Disable implicit rejection for RSA PKCS#1 v1.5 #95157

Merged
merged 1 commit into from
Nov 24, 2023

vcsjones
Member

Starting in OpenSSL 3.2, RSA PKCS#1 v1.5 decryption no longer fails for invalid RSA padding. Instead, it produces random output data. This was introduced in openssl/openssl#13817.

Some Linux distributions back ported this to OpenSSL 3.1.x which resulted in failures seen in #95115.

This disables the "implicit rejection" of PKCS#1 v1.5 RSA decryption so that RSA.Encrypt and RSA.Decrypt continue to follow their documented behavior and cross-platform behavior.

Fixes #95115.
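
The behaviour difference described in the PR description above, as an added Python model (not code from this PR, from .NET, or from OpenSSL): `decrypt_explicit` follows the fail-on-bad-padding contract the PR preserves, while `decrypt_implicit` returns pseudo-random bytes instead of an error. Assumptions: the RSA operation itself is skipped, so the functions take the already-decrypted block `em`; the HMAC-based fallback is a simplification of OpenSSL's derivation; the names and sample values are constructed, and the code is not constant-time.

```python
import hashlib
import hmac

K = 64  # modulus size in bytes for a 512-bit key (constructed sample size)


def make_em(msg: bytes) -> bytes:
    """Build a valid EME-PKCS1-v1_5 block: 00 02 <nonzero PS, >= 8 bytes> 00 <msg>."""
    ps = b"\xff" * (K - 3 - len(msg))  # fixed filler for reproducibility; real PS is random
    assert len(ps) >= 8
    return b"\x00\x02" + ps + b"\x00" + msg


def parse_em(em: bytes):
    """Return the message, or None when the padding is malformed."""
    if len(em) != K or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator found, or fewer than 8 padding bytes
        return None
    return em[sep + 1:]


def decrypt_explicit(em: bytes) -> bytes:
    """Explicit rejection: malformed padding is reported as an error."""
    msg = parse_em(em)
    if msg is None:
        raise ValueError("invalid PKCS#1 v1.5 padding")
    return msg


def decrypt_implicit(em: bytes, ciphertext: bytes, key_secret: bytes) -> bytes:
    """Implicit rejection (simplified model): malformed padding yields bytes, not an error.

    The fallback is derived from a per-key secret and the ciphertext, so the
    same bad ciphertext always maps to the same output.
    """
    msg = parse_em(em)
    if msg is not None:
        return msg
    stream = hmac.new(key_secret, ciphertext, hashlib.sha256).digest()
    length = stream[0] % 33  # model only: at most one digest of output
    return hmac.new(stream, b"message", hashlib.sha256).digest()[:length]
```

A caller that relies on an exception to detect a ciphertext that does not decrypt gets one from the first function and never from the second; under implicit rejection the failure has to be caught by validating the returned plaintext.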

@ghost

ghost commented Nov 23, 2023

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details


Author: vcsjones
Assignees: -
Labels:

area-System.Security

Milestone: -

@vcsjones vcsjones requested a review from bartonjs November 23, 2023 02:26
@vcsjones
Member Author

/azp list

This comment was marked as outdated.

@vcsjones
Member Author

/azp run runtime-libraries-coreclr outerloop-linux


Azure Pipelines successfully started running 1 pipeline(s).

@vcsjones
Member Author

Decrypt_512_CekDoesNotDecrypt_FixedValue passed in outerloop. I think this is good to merge now, and open back ports.

@bartonjs
Member

The outerloop tests that failed look to be unrelated; and, notably, the one we're fixing didn't fail.

@bartonjs bartonjs merged commit c23d9fa into dotnet:main Nov 24, 2023
122 of 126 checks passed
@vcsjones vcsjones deleted the rsa-implicit-encryption branch November 24, 2023 19:09
@vcsjones
Member Author

/backport to release/8.0-staging

@vcsjones
Member Author

/backport to release/7.0-staging

Contributor

Started backporting to release/8.0-staging: https://github.com/dotnet/runtime/actions/runs/6984746124

Contributor

Started backporting to release/7.0-staging: https://github.com/dotnet/runtime/actions/runs/6984747052

@vcsjones
Member Author

/backport to release/6.0-staging

Contributor

Started backporting to release/6.0-staging: https://github.com/dotnet/runtime/actions/runs/6984748090

@tomato42

tomato42 commented Dec 6, 2023

This will make all users of the RSA PKCS#1v1.5 decryption API vulnerable!

The change in OpenSSL was introduced to protect users of OpenSSL against https://people.redhat.com/~hkario/marvin/

@github-actions github-actions bot locked and limited conversation to collaborators Jan 6, 2024
@carlossanlop
Member

The above feedback was addressed in detail by @GrabYourPitchforks here. All backports have been merged.

@bartonjs bartonjs added cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. tracking This issue is tracking the completion of other related issues. labels Aug 15, 2024
Successfully merging this pull request may close these issues.

System.Security.Cryptography.Pkcs test Decrypt_512_CekDoesNotDecrypt_FixedValue fails on Fedora 38