[openssl/openssl] 908eac: Revert "Fix Timing Oracle in RSA decryption"

Bernd Edlinger noreply at github.com
Tue Apr 4 10:18:51 UTC 2023


  Branch: refs/heads/openssl-3.0
  Home:   https://github.com/openssl/openssl
  Commit: 908eaceb62624f5b5c505b286d904bd3a4e8a64a
      https://github.com/openssl/openssl/commit/908eaceb62624f5b5c505b286d904bd3a4e8a64a
  Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
  Date:   2023-04-04 (Tue, 04 Apr 2023)

  Changed paths:
    M crypto/bn/bn_blind.c
    M crypto/bn/bn_local.h
    M crypto/bn/build.info
    R crypto/bn/rsa_sup_mul.c
    M crypto/rsa/rsa_ossl.c
    M include/crypto/bn.h

  Log Message:
  -----------
  Revert "Fix Timing Oracle in RSA decryption"

This reverts commit 8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20283)


  Commit: a00d757d9ca212994625d1a02c81cc5edd27e13b
      https://github.com/openssl/openssl/commit/a00d757d9ca212994625d1a02c81cc5edd27e13b
  Author: Bernd Edlinger <bernd.edlinger at hotmail.de>
  Date:   2023-04-04 (Tue, 04 Apr 2023)

  Changed paths:
    M CHANGES.md
    M crypto/bn/bn_asm.c
    M crypto/bn/bn_blind.c
    M crypto/bn/bn_lib.c
    M crypto/bn/bn_local.h
    M crypto/rsa/rsa_ossl.c

  Log Message:
  -----------
  Alternative fix for CVE-2022-4304

This is about a timing leak in the topmost limb
of the internal result of RSA_private_decrypt,
before the padding check.

There are in fact at least three bugs together that
caused the timing leak:

First and probably most important is the fact that
the blinding did not use the constant time code path
at all when the RSA object was used for a private
decrypt, due to the fact that the Montgomery context
rsa->_method_mod_n was not set up early enough in
rsa_ossl_private_decrypt, when BN_BLINDING_create_param
needed it, and that was persisted as blinding->m_ctx,
although the RSA object creates the Montgomery context
just a bit later.

Then the infamous bn_correct_top was used on the
secret value right after the blinding was removed.

And finally the function BN_bn2binpad did not use
the constant-time code path since the BN_FLG_CONSTTIME
was not set on the secret value.

In order to address the first problem, this patch
makes sure that the rsa->_method_mod_n is initialized
right before the blinding context.

And to fix the second problem, we add a new utility
function bn_correct_top_consttime, a const-time
variant of bn_correct_top.

Together with the fact, that BN_bn2binpad is already
constant time if the flag BN_FLG_CONSTTIME is set,
this should eliminate the timing oracle completely.

In addition the no-asm variant may also have
branches that depend on secret values, because the last
invocation of bn_sub_words in bn_from_montgomery_word
had branches when the function is compiled by certain
gcc compiler versions, due to the clumsy coding style.

So additionally this patch stream-lined the no-asm
C-code in order to avoid branches where possible and
improve the resulting code quality.

Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20283)


Compare: https://github.com/openssl/openssl/compare/b2c6a24aefb8...a00d757d9ca2


More information about the openssl-commits mailing list