stefanberger / libtpms
77%
master: 77%

LAST BUILD BRANCH: HEAD
DEFAULT BRANCH: master
Repo Added 23 Oct 2018 06:58PM UTC
Files 521
LAST BUILD ON BRANCH rsa_pkcs1_returnvalue
branch: rsa_pkcs1_returnvalue
Build 1730 (push, via travis-ci-com, committer stefanberger): pending completion
tpm2: Always return a value after pkcs1-padded RSA decryption

PKCS #1 v1.5 padding is susceptible to Bleichenbacher attacks just as
the WARNING on this page here states:
https://www.openssl.org/docs/man1.1.1/man3/RSA_padding_check_PKCS1_type_2.html

The TPM 2 supports this type of padding. This patch tries to find an
(experimental) solution to the Bleichenbacher type of attacks. However, the
argument is that TPM 2 implements low-level crypto primitives that
higher layer software and developers need to choose whether to use.

To fool the attacker this patch now modifies the code so that it returns
messages even if the decryption failed.

We will not merge this because:
- The TCG TPM 2 code, which is equivalent of the spec of the TPM 2,
  does not do this and therefore higher layers don't expect decryption
  failures to return a message and a success status code.
- It is not clear how applications would react to decryption failures not
  returning a failure status code but a message instead. Decryption
  failures typically propagate through higher layers, such as TSS stacks,
  TPM 2 PKCS 11 modules, or TPM 2 OpenSSL engines, into applications.

My guidance is:
Do not use PKCS #1 v1.5 padding for anything that offers some sort of
over-the-network decryption service, such as a TPM 2 PKCS #11 module
(if it offers this type of padding at all) or a web server accessing
the TPM 2 keys via OpenSSL engine (if it offers this type of padding
at all) or so. You can use it for private encryption where you alone
are using the key and the key is not accessible by any over-the-network
service. Better use OAEP padding.

With this patch we are returning a deterministic random message of
deterministic random length (less or equal to the max. message size)
when PKCS #1 v1.5 padding is being used for RSA encryption. The goal is to
avoid Bleichenbacher type of attacks that attempt to reconstruct an
RSA private key by sending thousands of probes for decryption and
checking whi... (continued)
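An added illustration of the scheme the commit message describes (this is not code from libtpms or from the patch itself): the PKCS #1 v1.5 unpadding step plus a fallback that, when the block is malformed, hands back a pseudorandom message whose length and content are derived deterministically from the ciphertext, so repeated probes with the same ciphertext see the same answer. It assumes the RSA private-key operation has already produced the k-byte block EM and that a per-key secret (here a constructed value) is available for the PRF; Python is used for readability, not as a constant-time implementation.

```python
import hmac
import hashlib


def pkcs1_v15_unpad(em: bytes):
    """Parse an EME-PKCS1-v1_5 block: 0x00 0x02 <PS, >= 8 nonzero bytes> 0x00 <M>.
    Returns M, or None when the block is malformed. Every check is evaluated
    and the whole block is scanned; there is no early return on the first bad
    byte, mirroring the idea that the work done must not depend on the input."""
    k = len(em)
    if k < 11:
        return None
    bad = (em[0] != 0x00) | (em[1] != 0x02)
    sep = -1
    for i in range(2, k):            # locate the first 0x00 after the header
        if em[i] == 0x00 and sep < 0:
            sep = i
    bad |= sep < 10                  # no separator (-1) or PS shorter than 8 bytes
    return None if bad else em[sep + 1:]


def synthetic_message(key: bytes, ciphertext: bytes, max_len: int) -> bytes:
    """Deterministic stand-in message for a failed decryption: an HMAC over the
    ciphertext picks a length in 1..max_len, a counter-mode HMAC fills the bytes.
    Same key + same ciphertext -> same output, so it carries no padding oracle."""
    h = hmac.new(key, b"len" + ciphertext, hashlib.sha256).digest()
    length = 1 + int.from_bytes(h[:2], "big") % max_len
    out, ctr = b"", 0
    while len(out) < length:
        blk = b"msg" + ctr.to_bytes(4, "big") + ciphertext
        out += hmac.new(key, blk, hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def decrypt_with_fallback(em: bytes, ciphertext: bytes, key: bytes) -> bytes:
    """What the caller sees: a message in every case, never a padding error.
    max message size for a k-byte modulus under PKCS #1 v1.5 is k - 11."""
    msg = pkcs1_v15_unpad(em)
    if msg is None:
        msg = synthetic_message(key, ciphertext, len(em) - 11)
    return msg
```

The trade-off the commit message spells out still applies: a caller expecting a failure status from the TPM will not get one, which is why the author chose not to merge this.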

28931 of 37380 relevant lines covered (77.4%)

89039.45 hits per line


Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
1730 rsa_pkcs1_returnvalue tpm2: Always return a value after pkcs1-padded RSA decryption PKCS #1 v1.5 padding is susceptible to Bleichenbacher attacks just as the WARNING on this page here states: https://www.openssl.org/docs/man1.1.1/man3/RSA_padding_check_PKCS1_type_2.ht... push 19 Nov 2020 03:42PM UTC stefanberger travis-ci-com pending completion  
1729 rsa_pkcs1_returnvalue tpm2: Always return a value after pkcs1-padded RSA decryption PKCS v1.5 padding is susceptible to Bleichenbacher attacks. The TPM 2 supports this type of padding (and also raw decryption). This patch tries to find an experimental work-around to t... push 19 Nov 2020 03:29PM UTC stefanberger travis-ci-com pending completion  
1725 rsa_pkcs1_returnvalue tpm2: Always return a value after pkcs1-padded RSA decryption To avoid Bleichenbacher type of attacks we always return a decrypted value when doing pkcs1-padded RSA decryption. Either the value is the proper decrypted value or the returned value ... push 16 Nov 2020 10:30PM UTC stefanberger travis-ci-com pending completion  
1724 rsa_pkcs1_returnvalue tpm2: Always return a value after pkcs1-padded RSA decryption To avoid Bleichenbacher type of attacks we always return a decrypted value when doing pkcs1-padded RSA decryption. Either the value is the proper decrypted value or the returned value ... push 16 Nov 2020 10:18PM UTC stefanberger travis-ci-com pending completion  
See All Builds (2483)

© 2025 Coveralls, Inc