stefanberger / libtpms / 1730
77%
master: 77%

LAST BUILD BRANCH: HEAD
DEFAULT BRANCH: master
Ran 19 Nov 2020 03:42PM UTC
Jobs 1
Files 453
Run time 1min
Build 1730: pending completion (push, travis-ci-com)

Commit by stefanberger:
tpm2: Always return a value after pkcs1-padded RSA decryption

PKCS #1 v1.5 padding is susceptible to Bleichenbacher attacks just as
the WARNING on this page here states:
https://www.openssl.org/docs/man1.1.1/man3/RSA_padding_check_PKCS1_type_2.html

The TPM 2 supports this type of padding. This patch tries to find an
(experimental) solution to the Bleichenbacher type of attacks. However, the
argument is that TPM 2 implements low-level crypto primitives that
higher layer software and developers need to choose whether to use.

To fool the attacker this patch now modifies the code so that it returns
messages even if the decryption failed.

We will not merge this because:
- The TCG TPM 2 code, which is equivalent of the spec of the TPM 2,
  does not do this and therefore higher layers don't expect decryption
  failures to return a message and a success status code.
- It is not clear how applications would react to decryption failures not
  returning a failure status code but a message instead. Decryption
  failures typically propagate through higher layers, such as TSS stacks,
  TPM 2 PKCS 11 modules, or TPM 2 OpenSSL engines, into applications.

My guidance is:
Do not use PKCS #1 v1.5 padding for anything that offers some sort of
over-the-network decryption service, such as a TPM 2 PKCS #11 module
(if it offers this type of padding at all) or a web server accessing
the TPM 2 keys via OpenSSL engine (if it offers this type of padding
at all) or so. You can use it for private encryption where you alone
are using the key and the key is not accessible by any over-the-network
service. Better use OAEP padding.

With this patch we are returning a deterministic random message of
deterministic random length (less than or equal to the max. message size)
when PKCS #1 v1.5 padding is being used for RSA encryption. The goal is to
avoid Bleichenbacher type of attacks that attempt to reconstruct an
RSA private key by sending thousands of probes for decryption and
checking whi... (continued)
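The behaviour the commit message describes, as an added example that is not libtpms, TCG or OpenSSL code: a strict RFC 8017 PKCS #1 v1.5 unpadding routine that reports failure (the yes/no oracle a Bleichenbacher attacker probes), next to a variant that, on a padding error, returns a substitute message whose length and content are derived deterministically from a secret and the encoded message. The RSA private-key operation is omitted (the input is the already decrypted k-byte EM), HMAC-SHA256 as the PRF and the `SECRET` value are assumptions of this example, and all sample inputs are constructed.

```python
"""Constructed example (not libtpms or TCG code): PKCS #1 v1.5 unpadding
with and without the "return a message anyway" behaviour described in the
commit message.  The RSA private-key operation is left out; the input is
the already decrypted k-byte encoded message EM."""
import hashlib
import hmac
from typing import Callable, List, Optional

K = 256  # modulus size in bytes (RSA-2048)


def pkcs1_v15_encode(msg: bytes, k: int, ps: bytes) -> bytes:
    """EM = 0x00 || 0x02 || PS || 0x00 || M (RFC 8017, 7.2.1).
    PS is a parameter so the example is deterministic; a real encoder
    draws PS from a CSPRNG and must never put a zero byte in it."""
    if len(ps) < 8 or b"\x00" in ps or 3 + len(ps) + len(msg) != k:
        raise ValueError("bad PS or message length for this modulus")
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad_strict(em: bytes) -> Optional[bytes]:
    """RFC 8017, 7.2.2 step 3: returns M, or None on any padding error.
    This explicit rejection is the yes/no oracle a Bleichenbacher
    attacker needs."""
    k = len(em)
    if k < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(0x00, 2)  # first zero byte after the block type
    if sep < 10:            # not found (-1) or fewer than 8 bytes of PS
        return None
    return em[sep + 1:]


def fake_message(secret: bytes, em: bytes) -> bytes:
    """Deterministic pseudorandom message of deterministic pseudorandom
    length in [0, k - 11], derived from a secret and EM with HMAC-SHA256
    (the PRF choice is an assumption of this example).  In practice the
    secret would be derived from the private key, so only the key holder
    can compute the substitute and the same ciphertext always yields the
    same substitute."""
    max_len = len(em) - 11
    seed = hmac.new(secret, b"len" + em, hashlib.sha256).digest()
    # Two-byte seed modulo (max_len + 1): slight modulo bias, acceptable here.
    fake_len = int.from_bytes(seed[:2], "big") % (max_len + 1)
    out = b""
    ctr = 0
    while len(out) < fake_len:
        block = b"msg" + ctr.to_bytes(4, "big") + em
        out += hmac.new(secret, block, hashlib.sha256).digest()
        ctr += 1
    return out[:fake_len]


def pkcs1_v15_unpad_implicit(em: bytes, secret: bytes) -> bytes:
    """Implicit rejection: the substitute is computed on every call and
    selected when the padding check fails, so the return value alone does
    not reveal whether the padding was valid.  (A C implementation would
    also make the selection branch-free; Python cannot.)"""
    real = pkcs1_v15_unpad_strict(em)
    fake = fake_message(secret, em)
    return fake if real is None else real


def responses_reveal_failure(unpad: Callable[[bytes], Optional[bytes]],
                             probes: List[bytes]) -> List[bool]:
    """Attacker's view: True where the response exposes a rejection."""
    return [unpad(em) is None for em in probes]


# Constructed sample inputs (assumed values, for reproducibility only).
SECRET = hashlib.sha256(b"example only: derive from the RSA private key").digest()
MSG = b"16-byte-sess-key"
PS = bytes(range(1, 1 + K - 3 - len(MSG)))       # fixed nonzero bytes
EM_GOOD = pkcs1_v15_encode(MSG, K, PS)
EM_BAD_TYPE = b"\x00\x01" + EM_GOOD[2:]           # block type 1 instead of 2
EM_BAD_PS = EM_GOOD[:2] + b"\x00" + EM_GOOD[3:]   # separator after one byte of PS
PROBES = [EM_GOOD, EM_BAD_TYPE, EM_BAD_PS]


def oracle_comparison():
    """Returns (strict view, implicit view) for the three probes."""
    strict = responses_reveal_failure(pkcs1_v15_unpad_strict, PROBES)
    implicit = responses_reveal_failure(
        lambda em: pkcs1_v15_unpad_implicit(em, SECRET), PROBES)
    return strict, implicit


if __name__ == "__main__":
    print(oracle_comparison())
```

With the strict routine the two malformed probes come back as failures, which is exactly the signal the attack accumulates over thousands of ciphertexts; with the implicit variant every probe yields a message, and repeating a probe yields the same message, so the attacker learns nothing from the return value. The caveat the commit message itself raises still applies: callers above a TPM, TSS or PKCS #11 layer expect a failure status, so changing this contract in a low-level primitive is not something the library can do unilaterally. (OpenSSL 3.2 later shipped the same idea under the name "implicit rejection".)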

28931 of 37380 relevant lines covered (77.4%)

89039.45 hits per line

Jobs

ID  Job ID  Ran  Files  Coverage
2  1730.2 (COVERITY_SCAN_TOKEN=[secure] CONFIG="--with-openssl --prefix=/usr --with-tpm2 --enable-test-coverage" TARGET="install" NPROC="nproc")  19 Nov 2020 03:42PM UTC  0  77.4
Travis Job 1730.2
Source Files on build 1730
Detailed source file information is not available for this build.
  • Build #1730
  • 31d0f912 on github
  • Prev Build on rsa_pkcs1_returnvalue (#1729)