From: Veronika HanulĂková <vhanulik@redhat.com>
Date: Thu, 16 Nov 2023 10:38:12 +0100
Subject: pkcs15-sec: Remove logging after PKCS#1 v1.5 depadding
To prevent the Marvin attack on RSA PKCS#1 v1.5 padding, which becomes
possible when the return value signaling a padding error is logged.
Origin: https://github.com/OpenSC/OpenSC/commit/2ee8730649e9a0f2ab01597cfba4f72571eed601
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2248685
Bug: https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992
Bug: https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h6ww-xfc2-jw4h
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-5992
Bug-Debian: https://bugs.debian.org/1064189
---
src/libopensc/pkcs15-sec.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c
index ed0f396..0aa42f5 100644
--- a/src/libopensc/pkcs15-sec.c
+++ b/src/libopensc/pkcs15-sec.c
@@ -308,10 +308,10 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
/* Strip any padding */
if (pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) {
- int s = r;
- int key_size = alg_info->key_length;
+ unsigned int s = r;
+ unsigned int key_size = (unsigned int)alg_info->key_length;
r = sc_pkcs1_strip_02_padding_constant_time(ctx, key_size / 8, out, s, out, &s);
- LOG_TEST_RET(ctx, r, "Invalid PKCS#1 padding");
+ /* for keeping PKCS#1 v1.5 depadding constant-time, do not log error here */
}
#ifdef ENABLE_OPENSSL
if (pad_flags & SC_ALGORITHM_RSA_PAD_OAEP)
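Review bot: The new `unsigned int s = r;` converts a signed `int` implicitly, so it is only safe if `r` is already known to be non-negative when this branch is entered. That guard is not visible in the hunk (presumably an earlier error check on the decipher result; worth confirming), and a negative `r` would become a very large input length for `sc_pkcs1_strip_02_padding_constant_time`. For consistency with the explicit cast on the next line, and to record the assumption, I would write `unsigned int s = (unsigned int)r; /* r >= 0 here, error already handled above */`. Note also that with `LOG_TEST_RET` removed, a negative depadding result now falls through to the OAEP check instead of returning early, so the two padding flags must stay mutually exclusive for `r` to reach the final return unchanged.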
@@ -333,7 +333,8 @@ int sc_pkcs15_decipher(struct sc_pkcs15_card *p15card,
LOG_TEST_RET(ctx, r, "Invalid OAEP padding");
}
#endif
- LOG_FUNC_RETURN(ctx, r);
+ /* do not log error code to prevent side channel attack */
+ return r;
}
/* derive one key from another. RSA can use decipher, so this is for only ECDH
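Review bot: The plain `return r;` stops this function from logging the padding result, but `r` still carries the success/failure distinction out to every caller of `sc_pkcs15_decipher`. The constant-time property therefore holds only if those callers (not visible in this hunk) also avoid logging or branching early on the value. I would make that contract explicit in the comment, for example `/* do not log r here: callers must also treat a PKCS#1 v1.5 padding failure without logging or early exit, otherwise the side channel reappears */`. It is also worth noting that dropping `LOG_FUNC_RETURN` removes the exit trace for all paths through the function, including OAEP and raw decipher, which is a debugging trade-off that the comment could mention.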