-
Notifications
You must be signed in to change notification settings - Fork 711
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option for disabling HW PKCS#1 v1.5 padding #2975
Conversation
In principle, I agree with this proposal, but we need to solve one thing. PKCS#1 v1.5 padding has type 1 and type 2. Disabling HW padding for MyEID was primarily focused on padding type 1. For cards where pkcs#1 padding type 1 works correctly, we need to keep this padding and turn off only depadding (type 2). We probably have to split the attribute SC_ALGORITHM_RSA_PAD_PKCS1 into a pair of attributes .. for type 1 and for type 2. And of course, there should be two global options for suppressing PKCS#1 type1/2 padding, i.e. At the same time, I would suggest that depadding be turned off by default and padding turned on by default. (In the documentation with the appropriate comment, so that users understand why it is the default). And I would ask to keep the section for the MyEID card in the documentation... with the note "MyEID specific" so that users have the opportunity to learn why HW padding type 1 is appropriately to disable for MyEID cards. |
You understand that some devices (HSM, YubiHSM2) forbid raw RSA operations? |
Yes, we've already discussed that for cards that don't support RAW RSA, there's nothing we can do to mitigate the pkcs#1 v1.5 type 2 padding attack. For those cards, of course, PKCS#1 depadding will remain enabled. |
6ab4769
to
53ac111
Compare
I added the option |
53ac111
to
ca277c4
Compare
ca277c4
to
c76f841
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one more nit, but I think this looks good now.
c76f841
to
c044253
Compare
c044253
to
6f57e40
Compare
Fixed check for RAW and PKCS1 flags in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the original version, there was a removal of the myeid specific flags, which I do not see in the current version (0415eb5). I do not see a reasoning/discussion why it is not included in the current version so I wanted to check. My take would be not to remove it as it is already in at least one release version, but
- update documentation to mark it deprecated, pointing to the new global option
- maybe still parse the configuration option and use it in the same way as the new one if it would be possible to make it backward compatible?
Added two more nits inline mostly about the formatting. I think the clang is trying to be helpful, but its not always obvious :) But we need to start somewhere.
I left the original MyEID pkcs1 disabling after the #2975 (comment)
So the original option for myeid is still there, followed by the global option. I would probably at least add note into documentation. |
My reading of the above comment was mostly the need to split decryption/signing, but missed the point about request to keep the myeid option. In that case, at least a note to the manual page about how these two options play together would be helpful. |
8bd3680
to
22cc14a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it is a bad idea to do it on the card, why do we need to make it configurable?
doc/files/opensc.conf.5.xml.in
Outdated
</para></listitem> | ||
</itemizedlist> | ||
(Default: <literal>ignore</literal> in Tokend, | ||
<literal>protect</literal> otherwise). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please adjust the default values. Should be decipher everywhere, I think
22cc14a
to
f368a4d
Compare
I would see this mostly as a safeguard to have a simple configurable way to revert back to previously working (even though potentially vulnerable) code if the constant time depadding in software wont work for some reason. Either because of implementation bug, card/driver issue (claiming raw support while not working on card) or something else. |
Because some cards (usually, those offering HSM capabilities) may insist on doing it on the card and refuse operation otherwise? |
f368a4d
to
6de5913
Compare
Merging. Thank you! |
This PR implements a configuration option for global disabling HW PKCS#1 v1.5 depadding if the card supports it. The depadding is then done in OpenSC rather than by the card. That can mask time time deviations between correct and incorrect padding. The initial idea is discussed in #2948 (#2948 (comment)).
A similar approach has already been implemented in MyEID.
It is up for further discussion