
Implement implicit rejection for RSA PKCS#1 v1.5 de-padding #737

Merged
merged 3 commits into from Jan 23, 2024

Conversation

ifranzki (Contributor)

No description provided.

@ifranzki ifranzki linked an issue Jan 19, 2024 that may be closed by this pull request
@ifranzki (Contributor, Author)

Fixed segfaults in travis runs.
It seems that OpenSSL 1.1.1 does not support re-init of EVP_DigestSignInit with HMAC.

Return code handling of C_Decrypt, C_DecryptUpdate, and C_DecryptFinal must
be performed in a constant-time manner for RSA mechanisms. Otherwise it
may cause a timing side channel that may be used to perform a Bleichenbacher
style attack.

Handling of error situations with CKR_BUFFER_TOO_SMALL or size-query calls,
where the output buffer is NULL and the required size of the output buffer
is to be returned, does not need to be performed in constant time, since
these cases are shortcut anyway, and the result is only dependent on the
modulus size of the RSA key (which is public information anyway).

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Review threads (outdated, resolved): usr/lib/common/mech_rsa.c, COPYRIGHTS (two threads)
@jschmidb (Contributor) left a comment

looks good besides of the two last typos ...

…ding

Implicit rejection returns a pseudo random message in case the RSA PKCS#1 v1.5
padding is incorrect, but returns no error. The pseudo random message is based
on static secret data (the private exponent) and the provided ciphertext, so
that the attacker cannot determine that the returned value is randomly generated
instead of the result of decryption and de-padding.

The implicit rejection algorithm is the same as used by OpenSSL.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
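The de-padding flow described by the two commit messages above, as an added illustrative example written for this page in Python; it is not opencryptoki's or OpenSSL's code. The toy RSA key is constructed from two Mersenne primes and is far too small for real use. The synthetic-message derivation (an HMAC-SHA256 counter-mode PRF keyed from SHA-256 of the private exponent and the ciphertext, the labels "length" and "message", and the length-candidate sampling) follows the idea stated in the commit message, but its exact byte layout is an assumption, so its output will not match OpenSSL's. The helpers `ct_*`, `rsa_private_op`, `prf` and `synthetic_message` are names chosen here. Python big-int arithmetic is not constant time; the block shows the structure a constant-time implementation needs (every byte scanned, no early return, result and return code chosen by mask), not timing guarantees.

```python
import hashlib
import hmac

# Constructed toy RSA key from two Mersenne primes (216-bit modulus).
# Far too small to be secure; it only keeps the example self-contained.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (27 here)

CKR_OK = 0x00                           # PKCS#11 return codes
CKR_ENCRYPTED_DATA_INVALID = 0x40

# Branch-free helpers on small non-negative Python ints: masks are 0 or 1.
# They show the structure only; CPython big-int arithmetic is not constant time.
def ct_is_zero(x): return 1 - (((x | -x) >> 256) & 1)
def ct_eq(a, b): return ct_is_zero(a ^ b)
def ct_lt(a, b): return ((a - b) >> 256) & 1
def ct_select(m, a, b): return b ^ ((a ^ b) & -m)   # a if m == 1 else b

def rsa_encrypt_pkcs1_v15(msg, rnd):
    """Sender side: EM = 00 || 02 || PS (non-zero, >= 8 bytes) || 00 || M."""
    if len(msg) > K - 11:
        raise ValueError("message too long")
    ps = bytes((b % 255) + 1 for b in rnd[:K - 3 - len(msg)])
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def rsa_private_op(ct):
    c = int.from_bytes(ct, "big")
    if len(ct) != K or c >= N:          # depends only on public input: may fail fast
        raise ValueError("ciphertext out of range")
    return pow(c, D, N).to_bytes(K, "big")   # real code: blinded constant-time modexp

def pkcs1_v15_depad_ct(em):
    """Scan every byte; never exit early. Returns (good_mask, msg_len)."""
    good = ct_eq(em[0], 0) & ct_eq(em[1], 2)
    zero_index, found = 0, 0
    for i in range(2, K):
        is_zero = ct_eq(em[i], 0)
        zero_index = ct_select(is_zero & (1 - found), i, zero_index)  # first 00 only
        found |= is_zero
    good &= found & ct_lt(9, zero_index)          # separator at index >= 10 => PS >= 8
    return good, ct_select(good, K - zero_index - 1, 0)

def prf(kdk, label, nbytes):
    """HMAC-SHA256 in counter mode (assumed layout: counter || label || bit length)."""
    out = bytearray()
    for counter in range((nbytes + 31) // 32):
        blk = counter.to_bytes(2, "big") + label + (nbytes * 8).to_bytes(2, "big")
        out += hmac.new(kdk, blk, hashlib.sha256).digest()
    return bytes(out[:nbytes])

def synthetic_message(ct):
    """Pseudo-random stand-in derived from the private exponent and the ciphertext."""
    kdk = hmac.new(hashlib.sha256(D.to_bytes(K, "big")).digest(), ct, hashlib.sha256).digest()
    max_len = K - 11                               # longest message the padding allows
    mask = (1 << max_len.bit_length()) - 1         # trims candidates to reduce bias
    cands = prf(kdk, b"length", 256)
    syn_len = 0
    for i in range(0, 256, 2):                     # last in-range candidate wins
        cand = int.from_bytes(cands[i:i + 2], "big") & mask
        syn_len = ct_select(ct_lt(cand, max_len + 1), cand, syn_len)
    return syn_len, prf(kdk, b"message", K)        # right-aligned, like a real EM

def decrypt_implicit_rejection(ct):
    """Always returns a message; bad padding yields the synthetic one, no error."""
    em = rsa_private_op(ct)
    good, msg_len = pkcs1_v15_depad_ct(em)
    syn_len, syn = synthetic_message(ct)
    out_len = ct_select(good, msg_len, syn_len)
    buf = bytes(ct_select(good, em[i], syn[i]) for i in range(K))
    return buf[K - out_len:]                       # the caller sees out_len anyway

def decrypt_explicit_rejection_ct(ct):
    """Pre-implicit-rejection style: the return code is selected, not branched on."""
    em = rsa_private_op(ct)
    good, msg_len = pkcs1_v15_depad_ct(em)
    rc = ct_select(good, CKR_OK, CKR_ENCRYPTED_DATA_INVALID)
    return rc, em[K - msg_len:]                    # msg_len is 0 when padding is bad

# Constructed inputs: a valid ciphertext and one whose EM starts 01 02 (bad header).
GOOD_CT = rsa_encrypt_pkcs1_v15(b"hello", bytes(range(40)))
BAD_CT = pow(int.from_bytes(b"\x01\x02" + b"\x01" * 7 + b"\x00" + b"x" * (K - 10), "big"),
             E, N).to_bytes(K, "big")

if __name__ == "__main__":
    print(decrypt_implicit_rejection(GOOD_CT), decrypt_explicit_rejection_ct(GOOD_CT))
    print(decrypt_implicit_rejection(BAD_CT).hex(), decrypt_explicit_rejection_ct(BAD_CT))
```

The point to take from the two decrypt functions is that neither contains a data-dependent `return` between the private-key operation and the final selection: `pkcs1_v15_depad_ct` walks the whole encoded message even after it has found the separator, and the outcome is folded into a mask that picks the length, the bytes and (in the explicit-rejection variant) the CKR_ code. The only early exits are on facts the caller already knows (ciphertext length and range), which is the same distinction the first commit message draws for CKR_BUFFER_TOO_SMALL and size queries. With implicit rejection the caller gets the same return code either way, and the synthetic message is a deterministic function of the key and the ciphertext, so repeating a query does not reveal that it was rejected.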
@ifranzki ifranzki merged commit b833f2f into opencryptoki:master Jan 23, 2024
1 check passed
@ifranzki ifranzki deleted the consttime-fixes branch January 23, 2024 07:32
Linked issue (may be closed by this pull request): opencryptoki vulnerable to the Marvin Attack
2 participants