runtime-re-enable-implicit-rejection.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

From 076687f5f9e7e1fce24f33f498b4e03c4150108e Mon Sep 17 00:00:00 2001
From: Omair Majid <omajid@redhat.com>
Date: Fri, 2 Feb 2024 12:09:52 -0500
Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95218)"

This reverts commit e3500b8e8ad18e8bf067dc5250863b64bb8f0de0.

To quote Clemens Lang:

> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
> attack against PKCS#1v1.5 decryption. See
> https://people.redhat.com/~hkario/marvin/ for details and
> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
> comment by the researcher who published the vulnerability and proposed the
> change in OpenSSL.

For more details, see:
https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
---
 .../RSA/EncryptDecrypt.cs                     | 49 ++++---------------
 .../opensslshim.h                             |  6 ---
 .../pal_evp_pkey_rsa.c                        | 13 -----
 3 files changed, 10 insertions(+), 58 deletions(-)

diff --git a/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
index 55a044d62a6..e72d42e87d2 100644
--- a/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+++ b/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
@@ -338,10 +338,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
             Assert.Equal(TestData.HelloBytes, output);
         }
 
-        [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
+        [ConditionalFact]
         [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
         public void RoundtripEmptyArray()
         {
+            if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+            {
+                throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
+            }
+            if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+            {
+                throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
+            }
+
             using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
             {
                 void RoundtripEmpty(RSAEncryptionPadding paddingMode)
@@ -726,23 +715,5 @@ public static IEnumerable<object[]> OaepPaddingModes
                 }
             }
         }
-
-        public static bool PlatformSupportsEmptyRSAEncryption
-        {
-            get
-            {
-                if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
-                {
-                    return false;
-                }
-
-                if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
-                {
-                    return false;
-                }
-
-                return true;
-            }
-        }
     }
 }
diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
index 050df1193ff..dad18ebd9a1 100644
--- a/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
+++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
@@ -272,10 +272,8 @@ const EVP_CIPHER* EVP_chacha20_poly1305(void);
     REQUIRED_FUNCTION(ERR_peek_error) \
     REQUIRED_FUNCTION(ERR_peek_error_line) \
     REQUIRED_FUNCTION(ERR_peek_last_error) \
-    REQUIRED_FUNCTION(ERR_pop_to_mark) \
     FALLBACK_FUNCTION(ERR_put_error) \
     REQUIRED_FUNCTION(ERR_reason_error_string) \
-    REQUIRED_FUNCTION(ERR_set_mark) \
     LIGHTUP_FUNCTION(ERR_set_debug) \
     LIGHTUP_FUNCTION(ERR_set_error) \
     REQUIRED_FUNCTION(EVP_aes_128_cbc) \
@@ -330,7 +328,6 @@ const EVP_CIPHER* EVP_chacha20_poly1305(void);
     REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
     REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
     REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
-    REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
     REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
     REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
     REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
@@ -728,10 +725,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
 #define ERR_peek_error_line ERR_peek_error_line_ptr
 #define ERR_peek_last_error ERR_peek_last_error_ptr
 #define ERR_put_error ERR_put_error_ptr
-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
 #define ERR_reason_error_string ERR_reason_error_string_ptr
 #define ERR_set_debug ERR_set_debug_ptr
-#define ERR_set_mark ERR_set_mark_ptr
 #define ERR_set_error ERR_set_error_ptr
 #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
 #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
@@ -785,7 +780,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
 #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
 #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
 #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
 #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
 #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
 #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr
diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
index c3e491a868f..36924abb505 100644
--- a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
@@ -63,19 +63,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
         {
             return false;
         }
-
-        // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
-        // If the padding is invalid, the decryption operation returns random data.
-        // See https://github.com/openssl/openssl/pull/13817 for background.
-        // Some Linux distributions backported this change to previous versions of OpenSSL.
-        // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
-        ERR_set_mark();
-
-        EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
-
-        // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
-        // current version does not support implicit rejection.
-        ERR_pop_to_mark();
     }
     else
     {
-- 
2.43.0