[openssl/openssl] 7fc67e: rsa: add implicit rejection in PKCS#1 v1.5
Hubert Kario
noreply at github.com
Mon Dec 12 10:37:05 UTC 2022
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: 7fc67e0a33102aa47bbaa56533eeecb98c0450f7
https://github.com/openssl/openssl/commit/7fc67e0a33102aa47bbaa56533eeecb98c0450f7
Author: Hubert Kario <hkario at redhat.com>
Date: 2022-12-12 (Mon, 12 Dec 2022)
Changed paths:
M crypto/rsa/rsa_ossl.c
M crypto/rsa/rsa_pk1.c
M doc/man1/openssl-pkeyutl.pod.in
M doc/man1/openssl-rsautl.pod.in
M doc/man3/EVP_PKEY_CTX_ctrl.pod
M doc/man3/EVP_PKEY_decrypt.pod
M doc/man3/RSA_padding_add_PKCS1_type_1.pod
M doc/man3/RSA_public_encrypt.pod
M include/crypto/rsa.h
M test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Log Message:
-----------
rsa: add implicit rejection in PKCS#1 v1.5
The RSA decryption as implemented before required very careful handling
of both the exit code returned by OpenSSL and the potentially returned
ciphertext. Looking at the recent security vulnerabilities
(CVE-2020-25659 and CVE-2020-25657) it is unlikely that most users of
OpenSSL do it correctly.
Given that correct code requires side channel secure programming in
application code, we can classify the existing RSA decryption methods
as CWE-676, which in turn likely causes CWE-208 and CWE-385 in
application code.
To prevent that, we can use a technique called "implicit rejection".
For that we generate a random message to be returned in case the
padding check fails. We generate the message based on static secret
data (the private exponent) and the provided ciphertext (so that the
attacker cannot determine that the returned value is randomly generated
instead of result of decryption and de-padding). We return it in case
any part of padding check fails.
The upshot of this approach is that then not only is the length of the
returned message useless as the Bleichenbacher oracle, so are the
actual bytes of the returned message. So application code doesn't have
to perform any operations on the returned message in side-channel free
way to remain secure against Bleichenbacher attacks.
Note: this patch implements a specific algorithm, shared with Mozilla
NSS, so that the attacker cannot use one library as an oracle against the
other in heterogeneous environments.
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Commit: 8ae4f0e68ebb7435be494b58676827ae91695371
https://github.com/openssl/openssl/commit/8ae4f0e68ebb7435be494b58676827ae91695371
Author: Hubert Kario <hkario at redhat.com>
Date: 2022-12-12 (Mon, 12 Dec 2022)
Changed paths:
M test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Log Message:
-----------
rsa: add test vectors for the implicit rejection in RSA PKCS#1 v1.5
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Commit: 5ab3ec1bb1eaa795d775f5896818cfaa84d33a1a
https://github.com/openssl/openssl/commit/5ab3ec1bb1eaa795d775f5896818cfaa84d33a1a
Author: Hubert Kario <hkario at redhat.com>
Date: 2022-12-12 (Mon, 12 Dec 2022)
Changed paths:
M crypto/cms/cms_env.c
M crypto/evp/ctrl_params_translate.c
M crypto/rsa/rsa_ossl.c
M crypto/rsa/rsa_pmeth.c
M doc/man1/openssl-pkeyutl.pod.in
M doc/man3/EVP_PKEY_CTX_ctrl.pod
M doc/man7/provider-asym_cipher.pod
M include/openssl/core_names.h
M include/openssl/rsa.h
M providers/implementations/asymciphers/rsa_enc.c
Log Message:
-----------
rsa: Add option to disable implicit rejection
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Commit: ddecbef6e389d263b728b7fa30fd3d9ce13feddb
https://github.com/openssl/openssl/commit/ddecbef6e389d263b728b7fa30fd3d9ce13feddb
Author: Hubert Kario <hkario at redhat.com>
Date: 2022-12-12 (Mon, 12 Dec 2022)
Changed paths:
M test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Log Message:
-----------
rsa: Skip the synthethic plaintext test with old FIPS provider
since the 3.0.0 FIPS provider doesn't implement the Bleichenbacher
workaround, the decryption fails instead of providing a synthetic
plaintext, so skip them then
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Commit: 455db0c94c0b83083ce8b792982c03aa56fc866f
https://github.com/openssl/openssl/commit/455db0c94c0b83083ce8b792982c03aa56fc866f
Author: Hubert Kario <hkario at redhat.com>
Date: 2022-12-12 (Mon, 12 Dec 2022)
Changed paths:
M test/recipes/30-test_evp_data/evppkey_rsa_common.txt
Log Message:
-----------
rsa: add test for the option to disable implicit rejection
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Commit: 056dade341d2589975a3aae71f81c8d7061583c7
https://github.com/openssl/openssl/commit/056dade341d2589975a3aae71f81c8d7061583c7
Author: Hubert Kario <hkario at redhat.com>
Date: 2022-12-12 (Mon, 12 Dec 2022)
Changed paths:
M crypto/pkcs7/pk7_doit.c
Log Message:
-----------
smime/pkcs7: disable the Bleichenbacher workaround
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Commit: c3aed7e4e6f1960eaa43ecbea2178b82481887af
https://github.com/openssl/openssl/commit/c3aed7e4e6f1960eaa43ecbea2178b82481887af
Author: Hubert Kario <hkario at redhat.com>
Date: 2022-12-12 (Mon, 12 Dec 2022)
Changed paths:
M CHANGES.md
Log Message:
-----------
rsa: add implicit rejection CHANGES entry
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
Compare: https://github.com/openssl/openssl/compare/1ca61aa56090...c3aed7e4e6f1
More information about the openssl-commits
mailing list