[gnutls-dev] Re: Bleichenbacher RSA signature forgery attack and GnuTLS

Simon Josefsson jas at extundo.com
Fri Sep 8 15:54:26 CEST 2006 

Simon Josefsson <jas at extundo.com> writes:

> 	      _gnutls_handshake_log ("PKCS #1 padding error");
> 	      ret = GNUTLS_E_PKCS1_WRONG_PAD;

Werner Koch points out that this error message may result in a
vulnerability similar to Bleichenbacher's Crypto 98 attack.  It is not
exactly the same situation -- Bleichenbacher talks about PKCS#1
encryption (block type 1, uses random padding) where this deals with
PKCS#1 verification (block type 2, uses 0xFF padding) -- but at a
glance, it appears to have similar consequences, but differ in the
number of messages required to mount the attack.

The patch to solve this, which has been installed on GnuTLS 1.4.x and
GnuTLS 1.5.x branches, is included below.  I'll release 1.4.3 later
today.

/Simon

Index: gnutls_pk.c
===================================================================
RCS file: /cvs/gnutls/gnutls/lib/gnutls_pk.c,v
retrieving revision 1.82
retrieving revision 1.83
diff -u -p -r1.82 -r1.83
--- gnutls_pk.c	15 Dec 2005 13:24:29 -0000	1.82
+++ gnutls_pk.c	8 Sep 2006 13:19:29 -0000	1.83
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation
+ * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation
  *
  * Author: Nikos Mavroyanopoulos
  *
@@ -265,8 +265,13 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_
 
   _gnutls_mpi_release (&res);
 
-  /* EB = 00||BT||PS||00||D 
+  /* EB = 00||BT||PS||00||D
    * (use block type 'btype')
+   *
+   * From now on, return GNUTLS_E_DECRYPTION_FAILED on errors, to
+   * avoid attacks similar to the one described by Bleichenbacher in:
+   * "Chosen Ciphertext Attacks against Protocols Based on RSA
+   * Encryption Standard PKCS #1".
    */
 
 
@@ -303,8 +308,8 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_
 	    }
 	  if (edata[i] != 0xff)
 	    {
-	      _gnutls_handshake_log ("PKCS #1 padding error");
-	      ret = GNUTLS_E_PKCS1_WRONG_PAD;
+	      /* PKCS #1 padding error.  Don't use
+		 GNUTLS_E_PKCS1_WRONG_PAD here.  */
 	      break;
 	    }
 	}
@@ -312,7 +317,6 @@ _gnutls_pkcs1_rsa_decrypt (gnutls_datum_
     default:
       gnutls_assert ();
       gnutls_afree (edata);
-      return GNUTLS_E_INTERNAL_ERROR;
     }
   i++;

More information about the Gnutls-devel mailing list