Closed Bug 1459141 Opened 7 years ago Closed 5 years ago

Softoken CBC padding removal might have a timing side channel

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mt, Assigned: deian)

References

Details

(Keywords: csectype-side-channel, sec-moderate)

Attachments

(3 files, 4 obsolete files)

0001-Bug-1459141-Rewrite-softoken-CBC-pad-check-to-be-con.patch
5.55 KB, patch
kjacobs
: review-
Details | Diff | Splinter Review
Rewrite softoken CBC pad check to be constant
47 bytes, text/x-phabricator-request
Details | Review
Bug 1459141 - A few more CBC padding tests.
47 bytes, text/x-phabricator-request
Details | Review
NSC_Decrypt[Final] takes some steps to avoid creating a timing oracle, but I believe that it isn't perfect. Here's the code: https://searchfox.org/nss/rev/07e15231b59638e9babc79d63493eab766d12595/lib/softoken/pkcs11c.c#1578 And the comparable code in our TLS code: https://searchfox.org/nss/rev/07e15231b59638e9babc79d63493eab766d12595/lib/ssl/ssl3con.c#11684 You will note that the padding removal in the TLS code always reads 255 octets (up to a limit of what is available), where softoken isn't anywhere near as careful.
Blocks: 1458929
QA Contact: jjones
Type: enhancement → defect
Priority: -- → P2

Seems like NSC_Decrypt (non Final) has the same issue here:

        if (padding > context->blockSize || !padding) {      // <-- treated as public
            crv = CKR_ENCRYPTED_DATA_INVALID;
        } else {
            unsigned int i;
            unsigned int badPadding = 0; /* used as a boolean */
            for (i = 0; i < padding; i++) {       // <-- treated as public
                badPadding |= (unsigned int)pData[outlen - 1 - i] ^ padding; // <-- treated as if secret
            }
Assignee: nobody → deian
Attachment #9098693 - Flags: review?(kjacobs.bugzilla)
Comment on attachment 9098693 [details] [diff] [review] 0001-Bug-1459141-Rewrite-softoken-CBC-pad-check-to-be-con.patch Review of attachment 9098693 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/softoken/pkcs11c.c @@ +1617,5 @@ > + unsigned int padSize = (unsigned int)pLastPart[blockSize - 1]; > + > + /* if ((padSize > blockSize) || (padSize == 0)) { */ > + /* goodPAD = ~0; */ > + /* } */ Just a nit, but can we make the multi-line comment formatting match the one below?

That was lingering code for testing the parts of the function as I was porting it to CT. Should not have been there, sorry.

Attachment #9098693 - Attachment is obsolete: true
Attachment #9098693 - Flags: review?(kjacobs.bugzilla)
Attachment #9100345 - Flags: review?(kjacobs.bugzilla)
Comment on attachment 9100345 [details] [diff] [review] 0001-Bug-1459141-Rewrite-softoken-CBC-pad-check-to-be-con.patch No problem, thank you! r+ for check-in after clang-format.
Attachment #9100345 - Flags: review?(kjacobs.bugzilla) → review+

clang-format, carrying r+

Attachment #9100345 - Attachment is obsolete: true
Attachment #9100349 - Flags: review+

Try push failed on Windows, cannot land. (https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=08aee908a2c4)

c:/Users/task_1570825892/nss/lib/softoken/pkcs11c.c(1623): warning C4146: unary minus operator applied to unsigned type, result still unsigned

Furthermore, I have a review comment, sorry that I didn't review this sooner than now:

As changed, the NSC_DecryptFinal function modifies pulLastPartLen even on crv being a failure, which we generally try to avoid. Due to different construction NSC_Decrypt still appears to behave that way. We shouldn't regress that behavior for NSC_DecryptFinal

Flags: needinfo?(deian)

I've already tagged NSS_3_47_BETA1 but I will be happy to take this for NSS_3_47_BETA2.

  • Since we just want CT_NOT_ZERO(X) to give us all-zeros for 0 and all-ones otherwise, I just replaced -(x) with (0-x) in the macro. Not sure if there is a different convention elsewhere in the codebase to follow though.

  • Fixed NSC_DecryptFinal; copied a helper function from ssl3con.c. May be nice to share some of these helper functions/macros.

Attachment #9100349 - Attachment is obsolete: true
Flags: needinfo?(deian)
Attachment #9100791 - Flags: review?(jjones)

Due to different construction NSC_Decrypt still appears to behave that way.

With refactoring of the padding code out it's pretty easy to fix this too. Should we just do it in this patch?

Flags: needinfo?(jjones)

I don't feel strongly either way on expanding this patch. Kevin?

Flags: needinfo?(jjones) → needinfo?(kjacobs.bugzilla)
Comment on attachment 9100791 [details] [diff] [review] 0001-Bug-1459141-Rewrite-softoken-CBC-pad-check-to-be-con.patch Review of attachment 9100791 [details] [diff] [review]: ----------------------------------------------------------------- Looks good to me. Kevin, can you take one more look? Try push is here: https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=01f948011f38da9f374a7ae61b9b80e37b6e69e2
Attachment #9100791 - Flags: review?(kjacobs.bugzilla)
Attachment #9100791 - Flags: review?(jjones)
Attachment #9100791 - Flags: review+
Comment on attachment 9100791 [details] [diff] [review] 0001-Bug-1459141-Rewrite-softoken-CBC-pad-check-to-be-con.patch Review of attachment 9100791 [details] [diff] [review]: ----------------------------------------------------------------- Looks good to me as-is.
Attachment #9100791 - Flags: review?(kjacobs.bugzilla) → review+

^ Clearing NI.

Flags: needinfo?(kjacobs.bugzilla)

https://hg.mozilla.org/projects/nss/rev/474d62c9d0db3f8c3780e62a1a16c91c364fee14

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.47

This breaks u2f soft tokens in Firefox.

Status: RESOLVED → REOPENED
Flags: needinfo?(deian)
Resolution: FIXED → ---
See Also: → 1589120

I'm shortly going to back this back out for a BETA3 to keep our uplift train moving. We can make a BETA4 as necessary.

u2f tests passes and all nss tests pass

Attachment #9100791 - Attachment is obsolete: true
Flags: needinfo?(deian)
Comment on attachment 9101693 [details] [diff] [review] 0001-Bug-1459141-Rewrite-softoken-CBC-pad-check-to-be-con.patch Review of attachment 9101693 [details] [diff] [review]: ----------------------------------------------------------------- See vectors in https://phabricator.services.mozilla.com/D49503
Attachment #9101693 - Flags: review-

This patch adds more test vectors for AES-CBC and 2DES-CBC padding.

https://hg.mozilla.org/projects/nss/rev/d3c8638f85cdc4ed6c114406fca49314514bc097

Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
Resolution: --- → FIXED
Target Milestone: 3.48 → 3.47
Group: crypto-core-security → core-security-release
Group: core-security-release
Duplicate of this bug: 1458929
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: