Files
Zhang Peng 4cbf9d8d2c opensc: fix CVE-2023-5992
CVE-2023-5992:
A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not
implemented as side-channel resistant. This issue may result in the potential leak
of private data.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2023-5992]
[https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992]

Upstream patches:
[https://github.com/OpenSC/OpenSC/pull/2948]
[https://github.com/OpenSC/OpenSC/pull/3016]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2025-11-02 15:09:01 +01:00

76 lines
3.1 KiB
Diff

From 0039fe386c996faffaa2cf2d728c176cc239468b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Mon, 5 Feb 2024 13:33:05 +0100
Subject: [PATCH 10/10] Fix constant-time comparison of negative values
Thanks Coverity CID 414687
CVE: CVE-2023-5992
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/pull/3016]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
---
src/common/constant-time.h | 6 ++++++
src/minidriver/minidriver.c | 4 ++--
src/pkcs11/framework-pkcs15.c | 4 ++--
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/common/constant-time.h b/src/common/constant-time.h
index 40c3e500c..3f4446d4d 100644
--- a/src/common/constant-time.h
+++ b/src/common/constant-time.h
@@ -125,4 +125,10 @@ constant_time_eq_s(size_t a, size_t b)
return constant_time_is_zero_s(a ^ b);
}
+static constant_inline unsigned int
+constant_time_eq_i(int a, int b)
+{
+ return constant_time_eq((unsigned int)a, (unsigned int)b);
+}
+
#endif /* CONSTANT_TIME_H */
diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
index 37e576ba2..e2be9e53d 100644
--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
@@ -4590,7 +4590,7 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_DATA pCardData,
logprintf(pCardData, 2, "sc_pkcs15_decipher: stripping PKCS1 padding\n");
r = sc_pkcs1_strip_02_padding_constant_time(vs->ctx, prkey_info->modulus_length / 8, pbuf2, pInfo->cbData, pbuf2, &temp);
pInfo->cbData = (DWORD) temp;
- wrong_padding = constant_time_eq_s(r, SC_ERROR_WRONG_PADDING);
+ wrong_padding = constant_time_eq_i(r, SC_ERROR_WRONG_PADDING);
/* continue without returning error to not leak that padding is wrong
to prevent time side-channel leak for Marvin attack*/
}
@@ -4640,7 +4640,7 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_DATA pCardData,
goto err;
}
- good = constant_time_eq_s(r, 0);
+ good = constant_time_eq_i(r, 0);
/* if no error or padding error, do not return here to prevent Marvin attack */
if (!(good | wrong_padding) && r < 0) {
logprintf(pCardData, 2, "sc_pkcs15_decipher error(%i): %s\n", r, sc_strerror(r));
diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
index 8376057ea..8b0a63b10 100644
--- a/src/pkcs11/framework-pkcs15.c
+++ b/src/pkcs11/framework-pkcs15.c
@@ -4433,11 +4433,11 @@ pkcs15_prkey_decrypt(struct sc_pkcs11_session *session, void *obj,
/* only padding error must be handled in constant-time way,
* other error can be returned straight away */
- if ((~constant_time_eq_s(rv, SC_ERROR_WRONG_PADDING) & constant_time_lt_s(sizeof(decrypted), rv)))
+ if ((~constant_time_eq_i(rv, SC_ERROR_WRONG_PADDING) & constant_time_lt_s(sizeof(decrypted), (size_t)rv)))
return sc_to_cryptoki_error(rv, "C_Decrypt");
/* check rv for padding error */
- good = ~constant_time_eq_s(rv, SC_ERROR_WRONG_PADDING);
+ good = ~constant_time_eq_i(rv, SC_ERROR_WRONG_PADDING);
rv_pkcs11 = sc_to_cryptoki_error(SC_ERROR_WRONG_PADDING, "C_Decrypt");
rv_pkcs11 = constant_time_select_s(good, CKR_OK, rv_pkcs11);
--
2.50.0