Skip to content

[release/6.0-staging] Disable implicit rejection for RSA PKCS#1 v1.5 #95218

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
carlossanlop merged 1 commit into from
Jan 16, 2024
Merged

[release/6.0-staging] Disable implicit rejection for RSA PKCS#1 v1.5 #95218

carlossanlop merged 1 commit into from
Jan 16, 2024

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Nov 24, 2023
edited by vcsjones
Loading

Backport of #95157 to release/6.0-staging

/cc @vcsjones @bartonjs

Customer Impact

OpenSSL introduced a behavior change in EVP_PKEY_decrypt where RSA decryption with PKCS#1 v1.5 padding no longer produces an error with invalid padding. Instead, it returns “random” data.

Customers using affected versions of OpenSSL will no longer get consistent and documented behavior from RSA.Decrypt.

This change is reacting to a breaking behavioral change in a dependency, OpenSSL, so that RSA.Decrypt continues to function as it is documented to, and to be consistent with Windows and other platforms.

Testing

This behavior change was identified with a test in #95115. Additional tests were added.

Risk

Low. This is reacting to a change in OpenSSL by settings a particular flag. Existing tests cover RSA.Decrypt’s behavior.

@ghost ghost added the area-System.Security label Nov 24, 2023
@ghost
Copy link

ghost commented Nov 24, 2023

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

Backport of #95157 to release/6.0-staging

/cc @vcsjones

Customer Impact

Testing

Risk

IMPORTANT: If this backport is for a servicing release, please verify that:

  • The PR target branch is release/X.0-staging, not release/X.0.

  • If the change touches code that ships in a NuGet package, you have added the necessary package authoring and gotten it explicitly reviewed.

Author: github-actions[bot]
Assignees: -
Labels:

area-System.Security
Milestone: -

@akoeplinger akoeplinger added the Servicing-consider Issue for next servicing release review label Nov 25, 2023
@vcsjones vcsjones added this to the 6.0.x milestone Nov 26, 2023
@leecow leecow added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Dec 5, 2023
@leecow leecow modified the milestones: 6.0.x, 6.0.27 Dec 5, 2023
@neverpanic
Copy link

neverpanic commented Dec 6, 2023
edited
Loading

Just to make sure that this doesn't end up being merged just because nobody saw the original comment: This re-enables a Bleichenbacher timing oracle attack against PKCS#1v1.5 decryption. See https://people.redhat.com/~hkario/marvin/ for details and #95157 (comment) for a comment by the researcher who published the vulnerability and proposed the change in OpenSSL.

I don't think this should be merged.

@carlossanlop carlossanlop added blocked Issue/PR is blocked on something - see comments needs-author-action An issue or pull request that requires more info or actions from the author. labels Jan 12, 2024
@carlossanlop
Copy link
Contributor

carlossanlop commented Jan 16, 2024

@GrabYourPitchforks addressed the above feedback in detail in the other backport PR. We are good to merge.

@carlossanlop carlossanlop merged commit e3500b8 into release/6.0-staging Jan 16, 2024
@carlossanlop carlossanlop deleted the backport/pr-95157-to-release/6.0-staging branch January 16, 2024 18:24
@carlossanlop carlossanlop removed blocked Issue/PR is blocked on something - see comments needs-author-action An issue or pull request that requires more info or actions from the author. labels Jan 16, 2024
omajid added a commit to omajid/dotnet-runtime that referenced this pull request Feb 2, 2024
@omajid
Revert "Disable implicit rejection for RSA PKCS#1 (dotnet#95218)"
076687f 
This reverts commit e3500b8.

To quote Clemens Lang:

> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
> attack against PKCS#1v1.5 decryption. See
> https://people.redhat.com/~hkario/marvin/ for details and
> dotnet#95157 (comment) for a
> comment by the researcher who published the vulnerability and proposed the
> change in OpenSSL.

For more details, see:
dotnet#95216 (comment)
@github-actions github-actions bot locked and limited conversation to collaborators Feb 16, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@bartonjs bartonjs bartonjs approved these changes

Assignees

No one assigned

Labels

area-System.Security Servicing-approved Approved for servicing release

Projects

None yet

Milestone

6.0.27

Development

Successfully merging this pull request may close these issues.

7 participants

@neverpanic @carlossanlop @bartonjs @vcsjones @akoeplinger @leecow