rsa: add implicit rejection in PKCS#1 v1.5

The RSA decryption as implemented before required very careful handling
of both the exit code returned by OpenSSL and the potentially returned
ciphertext. Looking at the recent security vulnerabilities
(CVE-2020-25659 and CVE-2020-25657) it is unlikely that most users of
OpenSSL do it correctly.

Given that correct code requires side channel secure programming in
application code, we can classify the existing RSA decryption methods
as CWE-676, which in turn likely causes CWE-208 and CWE-385 in
application code.

To prevent that, we can use a technique called "implicit rejection".
For that we generate a random message to be returned in case the
padding check fails. We generate the message based on static secret
data (the private exponent) and the provided ciphertext (so that the
attacker cannot determine that the returned value is randomly generated
instead of result of decryption and de-padding). We return it in case
any part of padding check fails.

The upshot of this approach is that then not only is the length of the
returned message useless as the Bleichenbacher oracle, so are the
actual bytes of the returned message. So application code doesn't have
to perform any operations on the returned message in side-channel free
way to remain secure against Bleichenbacher attacks.

Note: this patch implements a specific algorithm, shared with Mozilla
NSS, so that the attacker cannot use one library as an oracle against the
other in heterogeneous environments.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)

2 files changed, 346 insertions, 1 deletions

diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 54e2a1c61c..2b25dad893 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -17,6 +17,9 @@
 #include "crypto/bn.h"
 #include "rsa_local.h"
 #include "internal/constant_time.h"
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+#include <openssl/hmac.h>
 
 static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
                                   unsigned char *to, RSA *rsa, int padding);
@@ -372,8 +375,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
     BIGNUM *f, *ret;
     int j, num = 0, r = -1;
     unsigned char *buf = NULL;
+    unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0};
+    HMAC_CTX *hmac = NULL;
+    unsigned int md_len = SHA256_DIGEST_LENGTH;
+    unsigned char kdk[SHA256_DIGEST_LENGTH] = {0};
     BN_CTX *ctx = NULL;
     int local_blinding = 0;
+    EVP_MD *md = NULL;
     /*
      * Used only if the blinding structure is shared. A non-NULL unblind
      * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
@@ -405,6 +413,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
         goto err;
     }
 
+    if (flen < 1) {
+        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
+        goto err;
+    }
+
     /* make data into a big number */
     if (BN_bin2bn(from, (int)flen, f) == NULL)
         goto err;
@@ -471,13 +484,91 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
         if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
             goto err;
 
+    /*
+     * derive the Key Derivation Key from private exponent and public
+     * ciphertext
+     */
+    if (!(rsa->flags & RSA_FLAG_EXT_PKEY)) {
+        /*
+         * because we use d as a handle to rsa->d we need to keep it local and
+         * free before any further use of rsa->d
+         */
+        BIGNUM *d = BN_new();
+        if (d == NULL) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+        if (rsa->d == NULL) {
+            ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
+            BN_free(d);
+            goto err;
+        }
+        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+        if (BN_bn2binpad(d, buf, num) < 0) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            BN_free(d);
+            goto err;
+        }
+        BN_free(d);
+
+        /*
+         * we use hardcoded hash so that migrating between versions that use
+         * different hash doesn't provide a Bleichenbacher oracle:
+         * if the attacker can see that different versions return different
+         * messages for the same ciphertext, they'll know that the message is
+         * syntethically generated, which means that the padding check failed
+         */
+        md = EVP_MD_fetch(rsa->libctx, "sha256", NULL);
+        if (md == NULL) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+
+        if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+
+        hmac = HMAC_CTX_new();
+        if (hmac == NULL) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+
+        if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+
+        if (flen < num) {
+            memset(buf, 0, num - flen);
+            if (HMAC_Update(hmac, buf, num - flen) <= 0) {
+                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+                goto err;
+            }
+        }
+        if (HMAC_Update(hmac, from, flen) <= 0) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+
+        md_len = SHA256_DIGEST_LENGTH;
+        if (HMAC_Final(hmac, kdk, &md_len) <= 0) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+    }
+
     j = BN_bn2binpad(ret, buf, num);
     if (j < 0)
         goto err;
 
     switch (padding) {
     case RSA_PKCS1_PADDING:
-        r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
+        if (rsa->flags & RSA_FLAG_EXT_PKEY)
+            r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
+        else
+            r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
         break;
     case RSA_PKCS1_OAEP_PADDING:
         r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
@@ -500,6 +591,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
 #endif
 
  err:
+    HMAC_CTX_free(hmac);
+    EVP_MD_free(md);
     BN_CTX_end(ctx);
     BN_CTX_free(ctx);
     OPENSSL_clear_free(buf, num);
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index 5f72fe1735..04fb0e4ed5 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -21,10 +21,14 @@
 #include <openssl/rand.h>
 /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */
 #include <openssl/prov_ssl.h>
+#include <openssl/evp.h>
+#include <openssl/sha.h>
+#include <openssl/hmac.h>
 #include "internal/cryptlib.h"
 #include "crypto/rsa.h"
 #include "rsa_local.h"
 
+
 int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
                                  const unsigned char *from, int flen)
 {
@@ -271,6 +275,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
     return constant_time_select_int(good, mlen, -1);
 }
 
+
+static int ossl_rsa_prf(OSSL_LIB_CTX *ctx,
+                        unsigned char *to, int tlen,
+                        const char *label, int llen,
+                        const unsigned char *kdk,
+                        uint16_t bitlen)
+{
+    int pos;
+    int ret = -1;
+    uint16_t iter = 0;
+    unsigned char be_iter[sizeof(iter)];
+    unsigned char be_bitlen[sizeof(bitlen)];
+    HMAC_CTX *hmac = NULL;
+    EVP_MD *md = NULL;
+    unsigned char hmac_out[SHA256_DIGEST_LENGTH];
+    unsigned int md_len;
+
+    if (tlen * 8 != bitlen) {
+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+        return ret;
+    }
+
+    be_bitlen[0] = (bitlen >> 8) & 0xff;
+    be_bitlen[1] = bitlen & 0xff;
+
+    hmac = HMAC_CTX_new();
+    if (hmac == NULL) {
+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
+
+    /*
+     * we use hardcoded hash so that migrating between versions that use
+     * different hash doesn't provide a Bleichenbacher oracle:
+     * if the attacker can see that different versions return different
+     * messages for the same ciphertext, they'll know that the message is
+     * syntethically generated, which means that the padding check failed
+     */
+    md = EVP_MD_fetch(ctx, "sha256", NULL);
+    if (md == NULL) {
+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
+
+    if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) {
+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
+
+    for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) {
+        if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+
+        be_iter[0] = (iter >> 8) & 0xff;
+        be_iter[1] = iter & 0xff;
+
+        if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+        if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+        if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) {
+            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+
+        /*
+         * HMAC_Final requires the output buffer to fit the whole MAC
+         * value, so we need to use the intermediate buffer for the last
+         * unaligned block
+         */
+        md_len = SHA256_DIGEST_LENGTH;
+        if (pos + SHA256_DIGEST_LENGTH > tlen) {
+            if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) {
+                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+                goto err;
+            }
+            memcpy(to + pos, hmac_out, tlen - pos);
+        } else {
+            if (HMAC_Final(hmac, to + pos, &md_len) <= 0) {
+                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+                goto err;
+            }
+        }
+    }
+
+    ret = 0;
+
+err:
+    HMAC_CTX_free(hmac);
+    EVP_MD_free(md);
+    return ret;
+}
+
+/*
+ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2
+ * padding from a decrypted RSA message. Unlike the
+ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it
+ * detects a padding error, rather it will return a deterministically generated
+ * random message. In other words it will perform an implicit rejection
+ * of an invalid padding. This means that the returned value does not indicate
+ * if the padding of the encrypted message was correct or not, making
+ * side channel attacks like the ones described by Bleichenbacher impossible
+ * without access to the full decrypted value and a brute-force search of
+ * remaining padding bytes
+ */
+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
+                                        unsigned char *to, int tlen,
+                                        const unsigned char *from, int flen,
+                                        int num, unsigned char *kdk)
+{
+/*
+ * We need to generate a random length for the synthethic message, to avoid
+ * bias towards zero and avoid non-constant timeness of DIV, we prepare
+ * 128 values to check if they are not too large for the used key size,
+ * and use 0 in case none of them are small enough, as 2^-128 is a good enough
+ * safety margin
+ */
+#define MAX_LEN_GEN_TRIES 128
+    unsigned char *synthetic = NULL;
+    int synthethic_length;
+    uint16_t len_candidate;
+    unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)];
+    uint16_t len_mask;
+    uint16_t max_sep_offset;
+    int synth_msg_index = 0;
+    int ret = -1;
+    int i, j;
+    unsigned int good, found_zero_byte;
+    int zero_index = 0, msg_index;
+
+    /*
+     * If these checks fail then either the message in publicly invalid, or
+     * we've been called incorrectly. We can fail immediately.
+     * Since this code is called only internally by openssl, those are just
+     * sanity checks
+     */
+    if (num != flen || tlen <= 0 || flen <= 0) {
+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+        return -1;
+    }
+
+    /* Generate a random message to return in case the padding checks fail */
+    synthetic = OPENSSL_malloc(flen);
+    if (synthetic == NULL) {
+        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
+        return -1;
+    }
+
+    if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0)
+        goto err;
+
+    /* decide how long the random message should be */
+    if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths),
+                     "length", 6, kdk,
+                     MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0)
+        goto err;
+
+    /*
+     * max message size is the size of the modulus size less 2 bytes for
+     * version and padding type and a minimum of 8 bytes padding
+     */
+    len_mask = max_sep_offset = flen - 2 - 8;
+    /*
+     * we want a mask so lets propagate the high bit to all positions less
+     * significant than it
+     */
+    len_mask |= len_mask >> 1;
+    len_mask |= len_mask >> 2;
+    len_mask |= len_mask >> 4;
+    len_mask |= len_mask >> 8;
+
+    synthethic_length = 0;
+    for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate);
+            i += sizeof(len_candidate)) {
+        len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1];
+        len_candidate &= len_mask;
+
+        synthethic_length = constant_time_select_int(
+            constant_time_lt(len_candidate, max_sep_offset),
+            len_candidate, synthethic_length);
+    }
+
+    synth_msg_index = flen - synthethic_length;
+
+    /* we have alternative message ready, check the real one */
+    good = constant_time_is_zero(from[0]);
+    good &= constant_time_eq(from[1], 2);
+
+    /* then look for the padding|message separator (the first zero byte) */
+    found_zero_byte = 0;
+    for (i = 2; i < flen; i++) {
+        unsigned int equals0 = constant_time_is_zero(from[i]);
+        zero_index = constant_time_select_int(~found_zero_byte & equals0,
+                                              i, zero_index);
+        found_zero_byte |= equals0;
+    }
+
+    /*
+     * padding must be at least 8 bytes long, and it starts two bytes into
+     * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check
+     * also fails.
+     */
+    good &= constant_time_ge(zero_index, 2 + 8);
+
+    /*
+     * Skip the zero byte. This is incorrect if we never found a zero-byte
+     * but in this case we also do not copy the message out.
+     */
+    msg_index = zero_index + 1;
+
+    /*
+     * old code returned an error in case the decrypted message wouldn't fit
+     * into the |to|, since that would leak information, return the synthethic
+     * message instead
+     */
+    good &= constant_time_ge(tlen, num - msg_index);
+
+    msg_index = constant_time_select_int(good, msg_index, synth_msg_index);
+
+    /*
+     * since at this point the |msg_index| does not provide the signal
+     * indicating if the padding check failed or not, we don't have to worry
+     * about leaking the length of returned message, we still need to ensure
+     * that we read contents of both buffers so that cache accesses don't leak
+     * the value of |good|
+     */
+    for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++)
+        to[j] = constant_time_select_8(good, from[i], synthetic[i]);
+    ret = j;
+
+err:
+    /*
+     * the only time ret < 0 is when the ciphertext is publicly invalid
+     * or we were called with invalid parameters, so we don't have to perform
+     * a side-channel secure raising of the error
+     */
+    if (ret < 0)
+        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
+    OPENSSL_free(synthetic);
+    return ret;
+}
+
 /*
  * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2
  * padding from a decrypted RSA message in a TLS signature. The result is stored