154 lines
6.0 KiB
Diff
154 lines
6.0 KiB
Diff
commit f931d6e47bf2fb26aa9cf52e231d13edc1c837a1
|
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Date: Tue Dec 12 17:16:56 2023 +0100
|
|
|
|
COMMON: Update rsa_parse_block_type_2() to not leak the message length
|
|
|
|
Take the implementation of OpenSSL function RSA_padding_check_PKCS1_type_2()
|
|
in crypto/rsa/rsa_pk1.c instead of ossl_rsa_padding_check_PKCS1_type_2(), since
|
|
the latter leaks the message size.
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
|
diff --git a/usr/lib/common/mech_rsa.c b/usr/lib/common/mech_rsa.c
|
|
index 326c5795..7bab1a84 100644
|
|
--- a/usr/lib/common/mech_rsa.c
|
|
+++ b/usr/lib/common/mech_rsa.c
|
|
@@ -29,6 +29,7 @@
|
|
#include "constant_time.h"
|
|
|
|
#include <openssl/crypto.h>
|
|
+#include <openssl/rsa.h>
|
|
|
|
CK_BBOOL is_rsa_mechanism(CK_MECHANISM_TYPE mech)
|
|
{
|
|
@@ -293,13 +294,16 @@ static CK_RV rsa_parse_block_type_2(CK_BYTE *in_data,
|
|
CK_BYTE *out_data,
|
|
CK_ULONG *out_data_len)
|
|
{
|
|
- unsigned int ok = 0, found, zero;
|
|
- size_t zero_index = 0, msg_index, mlen;
|
|
- size_t i, j;
|
|
+ int i;
|
|
+ unsigned char *em = NULL;
|
|
+ unsigned int good, found_zero_byte, mask, equals0;
|
|
+ int zero_index = 0, msg_index, mlen = -1;
|
|
+ int out_len = *out_data_len;
|
|
+ int rsa_size = in_data_len;
|
|
|
|
/*
|
|
* The implementation of this function is copied from OpenSSL's function
|
|
- * ossl_rsa_padding_check_PKCS1_type_2() in crypto/rsa/rsa_pk1.c
|
|
+ * RSA_padding_check_PKCS1_type_2() in crypto/rsa/rsa_pk1.c
|
|
* and is slightly modified to fit to the OpenCryptoki environment.
|
|
*
|
|
* The OpenSSL code is licensed under the Apache License 2.0.
|
|
@@ -324,55 +328,86 @@ static CK_RV rsa_parse_block_type_2(CK_BYTE *in_data,
|
|
* PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography Standard",
|
|
* section 7.2.2.
|
|
*/
|
|
- if (in_data_len < 11) {
|
|
+ if (rsa_size < RSA_PKCS1_PADDING_SIZE) {
|
|
TRACE_DEVEL("%s\n", ock_err(ERR_FUNCTION_FAILED));
|
|
return CKR_FUNCTION_FAILED;
|
|
}
|
|
|
|
- ok = constant_time_is_zero(in_data[0]);
|
|
- ok &= constant_time_eq(in_data[1], 2);
|
|
+ em = malloc(rsa_size);
|
|
+ if (em == NULL) {
|
|
+ TRACE_DEVEL("%s\n", ock_err(ERR_HOST_MEMORY));
|
|
+ return CKR_HOST_MEMORY;
|
|
+ }
|
|
+
|
|
+ /* in_data_len is always equal to rsa_size */
|
|
+ memcpy(em, in_data, rsa_size);
|
|
+
|
|
+ good = constant_time_is_zero(em[0]);
|
|
+ good &= constant_time_eq(em[1], 2);
|
|
|
|
/* scan over padding data */
|
|
- found = 0;
|
|
- for (i = 2; i < in_data_len; i++) {
|
|
- zero = constant_time_is_zero(in_data[i]);
|
|
+ found_zero_byte = 0;
|
|
+ for (i = 2; i < rsa_size; i++) {
|
|
+ equals0 = constant_time_is_zero(em[i]);
|
|
|
|
- zero_index = constant_time_select_int(~found & zero, i, zero_index);
|
|
- found |= zero;
|
|
+ zero_index = constant_time_select_int(~found_zero_byte & equals0,
|
|
+ i, zero_index);
|
|
+ found_zero_byte |= equals0;
|
|
}
|
|
|
|
/*
|
|
- * PS must be at least 8 bytes long, and it starts two bytes into |enc_msg|.
|
|
+ * PS must be at least 8 bytes long, and it starts two bytes into |em|.
|
|
* If we never found a 0-byte, then |zero_index| is 0 and the check
|
|
* also fails.
|
|
*/
|
|
- ok &= constant_time_ge(zero_index, 2 + 8);
|
|
+ good &= constant_time_ge(zero_index, 2 + 8);
|
|
|
|
/*
|
|
* Skip the zero byte. This is incorrect if we never found a zero-byte
|
|
* but in this case we also do not copy the message out.
|
|
*/
|
|
msg_index = zero_index + 1;
|
|
- mlen = in_data_len - msg_index;
|
|
+ mlen = rsa_size - msg_index;
|
|
|
|
/*
|
|
* For good measure, do this check in constant time as well.
|
|
*/
|
|
- ok &= constant_time_ge(*out_data_len, mlen);
|
|
+ good &= constant_time_ge(out_len, mlen);
|
|
|
|
/*
|
|
- * since at this point the |msg_index| does not provide the signal
|
|
- * indicating if the padding check failed or not, we don't have to worry
|
|
- * about leaking the length of returned message, we still need to ensure
|
|
- * that we read contents of both buffers so that cache accesses don't leak
|
|
- * the value of |good|
|
|
+ * Move the result in-place by |rsa_size|-RSA_PKCS1_PADDING_SIZE-|mlen|
|
|
+ * bytes to the left.
|
|
+ * Then if |good| move |mlen| bytes from |em|+RSA_PKCS1_PADDING_SIZE to
|
|
+ * |out_data|. Otherwise leave |out_data| unchanged.
|
|
+ * Copy the memory back in a way that does not reveal the size of
|
|
+ * the data being copied via a timing side channel. This requires copying
|
|
+ * parts of the buffer multiple times based on the bits set in the real
|
|
+ * length. Clear bits do a non-copy with identical access pattern.
|
|
+ * The loop below has overall complexity of O(N*log(N)).
|
|
*/
|
|
- for (i = msg_index, j = 0; i < in_data_len && j < *out_data_len; i++, j++)
|
|
- out_data[j] = constant_time_select_8(ok, in_data[i], out_data[j]);
|
|
+ out_len = constant_time_select_int(
|
|
+ constant_time_lt(rsa_size - RSA_PKCS1_PADDING_SIZE, out_len),
|
|
+ rsa_size - RSA_PKCS1_PADDING_SIZE,
|
|
+ out_len);
|
|
+ for (msg_index = 1; msg_index < rsa_size - RSA_PKCS1_PADDING_SIZE;
|
|
+ msg_index <<= 1) {
|
|
+ mask = ~constant_time_eq(
|
|
+ msg_index & (rsa_size - RSA_PKCS1_PADDING_SIZE - mlen), 0);
|
|
+ for (i = RSA_PKCS1_PADDING_SIZE; i < rsa_size - msg_index; i++)
|
|
+ em[i] = constant_time_select_8(mask, em[i + msg_index], em[i]);
|
|
+ }
|
|
+ for (i = 0; i < out_len; i++) {
|
|
+ mask = good & constant_time_lt(i, mlen);
|
|
+ out_data[i] = constant_time_select_8(
|
|
+ mask, em[i + RSA_PKCS1_PADDING_SIZE], out_data[i]);
|
|
+ }
|
|
+
|
|
+ OPENSSL_cleanse(em, rsa_size);
|
|
+ free(em);
|
|
|
|
- *out_data_len = j;
|
|
+ *out_data_len = constant_time_select_int(good, mlen, 0);
|
|
|
|
- return constant_time_select_int(ok, CKR_OK, CKR_ENCRYPTED_DATA_INVALID);
|
|
+ return constant_time_select_int(good, CKR_OK, CKR_ENCRYPTED_DATA_INVALID);
|
|
}
|
|
|
|
CK_RV rsa_parse_block(CK_BYTE *in_data,
|