git.openssl.org Git - openssl.git/commit

author	David Benjamin <davidben@google.com>
	Thu, 16 Jun 2016 18:15:19 +0000 (14:15 -0400)
committer	Kurt Roeckx <kurt@roeckx.be>
	Tue, 21 Jun 2016 18:55:54 +0000 (20:55 +0200)
commit	5b8fa431ae8eb5a18ba913494119e394230d4b70
tree	caf650c413af683180d763c2a9f65838068355c9	tree \| snapshot
parent	01238aec4071eabf072f4e98e3fb84cbab3c7107	commit \| diff

Make RSA key exchange code actually constant-time.

Using RSA_PKCS1_PADDING with RSA_private_decrypt is inherently unsafe.
The API requires writing output on success and touching the error queue
on error. Thus, although the padding check itself is constant-time as of
294d1e36c2495ff00e697c9ff622856d3114f14f, and the logic after the
decryption in the SSL code is constant-time as of
adb46dbc6dd7347750df2468c93e8c34bcb93a4b, the API boundary in the middle
still leaks whether the padding check succeeded, giving us our
much-loved Bleichenbacher padding oracle.

Instead, PKCS#1 padding must be handled by the caller which uses
RSA_NO_PADDING, in timing-sensitive code integrated with the
Bleichenbacher mitigation. Removing PKCS#1 padding in constant time is
actually much simpler when the expected length is a constant (and if
it's not a constant, avoiding a padding oracle seems unlikely), so just
do it inline.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1222