Limit size of modulus for bn_mul_mont and BN_mod_exp_mont_consttime#19735
Limit size of modulus for bn_mul_mont and BN_mod_exp_mont_consttime#19735bernd-edlinger wants to merge 1 commit intoopenssl:OpenSSL_1_1_1-stablefrom
Conversation
bernd-edlinger
added
the
branch: 1.1.1
|
The intention of this is limit the stack usage to ~4K |
|
Could you please submit the patch against master branch also reverting the recent limit change in BN_mod_exp_mont_consttime there? |
t8m
added
triaged: bug
|
I think this needs a comment first. |
crypto/bn/bn_local.h
Outdated
| /* #define BN_DEBUG */ | ||
| /* #define BN_DEBUG_RAND */ | ||
|
|
||
| #define BN_SIZE_LIMIT (4096 / BN_BYTES) |
There was a problem hiding this comment.
BN_CONSTTIME_SIZE_LIMIT or BN_MONT_CONSTTIME_SIZE_LIMIT?
There was a problem hiding this comment.
BN_SIZE_LIMIT feels right, as @davidben pointed out also BN_mod_exp and BN_mod_exp_mont will eventually call
bn_mul_mont_fixed_top and thus bn_mul_mont, so it is neither specific to consttime nor montgomery at all.
Actutally the whole issue starts to look a lot less harmless than in the beginning.
There was a problem hiding this comment.
Unless this limit applies to all BN operations it should not be called BN_SIZE_LIMIT.
There was a problem hiding this comment.
It is more the upper bound on the stack allocation of any BN operation we are willing to allow.
It also affects BN_mod_exp and BN_mod_sqrt.
Note: there are many call sites of the affected functions, especially of BN_mod_exp,
but not all of them seem to sanity check the input parameters.
If the modulus is a large enough odd number, a stack overflow will probably happen unexpectedly
|
|
||
| if (top > BN_SIZE_LIMIT) { | ||
| /* Prevent overflowing the powerbufLen computation below */ | ||
| return BN_mod_exp_mont(rr, a, p, m, ctx, in_mont); |
There was a problem hiding this comment.
Having a function that's explicitly about treating the exponent as secret then fallback to a function which doesn't seems poor. It seems better to just make the operation fail at this point.
Additionally, both these operations actually have comparable memory requirements anyway, because they're both windowed exponentiations. It's just that this one happens to allocate the memory contiguously, while BN_mod_exp_mont happens to just make a bunch of BIGNUMs. (Well, slightly less memory usage because, by using a sliding window, the public exponent variant is able to halve the table size, since you only need odd powers.)
The fallback from bn_mul_mont is more defensible, though I'd personally still just declare this is the limit for Montgomery reduction so there aren't extra codepaths to test and such.
There was a problem hiding this comment.
The rationale is this:
I dont think there is any valid cryptographic reason for doing computations with such large moduli,
RSA is limited 16384 bits, DH and DSA is limited to 10000 bits for a good reason.
It is much more likely that someone was tricked into calling this function with some bogus values
because doing this is likely to cause a stack overflow.
However, it is a clear ABI break to return an error when previously this function might have succeeded.
On the other hand, it is easy to configure with ./config -DBN_SIZE_LIMIT=1000000 if you are fine
with a stack allocation of 1MB or more.
There was a problem hiding this comment.
Having a function that's explicitly about treating the exponent as secret
by the way, the number of bits in the exponent is not a secret at all.
I kind of assumed that the while loop down below uses the number of bits in the modulus,
but now i see it takes a short cut if the exponent is much smaller than the modulus.
There was a problem hiding this comment.
I dont think there is any valid cryptographic reason for doing computations with such large moduli,
Well, one exception came just into my mind: I think I remember having read once a paper where researchers
did multiply the moduli of lots of publically available RSA certificates, forming huge composite numbers, and
doing GCD to find common divisors between them, And in deed that did result in some common primes
that were the result of poor random number generators.
However I doubt that they did consider using openssl for such computations, sinve there are better suited
math programs for math with such huge numbers. And moreover I doubt that I would call such use a
legitimate cryptographic use.
And doing this kind of math is not safe either, since currently all openssl versions might crash unexpectedly
with such computations, or will just be not optimized for use with such numbers if this PR gets merged.
But I wouldn't rule out the possibility that a future openssl version will turn this soft limit into a hard limit.
|
I've addressed the review comments. |
| /* | ||
| * This should limit the stack usage due to alloca to about 4K. | ||
| * BN_SIZE_LIMIT is a soft limit equivalent to 2*OPENSSL_RSA_MAX_MODULUS_BITS. | ||
| * Beyond that size bn_mul_mont is no longer used, and the constant time | ||
| * assembler code is disabled, due to the blatant alloca and bn_mul_mont usage. | ||
| * Note that bn_mul_mont does an alloca that is hidden away in assembly. | ||
| */ | ||
| # ifndef BN_SIZE_LIMIT | ||
| # define BN_SIZE_LIMIT (4096 / BN_BYTES) | ||
| # endif |
There was a problem hiding this comment.
As this is not hard size limit I'd still like to see a different name. BN_STACK_SIZE_LIMIT?
There was a problem hiding this comment.
I have extended the comment:
It is not recommended to do computations with numbers exceeding this limit,
since the result will be highly version dependent:
While the current OpenSSL version will use non-optimized, but safe code,
previous versions will use optimized code, that may crash due to unexpected
stack overflow, and future versions may very well turn this into a hard
limit.
Note however, that it is possible to override the size limit using
"./config -DBN_SITE_LIMIT=" if necessary, and the O/S specific
stack limit is known and taken into consideration.
There was a problem hiding this comment.
I'd still like to see a different name for the macro. The current one is totally misleading.
There was a problem hiding this comment.
Could we agree on BN_SOFT_LIMIT ?
bernd-edlinger
force-pushed
the
limit_alloca_size_in_bn_mod_mul
branch
from
26267e3 to
6643ed9
Compare
bernd-edlinger
force-pushed
the
limit_alloca_size_in_bn_mod_mul
branch
2 times, most recently
from
d71a9e1 to
da371a4
Compare
bernd-edlinger
force-pushed
the
limit_alloca_size_in_bn_mod_mul
branch
from
da371a4 to
c7f93ef
Compare
Otherwise the alloca can cause an exception. Issue reported by Jiayi Lin.
bernd-edlinger
force-pushed
the
limit_alloca_size_in_bn_mod_mul
branch
from
c7f93ef to
4f68d0d
Compare
t8m
added
the
approval: review pending
paulidale
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
bernd-edlinger
removed
the
hold: wait for master
|
Removing the hold, since #20005 has been merged. |
Otherwise the alloca can cause an exception. Issue reported by Jiayi Lin. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from #19735)
|
Merged to 1.1.1 as 5bbd921. |
Otherwise the alloca can cause an exception. Issue reported by Jiayi Lin. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#19735) (cherry picked from commit 5bbd921)
Otherwise the alloca can cause an exception. Issue reported by Jiayi Lin. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#19735) (cherry picked from commit 5bbd921)
Otherwise the alloca can cause an exception. Issue reported by Jiayi Lin. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#19735) (cherry picked from commit 5bbd921)
Otherwise the alloca can cause an exception. Issue reported by Jiayi Lin. Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from openssl#19735)
5 participants
Otherwise the alloca can cause an exception.
Issue reported by Jiayi Lin.
Checklist