Skip to content

Commit

Permalink
rsa: add implicit rejection in PKCS#1 v1.5
Browse files Browse the repository at this point in the history 
The RSA decryption as implemented before required very careful handling
of both the exit code returned by OpenSSL and the potentially returned
ciphertext. Looking at the recent security vulnerabilities
(CVE-2020-25659 and CVE-2020-25657) it is unlikely that most users of
OpenSSL do it correctly.

Given that correct code requires side channel secure programming in
application code, we can classify the existing RSA decryption methods
as CWE-676, which in turn likely causes CWE-208 and CWE-385 in
application code.

To prevent that, we can use a technique called "implicit rejection".
For that we generate a random message to be returned in case the
padding check fails. We generate the message based on static secret
data (the private exponent) and the provided ciphertext (so that the
attacker cannot determine that the returned value is randomly generated
instead of result of decryption and de-padding). We return it in case
any part of padding check fails.

The upshot of this approach is that then not only is the length of the
returned message useless as the Bleichenbacher oracle, so are the
actual bytes of the returned message. So application code doesn't have
to perform any operations on the returned message in side-channel free
way to remain secure against Bleichenbacher attacks.

Note: this patch implements a specific algorithm, shared with Mozilla
NSS, so that the attacker cannot use one library as an oracle against the
other in heterogeneous environments.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from #13817)
  • Loading branch information
@tomato42 @t8m
tomato42 authored and t8m committed Dec 12, 2022
1 parent 1ca61aa commit 7fc67e0
Show file tree
Hide file tree
Showing 10 changed files with 395 additions and 7 deletions.
95 changes: 94 additions & 1 deletion crypto/rsa/rsa_ossl.c
View file
Expand Up @@ -17,6 +17,9 @@
#include "crypto/bn.h"
#include "rsa_local.h"
#include "internal/constant_time.h"
#include <openssl/evp.h>
#include <openssl/sha.h>
#include <openssl/hmac.h>

static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
Expand Down Expand Up @@ -372,8 +375,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
BIGNUM *f, *ret;
int j, num = 0, r = -1;
unsigned char *buf = NULL;
unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0};
HMAC_CTX *hmac = NULL;
unsigned int md_len = SHA256_DIGEST_LENGTH;
unsigned char kdk[SHA256_DIGEST_LENGTH] = {0};
BN_CTX *ctx = NULL;
int local_blinding = 0;
EVP_MD *md = NULL;
/*
* Used only if the blinding structure is shared. A non-NULL unblind
* instructs rsa_blinding_convert() and rsa_blinding_invert() to store
Expand Down Expand Up @@ -405,6 +413,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
goto err;
}

if (flen < 1) {
ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
goto err;
}

/* make data into a big number */
if (BN_bin2bn(from, (int)flen, f) == NULL)
goto err;
Expand Down Expand Up @@ -471,13 +484,91 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err;

/*
* derive the Key Derivation Key from private exponent and public
* ciphertext
*/
if (!(rsa->flags & RSA_FLAG_EXT_PKEY)) {
/*
* because we use d as a handle to rsa->d we need to keep it local and
* free before any further use of rsa->d
*/
BIGNUM *d = BN_new();
if (d == NULL) {
ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
goto err;
}
if (rsa->d == NULL) {
ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
BN_free(d);
goto err;
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (BN_bn2binpad(d, buf, num) < 0) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
BN_free(d);
goto err;
}
BN_free(d);

/*
* we use hardcoded hash so that migrating between versions that use
* different hash doesn't provide a Bleichenbacher oracle:
* if the attacker can see that different versions return different
* messages for the same ciphertext, they'll know that the message is
* syntethically generated, which means that the padding check failed
*/
md = EVP_MD_fetch(rsa->libctx, "sha256", NULL);
if (md == NULL) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}

if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}

hmac = HMAC_CTX_new();
if (hmac == NULL) {
ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
goto err;
}

if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}

if (flen < num) {
memset(buf, 0, num - flen);
if (HMAC_Update(hmac, buf, num - flen) <= 0) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
}
if (HMAC_Update(hmac, from, flen) <= 0) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}

md_len = SHA256_DIGEST_LENGTH;
if (HMAC_Final(hmac, kdk, &md_len) <= 0) {
ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
goto err;
}
}

j = BN_bn2binpad(ret, buf, num);
if (j < 0)
goto err;

switch (padding) {
case RSA_PKCS1_PADDING:
r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
if (rsa->flags & RSA_FLAG_EXT_PKEY)
r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
else
r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
break;
case RSA_PKCS1_OAEP_PADDING:
r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
Expand All @@ -500,6 +591,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
#endif

err:
HMAC_CTX_free(hmac);
EVP_MD_free(md);
BN_CTX_end(ctx);
BN_CTX_free(ctx);
OPENSSL_clear_free(buf, num);
Expand Down

0 comments on commit 7fc67e0

Please sign in to comment.