Minidriver function CardRSADecrypt returns SCARD_F_INTERNAL_ERROR despite sc_pkcs15_decipher was successful

[jozsefd]

Problem Description

Minidriver function CardRSADecrypt returns SCARD_F_INTERNAL_ERROR despite sc_pkcs15_decipher was successful. The function compares the return value of sc_pkcs15_decipher (or sc_pkcs1_strip_02_padding_constant_time) agains 0, but these functions return the length of decrypted data on success, not 0.

Proposed Resolution

minidriver.c:4713

//good = constant_time_eq_i(r, 0);
good = constant_time_lt(0, r);

Steps to reproduce

Create a windows application, which calls API CryptDecrypt().

Logs

The return value is not logged, as
"/* do not log return value to not leak it */"
but it will be received by the calling Windows API.

[Jakuje]

Can you check the #3077 solves your issue?

[jozsefd]

Actually #3077 seems to fix my #3086 report and not this issue. The return value check agains 0 is incorrect, as the pre Marvin code looked like:

	if ( r < 0)   {
                ...
		goto err;
	}

[xhanulik]

Before changes fixing Marvin, the CardRSADecrypt called sc_pkcs1_strip_02_padding returning the length of depadded message r and checked it for error - the length of the depadded message is >= 0.

OpenSC/src/minidriver/minidriver.c

Lines 4714 to 4720 in a229082

	if ( r < 0) {
	logprintf(pCardData, 2, "sc_pkcs15_decipher error(%i): %s\n", r, sc_strerror(r));
	pCardData->pfnCspFree(pbuf);
	pCardData->pfnCspFree(pbuf2);
	dwret = md_translate_OpenSC_to_Windows_error(r, SCARD_E_INVALID_VALUE);
	goto err;
	}

So for Marvin, using good = constant_time_eq_i(r, 0); is not correct, but in #3077 this is changed to good = constant_time_ge(r, 0); which I think should solve this issue as it checks that r >= 0.

[jozsefd]

Oh sorry, I have only checked the last commit of #3077, the change of minidriver.c in de25718 is OK.

On the other hand, a 0 length output of decryption or unpadding seems to be a little bit odd for me.

[jozsefd]

I have tested #3077 with various cards, it fixes this issue.