Blame SOURCES/runtime-re-enable-implicit-rejection.patch

From 076687f5f9e7e1fce24f33f498b4e03c4150108e Mon Sep 17 00:00:00 2001
From: Omair Majid <omajid@redhat.com>
Date: Fri, 2 Feb 2024 12:09:52 -0500
Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95218)"
This reverts commit e3500b8e8ad18e8bf067dc5250863b64bb8f0de0.
To quote Clemens Lang:
> [Disabling implicit rejection] re-enables a Bleichenbacher timing oracle
> attack against PKCS#1v1.5 decryption. See
> https://people.redhat.com/~hkario/marvin/ for details and
> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
> comment by the researcher who published the vulnerability and proposed the
> change in OpenSSL.
For more details, see:
https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
---
 .../RSA/EncryptDecrypt.cs                     | 49 ++++---------------
 .../opensslshim.h                             |  6 ---
 .../pal_evp_pkey_rsa.c                        | 13 -----
 3 files changed, 10 insertions(+), 58 deletions(-)
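diff --git a/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
index 55a044d62a6..e72d42e87d2 100644
--- a/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+++ b/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
@@ -338,10 +338,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
             Assert.Equal(TestData.HelloBytes, output);
         }
 
-        [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
+        [ConditionalFact]
         [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
         public void RoundtripEmptyArray()
         {
+            if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
+            {
+                throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
+            }
+            if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
+            {
+                throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
+            }
+
             using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
             {
                 void RoundtripEmpty(RSAEncryptionPadding paddingMode)
@@ -692,26 +701,6 @@ public void NotSupportedValueMethods()
             }
         }
 
-        [ConditionalTheory]
-        [InlineData(new byte[] { 1, 2, 3, 4 })]
-        [InlineData(new byte[0])]
-        public void Decrypt_Pkcs1_ErrorsForInvalidPadding(byte[] data)
-        {
-            if (data.Length == 0 && !PlatformSupportsEmptyRSAEncryption)
-            {
-                throw new SkipTestException("Platform does not support RSA encryption of empty data.");
-            }
-
-            using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
-            {
-                byte[] encrypted = Encrypt(rsa, data, RSAEncryptionPadding.Pkcs1);
-                encrypted[1] ^= 0xFF;
-
-                // PKCS#1, the data, and the key are all deterministic so this should always throw an exception.
-                Assert.ThrowsAny<CryptographicException>(() => Decrypt(rsa, encrypted, RSAEncryptionPadding.Pkcs1));
-            }
-        }
-
         public static IEnumerable<object[]> OaepPaddingModes
         {
             get
@@ -726,23 +715,5 @@ public static IEnumerable<object[]> OaepPaddingModes
                 }
             }
         }
-
-        public static bool PlatformSupportsEmptyRSAEncryption
-        {
-            get
-            {
-                if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
-                {
-                    return false;
-                }
-
-                if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
-                {
-                    return false;
-                }
-
-                return true;
-            }
-        }
     }
 }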
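Review bot: With `Decrypt_Pkcs1_ErrorsForInvalidPadding` removed, nothing in this file exercises PKCS#1 v1.5 decryption of a tampered ciphertext any more. Because implicit rejection is back at the OpenSSL default, the outcome now depends on the provider: some throw `CryptographicException`, others return pseudo-random bytes, so the old always-throws assertion cannot simply be restored. A replacement test that accepts either outcome but asserts the original plaintext never comes back would keep the case covered and record that callers cannot rely on the exception as a padding check. The sketch below reuses only helpers visible in these hunks; whether a single flipped byte is handled the same way on every platform is an assumption to confirm.

```csharp
// … unchanged: NotSupportedValueMethods and earlier tests …

[Fact]
public void Decrypt_Pkcs1_TamperedCiphertext_NeverYieldsPlaintext()
{
    using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
    {
        byte[] encrypted = Encrypt(rsa, TestData.HelloBytes, RSAEncryptionPadding.Pkcs1);
        encrypted[1] ^= 0xFF;

        byte[] decrypted;
        try
        {
            decrypted = Decrypt(rsa, encrypted, RSAEncryptionPadding.Pkcs1);
        }
        catch (CryptographicException)
        {
            // Providers without implicit rejection report the invalid padding.
            return;
        }

        // Providers with implicit rejection return a synthetic message instead of failing.
        Assert.NotEqual(TestData.HelloBytes, decrypted);
    }
}
```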
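diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h b/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
index 050df1193ff..dad18ebd9a1 100644
--- a/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
+++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
@@ -272,10 +272,8 @@ const EVP_CIPHER* EVP_chacha20_poly1305(void);
     REQUIRED_FUNCTION(ERR_peek_error) \
     REQUIRED_FUNCTION(ERR_peek_error_line) \
     REQUIRED_FUNCTION(ERR_peek_last_error) \
-    REQUIRED_FUNCTION(ERR_pop_to_mark) \
     FALLBACK_FUNCTION(ERR_put_error) \
     REQUIRED_FUNCTION(ERR_reason_error_string) \
-    REQUIRED_FUNCTION(ERR_set_mark) \
     LIGHTUP_FUNCTION(ERR_set_debug) \
     LIGHTUP_FUNCTION(ERR_set_error) \
     REQUIRED_FUNCTION(EVP_aes_128_cbc) \
@@ -330,7 +328,6 @@ const EVP_CIPHER* EVP_chacha20_poly1305(void);
     REQUIRED_FUNCTION(EVP_PKCS82PKEY) \
     REQUIRED_FUNCTION(EVP_PKEY2PKCS8) \
     REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl) \
-    REQUIRED_FUNCTION(EVP_PKEY_CTX_ctrl_str) \
     REQUIRED_FUNCTION(EVP_PKEY_CTX_free) \
     REQUIRED_FUNCTION(EVP_PKEY_CTX_get0_pkey) \
     REQUIRED_FUNCTION(EVP_PKEY_CTX_new) \
@@ -728,10 +725,8 @@ FOR_ALL_OPENSSL_FUNCTIONS
 #define ERR_peek_error_line ERR_peek_error_line_ptr
 #define ERR_peek_last_error ERR_peek_last_error_ptr
 #define ERR_put_error ERR_put_error_ptr
-#define ERR_pop_to_mark ERR_pop_to_mark_ptr
 #define ERR_reason_error_string ERR_reason_error_string_ptr
 #define ERR_set_debug ERR_set_debug_ptr
-#define ERR_set_mark ERR_set_mark_ptr
 #define ERR_set_error ERR_set_error_ptr
 #define EVP_aes_128_cbc EVP_aes_128_cbc_ptr
 #define EVP_aes_128_cfb8 EVP_aes_128_cfb8_ptr
@@ -785,7 +780,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
 #define EVP_PKCS82PKEY EVP_PKCS82PKEY_ptr
 #define EVP_PKEY2PKCS8 EVP_PKEY2PKCS8_ptr
 #define EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_ptr
-#define EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_ctrl_str_ptr
 #define EVP_PKEY_CTX_free EVP_PKEY_CTX_free_ptr
 #define EVP_PKEY_CTX_get0_pkey EVP_PKEY_CTX_get0_pkey_ptr
 #define EVP_PKEY_CTX_new EVP_PKEY_CTX_new_ptr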
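diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
index c3e491a868f..36924abb505 100644
--- a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
+++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
@@ -63,19 +63,6 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
         {
             return false;
         }
-
-        // OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
-        // If the padding is invalid, the decryption operation returns random data.
-        // See https://github.com/openssl/openssl/pull/13817 for background.
-        // Some Linux distributions backported this change to previous versions of OpenSSL.
-        // Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
-        ERR_set_mark();
-
-        EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
-
-        // Undo any changes to the error queue that may have occured while configuring implicit rejection if the
-        // current version does not support implicit rejection.
-        ERR_pop_to_mark();
     }
     else
     {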
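Review bot: After this removal `ConfigureEncryption` no longer says why `rsa_pkcs1_implicit_rejection` is left unset. The deleted comment was the only place noting that OpenSSL 3.2 and distro backports return random data for invalid PKCS#1 padding instead of failing. I would keep a short comment in the branch that ends just before the `else`, e.g. `// Implicit rejection is deliberately left at the OpenSSL default; disabling it re-opens the Bleichenbacher/Marvin timing oracle.` It should also say that decryption may succeed with unrelated bytes, so callers must not treat a successful decrypt as an integrity check. The function body starts and ends outside this hunk, so reading that branch as the PKCS#1 one is inferred from the removed comment.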
-- 
2.43.0