1From 80a6ce8ddb02477cd724cd5b2944791aaddb702a Mon Sep 17 00:00:00 2001
2From: Alexander Sosedkin <asosedkin@redhat.com>
3Date: Tue, 9 Aug 2022 16:05:53 +0200
4Subject: [PATCH] auth/rsa: side-step potential side-channel
5
6Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
7Signed-off-by: Hubert Kario <hkario@redhat.com>
8Tested-by: Hubert Kario <hkario@redhat.com>
9Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80a6ce8ddb02477cd724cd5b2944791aaddb702a
10 https://gitlab.com/gnutls/gnutls/-/commit/4b7ff428291c7ed77c6d2635577c83a43bbae558]
11CVE: CVE-2023-0361
12Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
13---
14 lib/auth/rsa.c | 30 +++---------------------------
15 1 file changed, 3 insertions(+), 27 deletions(-)
16
17diff --git a/lib/auth/rsa.c b/lib/auth/rsa.c
18index 8108ee8..858701f 100644
19--- a/lib/auth/rsa.c
20+++ b/lib/auth/rsa.c
21@@ -155,13 +155,10 @@ static int
22 proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
23 size_t _data_size)
24 {
25- const char attack_error[] = "auth_rsa: Possible PKCS #1 attack\n";
26 gnutls_datum_t ciphertext;
27 int ret, dsize;
28 ssize_t data_size = _data_size;
29 volatile uint8_t ver_maj, ver_min;
30- volatile uint8_t check_ver_min;
31- volatile uint32_t ok;
32
33 #ifdef ENABLE_SSL3
34 if (get_num_version(session) == GNUTLS_SSL3) {
35@@ -187,7 +184,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
36
37 ver_maj = _gnutls_get_adv_version_major(session);
38 ver_min = _gnutls_get_adv_version_minor(session);
39- check_ver_min = (session->internals.allow_wrong_pms == 0);
40
41 session->key.key.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
42 if (session->key.key.data == NULL) {
43@@ -206,10 +202,9 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
44 return ret;
45 }
46
47- ret =
48- gnutls_privkey_decrypt_data2(session->internals.selected_key,
49- 0, &ciphertext, session->key.key.data,
50- session->key.key.size);
51+ gnutls_privkey_decrypt_data2(session->internals.selected_key,
52+ 0, &ciphertext, session->key.key.data,
53+ session->key.key.size);
54 /* After this point, any conditional on failure that cause differences
55 * in execution may create a timing or cache access pattern side
56 * channel that can be used as an oracle, so treat very carefully */
57@@ -225,25 +220,6 @@ proc_rsa_client_kx(gnutls_session_t session, uint8_t * data,
58 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
59 */
60
61- /* ok is 0 in case of error and 1 in case of success. */
62-
63- /* if ret < 0 */
64- ok = CONSTCHECK_EQUAL(ret, 0);
65- /* session->key.key.data[0] must equal ver_maj */
66- ok &= CONSTCHECK_EQUAL(session->key.key.data[0], ver_maj);
67- /* if check_ver_min then session->key.key.data[1] must equal ver_min */
68- ok &= CONSTCHECK_NOT_EQUAL(check_ver_min, 0) &
69- CONSTCHECK_EQUAL(session->key.key.data[1], ver_min);
70-
71- if (ok) {
72- /* call logging function unconditionally so all branches are
73- * indistinguishable for timing and cache access when debug
74- * logging is disabled */
75- _gnutls_no_log("%s", attack_error);
76- } else {
77- _gnutls_debug_log("%s", attack_error);
78- }
79-
80 /* This is here to avoid the version check attack
81 * discussed above.
82 */
83--
842.25.1
85
86
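Review bot: The return value of `gnutls_privkey_decrypt_data2` is discarded on the new side of the third hunk (line 51) without any comment, while `ret` stays declared (line 27) and still feeds the earlier error path (line 44), so a later maintainer is likely to "fix" the apparently unchecked call and reintroduce exactly the failure-dependent branch this commit removes. A comment on the call would pin the intent down: `/* Result deliberately ignored: reacting to a failed PKCS #1 decryption here would act as a Bleichenbacher-style oracle; the buffer is used as the premaster secret either way. */`. Whether the constant-time decrypt path really leaves usable (random) bytes in `session->key.key.data` on failure is not visible in this diff and should be confirmed against the privkey backend before the comment is worded that strongly. In the first hunk `ver_maj`/`ver_min` keep their `volatile` qualifier although the comparisons that motivated it are deleted in the fourth hunk; if they are now only written into the key buffer (outside this diff), the qualifier is vestigial and either deserves a one-line justification or can go. proc_rsa_client_kx starts in the first hunk and its body ends outside the diff.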