
Implement implicit rejection for RSA PKCS#1 v1.5 de-padding #737

Merged (3 commits, Jan 23, 2024)

Commits on Jan 19, 2024

  1. Constant time fixes for C_Decrypt return code handling

    Return code handling of C_Decrypt, C_DecryptUpdate, and C_DecryptFinal must
    be performed in a constant time manner for RSA mechanisms. Otherwise it
    may cause a timing side channel that may be used to perform a Bleichenbacher
    style attack.
    
    Handling of error situations with CKR_BUFFER_TOO_SMALL or size-query calls,
    where the output buffer is NULL and the required size of the output buffer
    is to be returned, does not need to be performed in constant time, since
    these cases are shortcut anyway, and the result is only dependent on the
    modulus size of the RSA key (which is public information anyway).
    
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
    ifranzki committed Jan 19, 2024
    Commit 5b7408f

Commits on Jan 22, 2024

  1. common: Add support for implicit rejection for RSA PKCS#1 v1.5 de-padding

    
    Implicit rejection returns a pseudo random message in case the RSA PKCS#1 v1.5
    padding is incorrect, but returns no error. The pseudo random message is based
    on static secret data (the private exponent) and the provided ciphertext, so
    that the attacker cannot determine that the returned value is randomly generated
    instead of the result of decryption and de-padding.
    
    The implicit rejection algorithm is the same as used by OpenSSL.
    
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
    ifranzki committed Jan 22, 2024
    Commit e3ad486
  2. testcases: Add RSA implicit rejection test cases

    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
    ifranzki committed Jan 22, 2024
    Commit cee1d66
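The implicit-rejection scheme the second commit describes, as an added illustration that is neither this project's code nor OpenSSL's: a PKCS#1 v1.5 de-padding check with no early exit, a stand-in message derived from the private exponent and the ciphertext, and a masked selection between the two so that a bad ciphertext never produces an error path. The toy key, the simplified PRF construction and all function names are assumptions made for the demo.

```python
import hashlib
import hmac

def pkcs1_v15_unpad_check(em: bytes):
    """Check 0x00 0x02 PS 0x00 M with no early exit; returns (good, message).
    Mask arithmetic mirrors the branch-free shape a C implementation needs
    (CPython itself gives no real constant-time guarantee)."""
    good = int(em[0] == 0) & int(em[1] == 2)
    found, zero_index = 0, 0
    for i in range(2, len(em)):
        is_zero = int(em[i] == 0)
        take = -(is_zero & (found ^ 1)) & 0xFFFF      # all-ones only at the first zero
        zero_index = (zero_index & ~take) | (i & take)
        found |= is_zero
    good &= found & int(zero_index >= 10)             # PS must be at least 8 bytes
    return good, em[zero_index + 1:]

def synthetic_message(d: int, k: int, ciphertext: bytes) -> bytes:
    """Stand-in plaintext derived from the private exponent and the ciphertext:
    deterministic per ciphertext, unpredictable without d. Simplified PRF
    construction (assumption), not the exact OpenSSL derivation."""
    key = hashlib.sha256(d.to_bytes(k, "big")).digest()
    prf = hmac.new(key, ciphertext, "sha256").digest()
    length = int.from_bytes(prf[:2], "big") % (k - 10)  # 0..k-11, also secret-derived
    out = b"".join(hmac.new(key, ciphertext + i.to_bytes(4, "big"), "sha256").digest()
                   for i in range((length + 31) // 32))
    return out[:length]

def rsa_decrypt_implicit_rejection(n: int, d: int, ciphertext: bytes) -> bytes:
    """Decrypt and de-pad; on bad padding return the synthetic message instead of
    an error, selecting between the two with masks rather than a branch."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    good, msg = pkcs1_v15_unpad_check(em)
    fake = synthetic_message(d, k, ciphertext)        # always computed, never skipped
    mask = -good & 0xFF                               # 0xFF if padding valid, else 0x00
    m_buf, f_buf = msg.rjust(k, b"\0"), fake.rjust(k, b"\0")
    out = bytes((a & mask) | (b & (mask ^ 0xFF)) for a, b in zip(m_buf, f_buf))
    length = (len(msg) & -good) | (len(fake) & (good - 1))
    return out[k - length:]

def rsa_encrypt_block(n: int, e: int, em: bytes) -> bytes:
    """Raw RSA on an already padded block (test helper; real callers use random PS)."""
    return pow(int.from_bytes(em, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed toy key from Mersenne primes 2^127-1 and 2^89-1 (demo only, 216-bit n)
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
```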