Skip to content

fix CRMF symmetric key handling#9774

Closed
Akretsch wants to merge 5 commits intoopenssl:masterfrom
Akretsch:crmf_fix
Closed

fix CRMF symmetric key handling#9774
Akretsch wants to merge 5 commits intoopenssl:masterfrom
Akretsch:crmf_fix

Conversation

@Akretsch
Copy link
Contributor

@Akretsch Akretsch commented Sep 5, 2019

Fixes related to review comments #7646 (comment) , #7646 (comment) , #7646 (comment) given by @bernd-edlinger

EVP_CIPHER_CTX_set_padding(evp_ctx, 0);

if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv)
|| eksize != (size_t)EVP_CIPHER_key_length(cipher)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you need to check the eksize immediatly after the EVP_PKEY_decrypt.
best practice would be to do that with constant time code.
and to call ERR_clear_error before looking at the result code.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hopefully I got it now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It meanwhile turned out the constant-time style of checking the decryption result is not needed in the given context - see #17319 (comment).

size_t eksize = 0;

if (EVP_PKEY_decrypt(pkctx, NULL, &eksize, encKey->data, encKey->length)
<= 0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost okay. I suggest:

                || EVP_PKEY_decrypt(pkctx, ek, &eksize, encKey->data,
                                    encKey->length) <= 0
                || eksize != cikeysize) {
            ERR_clear_error(); /* error state has sensitive information */
            CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT,
                    CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY);
            goto end;
}

Bonus points, if you can do the result <= 0 || eksize != cikeysize in constant time.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hope I am closer to the bonus now. Thanks for your suggestions.

@Akretsch
Copy link
Contributor Author

Akretsch commented Sep 9, 2019

Thanks for help and guidance! Do I need a second reviewer for this PR?

@bernd-edlinger bernd-edlinger added branch: master Applies to master branch approval: review pending This pull request needs review by a committer labels Sep 9, 2019
@bernd-edlinger
Copy link
Member

correct.

@Akretsch
Copy link
Contributor Author

@mattcaswell May I ask you for 2nd review of this PR to drive our #9107 a little bit forward?

@mattcaswell mattcaswell added approval: done This pull request has the required number of approvals and removed approval: review pending This pull request needs review by a committer labels Sep 14, 2019
@mattcaswell
Copy link
Member

Pushed. Thanks.

levitte pushed a commit that referenced this pull request Sep 14, 2019
Reviewed-by: Bernd Edlinger <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from #9774)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approval: done This pull request has the required number of approvals branch: master Applies to master branch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants