File opensc-CVE-2023-5992.patch of Package opensc.35661

Overview Repositories Revisions Requests Users Attributes Meta

File opensc-CVE-2023-5992.patch of Package opensc.35661

From b9e1d344df1f850a9b15bce6294f72c1620d0b45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Mon, 13 Nov 2023 13:54:54 +0100
Subject: [PATCH 1/8] Reimplement removing of PKCS#1 v1.5 padding to be time
 constant

---
 src/common/Makefile.am      |   6 +-
 src/common/constant-time.h  | 128 ++++++++++++++++++++++++++++++++++++
 src/libopensc/internal.h    |   4 +-
 src/libopensc/padding.c     | 102 +++++++++++++++++++---------
 src/libopensc/pkcs15-sec.c  |   5 +-
 src/minidriver/minidriver.c |   4 +-
 6 files changed, 210 insertions(+), 39 deletions(-)
 create mode 100644 src/common/constant-time.h

Index: opensc-0.22.0/src/common/Makefile.am
===================================================================
--- opensc-0.22.0.orig/src/common/Makefile.am
+++ opensc-0.22.0/src/common/Makefile.am
@@ -8,7 +8,8 @@ dist_noinst_DATA = \
 	LICENSE.compat_getopt compat_getopt.txt \
 	compat_getopt_main.c \
 	README.compat_strlcpy compat_strlcpy.3
-noinst_HEADERS = compat_strlcat.h compat_strlcpy.h compat_strnlen.h compat_getpass.h compat_getopt.h simclist.h libpkcs11.h libscdl.h
+noinst_HEADERS = compat_strlcat.h compat_strlcpy.h compat_strnlen.h compat_getpass.h \
+	compat_getopt.h simclist.h libpkcs11.h libscdl.h constant-time.h
 
 AM_CPPFLAGS = -I$(top_srcdir)/src
 
@@ -40,7 +41,8 @@ TIDY_FILES = \
 	compat_report_rangecheckfailure.c \
 	compat___iob_func.c \
 	simclist.c simclist.h \
-	libpkcs11.c libscdl.c
+	libpkcs11.c libscdl.c \
+	constant-time.h
 
 check-local:
 	if [ -x "$(CLANGTIDY)" ]; then clang-tidy -config='' --checks='$(TIDY_CHECKS)' -header-filter=.* $(addprefix $(srcdir)/,$(TIDY_FILES)) -- $(TIDY_FLAGS); fi
Index: opensc-0.22.0/src/common/constant-time.h
===================================================================
--- /dev/null
+++ opensc-0.22.0/src/common/constant-time.h
@@ -0,0 +1,128 @@
+/* Original source: https://github.com/openssl/openssl/blob/9890cc42daff5e2d0cad01ac4bf78c391f599a6e/include/internal/constant_time.h */
+
+#ifndef CONSTANT_TIME_H
+#define CONSTANT_TIME_H
+
+#include <stdlib.h>
+#include <string.h>
+
+#if !defined(inline)
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
+#define constant_inline inline
+#elif defined(__GNUC__) && __GNUC__ >= 2
+#elif defined(__GNUC__) && __GNUC__ >= 2
+#elif defined(_MSC_VER)
+#define constant_inline __inline
+#else
+#define constant_inline
+#endif
+#else			       /* use what caller wants as inline  may be from config.h */
+#define constant_inline inline /* inline */
+#endif
+
+/*-
+ * The boolean methods return a bitmask of all ones (0xff...f) for true
+ * and 0 for false. For example,
+ *      if (a < b) {
+ *        c = a;
+ *      } else {
+ *        c = b;
+ *      }
+ * can be written as
+ *      unsigned int lt = constant_time_lt(a, b);
+ *      c = constant_time_select(lt, a, b);
+ */
+
+static constant_inline unsigned int
+value_barrier(unsigned int a)
+{
+	volatile unsigned int r = a;
+	return r;
+}
+
+static constant_inline size_t
+value_barrier_s(size_t a)
+{
+	volatile size_t r = a;
+	return r;
+}
+
+/* MSB */
+static constant_inline size_t
+constant_time_msb_s(size_t a)
+{
+	return 0 - (a >> (sizeof(a) * 8 - 1));
+}
+
+static constant_inline unsigned int
+constant_time_msb(unsigned int a)
+{
+	return 0 - (a >> (sizeof(a) * 8 - 1));
+}
+
+/* Select */
+static constant_inline unsigned int
+constant_time_select(unsigned int mask, unsigned int a, unsigned int b)
+{
+	return (value_barrier(mask) & a) | (value_barrier(~mask) & b);
+}
+
+static constant_inline unsigned char
+constant_time_select_8(unsigned char mask, unsigned char a, unsigned char b)
+{
+	return (unsigned char)constant_time_select(mask, a, b);
+}
+
+static constant_inline size_t
+constant_time_select_s(size_t mask, size_t a, size_t b)
+{
+	return (value_barrier_s(mask) & a) | (value_barrier_s(~mask) & b);
+}
+
+/* Zero */
+static constant_inline unsigned int
+constant_time_is_zero(unsigned int a)
+{
+	return constant_time_msb(~a & (a - 1));
+}
+
+static constant_inline size_t
+constant_time_is_zero_s(size_t a)
+{
+	return constant_time_msb_s(~a & (a - 1));
+}
+
+/* Comparison*/
+static constant_inline size_t
+constant_time_lt_s(size_t a, size_t b)
+{
+	return constant_time_msb_s(a ^ ((a ^ b) | ((a - b) ^ b)));
+}
+
+static constant_inline unsigned int
+constant_time_lt(unsigned int a, unsigned int b)
+{
+	return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b)));
+}
+
+static constant_inline unsigned int
+constant_time_ge(unsigned int a, unsigned int b)
+{
+	return ~constant_time_lt(a, b);
+}
+
+/* Equality*/
+
+static constant_inline unsigned int
+constant_time_eq(unsigned int a, unsigned int b)
+{
+	return constant_time_is_zero(a ^ b);
+}
+
+static constant_inline size_t
+constant_time_eq_s(size_t a, size_t b)
+{
+	return constant_time_is_zero_s(a ^ b);
+}
+
+#endif /* CONSTANT_TIME_H */
Index: opensc-0.22.0/src/libopensc/internal.h
===================================================================
--- opensc-0.22.0.orig/src/libopensc/internal.h
+++ opensc-0.22.0/src/libopensc/internal.h
@@ -166,8 +166,8 @@ int _sc_card_add_xeddsa_alg(struct sc_ca
 
 int sc_pkcs1_strip_01_padding(struct sc_context *ctx, const u8 *in_dat, size_t in_len,
 		u8 *out_dat, size_t *out_len);
-int sc_pkcs1_strip_02_padding(struct sc_context *ctx, const u8 *data, size_t len,
-		u8 *out_dat, size_t *out_len);
+int sc_pkcs1_strip_02_padding_constant_time(sc_context_t *ctx, unsigned int n, const u8 *data,
+		unsigned int data_len, u8 *out, unsigned int *out_len);
 int sc_pkcs1_strip_digest_info_prefix(unsigned int *algorithm,
 		const u8 *in_dat, size_t in_len, u8 *out_dat, size_t *out_len);
 
Index: opensc-0.22.0/src/libopensc/padding.c
===================================================================
--- opensc-0.22.0.orig/src/libopensc/padding.c
+++ opensc-0.22.0/src/libopensc/padding.c
@@ -32,10 +32,13 @@
 #include <string.h>
 #include <stdlib.h>
 
+#include "common/constant-time.h"
 #include "internal.h"
 
 /* TODO doxygen comments */
 
+#define SC_PKCS1_PADDING_MIN_SIZE 11
+
 /*
  * Prefixes for pkcs-v1 signatures
  */
@@ -143,45 +146,82 @@ sc_pkcs1_strip_01_padding(struct sc_cont
 	return SC_SUCCESS;
 }
 
-
-/* remove pkcs1 BT02 padding (adding BT02 padding is currently not
- * needed/implemented) */
+/* Remove pkcs1 BT02 padding (adding BT02 padding is currently not
+ * needed/implemented) in constant-time.
+ * Original source: https://github.com/openssl/openssl/blob/9890cc42daff5e2d0cad01ac4bf78c391f599a6e/crypto/rsa/rsa_pk1.c#L171 */
 int
-sc_pkcs1_strip_02_padding(sc_context_t *ctx, const u8 *data, size_t len, u8 *out, size_t *out_len)
+sc_pkcs1_strip_02_padding_constant_time(sc_context_t *ctx, unsigned int n, const u8 *data, unsigned int data_len, u8 *out, unsigned int *out_len)
 {
-	unsigned int	n = 0;
-
+	unsigned int i = 0;
+	u8 *msg, *msg_orig = NULL;
+	unsigned int good, found_zero_byte, mask;
+	unsigned int zero_index = 0, msg_index, mlen = -1, len = 0;
 	LOG_FUNC_CALLED(ctx);
-	if (data == NULL || len < 3)
+
+	if (data == NULL || data_len <= 0 || data_len > n || n < SC_PKCS1_PADDING_MIN_SIZE)
 		LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL);
 
-	/* skip leading zero byte */
-	if (*data == 0) {
-		data++;
-		len--;
+	msg = msg_orig = calloc(n, sizeof(u8));
+	if (msg == NULL)
+		LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL);
+
+	/*
+	 * We can not check length of input data straight away and still we need to read
+	 * from input even when the input is not as long as needed to keep the time constant.
+	 * If data has wrong size, it is padded by zeroes from left and the following checks
+	 * do not pass.
+	 */
+	len = data_len;
+	for (data += len, msg += n, i = 0; i < n; i++) {
+		mask = ~constant_time_is_zero(len);
+		len -= 1 & mask;
+		data -= 1 & mask;
+		*--msg = *data & mask;
+	}
+	// check first byte to be 0x00
+	good = constant_time_is_zero(msg[0]);
+	// check second byte to be 0x02
+	good &= constant_time_eq(msg[1], 2);
+
+	// find zero byte after random data in padding
+	found_zero_byte = 0;
+	for (i = 2; i < n; i++) {
+		unsigned int equals0 = constant_time_is_zero(msg[i]);
+		zero_index = constant_time_select(~found_zero_byte & equals0, i, zero_index);
+		found_zero_byte |= equals0;
 	}
-	if (data[0] != 0x02)
-		LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
-	/* skip over padding bytes */
-	for (n = 1; n < len && data[n]; n++)
-		;
-	/* Must be at least 8 pad bytes */
-	if (n >= len || n < 9)
-		LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
-	n++;
-	if (out == NULL)
-		/* just check the padding */
-		LOG_FUNC_RETURN(ctx, SC_SUCCESS);
 
-	/* Now move decrypted contents to head of buffer */
-	if (*out_len < len - n)
-		LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL);
-	*out_len = len - n;
-	memmove(out, data + n, *out_len);
+	// zero_index stands for index of last found zero
+	good &= constant_time_ge(zero_index, 2 + 8);
+
+	// start of the actual message in data
+	msg_index = zero_index + 1;
+
+	// length of message
+	mlen = data_len - msg_index;
+
+	// check that message fits into out buffer
+	good &= constant_time_ge(*out_len, mlen);
+
+	// move the result in-place by |num|-SC_PKCS1_PADDING_MIN_SIZE-|mlen| bytes to the left.
+	*out_len = constant_time_select(constant_time_lt(n - SC_PKCS1_PADDING_MIN_SIZE, *out_len),
+			n - SC_PKCS1_PADDING_MIN_SIZE, *out_len);
+	for (msg_index = 1; msg_index < n - SC_PKCS1_PADDING_MIN_SIZE; msg_index <<= 1) {
+		mask = ~constant_time_eq(msg_index & (n - SC_PKCS1_PADDING_MIN_SIZE - mlen), 0);
+		for (i = SC_PKCS1_PADDING_MIN_SIZE; i < n - msg_index; i++)
+			msg[i] = constant_time_select_8(mask, msg[i + msg_index], msg[i]);
+	}
+	// move message into out buffer, if good
+	for (i = 0; i < *out_len; i++) {
+		unsigned int msg_index;
+		// when out is longer than message in data, use some bogus index in msg
+		mask = good & constant_time_lt(i, mlen);
+		msg_index = constant_time_select(mask, i + SC_PKCS1_PADDING_MIN_SIZE, 0); // to now overflow msg buffer
+		out[i] = constant_time_select_8(mask, msg[msg_index], out[i]);
+	}
 
-	sc_log(ctx, "stripped output(%"SC_FORMAT_LEN_SIZE_T"u): %s", len - n,
-	       sc_dump_hex(out, len - n));
-	LOG_FUNC_RETURN(ctx, len - n);
+	free(msg_orig);
+	return constant_time_select(good, mlen, SC_ERROR_WRONG_PADDING);
 }
 
 /* add/remove DigestInfo prefix */
Index: opensc-0.22.0/src/libopensc/pkcs15-sec.c
===================================================================
--- opensc-0.22.0.orig/src/libopensc/pkcs15-sec.c
+++ opensc-0.22.0/src/libopensc/pkcs15-sec.c
@@ -308,12 +308,14 @@ int sc_pkcs15_decipher(struct sc_pkcs15_
 
 	/* Strip any padding */
 	if (pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
-		size_t s = r;
-		r = sc_pkcs1_strip_02_padding(ctx, out, s, out, &s);
-		LOG_TEST_RET(ctx, r, "Invalid PKCS#1 padding");
+		unsigned int s = r;
+		unsigned int key_size = (unsigned int)alg_info->key_length;
+		r = sc_pkcs1_strip_02_padding_constant_time(ctx, key_size / 8, out, s, out, &s);
+		/* for keeping PKCS#1 v1.5 depadding constant-time, do not log error here */
 	}
 
-	LOG_FUNC_RETURN(ctx, r);
+	/* do not log error code to prevent side channel attack */
+	return r;
 }
 
 /* derive one key from another. RSA can use decipher, so this is for only ECDH
Index: opensc-0.22.0/src/minidriver/minidriver.c
===================================================================
--- opensc-0.22.0.orig/src/minidriver/minidriver.c
+++ opensc-0.22.0/src/minidriver/minidriver.c
@@ -41,6 +41,7 @@
 #include "cardmod.h"
 
 #include "common/compat_strlcpy.h"
+#include "common/constant-time.h"
 #include "libopensc/asn1.h"
 #include "libopensc/cardctl.h"
 #include "libopensc/opensc.h"
@@ -4463,13 +4464,15 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_D
 
 {
 	DWORD dwret;
-	int r, opt_crypt_flags = 0;
+	int r, opt_crypt_flags = 0, good = 0;
 	unsigned ui;
 	VENDOR_SPECIFIC *vs;
 	struct sc_pkcs15_prkey_info *prkey_info;
 	BYTE *pbuf = NULL, *pbuf2 = NULL;
 	struct sc_pkcs15_object *pkey = NULL;
 	struct sc_algorithm_info *alg_info = NULL;
+	unsigned int wrong_padding = 0;
+	unsigned int pbufLen = 0;
 
 	MD_FUNC_CALLED(pCardData, 1);
 
@@ -4570,11 +4573,11 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_D
 		goto err;
 	}
 
+	pbufLen = pInfo->cbData;
 	if (alg_info->flags & SC_ALGORITHM_RSA_RAW)   {
 		logprintf(pCardData, 2, "sc_pkcs15_decipher: using RSA-RAW mechanism\n");
 		r = sc_pkcs15_decipher(vs->p15card, pkey, opt_crypt_flags, pbuf, pInfo->cbData, pbuf2, pInfo->cbData);
-		logprintf(pCardData, 2, "sc_pkcs15_decipher returned %d\n", r);
-
+		/* do not log return value to not leak it */
 		if (r > 0) {
 			/* Need to handle padding */
 			if (pInfo->dwVersion >= CARD_RSA_KEY_DECRYPT_INFO_VERSION_TWO) {
@@ -4582,17 +4585,13 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_D
 					  "sc_pkcs15_decipher: DECRYPT-INFO dwVersion=%lu\n",
 					  (unsigned long)pInfo->dwVersion);
 				if (pInfo->dwPaddingType == CARD_PADDING_PKCS1)   {
-					size_t temp = pInfo->cbData;
+					unsigned int temp = pInfo->cbData;
 					logprintf(pCardData, 2, "sc_pkcs15_decipher: stripping PKCS1 padding\n");
-					r = sc_pkcs1_strip_02_padding(vs->ctx, pbuf2, pInfo->cbData, pbuf2, &temp);
+					r = sc_pkcs1_strip_02_padding_constant_time(vs->ctx, prkey_info->modulus_length / 8, pbuf2, pInfo->cbData, pbuf2, &temp);
 					pInfo->cbData = (DWORD) temp;
-					if (r < 0)   {
-						logprintf(pCardData, 2, "Cannot strip PKCS1 padding: %i\n", r);
-						pCardData->pfnCspFree(pbuf);
-						pCardData->pfnCspFree(pbuf2);
-						dwret = SCARD_F_INTERNAL_ERROR;
-						goto err;
-					}
+					wrong_padding = constant_time_eq_s(r, SC_ERROR_WRONG_PADDING);
+					/* continue without returning error to not leak that padding is wrong
+					   to prevent time side-channel leak for Marvin attack*/
 				}
 				else if (pInfo->dwPaddingType == CARD_PADDING_OAEP)   {
 					/* TODO: Handle OAEP padding if present - can call PFN_CSP_UNPAD_DATA */
@@ -4640,28 +4639,38 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_D
 		goto err;
 	}
 
-	if ( r < 0)   {
+	good = constant_time_eq_s(r, 0);
+	/* if no error or padding error, do not return here to prevent Marvin attack */
+	if (!(good | wrong_padding) && r < 0)   {
 		logprintf(pCardData, 2, "sc_pkcs15_decipher error(%i): %s\n", r, sc_strerror(r));
 		pCardData->pfnCspFree(pbuf);
 		pCardData->pfnCspFree(pbuf2);
 		dwret = md_translate_OpenSC_to_Windows_error(r, SCARD_E_INVALID_VALUE);
 		goto err;
 	}
+	dwret = constant_time_select_s(good, SCARD_S_SUCCESS, SCARD_F_INTERNAL_ERROR);
 
 	logprintf(pCardData, 2, "decrypted data(%lu):\n",
 		  (unsigned long)pInfo->cbData);
 	loghex(pCardData, 7, pbuf2, pInfo->cbData);
 
 	/*inversion donnees */
-	for(ui = 0; ui < pInfo->cbData; ui++)
-		pInfo->pbData[ui] = pbuf2[pInfo->cbData-ui-1];
+	/* copy data in constant-time way to prevent leak */
+	for (ui = 0; ui < pbufLen; ui++) {
+		unsigned int mask, msg_index, inv_ui;
+		mask = good & constant_time_lt_s(ui, pInfo->cbData); /* ui should be in the bounds of pbuf2 */
+		inv_ui = pInfo->cbData - ui - 1;
+		msg_index = constant_time_select_s(mask, inv_ui, 0);
+		pInfo->pbData[ui] = constant_time_select_8(mask, pbuf2[msg_index], pInfo->pbData[ui]);
+	}
 
 	pCardData->pfnCspFree(pbuf);
 	pCardData->pfnCspFree(pbuf2);
 
 err:
 	unlock(pCardData);
-	MD_FUNC_RETURN(pCardData, 1, dwret);
+	/* do not log return value to not leak it */
+	return dwret;
 }
 
 
Index: opensc-0.22.0/src/tests/unittests/Makefile.am
===================================================================
--- opensc-0.22.0.orig/src/tests/unittests/Makefile.am
+++ opensc-0.22.0/src/tests/unittests/Makefile.am
@@ -23,6 +23,7 @@ LDADD = $(top_builddir)/src/libopensc/li
 asn1_SOURCES = asn1.c
 simpletlv_SOURCES = simpletlv.c
 cachedir_SOURCES = cachedir.c
+strip_pkcs1_2_padding = strip_pkcs1_2_padding.c
 
 if ENABLE_ZLIB
 noinst_PROGRAMS += compression
Index: opensc-0.22.0/src/tests/unittests/Makefile.mak
===================================================================
--- opensc-0.22.0.orig/src/tests/unittests/Makefile.mak
+++ opensc-0.22.0/src/tests/unittests/Makefile.mak
@@ -1,9 +1,10 @@
 TOPDIR = ..\..\..
 
-TARGETS = asn1 compression
+TARGETS = asn1 compression strip_pkcs1_2_padding
 
 OBJECTS = asn1.obj \
-	compression.obj
+	compression.obj \
+	strip_pkcs1_2_padding.obj \
 	$(TOPDIR)\win32\versioninfo.res
 
 all: $(TARGETS)
Index: opensc-0.22.0/src/tests/unittests/strip_pkcs1_2_padding.c
===================================================================
--- /dev/null
+++ opensc-0.22.0/src/tests/unittests/strip_pkcs1_2_padding.c
@@ -0,0 +1,204 @@
+#include "common/compat_strlcpy.c"
+#include "libopensc/log.c"
+#include "libopensc/padding.c"
+#include "torture.h"
+#include <cmocka.h>
+
+static void
+torture_long_output_buffer(void **state)
+{
+	unsigned int n = 14;
+	unsigned int in_len = 14;
+	unsigned char in[] = {0x00, 0x02,
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			0x00,
+			'm', 's', 'g'};
+	unsigned int out_len = 3;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	unsigned char result_msg[] = {'m', 's', 'g'};
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, 3);
+	assert_memory_equal(out, result_msg, r);
+	free(out);
+}
+
+static void
+torture_short_output_buffer(void **state)
+{
+	unsigned int n = 14;
+	unsigned int in_len = 14;
+	unsigned char in[] = {0x00, 0x02,
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			0x00,
+			'm', 's', 'g'};
+	unsigned int out_len = 1;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+	free(out);
+}
+
+static void
+torture_short_message_correct_padding(void **state)
+{
+	unsigned int n = 14;
+	unsigned int in_len = 14;
+	unsigned char in[] = {0x00, 0x02,
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			0x00,
+			'm', 's', 'g'};
+	unsigned int out_len = 3;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	unsigned char result_msg[] = {'m', 's', 'g'};
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, 3);
+	assert_memory_equal(out, result_msg, r);
+	free(out);
+}
+
+static void
+torture_missing_first_zero(void **state)
+{
+	unsigned int n = 13;
+	unsigned int in_len = 13;
+	unsigned char in[] = {0x02,
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			0x00,
+			'm', 's', 'g'};
+	unsigned int out_len = 10;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+	free(out);
+}
+
+static void
+torture_missing_two(void **state)
+{
+	unsigned int n = 13;
+	unsigned int in_len = 13;
+	unsigned char in[] = {0x00,
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			0x00,
+			'm', 's', 'g'};
+	unsigned int out_len = 10;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+	free(out);
+}
+
+static void
+torture_short_padding(void **state)
+{
+	unsigned int n = 13;
+	unsigned int in_len = 13;
+	unsigned char in[] = {0x00, 0x02,
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+			0x00,
+			'm', 's', 'g'};
+	unsigned int out_len = 10;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+	free(out);
+}
+
+static void
+torture_missing_second_zero(void **state)
+{
+	unsigned int n = 13;
+	unsigned int in_len = 13;
+	unsigned char in[] = {0x00, 0x02,
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			'm', 's', 'g'};
+	unsigned int out_len = 10;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+	free(out);
+}
+
+static void
+torture_missing_message(void **state)
+{
+	unsigned int n = 20;
+	unsigned int in_len = 11;
+	unsigned char in[] = {0x00, 0x02,
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			0x00};
+	unsigned int out_len = 11;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
+	free(out);
+}
+
+static void
+torture_one_byte_message(void **state)
+{
+	unsigned int n = 12;
+	unsigned int in_len = 12;
+	unsigned char in[] = {0x00, 0x02,
+			0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+			0x00,
+			'm'};
+	unsigned int out_len = 1;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	unsigned char result_msg[] = {'m'};
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, 1);
+	assert_memory_equal(out, result_msg, r);
+	free(out);
+}
+
+static void
+torture_longer_padding(void **state)
+{
+	unsigned int n = 26;
+	unsigned int in_len = 26;
+	unsigned char in[] = {0x00, 0x02,
+			0x0e, 0x38, 0x97, 0x18, 0x16, 0x57, 0x9e, 0x30, 0xb6, 0xa5, 0x78, 0x13, 0x20, 0xca, 0x11,
+			0x00,
+			0x9d, 0x98, 0x3d, 0xca, 0xa9, 0xa7, 0x11, 0x0a};
+	unsigned int out_len = 8;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	unsigned char result_msg[] = {0x9d, 0x98, 0x3d, 0xca, 0xa9, 0xa7, 0x11, 0x0a};
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, 8);
+	assert_memory_equal(out, result_msg, r);
+	free(out);
+}
+
+static void
+torture_empty_message(void **state)
+{
+	unsigned int n = 18;
+	unsigned int in_len = 18;
+	unsigned char in[] = {0x00, 0x02,
+			0x0e, 0x38, 0x97, 0x18, 0x16, 0x57, 0x9e, 0x30, 0xb6, 0xa5, 0x78, 0x13, 0x20, 0xca, 0x11,
+			0x00};
+	unsigned int out_len = 8;
+	unsigned char *out = malloc(out_len * sizeof(unsigned char));
+	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal(r, 0);
+	free(out);
+}
+
+int
+main(void)
+{
+	const struct CMUnitTest tests[] = {
+			cmocka_unit_test(torture_long_output_buffer),
+			cmocka_unit_test(torture_short_output_buffer),
+			cmocka_unit_test(torture_short_message_correct_padding),
+			cmocka_unit_test(torture_missing_first_zero),
+			cmocka_unit_test(torture_missing_two),
+			cmocka_unit_test(torture_short_padding),
+			cmocka_unit_test(torture_missing_second_zero),
+			cmocka_unit_test(torture_missing_message),
+			cmocka_unit_test(torture_one_byte_message),
+			cmocka_unit_test(torture_longer_padding),
+			cmocka_unit_test(torture_empty_message)};
+	return cmocka_run_group_tests(tests, NULL, NULL);
+}
Index: opensc-0.22.0/src/pkcs11/framework-pkcs15.c
===================================================================
--- opensc-0.22.0.orig/src/pkcs11/framework-pkcs15.c
+++ opensc-0.22.0/src/pkcs11/framework-pkcs15.c
@@ -18,6 +18,7 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 
+#include "common/constant-time.h"
 #include "config.h"
 #include <stdlib.h>
 #include <string.h>
@@ -4341,7 +4342,8 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
 	struct pkcs15_fw_data *fw_data = NULL;
 	struct pkcs15_prkey_object *prkey;
 	unsigned char decrypted[512]; /* FIXME: Will not work for keys above 4096 bits */
-	int	buff_too_small, rv, flags = 0, prkey_has_path = 0;
+	int rv, flags = 0, prkey_has_path = 0;
+	CK_ULONG mask, good, rv_pkcs11;
 
 	sc_log(context, "Initiating decryption.");
 
@@ -4415,27 +4417,53 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_se
 	rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags,
 			pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted));
 
-	if (rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path)
+	/* skip for PKCS#1 v1.5 padding prevent side channel attack */
+	if (!(flags & SC_ALGORITHM_RSA_PAD_PKCS1) &&
+			rv < 0 && !sc_pkcs11_conf.lock_login && !prkey_has_path)
 		if (reselect_app_df(fw_data->p15_card) == SC_SUCCESS)
 			rv = sc_pkcs15_decipher(fw_data->p15_card, prkey->prv_p15obj, flags,
 					pEncryptedData, ulEncryptedDataLen, decrypted, sizeof(decrypted));
 
 	sc_unlock(p11card->card);
 
-	sc_log(context, "Decryption complete. Result %d.", rv);
+	sc_log(context, "Decryption complete.");
 
-	if (rv < 0)
-		return sc_to_cryptoki_error(rv, "C_Decrypt");
+	/* Handle following code in constant-time
+	 * to prevent Marvin attack for PKCS#1 v1.5 padding. */
 
-	buff_too_small = (*pulDataLen < (CK_ULONG)rv);
-	*pulDataLen = rv;
-	if (pData == NULL_PTR)
-		return CKR_OK;
-	if (buff_too_small)
-		return CKR_BUFFER_TOO_SMALL;
-	memcpy(pData, decrypted, *pulDataLen);
+	/* only padding error must be handled in constant-time way,
+	 * other error can be returned straight away */
+	if ((~constant_time_eq_s(rv, SC_ERROR_WRONG_PADDING) & constant_time_lt_s(sizeof(decrypted), rv)))
+		return sc_to_cryptoki_error(rv, "C_Decrypt");
 
-	return CKR_OK;
+	/* check rv for padding error */
+	good = ~constant_time_eq_s(rv, SC_ERROR_WRONG_PADDING);
+	rv_pkcs11 = sc_to_cryptoki_error(SC_ERROR_WRONG_PADDING, "C_Decrypt");
+	rv_pkcs11 = constant_time_select_s(good, CKR_OK, rv_pkcs11);
+
+	if (pData == NULL_PTR) {
+		/* set length only if no error */
+		*pulDataLen = constant_time_select_s(good, rv, *pulDataLen);
+		/* return error only if original rv < 0 */
+		return rv_pkcs11;
+	}
+
+	/* check whether *pulDataLen < rv and set return value for small output buffer */
+	mask = good & constant_time_lt_s(*pulDataLen, rv);
+	rv_pkcs11 = constant_time_select_s(mask, CKR_BUFFER_TOO_SMALL, rv_pkcs11);
+	good &= ~mask;
+
+	/* move everything from decrypted into out buffer constant-time, if rv is ok */
+	for (CK_ULONG i = 0; i < *pulDataLen; i++) { /* iterate over whole pData to not disclose real depadded length */
+		CK_ULONG msg_index;
+		mask = good & constant_time_lt_s(i, sizeof(decrypted));		    /* i should be in the bounds of decrypted */
+		mask &= constant_time_lt_s(i, constant_time_select_s(good, rv, 0)); /* check that is in bounds of depadded message */
+		msg_index = constant_time_select_s(mask, i, 0);
+		pData[i] = constant_time_select_8(mask, decrypted[msg_index], pData[i]);
+	}
+	*pulDataLen = constant_time_select_s(good, rv, *pulDataLen);
+	/* do not log error code to prevent side channel attack */
+	return rv_pkcs11;
 }
 
 
Index: opensc-0.22.0/src/pkcs11/mechanism.c
===================================================================
--- opensc-0.22.0.orig/src/pkcs11/mechanism.c
+++ opensc-0.22.0/src/pkcs11/mechanism.c
@@ -23,6 +23,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "common/constant-time.h"
 #include "sc-pkcs11.h"
 
 /* Also used for verification data */
@@ -844,9 +845,12 @@ sc_pkcs11_decr(struct sc_pkcs11_session
 	rv = op->type->decrypt(op, pEncryptedData, ulEncryptedDataLen,
 	                       pData, pulDataLen);
 
-	if (rv != CKR_BUFFER_TOO_SMALL && pData != NULL)
+	/* terminate session for any return value except CKR_BUFFER_TOO_SMALL,
+	 * perform check in time side-channel free way to prevent Marvin attack */
+	if (~constant_time_eq_s(rv, CKR_OK) & ~constant_time_eq_s(rv, CKR_BUFFER_TOO_SMALL))
 		session_stop_operation(session, SC_PKCS11_OPERATION_DECRYPT);
 
+	/* do not log error code to prevent side channel attack */
 	return rv;
 }
 
@@ -878,6 +882,10 @@ sc_pkcs11_wrap(struct sc_pkcs11_session
 		return CKR_KEY_TYPE_INCONSISTENT;
 
 	rv = session_start_operation(session, SC_PKCS11_OPERATION_WRAP, mt, &operation);
+	/* Skip DecryptFinalize for PKCS#1 v1.5 padding to prevent time side-channel leakage */
+	if (((CK_MECHANISM_PTR)&operation->mechanism)->mechanism == CKM_RSA_PKCS)
+		return rv;
+
 	if (rv != CKR_OK)
 		return rv;
 
Index: opensc-0.22.0/src/pkcs11/pkcs11-object.c
===================================================================
--- opensc-0.22.0.orig/src/pkcs11/pkcs11-object.c
+++ opensc-0.22.0/src/pkcs11/pkcs11-object.c
@@ -930,7 +930,8 @@ CK_RV C_Decrypt(CK_SESSION_HANDLE hSessi
 		rv = reset_login_state(session->slot, rv);
 	}
 
-	sc_log(context, "C_Decrypt() = %s", lookup_enum ( RV_T, rv ));
+	/* do not log error code to prevent side channel attack */
+	SC_LOG("C_Decrypt()");
 	sc_pkcs11_unlock();
 	return rv;
 }
@@ -1418,7 +1419,8 @@ CK_RV C_VerifyUpdate(CK_SESSION_HANDLE h
 	if (rv == CKR_OK)
 		rv = sc_pkcs11_verif_update(session, pPart, ulPartLen);
 
-	sc_log(context, "C_VerifyUpdate() = %s", lookup_enum ( RV_T, rv ));
+	/* do not log error code to prevent side channel attack */
+	SC_LOG("C_DecryptUpdate()");
 	sc_pkcs11_unlock();
 	return rv;
 #endif
@@ -1446,7 +1448,8 @@ CK_RV C_VerifyFinal(CK_SESSION_HANDLE hS
 		rv = reset_login_state(session->slot, rv);
 	}
 
-	sc_log(context, "C_VerifyFinal() = %s", lookup_enum ( RV_T, rv ));
+	/* do not log error code to prevent side channel attack */
+	SC_LOG("C_DecryptFinal()");
 	sc_pkcs11_unlock();
 	return rv;
 #endif
Index: opensc-0.22.0/src/pkcs11/sc-pkcs11.h
===================================================================
--- opensc-0.22.0.orig/src/pkcs11/sc-pkcs11.h
+++ opensc-0.22.0/src/pkcs11/sc-pkcs11.h
@@ -226,6 +226,11 @@ struct sc_pkcs11_slot {
 };
 typedef struct sc_pkcs11_slot sc_pkcs11_slot_t;
 
+#define SC_LOG(fmt) \
+	do { \
+		sc_log(context, (fmt)); \
+	} while (0)
+
 /* Debug virtual slots. S is slot to be highlighted or NULL
  * C is a comment format string and args It will be preceded by "VSS " */
 #define DEBUG_VSS(S, ...) do { sc_log(context,"VSS " __VA_ARGS__); _debug_virtual_slots(S); } while (0)
Index: opensc-0.22.0/src/pkcs11/misc.c
===================================================================
--- opensc-0.22.0.orig/src/pkcs11/misc.c
+++ opensc-0.22.0/src/pkcs11/misc.c
@@ -23,6 +23,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "common/constant-time.h"
 #include "sc-pkcs11.h"
 
 #define DUMP_TEMPLATE_MAX	32
@@ -172,7 +173,7 @@ CK_RV reset_login_state(struct sc_pkcs11
 			slot->p11card->framework->logout(slot);
 		}
 
-		if (rv == CKR_USER_NOT_LOGGED_IN) {
+		if (constant_time_eq_s(rv, CKR_USER_NOT_LOGGED_IN)) {
 			slot->login_user = -1;
 			pop_all_login_states(slot);
 		}
Index: opensc-0.22.0/src/common/Makefile.in
===================================================================
--- opensc-0.22.0.orig/src/common/Makefile.in
+++ opensc-0.22.0/src/common/Makefile.in
@@ -435,7 +435,7 @@ dist_noinst_DATA = \
 	compat_getopt_main.c \
 	README.compat_strlcpy compat_strlcpy.3
 
-noinst_HEADERS = compat_strlcat.h compat_strlcpy.h compat_strnlen.h compat_getpass.h compat_getopt.h simclist.h libpkcs11.h libscdl.h
+noinst_HEADERS = compat_strlcat.h compat_strlcpy.h compat_strnlen.h compat_getpass.h compat_getopt.h simclist.h libpkcs11.h libscdl.h constant-time.h
 AM_CPPFLAGS = -I$(top_srcdir)/src
 libcompat_la_SOURCES = \
 	compat_dummy.c \
@@ -462,7 +462,8 @@ TIDY_FILES = \
 	compat_report_rangecheckfailure.c \
 	compat___iob_func.c \
 	simclist.c simclist.h \
-	libpkcs11.c libscdl.c
+	libpkcs11.c libscdl.c \
+	constant-time.h
 
 all: all-am

Places

File opensc-CVE-2023-5992.patch of Package opensc.35661

Places