Parse RSA parameters DP, DQ and QP from PKCS1 private keys #352
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in ARMmbed#347
jack-fortanix
added a commit
to jack-fortanix/rust-mbedtls
that referenced
this pull request
Jan 22, 2020
Currently they are ignored in the serialized key and then regenerated from P/Q/D. But that exposes key loading to a side channel attack on the modular inversion and GCD bignum functions when QP is computed. [And probably similar issues for DP/DQ during the division step but no attack there has been published yet.] Backport of ARMmbed/mbed-crypto#352
gilles-peskine-arm
added
bug
|
Thanks for the patch! Unfortunately, the CI points out that it doesn't build when To reproduce: To run all the tests we run with CRT usage disabled: |
gilles-peskine-arm
added
the
needs: work
yanesca
reviewed
Jan 23, 2020
| @@ -769,14 +769,29 @@ static int pk_parse_key_pkcs1_der( mbedtls_rsa_context *rsa, | |||
| goto cleanup; | |||
| p += len; | |||
|
|
|||
| /* Complete the RSA private key */ | |||
| if( ( ret = mbedtls_rsa_complete( rsa ) ) != 0 ) | |||
| /* Import DP */ | |||
There was a problem hiding this comment.
Could we please add a comment here as a reminder for the future to ensure that nobody "optimises" this code out?
Basically explaining that although we could compute these values, we choose not to because this way it is faster and reduces the attack surface exposed to side channel attacks.
|
@gilles-peskine-arm I addressed the build problem but it looks like Jenkins is still failing, can you forward the issue here?
This appears to be a GCM test so I don't think has anything to do with my change - and the same error appears with |
|
Unfortunately For more detailed test output you can run the individual test functions with |
|
@yanesca Thanks, your suggestion resolved the build problem in the random tests. Unfortunately? now |
|
I copied the CI output here: In the first couple of lines it prints out the OS and tools versions. Also here is my local environment (slightly more recent than the CI), I could reproduce with these too (I encountered the same compilation problem though): The PR should be ready after fixing this test. This won't make the CI green though, because we have an unrelated failure in the CI. |
|
I was not able to reproduce until I edited |
|
Yes, it is resolved, the CI is only failing on known issues that are unrelated to this PR. Aren't you on OS X by any chance? Leak analyser is turned off by default in OS X ASan: |
yanesca
previously approved these changes
Jan 28, 2020
yanesca
removed
the
needs: work
gilles-peskine-arm
requested changes
Jan 28, 2020
There was a problem hiding this comment.
As noted by @yanesca, please use mbedtls_asn1_get_mpi where applicable.
|
Updated |
gilles-peskine-arm
approved these changes
Jan 28, 2020
yanesca
removed
the
needs: review
|
The only thing left on this PR is to do the backports. @jack-fortanix Could you please raise PRs with the same content in the Mbed TLS repository targeting the |
jack-fortanix
added a commit
to jack-fortanix/mbedtls
that referenced
this pull request
Jan 29, 2020
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in ARMmbed/mbed-crypto#347 Backport of ARMmbed/mbed-crypto#352
jack-fortanix
added a commit
to jack-fortanix/mbedtls
that referenced
this pull request
Jan 29, 2020
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in ARMmbed/mbed-crypto#347 Backport of ARMmbed/mbed-crypto#352
|
Thank you for submitting the backports! |
gilles-peskine-arm
added
ready for merge
jack-fortanix
added a commit
to jack-fortanix/rust-mbedtls
that referenced
this pull request
Feb 4, 2020
Currently they are ignored in the serialized key and then regenerated from P/Q/D. But that exposes key loading to a side channel attack on the modular inversion and GCD bignum functions when QP is computed. [And probably similar issues for DP/DQ during the division step but no attack there has been published yet.] Backport of ARMmbed/mbed-crypto#352
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Feb 29, 2020
= mbed TLS 2.16.5 branch released 2020-02-20
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
* To avoid a side channel vulnerability when parsing an RSA private key,
read all the CRT parameters from the DER structure rather than
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
Brumley. Reported and fix contributed by Jack Lloyd.
ARMmbed/mbed-crypto#352
Bugfix
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys that would later be rejected by functions expecting private
keys. Found by Catena cyber using oss-fuzz (issue 20467).
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys with invalid values by silently fixing those values.
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Mar 8, 2020
security/mbedtls: security fix
Revisions pulled up:
- security/mbedtls/Makefile 1.12
- security/mbedtls/PLIST 1.6
- security/mbedtls/distinfo 1.8
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Feb 29 11:45:02 UTC 2020
Modified Files:
pkgsrc/security/mbedtls: Makefile PLIST distinfo
Log Message:
mbedtls: Update to 2.16.5
= mbed TLS 2.16.5 branch released 2020-02-20
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
* To avoid a side channel vulnerability when parsing an RSA private key,
read all the CRT parameters from the DER structure rather than
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
Brumley. Reported and fix contributed by Jack Lloyd.
ARMmbed/mbed-crypto#352
Bugfix
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys that would later be rejected by functions expecting private
keys. Found by Catena cyber using oss-fuzz (issue 20467).
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys with invalid values by silently fixing those values.
bors bot
added a commit
to fortanix/rust-mbedtls
that referenced
this pull request
Mar 9, 2020
90: Fix ECDSA side channel r=jethrogb a=jack-fortanix Backport of ARMmbed/mbed-crypto@247c4d3 which addresses the attack described in https://eprint.iacr.org/2020/055.pdf 91: Parse RSA CRT parameters from PKCS1 private keys r=jethrogb a=jack-fortanix Currently they are ignored in the serialized key and then regenerated from P/Q/D. But that exposes key loading to a side channel attack on the modular inversion and GCD bignum functions when QP is computed. [And probably similar issues for DP/DQ during the division step but no attack there has been published yet.] Also this reduces computational overhead of loading RSA private keys from memory which will be nice for us in roche. Backport of ARMmbed/mbed-crypto#352 Co-authored-by: Jack Lloyd <jack.lloyd@fortanix.com>
bors bot
added a commit
to fortanix/rust-mbedtls
that referenced
this pull request
Mar 9, 2020
90: Fix ECDSA side channel r=jethrogb a=jack-fortanix Backport of ARMmbed/mbed-crypto@247c4d3 which addresses the attack described in https://eprint.iacr.org/2020/055.pdf 91: Parse RSA CRT parameters from PKCS1 private keys r=jethrogb a=jack-fortanix Currently they are ignored in the serialized key and then regenerated from P/Q/D. But that exposes key loading to a side channel attack on the modular inversion and GCD bignum functions when QP is computed. [And probably similar issues for DP/DQ during the division step but no attack there has been published yet.] Also this reduces computational overhead of loading RSA private keys from memory which will be nice for us in roche. Backport of ARMmbed/mbed-crypto#352 94: Fix docs on macro invocations r=jethrogb a=jethrogb Co-authored-by: Jack Lloyd <jack.lloyd@fortanix.com> Co-authored-by: Jethro Beekman <jethro@fortanix.com>
simonbutcher
pushed a commit
to simonbutcher/mbedtls
that referenced
this pull request
Mar 13, 2020
Otherwise these values are recomputed in mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced. Discussion in ARMmbed/mbed-crypto#347 Backport of ARMmbed/mbed-crypto#352
gilles-peskine-arm
added a commit
to gilles-peskine-arm/mbed-crypto
that referenced
this pull request
Mar 23, 2020
* ARMmbed#352: Parse RSA parameters DP, DQ and QP from PKCS1 private keys * ARMmbed#263: Introduce ASN.1 SEQUENCE traversal API * ARMmbed#345: Fix possible error code mangling in psa_mac_verify_finish * ARMmbed#357: Update Mbed Crypto with latest Mbed TLS changes as of 2020-02-03 * ARMmbed#350: test_suite_asn1parse: improve testing of trailing garbage in parse_prefixes * ARMmbed#346: Improve robustness and testing of mbedtls_mpi_copy
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Apr 6, 2020
security/mbedtls: security fix
Revisions pulled up:
- security/mbedtls/Makefile 1.12
- security/mbedtls/PLIST 1.6
- security/mbedtls/distinfo 1.8
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Feb 29 11:45:02 UTC 2020
Modified Files:
pkgsrc/security/mbedtls: Makefile PLIST distinfo
Log Message:
mbedtls: Update to 2.16.5
= mbed TLS 2.16.5 branch released 2020-02-20
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
* To avoid a side channel vulnerability when parsing an RSA private key,
read all the CRT parameters from the DER structure rather than
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
Brumley. Reported and fix contributed by Jack Lloyd.
ARMmbed/mbed-crypto#352
Bugfix
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys that would later be rejected by functions expecting private
keys. Found by Catena cyber using oss-fuzz (issue 20467).
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys with invalid values by silently fixing those values.
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
May 27, 2020
security/mbedtls: security fix
Revisions pulled up:
- security/mbedtls/Makefile 1.12
- security/mbedtls/PLIST 1.6
- security/mbedtls/distinfo 1.8
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Feb 29 11:45:02 UTC 2020
Modified Files:
pkgsrc/security/mbedtls: Makefile PLIST distinfo
Log Message:
mbedtls: Update to 2.16.5
= mbed TLS 2.16.5 branch released 2020-02-20
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
* To avoid a side channel vulnerability when parsing an RSA private key,
read all the CRT parameters from the DER structure rather than
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
Brumley. Reported and fix contributed by Jack Lloyd.
ARMmbed/mbed-crypto#352
Bugfix
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys that would later be rejected by functions expecting private
keys. Found by Catena cyber using oss-fuzz (issue 20467).
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys with invalid values by silently fixing those values.
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Oct 14, 2021
security/mbedtls: security fix
Revisions pulled up:
- security/mbedtls/Makefile 1.12
- security/mbedtls/PLIST 1.6
- security/mbedtls/distinfo 1.8
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Feb 29 11:45:02 UTC 2020
Modified Files:
pkgsrc/security/mbedtls: Makefile PLIST distinfo
Log Message:
mbedtls: Update to 2.16.5
= mbed TLS 2.16.5 branch released 2020-02-20
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
* To avoid a side channel vulnerability when parsing an RSA private key,
read all the CRT parameters from the DER structure rather than
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
Brumley. Reported and fix contributed by Jack Lloyd.
ARMmbed/mbed-crypto#352
Bugfix
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys that would later be rejected by functions expecting private
keys. Found by Catena cyber using oss-fuzz (issue 20467).
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys with invalid values by silently fixing those values.
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Jan 18, 2023
security/mbedtls: security fix
Revisions pulled up:
- security/mbedtls/Makefile 1.12
- security/mbedtls/PLIST 1.6
- security/mbedtls/distinfo 1.8
---
Module Name: pkgsrc
Committed By: nia
Date: Sat Feb 29 11:45:02 UTC 2020
Modified Files:
pkgsrc/security/mbedtls: Makefile PLIST distinfo
Log Message:
mbedtls: Update to 2.16.5
= mbed TLS 2.16.5 branch released 2020-02-20
Security
* Fix potential memory overread when performing an ECDSA signature
operation. The overread only happens with cryptographically low
probability (of the order of 2^-n where n is the bitsize of the curve)
unless the RNG is broken, and could result in information disclosure or
denial of service (application crash or extra resource consumption).
Found by Auke Zeilstra and Peter Schwabe, using static analysis.
* To avoid a side channel vulnerability when parsing an RSA private key,
read all the CRT parameters from the DER structure rather than
reconstructing them. Found by Alejandro Cabrera Aldaya and Billy Bob
Brumley. Reported and fix contributed by Jack Lloyd.
ARMmbed/mbed-crypto#352
Bugfix
* Fix an unchecked call to mbedtls_md() in the x509write module.
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys that would later be rejected by functions expecting private
keys. Found by Catena cyber using oss-fuzz (issue 20467).
* Fix a bug in mbedtls_pk_parse_key() that would cause it to accept some
RSA keys with invalid values by silently fixing those values.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Otherwise these values are recomputed in
mbedtls_rsa_deduce_crt, which currently suffers from side channel issues in the computation of QP (see https://eprint.iacr.org/2020/055). By loading the pre-computed values not only is the side channel avoided, but runtime overhead of loading RSA keys is reduced.Discussion in #347