[release/7.0-staging] Disable implicit rejection for RSA PKCS#1 v1.5 #95217
Conversation
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones

Issue Details

Backport of #95157 to release/7.0-staging

/cc @vcsjones

Customer Impact

Testing

Risk

IMPORTANT: If this backport is for a servicing release, please verify that:
Just to make sure that this doesn't end up being merged just because nobody saw the original comment: This re-enables a Bleichenbacher timing oracle attack against PKCS#1v1.5 decryption. See https://people.redhat.com/~hkario/marvin/ for details and #95157 (comment) for a comment by the researcher who published the vulnerability and proposed the change in OpenSSL. I don't think this should be merged.
^ Please address the provided feedback above. I added the blocked label just in case. @bartonjs Friendly reminder that Tuesday January 16th 4pm is the Code Complete deadline for the February Release. If all requirements are met, please merge your PR before that date and time to ensure this fix gets included in that Release.
@GrabYourPitchforks addressed the feedback in the other backport PR. We are good to merge.
This reverts commit a314c5b.

To quote Clemens Lang:

> [Disabling implicit rejection] re-enables a Bleichenbacher timing oracle
> attack against PKCS#1v1.5 decryption. See
> https://people.redhat.com/~hkario/marvin/ for details and
> dotnet#95157 (comment) for a
> comment by the researcher who published the vulnerability and proposed the
> change in OpenSSL.

For more details, see: dotnet#95217 (comment)
Backport of #95157 to release/7.0-staging
/cc @vcsjones @bartonjs
Customer Impact
OpenSSL introduced a behavior change in EVP_PKEY_decrypt where RSA decryption with PKCS#1 v1.5 padding no longer produces an error with invalid padding. Instead, it returns “random” data.

Customers using affected versions of OpenSSL will no longer get consistent and documented behavior from RSA.Decrypt.

This change is reacting to a breaking behavioral change in a dependency, OpenSSL, so that RSA.Decrypt continues to function as it is documented to, and to be consistent with Windows and other platforms.
Testing
This behavior change was identified with a test in #95115. Additional tests were added.
Risk
Low. This is reacting to a change in OpenSSL by setting a particular flag. Existing tests cover RSA.Decrypt’s behavior.
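What the two behaviors discussed in this PR look like at the unpadding step, as an added illustration that is not code from this PR, .NET or OpenSSL: a strict PKCS#1 v1.5 unpad that errors on bad padding (the documented RSA.Decrypt behavior) next to a simplified implicit-rejection variant that hands back a ciphertext-derived synthetic message instead of an error. The block size K, the secret, and the synthetic-length rule are constructed assumptions, and the Python branch is only a sketch of the selection logic, not a constant-time implementation.

```python
import hmac
import hashlib

# Constructed example values (not from the PR): a 32-byte "RSA block size"
# and a secret that a real implementation would derive from the private key.
K = 32
SECRET = hashlib.sha256(b"constructed-private-key-material").digest()


def unpad_strict(em: bytes) -> bytes:
    """PKCS#1 v1.5 type-2 unpadding that raises on any defect: the
    documented behavior, where invalid padding is an error."""
    if len(em) != K or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("invalid padding")
    sep = em.find(b"\x00", 2)          # -1 if no separator at all
    if sep < 10:                       # at least 8 non-zero padding bytes required
        raise ValueError("invalid padding")
    return em[sep + 1:]


def synthetic_message(ciphertext: bytes) -> bytes:
    """Deterministic stand-in plaintext for a bad ciphertext: the same
    ciphertext always yields the same fake message, so repeated queries reveal
    nothing about whether the padding was valid. Length and content come from
    an HMAC over the ciphertext keyed with private-key-derived material
    (a simplified sketch of the idea, not OpenSSL's exact derivation)."""
    prf = hmac.new(SECRET, ciphertext, hashlib.sha256).digest()
    length = prf[0] % (K - 11) + 1     # a plausible plaintext length, 1..K-11
    return prf[1:1 + length]


def unpad_implicit(em: bytes, ciphertext: bytes) -> bytes:
    """Implicit rejection: never signal bad padding; return the synthetic
    message instead. A production version must compute both candidates and
    select between them in constant time; this try/except only shows which
    value the caller ends up with, and a caller expecting an exception on bad
    padding (as RSA.Decrypt documents) gets none."""
    try:
        return unpad_strict(em)
    except ValueError:
        return synthetic_message(ciphertext)
```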