Ticket History #8428: Minimize timing leaks in PKINIT decryption

# Wed Jul 20 11:26:13 2016 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 1KiB

Minimize timing leaks in PKINIT decryption

pkcs7_dataDecode() is derived from OpenSSL's PKCS7_datadecode() and is
used by PKINIT clients to decrypt ReplyKeyPack values in RSA mode.
The upstream function was changed for CVE-2012-0884 to minimize the
timing difference when RSA decryption results in the wrong padding.
Although the impact on Kerberos is negligible (because clients do not
ordinarily choose to use RSA mode, and cannot easily be induced to
make many thousands of requests with the same key), change
pkcs7_dataDecode() to match the upstream change, generating a random
symmetric key and using it when RSA decryption fails. Also rename
"tmp" and "tmp_len" to "ek" and "eklen" to match the more descriptive
upstream variable names.

https://github.com/krb5/krb5/commit/f7c6723fdc5142e43edb79d4c5963acc26da7088
Author: Greg Hudson <ghudson@mit.edu>
Commit: f7c6723fdc5142e43edb79d4c5963acc26da7088
Branch: master
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 57 ++++++++++++--------
1 files changed, 34 insertions(+), 23 deletions(-)

# Wed Jul 20 11:26:13 2016 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'review'

# Wed Jul 20 11:26:13 2016 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added

# Thu Oct 13 16:45:43 2016 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'

# Thu Oct 13 16:45:43 2016 tlyu (Taylor Yu) - Version_Fixed 1.15 added