Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
opensc.35664
opensc-CVE-2023-5992.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File opensc-CVE-2023-5992.patch of Package opensc.35664
From b9e1d344df1f850a9b15bce6294f72c1620d0b45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com> Date: Mon, 13 Nov 2023 13:54:54 +0100 Subject: [PATCH 1/8] Reimplement removing of PKCS#1 v1.5 padding to be time constant --- src/common/Makefile.am | 6 +- src/common/constant-time.h | 128 ++++++++++++++++++++++++++++++++++++ src/libopensc/internal.h | 4 +- src/libopensc/padding.c | 102 +++++++++++++++++++--------- src/libopensc/pkcs15-sec.c | 5 +- src/minidriver/minidriver.c | 4 +- 6 files changed, 210 insertions(+), 39 deletions(-) create mode 100644 src/common/constant-time.h Index: opensc-0.19.0/src/common/constant-time.h =================================================================== --- /dev/null +++ opensc-0.19.0/src/common/constant-time.h @@ -0,0 +1,128 @@ +/* Original source: https://github.com/openssl/openssl/blob/9890cc42daff5e2d0cad01ac4bf78c391f599a6e/include/internal/constant_time.h */ + +#ifndef CONSTANT_TIME_H +#define CONSTANT_TIME_H + +#include <stdlib.h> +#include <string.h> + +#if !defined(inline) +#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L +#define constant_inline inline +#elif defined(__GNUC__) && __GNUC__ >= 2 +#elif defined(__GNUC__) && __GNUC__ >= 2 +#elif defined(_MSC_VER) +#define constant_inline __inline +#else +#define constant_inline +#endif +#else /* use what caller wants as inline may be from config.h */ +#define constant_inline inline /* inline */ +#endif + +/*- + * The boolean methods return a bitmask of all ones (0xff...f) for true + * and 0 for false. For example, + * if (a < b) { + * c = a; + * } else { + * c = b; + * } + * can be written as + * unsigned int lt = constant_time_lt(a, b); + * c = constant_time_select(lt, a, b); + */ + +static constant_inline unsigned int +value_barrier(unsigned int a) +{ + volatile unsigned int r = a; + return r; +} + +static constant_inline size_t +value_barrier_s(size_t a) +{ + volatile size_t r = a; + return r; +} + +/* MSB */ +static constant_inline size_t +constant_time_msb_s(size_t a) +{ + return 0 - (a >> (sizeof(a) * 8 - 1)); +} + +static constant_inline unsigned int +constant_time_msb(unsigned int a) +{ + return 0 - (a >> (sizeof(a) * 8 - 1)); +} + +/* Select */ +static constant_inline unsigned int +constant_time_select(unsigned int mask, unsigned int a, unsigned int b) +{ + return (value_barrier(mask) & a) | (value_barrier(~mask) & b); +} + +static constant_inline unsigned char +constant_time_select_8(unsigned char mask, unsigned char a, unsigned char b) +{ + return (unsigned char)constant_time_select(mask, a, b); +} + +static constant_inline size_t +constant_time_select_s(size_t mask, size_t a, size_t b) +{ + return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b); +} + +/* Zero */ +static constant_inline unsigned int +constant_time_is_zero(unsigned int a) +{ + return constant_time_msb(~a & (a - 1)); +} + +static constant_inline size_t +constant_time_is_zero_s(size_t a) +{ + return constant_time_msb_s(~a & (a - 1)); +} + +/* Comparison*/ +static constant_inline size_t +constant_time_lt_s(size_t a, size_t b) +{ + return constant_time_msb_s(a ^ ((a ^ b) | ((a - b) ^ b))); +} + +static constant_inline unsigned int +constant_time_lt(unsigned int a, unsigned int b) +{ + return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b))); +} + +static constant_inline unsigned int +constant_time_ge(unsigned int a, unsigned int b) +{ + return ~constant_time_lt(a, b); +} + +/* Equality*/ + +static constant_inline unsigned int +constant_time_eq(unsigned int a, unsigned int b) +{ + return constant_time_is_zero(a ^ b); +} + +static constant_inline size_t +constant_time_eq_s(size_t a, size_t b) +{ + return constant_time_is_zero_s(a ^ b); +} + +#endif /* CONSTANT_TIME_H */ Index: opensc-0.19.0/src/libopensc/internal.h =================================================================== --- opensc-0.19.0.orig/src/libopensc/internal.h +++ opensc-0.19.0/src/libopensc/internal.h @@ -142,8 +142,8 @@ int _sc_card_add_ec_alg(struct sc_card * int sc_pkcs1_strip_01_padding(struct sc_context *ctx, const u8 *in_dat, size_t in_len, u8 *out_dat, size_t *out_len); -int sc_pkcs1_strip_02_padding(struct sc_context *ctx, const u8 *data, size_t len, - u8 *out_dat, size_t *out_len); +int sc_pkcs1_strip_02_padding_constant_time(sc_context_t *ctx, unsigned int n, const u8 *data, + unsigned int data_len, u8 *out, unsigned int *out_len); int sc_pkcs1_strip_digest_info_prefix(unsigned int *algorithm, const u8 *in_dat, size_t in_len, u8 *out_dat, size_t *out_len); Index: opensc-0.19.0/src/libopensc/padding.c =================================================================== --- opensc-0.19.0.orig/src/libopensc/padding.c +++ opensc-0.19.0/src/libopensc/padding.c @@ -26,10 +26,13 @@ #include <string.h> #include <stdlib.h> +#include "common/constant-time.h" #include "internal.h" /* TODO doxygen comments */ +#define SC_PKCS1_PADDING_MIN_SIZE 11 + /* * Prefixes for pkcs-v1 signatures */ @@ -137,45 +140,82 @@ sc_pkcs1_strip_01_padding(struct sc_cont return SC_SUCCESS; } - -/* remove pkcs1 BT02 padding (adding BT02 padding is currently not - * needed/implemented) */ +/* Remove pkcs1 BT02 padding (adding BT02 padding is currently not + * needed/implemented) in constant-time. + * Original source: https://github.com/openssl/openssl/blob/9890cc42daff5e2d0cad01ac4bf78c391f599a6e/crypto/rsa/rsa_pk1.c#L171 */ int -sc_pkcs1_strip_02_padding(sc_context_t *ctx, const u8 *data, size_t len, u8 *out, size_t *out_len) +sc_pkcs1_strip_02_padding_constant_time(sc_context_t *ctx, unsigned int n, const u8 *data, unsigned int data_len, u8 *out, unsigned int *out_len) { - unsigned int n = 0; - + unsigned int i = 0; + u8 *msg, *msg_orig = NULL; + unsigned int good, found_zero_byte, mask; + unsigned int zero_index = 0, msg_index, mlen = -1, len = 0; LOG_FUNC_CALLED(ctx); - if (data == NULL || len < 3) + + if (data == NULL || data_len <= 0 || data_len > n || n < SC_PKCS1_PADDING_MIN_SIZE) LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL); - /* skip leading zero byte */ - if (*data == 0) { - data++; - len--; + msg = msg_orig = calloc(n, sizeof(u8)); + if (msg == NULL) + LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL); + + /* + * We can not check length of input data straight away and still we need to read + * from input even when the input is not as long as needed to keep the time constant. + * If data has wrong size, it is padded by zeroes from left and the following checks + * do not pass. + */ + len = data_len; + for (data += len, msg += n, i = 0; i < n; i++) { + mask = ~constant_time_is_zero(len); + len -= 1 & mask; + data -= 1 & mask; + *--msg = *data & mask; + } + // check first byte to be 0x00 + good = constant_time_is_zero(msg[0]); + // check second byte to be 0x02 + good &= constant_time_eq(msg[1], 2); + + // find zero byte after random data in padding + found_zero_byte = 0; + for (i = 2; i < n; i++) { + unsigned int equals0 = constant_time_is_zero(msg[i]); + zero_index = constant_time_select(~found_zero_byte & equals0, i, zero_index); + found_zero_byte |= equals0; } - if (data[0] != 0x02) - LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING); - /* skip over padding bytes */ - for (n = 1; n < len && data[n]; n++) - ; - /* Must be at least 8 pad bytes */ - if (n >= len || n < 9) - LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING); - n++; - if (out == NULL) - /* just check the padding */ - LOG_FUNC_RETURN(ctx, SC_SUCCESS); - /* Now move decrypted contents to head of buffer */ - if (*out_len < len - n) - LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL); - *out_len = len - n; - memmove(out, data + n, *out_len); + // zero_index stands for index of last found zero + good &= constant_time_ge(zero_index, 2 + 8); + + // start of the actual message in data + msg_index = zero_index + 1; + + // length of message + mlen = data_len - msg_index; + + // check that message fits into out buffer + good &= constant_time_ge(*out_len, mlen); + + // move the result in-place by |num|-SC_PKCS1_PADDING_MIN_SIZE-|mlen| bytes to the left. + *out_len = constant_time_select(constant_time_lt(n - SC_PKCS1_PADDING_MIN_SIZE, *out_len), + n - SC_PKCS1_PADDING_MIN_SIZE, *out_len); + for (msg_index = 1; msg_index < n - SC_PKCS1_PADDING_MIN_SIZE; msg_index <<= 1) { + mask = ~constant_time_eq(msg_index & (n - SC_PKCS1_PADDING_MIN_SIZE - mlen), 0); + for (i = SC_PKCS1_PADDING_MIN_SIZE; i < n - msg_index; i++) + msg[i] = constant_time_select_8(mask, msg[i + msg_index], msg[i]); + } + // move message into out buffer, if good + for (i = 0; i < *out_len; i++) { + unsigned int msg_index; + // when out is longer than message in data, use some bogus index in msg + mask = good & constant_time_lt(i, mlen); + msg_index = constant_time_select(mask, i + SC_PKCS1_PADDING_MIN_SIZE, 0); // to now overflow msg buffer + out[i] = constant_time_select_8(mask, msg[msg_index], out[i]); + } - sc_log(ctx, "stripped output(%"SC_FORMAT_LEN_SIZE_T"u): %s", len - n, - sc_dump_hex(out, len - n)); - LOG_FUNC_RETURN(ctx, len - n); + free(msg_orig); + return constant_time_select(good, mlen, SC_ERROR_WRONG_PADDING); } /* add/remove DigestInfo prefix */ Index: opensc-0.19.0/src/libopensc/pkcs15-sec.c =================================================================== --- opensc-0.19.0.orig/src/libopensc/pkcs15-sec.c +++ opensc-0.19.0/src/libopensc/pkcs15-sec.c @@ -228,12 +228,14 @@ int sc_pkcs15_decipher(struct sc_pkcs15_ /* Strip any padding */ if (pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) { - size_t s = r; - r = sc_pkcs1_strip_02_padding(ctx, out, s, out, &s); - LOG_TEST_RET(ctx, r, "Invalid PKCS#1 padding"); + unsigned int s = r; + unsigned int key_size = (unsigned int)alg_info->key_length; + r = sc_pkcs1_strip_02_padding_constant_time(ctx, key_size / 8, out, s, out, &s); + /* for keeping PKCS#1 v1.5 depadding constant-time, do not log error here */ } - LOG_FUNC_RETURN(ctx, r); + /* do not log error code to prevent side channel attack */ + return r; } /* derive one key from another. RSA can use decipher, so this is for only ECDH @@ -286,8 +288,9 @@ int sc_pkcs15_derive(struct sc_pkcs15_ca /* Strip any padding */ if (pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) { - size_t s = r; - r = sc_pkcs1_strip_02_padding(ctx, out, s, out, &s); + unsigned int s = r; + unsigned int key_size = (unsigned int)alg_info->key_length; + r = sc_pkcs1_strip_02_padding_constant_time(ctx, key_size / 8, out, s, out, &s); LOG_TEST_RET(ctx, r, "Invalid PKCS#1 padding"); } Index: opensc-0.19.0/src/minidriver/minidriver.c =================================================================== --- opensc-0.19.0.orig/src/minidriver/minidriver.c +++ opensc-0.19.0/src/minidriver/minidriver.c @@ -41,6 +41,7 @@ #include "cardmod.h" #include "common/compat_strlcpy.h" +#include "common/constant-time.h" #include "libopensc/asn1.h" #include "libopensc/cardctl.h" #include "libopensc/opensc.h" @@ -4361,13 +4362,15 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_D { DWORD dwret; - int r, opt_crypt_flags = 0; + int r, opt_crypt_flags = 0, good = 0; unsigned ui; VENDOR_SPECIFIC *vs; struct sc_pkcs15_prkey_info *prkey_info; BYTE *pbuf = NULL, *pbuf2 = NULL; struct sc_pkcs15_object *pkey = NULL; struct sc_algorithm_info *alg_info = NULL; + unsigned int wrong_padding = 0; + unsigned int pbufLen = 0; logprintf(pCardData, 1, "\nP:%lu T:%lu pCardData:%p ", (unsigned long)GetCurrentProcessId(), @@ -4465,11 +4468,11 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_D goto err; } + pbufLen = pInfo->cbData; if (alg_info->flags & SC_ALGORITHM_RSA_RAW) { logprintf(pCardData, 2, "sc_pkcs15_decipher: using RSA-RAW mechanism\n"); r = sc_pkcs15_decipher(vs->p15card, pkey, opt_crypt_flags, pbuf, pInfo->cbData, pbuf2, pInfo->cbData); - logprintf(pCardData, 2, "sc_pkcs15_decipher returned %d\n", r); - + /* do not log return value to not leak it */ if (r > 0) { /* Need to handle padding */ if (pInfo->dwVersion >= CARD_RSA_KEY_DECRYPT_INFO_VERSION_TWO) { @@ -4477,17 +4480,13 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_D "sc_pkcs15_decipher: DECRYPT-INFO dwVersion=%lu\n", (unsigned long)pInfo->dwVersion); if (pInfo->dwPaddingType == CARD_PADDING_PKCS1) { - size_t temp = pInfo->cbData; + unsigned int temp = pInfo->cbData; logprintf(pCardData, 2, "sc_pkcs15_decipher: stripping PKCS1 padding\n"); - r = sc_pkcs1_strip_02_padding(vs->ctx, pbuf2, pInfo->cbData, pbuf2, &temp); + r = sc_pkcs1_strip_02_padding_constant_time(vs->ctx, prkey_info->modulus_length / 8, pbuf2, pInfo->cbData, pbuf2, &temp); pInfo->cbData = (DWORD) temp; - if (r < 0) { - logprintf(pCardData, 2, "Cannot strip PKCS1 padding: %i\n", r); - pCardData->pfnCspFree(pbuf); - pCardData->pfnCspFree(pbuf2); - dwret = SCARD_F_INTERNAL_ERROR; - goto err; - } + wrong_padding = constant_time_eq_s(r, SC_ERROR_WRONG_PADDING); + /* continue without returning error to not leak that padding is wrong + to prevent time side-channel leak for Marvin attack*/ } else if (pInfo->dwPaddingType == CARD_PADDING_OAEP) { /* TODO: Handle OAEP padding if present - can call PFN_CSP_UNPAD_DATA */ Index: opensc-0.19.0/src/tests/unittests/strip_pkcs1_2_padding.c =================================================================== --- /dev/null +++ opensc-0.19.0/src/tests/unittests/strip_pkcs1_2_padding.c @@ -0,0 +1,204 @@ +#include "common/compat_strlcpy.c" +#include "libopensc/log.c" +#include "libopensc/padding.c" +#include "torture.h" +#include <cmocka.h> + +static void +torture_long_output_buffer(void **state) +{ + unsigned int n = 14; + unsigned int in_len = 14; + unsigned char in[] = {0x00, 0x02, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x00, + 'm', 's', 'g'}; + unsigned int out_len = 3; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + unsigned char result_msg[] = {'m', 's', 'g'}; + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, 3); + assert_memory_equal(out, result_msg, r); + free(out); +} + +static void +torture_short_output_buffer(void **state) +{ + unsigned int n = 14; + unsigned int in_len = 14; + unsigned char in[] = {0x00, 0x02, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x00, + 'm', 's', 'g'}; + unsigned int out_len = 1; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, SC_ERROR_WRONG_PADDING); + free(out); +} + +static void +torture_short_message_correct_padding(void **state) +{ + unsigned int n = 14; + unsigned int in_len = 14; + unsigned char in[] = {0x00, 0x02, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x00, + 'm', 's', 'g'}; + unsigned int out_len = 3; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + unsigned char result_msg[] = {'m', 's', 'g'}; + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, 3); + assert_memory_equal(out, result_msg, r); + free(out); +} + +static void +torture_missing_first_zero(void **state) +{ + unsigned int n = 13; + unsigned int in_len = 13; + unsigned char in[] = {0x02, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x00, + 'm', 's', 'g'}; + unsigned int out_len = 10; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, SC_ERROR_WRONG_PADDING); + free(out); +} + +static void +torture_missing_two(void **state) +{ + unsigned int n = 13; + unsigned int in_len = 13; + unsigned char in[] = {0x00, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x00, + 'm', 's', 'g'}; + unsigned int out_len = 10; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, SC_ERROR_WRONG_PADDING); + free(out); +} + +static void +torture_short_padding(void **state) +{ + unsigned int n = 13; + unsigned int in_len = 13; + unsigned char in[] = {0x00, 0x02, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x00, + 'm', 's', 'g'}; + unsigned int out_len = 10; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, SC_ERROR_WRONG_PADDING); + free(out); +} + +static void +torture_missing_second_zero(void **state) +{ + unsigned int n = 13; + unsigned int in_len = 13; + unsigned char in[] = {0x00, 0x02, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 'm', 's', 'g'}; + unsigned int out_len = 10; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, SC_ERROR_WRONG_PADDING); + free(out); +} + +static void +torture_missing_message(void **state) +{ + unsigned int n = 20; + unsigned int in_len = 11; + unsigned char in[] = {0x00, 0x02, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x00}; + unsigned int out_len = 11; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, SC_ERROR_WRONG_PADDING); + free(out); +} + +static void +torture_one_byte_message(void **state) +{ + unsigned int n = 12; + unsigned int in_len = 12; + unsigned char in[] = {0x00, 0x02, + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x00, + 'm'}; + unsigned int out_len = 1; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + unsigned char result_msg[] = {'m'}; + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, 1); + assert_memory_equal(out, result_msg, r); + free(out); +} + +static void +torture_longer_padding(void **state) +{ + unsigned int n = 26; + unsigned int in_len = 26; + unsigned char in[] = {0x00, 0x02, + 0x0e, 0x38, 0x97, 0x18, 0x16, 0x57, 0x9e, 0x30, 0xb6, 0xa5, 0x78, 0x13, 0x20, 0xca, 0x11, + 0x00, + 0x9d, 0x98, 0x3d, 0xca, 0xa9, 0xa7, 0x11, 0x0a}; + unsigned int out_len = 8; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + unsigned char result_msg[] = {0x9d, 0x98, 0x3d, 0xca, 0xa9, 0xa7, 0x11, 0x0a}; + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, 8); + assert_memory_equal(out, result_msg, r); + free(out); +} + +static void +torture_empty_message(void **state) +{ + unsigned int n = 18; + unsigned int in_len = 18; + unsigned char in[] = {0x00, 0x02, + 0x0e, 0x38, 0x97, 0x18, 0x16, 0x57, 0x9e, 0x30, 0xb6, 0xa5, 0x78, 0x13, 0x20, 0xca, 0x11, + 0x00}; + unsigned int out_len = 8; + unsigned char *out = malloc(out_len * sizeof(unsigned char)); + int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len); + assert_int_equal(r, 0); + free(out); +} + +int +main(void) +{ + const struct CMUnitTest tests[] = { + cmocka_unit_test(torture_long_output_buffer), + cmocka_unit_test(torture_short_output_buffer), + cmocka_unit_test(torture_short_message_correct_padding), + cmocka_unit_test(torture_missing_first_zero), + cmocka_unit_test(torture_missing_two), + cmocka_unit_test(torture_short_padding), + cmocka_unit_test(torture_missing_second_zero), + cmocka_unit_test(torture_missing_message), + cmocka_unit_test(torture_one_byte_message), + cmocka_unit_test(torture_longer_padding), + cmocka_unit_test(torture_empty_message)}; + return cmocka_run_group_tests(tests, NULL, NULL); +} Index: opensc-0.19.0/src/pkcs11/framework-pkcs15.c =================================================================== --- opensc-0.19.0.orig/src/pkcs11/framework-pkcs15.c +++ opensc-0.19.0/src/pkcs11/framework-pkcs15.c @@ -18,6 +18,7 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ +#include "common/constant-time.h" #include "config.h" #include <stdlib.h> #include <string.h> @@ -3871,7 +3872,8 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se struct pkcs15_fw_data *fw_data = NULL; struct pkcs15_prkey_object *prkey; unsigned char decrypted[512]; /* FIXME: Will not work for keys above 4096 bits */ - int buff_too_small, rv, flags = 0, prkey_has_path = 0; + int rv, flags = 0, prkey_has_path = 0; + CK_ULONG mask, good, rv_pkcs11; sc_log(context, "Initiating decryption."); @@ -3908,27 +3910,53 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags, pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted)); - if (rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path) + /* skip for PKCS#1 v1.5 padding prevent side channel attack */ + if (!(flags & SC_ALGORITHM_RSA_PAD_PKCS1) && + rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path) if (reselect_app_df(fw_data->p15_card) == SC_SUCCESS) rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags, pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted)); sc_unlock(p11card->card); - sc_log(context, "Decryption complete. Result %d.", rv); + sc_log(context, "Decryption complete."); - if (rv < 0) - return sc_to_cryptoki_error(rv, "C_Decrypt"); + /* Handle following code in constant-time + * to prevent Marvin attack for PKCS#1 v1.5 padding. */ - buff_too_small = (*pulDataLen < (CK_ULONG)rv); - *pulDataLen = rv; - if (pData == NULL_PTR) - return CKR_OK; - if (buff_too_small) - return CKR_BUFFER_TOO_SMALL; - memcpy(pData, decrypted, *pulDataLen); + /* only padding error must be handled in constant-time way, + * other error can be returned straight away */ + if ((~constant_time_eq_s(rv, SC_ERROR_WRONG_PADDING) & constant_time_lt_s(sizeof(decrypted), rv))) + return sc_to_cryptoki_error(rv, "C_Decrypt"); - return CKR_OK; + /* check rv for padding error */ + good = ~constant_time_eq_s(rv, SC_ERROR_WRONG_PADDING); + rv_pkcs11 = sc_to_cryptoki_error(SC_ERROR_WRONG_PADDING, "C_Decrypt"); + rv_pkcs11 = constant_time_select_s(good, CKR_OK, rv_pkcs11); + + if (pData == NULL_PTR) { + /* set length only if no error */ + *pulDataLen = constant_time_select_s(good, rv, *pulDataLen); + /* return error only if original rv < 0 */ + return rv_pkcs11; + } + + /* check whether *pulDataLen < rv and set return value for small output buffer */ + mask = good & constant_time_lt_s(*pulDataLen, rv); + rv_pkcs11 = constant_time_select_s(mask, CKR_BUFFER_TOO_SMALL, rv_pkcs11); + good &= ~mask; + + /* move everything from decrypted into out buffer constant-time, if rv is ok */ + for (CK_ULONG i = 0; i < *pulDataLen; i++) { /* iterate over whole pData to not disclose real depadded length */ + CK_ULONG msg_index; + mask = good & constant_time_lt_s(i, sizeof(decrypted)); /* i should be in the bounds of decrypted */ + mask &= constant_time_lt_s(i, constant_time_select_s(good, rv, 0)); /* check that is in bounds of depadded message */ + msg_index = constant_time_select_s(mask, i, 0); + pData[i] = constant_time_select_8(mask, decrypted[msg_index], pData[i]); + } + *pulDataLen = constant_time_select_s(good, rv, *pulDataLen); + /* do not log error code to prevent side channel attack */ + return rv_pkcs11; } Index: opensc-0.19.0/src/pkcs11/mechanism.c =================================================================== --- opensc-0.19.0.orig/src/pkcs11/mechanism.c +++ opensc-0.19.0/src/pkcs11/mechanism.c @@ -23,6 +23,7 @@ #include <stdlib.h> #include <string.h> +#include "common/constant-time.h" #include "sc-pkcs11.h" /* Also used for verification data */ @@ -795,9 +796,12 @@ sc_pkcs11_decr(struct sc_pkcs11_session rv = op->type->decrypt(op, pEncryptedData, ulEncryptedDataLen, pData, pulDataLen); - if (rv != CKR_BUFFER_TOO_SMALL && pData != NULL) + /* terminate session for any return value except CKR_BUFFER_TOO_SMALL, + * perform check in time side-channel free way to prevent Marvin attack */ + if (~constant_time_eq_s(rv, CKR_OK) & ~constant_time_eq_s(rv, CKR_BUFFER_TOO_SMALL)) session_stop_operation(session, SC_PKCS11_OPERATION_DECRYPT); + /* do not log error code to prevent side channel attack */ return rv; } Index: opensc-0.19.0/src/pkcs11/pkcs11-object.c =================================================================== --- opensc-0.19.0.orig/src/pkcs11/pkcs11-object.c +++ opensc-0.19.0/src/pkcs11/pkcs11-object.c @@ -900,7 +900,8 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSessi rv = reset_login_state(session->slot, rv); } - sc_log(context, "C_Decrypt() = %s", lookup_enum ( RV_T, rv )); + /* do not log error code to prevent side channel attack */ + sc_log(context, "C_Decrypt()"); sc_pkcs11_unlock(); return rv; } @@ -1261,7 +1262,8 @@ CK_RV C_VerifyUpdate(CK_SESSION_HANDLE h if (rv == CKR_OK) rv = sc_pkcs11_verif_update(session, pPart, ulPartLen); - sc_log(context, "C_VerifyUpdate() = %s", lookup_enum ( RV_T, rv )); + /* do not log error code to prevent side channel attack */ + sc_log(context, "C_DecryptUpdate()"); sc_pkcs11_unlock(); return rv; #endif @@ -1289,7 +1291,8 @@ CK_RV C_VerifyFinal(CK_SESSION_HANDLE hS rv = reset_login_state(session->slot, rv); } - sc_log(context, "C_VerifyFinal() = %s", lookup_enum ( RV_T, rv )); + /* do not log error code to prevent side channel attack */ + sc_log(context, "C_DecryptFinal()"); sc_pkcs11_unlock(); return rv; #endif Index: opensc-0.19.0/src/pkcs11/misc.c =================================================================== --- opensc-0.19.0.orig/src/pkcs11/misc.c +++ opensc-0.19.0/src/pkcs11/misc.c @@ -23,6 +23,7 @@ #include <stdlib.h> #include <string.h> +#include "common/constant-time.h" #include "sc-pkcs11.h" #define DUMP_TEMPLATE_MAX 32 @@ -162,7 +163,7 @@ CK_RV reset_login_state(struct sc_pkcs11 slot->p11card->framework->logout(slot); } - if (rv == CKR_USER_NOT_LOGGED_IN) { + if (constant_time_eq_s(rv, CKR_USER_NOT_LOGGED_IN)) { slot->login_user = -1; pop_all_login_states(slot); }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor