[openssl/openssl] 511157: Revert "Fix Timing Oracle in RSA decryption"

Bernd Edlinger noreply at github.com
Tue Apr 4 10:18:41 UTC 2023 

  Branch: refs/heads/openssl-3.1
  Home:   https://github.com/openssl/openssl
  Commit: 5111577cca8c4976f0a03f9f9e0425bafc90b0da
      https://github.com/openssl/openssl/commit/5111577cca8c4976f0a03f9f9e0425bafc90b0da
  Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
  Date:   2023-04-04 (Tue, 04 Apr 2023)

  Changed paths:
    M crypto/bn/bn_blind.c
    M crypto/bn/bn_local.h
    M crypto/bn/build.info
    R crypto/bn/rsa_sup_mul.c
    M crypto/rsa/rsa_ossl.c
    M include/crypto/bn.h

  Log Message:
  -----------
  Revert "Fix Timing Oracle in RSA decryption"

This reverts commit 8022a4799fe884b3bf8d538e2b4c4ec323663118.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20282)


  Commit: 550a16247e899363ef973aa08623f9b19bb636fb
      https://github.com/openssl/openssl/commit/550a16247e899363ef973aa08623f9b19bb636fb
  Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
  Date:   2023-04-04 (Tue, 04 Apr 2023)

  Changed paths:
    M CHANGES.md
    M crypto/bn/bn_asm.c
    M crypto/bn/bn_blind.c
    M crypto/bn/bn_lib.c
    M crypto/bn/bn_local.h
    M crypto/rsa/rsa_ossl.c

  Log Message:
  -----------
  Alternative fix for CVE-2022-4304

This is about a timing leak in the topmost limb
of the internal result of RSA_private_decrypt,
before the padding check.

There are in fact at least three bugs together that
caused the timing leak:

First and probably most important is the fact that
the blinding did not use the constant time code path
at all when the RSA object was used for a private
decrypt, due to the fact that the Montgomery context
rsa->_method_mod_n was not set up early enough in
rsa_ossl_private_decrypt, when BN_BLINDING_create_param
needed it, and that was persisted as blinding->m_ctx,
although the RSA object creates the Montgomery context
just a bit later.

Then the infamous bn_correct_top was used on the
secret value right after the blinding was removed.

And finally the function BN_bn2binpad did not use
the constant-time code path since the BN_FLG_CONSTTIME
was not set on the secret value.

In order to address the first problem, this patch
makes sure that the rsa->_method_mod_n is initialized
right before the blinding context.

And to fix the second problem, we add a new utility
function bn_correct_top_consttime, a const-time
variant of bn_correct_top.

Together with the fact, that BN_bn2binpad is already
constant time if the flag BN_FLG_CONSTTIME is set,
this should eliminate the timing oracle completely.

In addition the no-asm variant may also have
branches that depend on secret values, because the last
invocation of bn_sub_words in bn_from_montgomery_word
had branches when the function is compiled by certain
gcc compiler versions, due to the clumsy coding style.

So additionally this patch stream-lined the no-asm
C-code in order to avoid branches where possible and
improve the resulting code quality.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20282)


Compare: https://github.com/openssl/openssl/compare/5fc987234060...550a16247e89

More information about the openssl-commits mailing list