Bug 1651411 New tlsfuzzer code can still detect timing issues in RSA operations.

This patch defeats Bleichenbacher by not trying to hide the size of the decrypted text, but to hide if the text succeeded or failed. This is done by generating a fake returned text that's based on the key and the cipher text, so the fake data is always the same for the same key and cipher text. Both the length and the plain text are generated with a PRF.

Here's the proposed spec the patch codes to:

1. Use SHA-256 to hash the private exponent encoded as a big-endian integer to a string the same length as the public modulus. Keep this value secret. (This is just an optimisation so that the implementation doesn't have to serialise the key over and over again.)
2. Check the length of input according to step one of https://tools.ietf.org/html/rfc8017#section-7.2.2
3. When provided with a ciphertext, use SHA-256 HMAC(key=hash_from_step1, text=ciphertext) to generate the key derivation key.
4. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "length" with the big-endian representation of 2048 (0x0800) as the bit length of the generated string.
   - Iterate this PRF 8 times to generate a 256 byte string.
5. Initialise the length of synthetic message to 0.
6. Split the PRF output into 2 byte strings, convert into big-endian integers, zero-out high-order bits so that they have the same bit length as the octet length of the maximum acceptable message size (k-11), select the last integer that is no larger than (k-11) or remain at 0 if no integer is smaller than (k-11); this selection needs to be performed using side-channel free operators.
7. Use SHA-256 HMAC with key derivation key as the key and a two-byte big-endian iterator concatenated with byte string "message" with the big-endian representation of k*8.
   - Use this PRF to generate k bytes of output (right-truncate last HMAC call if the number of generated bytes is not a multiple of SHA-256 output size).
8. Perform the RSA decryption as described in step 2 of section 7.2.2 of rfc8017.
9. Verify the EM message padding as described in step 3 of section 7.2.2 of rfc8017, but instead of outputting "decryption error", return the last l bytes of the "message" PRF, where l is the selected synthetic message length using the "length" PRF; make this decision and copy using side-channel free operation.

Differential Revision: https://phabricator.services.mozilla.com/D99843
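The spec above, as an added Python example that is not the NSS patch's own code. It covers steps 1 and 3 to 7 plus the padding check of step 9 (the RSA operation itself is left out); the candidate-length selection and the final unpad use plain `if` branches for readability, which are exactly the places where the spec demands side-channel free operators, so this shows the derivation, not a constant-time implementation.

```python
import hashlib
import hmac


def key_hash(d: int, k: int) -> bytes:
    """Step 1: SHA-256 of the private exponent d, big-endian, padded to the modulus length k."""
    return hashlib.sha256(d.to_bytes(k, "big")).digest()


def _prf(kdk: bytes, label: bytes, bits: int, out_len: int) -> bytes:
    """Steps 4 and 7: concatenate HMAC-SHA256(kdk, i || label || bits) for i = 0, 1, ...
    (i and bits as 2-byte big-endian) and right-truncate to out_len bytes."""
    out = b""
    i = 0
    while len(out) < out_len:
        msg = i.to_bytes(2, "big") + label + bits.to_bytes(2, "big")
        out += hmac.new(kdk, msg, hashlib.sha256).digest()
        i += 1
    return out[:out_len]


def synthetic_message(khash: bytes, ciphertext: bytes, k: int) -> bytes:
    """Steps 3 to 7: the deterministic fake plaintext for this (key, ciphertext) pair."""
    max_len = k - 11                                            # largest PKCS#1 v1.5 payload
    kdk = hmac.new(khash, ciphertext, hashlib.sha256).digest()  # step 3: key derivation key
    length_prf = _prf(kdk, b"length", 2048, 256)                # step 4: 8 HMAC calls, 256 bytes
    mask = (1 << max_len.bit_length()) - 1                      # step 6: same bit length as k-11
    chosen = 0                                                  # step 5
    for j in range(0, len(length_prf), 2):
        cand = int.from_bytes(length_prf[j:j + 2], "big") & mask
        if cand <= max_len:   # plain branch here; the spec requires a side-channel free select
            chosen = cand     # "last integer no larger than k-11" wins
    msg_prf = _prf(kdk, b"message", k * 8, k)                   # step 7: k bytes of output
    return msg_prf[k - chosen:]                                 # last `chosen` bytes, b"" if 0


def unpad_or_synthetic(em: bytes, khash: bytes, ciphertext: bytes, k: int) -> bytes:
    """Step 9: check the EM padding (RFC 8017 7.2.2 step 3); on failure hand back the
    synthetic message instead of an error, so the caller cannot tell the two apart."""
    fake = synthetic_message(khash, ciphertext, k)   # derived unconditionally, before the check
    sep = em.find(b"\x00", 2)                        # end of the non-zero padding string PS
    ok = len(em) == k and em[0] == 0 and em[1] == 2 and sep >= 10   # PS must be >= 8 bytes
    return em[sep + 1:] if ok else fake              # plain branch; the patch copies constant-time
```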
Showing 12 changed files with 3,270 additions and 247 deletions.
gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h: 1,270 changes (1,232 additions & 38 deletions); large diff not rendered.
gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h: 1,231 changes (1,159 additions & 72 deletions); large diff not rendered.
gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h: 527 changes (446 additions & 81 deletions); large diff not rendered.
@@ -0,0 +1,43 @@ | ||
#! gmake | ||
# | ||
# This Source Code Form is subject to the terms of the Mozilla Public | ||
# License, v. 2.0. If a copy of the MPL was not distributed with this | ||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
||
####################################################################### | ||
# (1) Include initial platform-independent assignments (MANDATORY). # | ||
####################################################################### | ||
|
||
include manifest.mn | ||
|
||
####################################################################### | ||
# (2) Include "global" configuration information. (OPTIONAL) # | ||
####################################################################### | ||
|
||
include $(CORE_DEPTH)/coreconf/config.mk | ||
|
||
####################################################################### | ||
# (3) Include "component" configuration information. (OPTIONAL) # | ||
####################################################################### | ||
|
||
|
||
####################################################################### | ||
# (4) Include "local" platform-dependent assignments (OPTIONAL). # | ||
####################################################################### | ||
|
||
include ../common/gtest.mk | ||
|
||
####################################################################### | ||
# (5) Execute "global" rules. (OPTIONAL) # | ||
####################################################################### | ||
|
||
include $(CORE_DEPTH)/coreconf/rules.mk | ||
|
||
####################################################################### | ||
# (6) Execute "component" rules. (OPTIONAL) # | ||
####################################################################### | ||
|
||
|
||
####################################################################### | ||
# (7) Execute "local" rules. (OPTIONAL). # | ||
####################################################################### |
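Review bot: nothing in this new Makefile says which test program it builds; apart from the license header it is the shared seven-section gtest skeleton with sections (3) and (6) left empty, so a one-line comment under the license naming the target would save the next reader a trip to the accompanying manifest. The empty sections themselves are consistent with the other gtest Makefiles and are fine as-is.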
@@ -0,0 +1,38 @@ | ||
# | ||
# This Source Code Form is subject to the terms of the Mozilla Public | ||
# License, v. 2.0. If a copy of the MPL was not distributed with this | ||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
CORE_DEPTH = ../.. | ||
DEPTH = ../.. | ||
MODULE = nss | ||
|
||
# we'll need to figure out how to get these symbols linked | ||
# in before we include these tests: | ||
# mpi_unittest.cc | ||
# ghash_unittest.cc | ||
CPPSRCS = \ | ||
dh_unittest.cc \ | ||
ecl_unittest.cc \ | ||
rsa_unittest.cc \ | ||
cmac_unittests.cc \ | ||
$(NULL) | ||
|
||
DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\" | ||
|
||
INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \ | ||
-I$(CORE_DEPTH)/lib/freebl/ecl \ | ||
-I$(CORE_DEPTH)/lib/freebl/mpi \ | ||
-I$(CORE_DEPTH)/lib/freebl \ | ||
-I$(CORE_DEPTH)/gtests/common \ | ||
-I$(CORE_DEPTH)/cpputil | ||
|
||
REQUIRES = nspr nss libdbm gtest cpputil | ||
|
||
PROGRAM = freebl_gtest | ||
|
||
EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \ | ||
$(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \ | ||
$(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) \ | ||
$(NULL) | ||
|
||
USE_STATIC_LIBS=1 |
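Review bot: the last line `USE_STATIC_LIBS=1` breaks the `NAME = value` spacing every other assignment in this file uses; write `USE_STATIC_LIBS = 1`. The comment above `CPPSRCS` records that mpi_unittest.cc and ghash_unittest.cc are held back until their symbols can be linked but gives nothing to track it by; a bug reference there would keep that TODO from going stale.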