[Cryptech-Commits] [sw/libhal] branch pkcs8 updated: Defend against Bleichenbacher's Attack in hal_rpc_pkey_import().

git at cryptech.is
Fri Apr 7 01:48:11 UTC 2017


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch pkcs8
in repository sw/libhal.

The following commit(s) were added to refs/heads/pkcs8 by this push:
     new 1386e9b  Defend against Bleichenbacher's Attack in hal_rpc_pkey_import().
1386e9b is described below

commit 1386e9b75feeff4ed5446b0169d286e54d7317ff
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Thu Apr 6 21:16:38 2017 -0400

    Defend against Bleichenbacher's Attack in hal_rpc_pkey_import().
    
    Borrowing an idea from PyCrypto, we substitute CSPRNG output for the
    value of a decrypted KEK if the PKCS #1.5 type 02 block format check
    fails.  Done properly, this should be very close to constant-time, and
    should make it harder to use hal_rpc_pkey_import() as an oracle.
---
 rpc_pkey.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/rpc_pkey.c b/rpc_pkey.c
index ce67614..9473ec3 100644
--- a/rpc_pkey.c
+++ b/rpc_pkey.c
@@ -1217,14 +1217,13 @@ static hal_error_t pkey_local_import(const hal_client_handle_t client,
   if ((err = hal_rsa_decrypt(NULL, rsa, data, data_len, der, data_len)) != HAL_OK)
     goto fail;
 
-  d = memchr(der + 2, 0x00, data_len - 2);
-
-  if (der[0] != 0x00 || der[1] != 0x02 || d == NULL || der + data_len != d + 1 + KEK_LENGTH) {
-    err = HAL_ERROR_ASN1_PARSE_FAILED;
+  if ((err = hal_get_random(NULL, kek, sizeof(kek))) != HAL_OK)
     goto fail;
-  }
 
-  memcpy(kek, d + 1, sizeof(kek));
+  d = memchr(der + 2, 0x00, data_len - 2);
+
+  if (der[0] == 0x00 && der[1] == 0x02 && d != NULL && der + data_len == d + 1 + KEK_LENGTH)
+    memcpy(kek, d + 1, sizeof(kek));
 
   if ((err = hal_asn1_decode_pkcs8_encryptedprivatekeyinfo(&oid, &oid_len, &data, &data_len, pkcs8, pkcs8_len)) != HAL_OK)
     goto fail;
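Review bot: the new check still decides with a short-circuiting `&&` chain and a conditional `memcpy(kek, d + 1, sizeof(kek))`, so whether the PKCS #1 v1.5 block parsed is visible as a branch and as a difference in memory accesses, and `memchr` itself runs for a data-dependent number of bytes before it finds the first 0x00. To reach the "done properly" goal in the commit message, fold the four conditions into a mask (`bad |= der[0]; bad |= der[1] ^ 0x02;` and so on, with a scan for the separator that never exits early) and copy with a constant-time byte select between `der` and the freshly randomized `kek` instead of branching. Two smaller points on the same lines: the check does not enforce the minimum 8-byte padding string required by RFC 3447 section 7.2.2 (`d - der >= 10`), and since a padding failure now falls through instead of setting `HAL_ERROR_ASN1_PARSE_FAILED`, whatever consumes `kek` after `hal_asn1_decode_pkcs8_encryptedprivatekeyinfo()` must fail with the same error and along the same path it takes for a well-formed but wrong KEK, or the oracle simply moves one step downstream.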

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
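The defence the commit message describes (the KEK is CSPRNG output unless the PKCS #1 v1.5 type 02 check passes) carried through in C as an added example; this is not libhal code and does not use the libhal API. The format check is done with masks rather than short-circuiting comparisons, the scan for the 0x00 separator never exits early, the minimum 8-byte padding-string length from RFC 3447 section 7.2.2 is enforced as well, and the copy into the KEK buffer is a constant-time select between the decrypted block and the pre-filled random bytes. KEK_LENGTH = 32, the 128-byte block and the 0xAA sentinel fill (standing in for hal_get_random()) are constructed for the demo and are assumptions, not values taken from libhal.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEK_LENGTH 32   /* assumed KEK size for the demo, not libhal's value */
enum { EM_LEN = 128 };  /* constructed 1024-bit encryption block */

/* Constant-time mask helpers over 32-bit values: each result is 0xFFFFFFFF or 0. */
static uint32_t ct_mask_nonzero(uint32_t x)
{
    return 0u - ((x | (0u - x)) >> 31);
}
static uint32_t ct_mask_lt(uint32_t a, uint32_t b)   /* a < b, for a, b < 2^31 */
{
    return 0u - ((a - b) >> 31);
}

/*
 * Constant-time PKCS #1 v1.5 type 02 unpadding of em[0..em_len) into kek.
 * The caller pre-fills kek with CSPRNG output; if the block is malformed kek is
 * left holding those random bytes, otherwise it receives the embedded message.
 * Control flow and memory access pattern do not depend on the block contents.
 * The return value (1 = well formed, 0 = not) is for tests and logging after
 * the KEK has been consumed; branching on it earlier reintroduces the oracle.
 */
int ct_pkcs1_unpad_kek(const uint8_t *em, size_t em_len, uint8_t kek[KEK_LENGTH])
{
    uint32_t bad = 0, found = 0, zero_idx = 0, good;
    uint8_t gm, bm;
    size_t i;

    /* em_len is the public modulus size, so branching on it leaks nothing. */
    if (em_len < KEK_LENGTH + 11 || em_len > 0x7FFFFFFFu)
        return 0;

    bad |= ct_mask_nonzero(em[0]);                 /* leading 0x00 */
    bad |= ct_mask_nonzero(em[1] ^ 0x02);          /* block type 02 */

    /* Full scan: remember the index of the first 0x00 without exiting early. */
    for (i = 2; i < em_len; i++) {
        uint32_t is_zero = ~ct_mask_nonzero(em[i]);
        zero_idx |= is_zero & ~found & (uint32_t)i;
        found |= is_zero;
    }
    bad |= ~found;                                                          /* no separator */
    bad |= ct_mask_lt(zero_idx, 10);                                        /* PS shorter than 8 bytes */
    bad |= ct_mask_nonzero(((uint32_t)em_len - 1u - zero_idx) ^ (uint32_t)KEK_LENGTH); /* message != KEK_LENGTH */

    /* A valid message always starts at em_len - KEK_LENGTH: fixed offset, constant-time select. */
    good = ~bad;
    gm = (uint8_t)good;
    bm = (uint8_t)bad;
    for (i = 0; i < KEK_LENGTH; i++)
        kek[i] = (uint8_t)((em[em_len - KEK_LENGTH + i] & gm) | (kek[i] & bm));
    return (int)(good & 1u);
}

/* Constructed block. variant 0 = well formed; 1 = wrong block type;
   2 = separator after only 3 bytes of PS; 3 = message one byte too short. */
void build_em(uint8_t em[EM_LEN], int variant)
{
    size_t i;
    memset(em, 0, EM_LEN);
    em[1] = (variant == 1) ? 0x01 : 0x02;
    for (i = 2; i < EM_LEN - KEK_LENGTH - 1; i++)
        em[i] = (uint8_t)(i + 1);                         /* nonzero padding bytes */
    em[EM_LEN - KEK_LENGTH - 1] = 0x00;                   /* separator */
    for (i = 0; i < KEK_LENGTH; i++)
        em[EM_LEN - KEK_LENGTH + i] = (uint8_t)(0xC0 + i); /* the embedded "KEK" */
    if (variant == 2)
        em[5] = 0x00;
    if (variant == 3) {
        em[EM_LEN - KEK_LENGTH - 1] = 0x33;
        em[EM_LEN - KEK_LENGTH] = 0x00;
    }
}

/* What the caller observes for one constructed case:
   1 = accepted and kek holds the embedded KEK,
   0 = rejected and kek still holds the pre-filled (random in real use) bytes,
  -1 = anything else, which would be a bug in the unpad routine. */
int demo_outcome(int variant)
{
    uint8_t em[EM_LEN], kek[KEK_LENGTH], expect[KEK_LENGTH];
    size_t i;
    int ok;

    build_em(em, variant);
    for (i = 0; i < KEK_LENGTH; i++)
        expect[i] = (uint8_t)(0xC0 + i);
    memset(kek, 0xAA, KEK_LENGTH);     /* stands in for hal_get_random() output */
    ok = ct_pkcs1_unpad_kek(em, EM_LEN, kek);

    if (ok == 1)
        return memcmp(kek, expect, KEK_LENGTH) == 0 ? 1 : -1;
    for (i = 0; i < KEK_LENGTH; i++)
        if (kek[i] != 0xAA)
            return -1;
    return 0;
}

int main(void)
{
    int v;
    for (v = 0; v < 4; v++)
        printf("variant %d: outcome %d\n", v, demo_outcome(v));
    return 0;
}
```

The point of the select loop is that both the accepted and the rejected case read the same bytes of `em` and write every byte of `kek`; the only difference is which source the mask lets through, so a caller that goes on to use `kek` without looking at the return value gives the attacker nothing to distinguish a padding failure from a wrong key.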
