.pod.in
    M doc/man3/EVP_PKEY_CTX_ctrl.pod
    M doc/man3/EVP_PKEY_decrypt.pod
    M doc/man3/RSA_padding_add_PKCS1_type_1.pod
    M doc/man3/RSA_public_encrypt.pod
    M include/crypto/rsa.h
    M test/recipes/30-test_evp_data/evppkey_rsa_common.txt

  Log Message:
  -----------
  rsa: add implicit rejection in PKCS#1 v1.5

The RSA decryption as implemented before required very careful handling
of both the exit code returned by OpenSSL and the potentially returned
ciphertext. Looking at the recent security vulnerabilities
(CVE-2020-25659 and CVE-2020-25657) it is unlikely that most users of
OpenSSL do it correctly.

Given that correct code requires side channel secure programming in
application code, we can classify the existing RSA decryption methods
as CWE-676, which in turn likely causes CWE-208 and CWE-385 in
application code.

To prevent that, we can use a technique called "implicit rejection".
For that we generate a random message to be returned in case the
padding check fails. We generate the message based on static secret
data (the private exponent) and the provided ciphertext (so that the
attacker cannot determine that the returned value is randomly generated
instead of result of decryption and de-padding). We return it in case
any part of padding check fails.

The upshot of this approach is that then not only is the length of the
returned message useless as the Bleichenbacher oracle, so are the
actual bytes of the returned message. So application code doesn't have
to perform any operations on the returned message in side-channel free
way to remain secure against Bleichenbacher attacks.

Note: this patch implements a specific algorithm, shared with Mozilla
NSS, so that the attacker cannot use one library as an oracle against the
other in heterogeneous environments.

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)


  Commit: 8ae4f0e68ebb7435be494b58676827ae91695371
      https://github.com/openssl/openssl/commit/8ae4f0e68ebb7435be494b58676827ae91695371
  Author: Hubert Kario <hkario at redhat.com>
  Date:   2022-12-12 (Mon, 12 Dec 2022)

  Changed paths:
    M test/recipes/30-test_evp_data/evppkey_rsa_common.txt

  Log Message:
  -----------
  rsa: add test vectors for the implicit rejection in RSA PKCS#1 v1.5

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)


  Commit: 5ab3ec1bb1eaa795d775f5896818cfaa84d33a1a
      https://github.com/openssl/openssl/commit/5ab3ec1bb1eaa795d775f5896818cfaa84d33a1a
  Author: Hubert Kario <hkario at redhat.com>
  Date:   2022-12-12 (Mon, 12 Dec 2022)

  Changed paths:
    M crypto/cms/cms_env.c
    M crypto/evp/ctrl_params_translate.c
    M crypto/rsa/rsa_ossl.c
    M crypto/rsa/rsa_pmeth.c
    M doc/man1/openssl-pkeyutl.pod.in
    M doc/man3/EVP_PKEY_CTX_ctrl.pod
    M doc/man7/provider-asym_cipher.pod
    M include/openssl/core_names.h
    M include/openssl/rsa.h
    M providers/implementations/asymciphers/rsa_enc.c

  Log Message:
  -----------
  rsa: Add option to disable implicit rejection

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)


  Commit: ddecbef6e389d263b728b7fa30fd3d9ce13feddb
      https://github.com/openssl/openssl/commit/ddecbef6e389d263b728b7fa30fd3d9ce13feddb
  Author: Hubert Kario <hkario at redhat.com>
  Date:   2022-12-12 (Mon, 12 Dec 2022)

  Changed paths:
    M test/recipes/30-test_evp_data/evppkey_rsa_common.txt

  Log Message:
  -----------
  rsa: Skip the synthethic plaintext test with old FIPS provider

since the 3.0.0 FIPS provider doesn't implement the Bleichenbacher
workaround, the decryption fails instead of providing a synthetic
plaintext, so skip them then

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)


  Commit: 455db0c94c0b83083ce8b792982c03aa56fc866f
      https://github.com/openssl/openssl/commit/455db0c94c0b83083ce8b792982c03aa56fc866f
  Author: Hubert Kario <hkario at redhat.com>
  Date:   2022-12-12 (Mon, 12 Dec 2022)

  Changed paths:
    M test/recipes/30-test_evp_data/evppkey_rsa_common.txt

  Log Message:
  -----------
  rsa: add test for the option to disable implicit rejection

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)


  Commit: 056dade341d2589975a3aae71f81c8d7061583c7
      https://github.com/openssl/openssl/commit/056dade341d2589975a3aae71f81c8d7061583c7
  Author: Hubert Kario <hkario at redhat.com>
  Date:   2022-12-12 (Mon, 12 Dec 2022)

  Changed paths:
    M crypto/pkcs7/pk7_doit.c

  Log Message:
  -----------
  smime/pkcs7: disable the Bleichenbacher workaround

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)


  Commit: c3aed7e4e6f1960eaa43ecbea2178b82481887af
      https://github.com/openssl/openssl/commit/c3aed7e4e6f1960eaa43ecbea2178b82481887af
  Author: Hubert Kario <hkario at redhat.com>
  Date:   2022-12-12 (Mon, 12 Dec 2022)

  Changed paths:
    M CHANGES.md

  Log Message:
  -----------
  rsa: add implicit rejection CHANGES entry

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)


Compare: https://github.com/openssl/openssl/compare/1ca61aa56090...c3aed7e4e6f1

More information about the openssl-commits mailing list