[UBUNTU 21.04] openCryptoki: Soft token does not check if an EC key is valid

Bug #1928780 reported by bugproxy
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
High
Skipper Bug Screeners
opencryptoki (Ubuntu)
Fix Released
Undecided
Unassigned
Hirsute
Fix Released
Undecided
Unassigned
Impish
Fix Released
Undecided
Unassigned

Bug Description

[Description]
The Opencryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow one to perform Invalid Curve Attacks.

Fix:
https://github.com/opencryptoki/opencryptoki/commit/4e3b43c3d8844402c04a66b55c6c940f965109f0 (SOFT: Check the EC Key on C_CreateObject and C_DeriveKey)

This commit should apply smooth on top of OCK 3.16.0, but also on OCK 3.15.0 or 3.15.1.

EC support has been introduced in the Soft token with OCK 3.15.0. So all OCK versions >= 3.15.0 are affected. Earlier OCK releases are not affected.

This problem need only to be fixed with 21.04 wherer 3.15.1 is included.

[Test Plan]

DO THIS IN A THROWAWAY VM!!! The cleanup routine in the test isn't itself
well tested :)

First step is to prepare the default software-based slot for the tests.
We'll setup the user password to be 1234 (hardcoded in the testfile).
We're assuming the opencryptoki configuration is the default one (i.e. software-based backend at slot 3), in which case the SO password is by default 87654321

$ sudo apt install opencryptoki
$ sudo pkcsconf -c 3 -u

When this is done, install the lib headers (libopencryptoki-dev), download the test file provided in the comment #9 (named 'test.c' in the following command) and compile it

$ gcc test.c -o sru-test -lopencryptoki

Finally, run the binary as root. The return code will be 0 if the incorrect key is rejected, 56 if not.

$ sudo ./sru-test

[Where problems could occur]

Even assuming the underlying code is perfectly correct, the update increases the API surface of the library slightly, which could provoke namespace clashes where none existed before.

If the EC checking code isn't correct, the soft token implementation might reject some valid keys that would have previously gone through.

CVE References

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-192742 severity-high targetmilestone-inin2104
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → opencryptoki (Ubuntu)
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in opencryptoki (Ubuntu Impish):
assignee: Skipper Bug Screeners (skipper-screen-team) → nobody
Steve Langasek (vorlon)
tags: added: fr-1388
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-05-19 02:22 EDT-------
Also to be added to 3.16 (impish) . I missed that.

Revision history for this message
Simon Chopin (schopin) wrote :

Hi!

Would it be possible to have a repro case for the fixed bug? I'm not familiar with the opencryptoki internals, and the checks are introduced somewhat deep in the call hierarchy from what I can tell.

Thanks in advance,
Cheers,
Simon

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.16.0+dfsg-0ubuntu1

---------------
opencryptoki (3.16.0+dfsg-0ubuntu1) impish; urgency=medium

  * New upstream release (LP: #1928767)
    + Refresh d/p/03-dlopen-soname.patch
    + Drop patches merged upstream:
      - d/p/d15736b3d586518bfa2359e7eb28b90837b5de22.patch
      - d/p/821bc7ab4635e189d31bc3c808c626b9fcda5d02.patch
      - d/p/2d16f003911ceee50967546f4b3c7cac2db9ba86.patch
      - d/p/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch
      - d/p/1e98001ff63cd7e75d95b4ea0d3d2a69965d8890.patch
  * d/copyright: only remove actually unlicensed files
  * Cherry-pick a fix from master (LP: #1928780)

 -- Simon Chopin <email address hidden> Mon, 26 Jul 2021 18:55:27 +0200

Changed in opencryptoki (Ubuntu Impish):
status: New → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Revision history for this message
Simon Chopin (schopin) wrote :

Here's a debdiff for the Hirsute SRU.

Simon Chopin (schopin)
description: updated
Revision history for this message
Simon Chopin (schopin) wrote :

The backported package is available at the following PPA: https://launchpad.net/~schopin/+archive/ubuntu/test-ppa/+sourcepub/12592922/+listing-archive-extra

The version is 3.15.1+dfsg-0ubuntu1.1~ppa2, but it's the same code otherwise. Waiting for repro before poking someone to upload the SRU package :)

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-07-30 07:40 EDT-------
I have enhanced the opencryptoki EC testcases to perform some tests with invalid EC keys, to trigger that the key check code is executed.

Please take a look at this commit in my github clone of opencryptoki:
https://github.com/ifranzki/opencryptoki/commit/779df741f1724c9276ea90bd760f0dd4d7733fc2

Please not that some of the tests may also pass without the EC key check fix (i.e. get an expected error, but maybe from another place or for another reason in the code), but at least with the fix it will run through the EC key check code added by the fix.

I will eventually also make this testcase enhancement available in the master branch of opencryptoki, once you confirmed that it is what you are looking for.

Revision history for this message
Simon Chopin (schopin) wrote :

Attached is a standalone version of the test file. I'm having trouble with my VMs so I won't update the description just yet with steps to confirm the bug and its fix just yet, but it's looking pretty good.

Small nit with the patch : there's a typo in the name of the function ;-)

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2021-08-02 03:51 EDT-------
> Small nit with the patch : there's a typo in the name of the function ;-)
Thanks! Fixed:
https://github.com/ifranzki/opencryptoki/commit/8c5524fd555656db35e13f55edb2bb082095016b

Revision history for this message
Simon Chopin (schopin) wrote :

New version of the test.c file, this time working as intended. Tested in an amd64 hirsute VM.

description: updated
Changed in opencryptoki (Ubuntu Hirsute):
status: New → In Progress
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote :

Is an update that we should get into the -security pocket of the archive?

Revision history for this message
Robie Basak (racb) wrote :

This SRU is blocked until Brian's security pocket question is resolved.

Changed in opencryptoki (Ubuntu Hirsute):
status: In Progress → Incomplete
Revision history for this message
Frank Heimes (fheimes) wrote :

Yes, I think this should better get into the -security pocket, since this bug may allow someone to perform Invalid Curve Attacks.

I think I'll also update the information type to public security.

information type: Public → Public Security
Revision history for this message
Simon Chopin (schopin) wrote :

I pinged the security team.

Revision history for this message
bugproxy (bugproxy) wrote : opencryptoki_hirsute.debdiff

Default Comment by Bridge

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package opencryptoki - 3.15.1+dfsg-0ubuntu1.2

---------------
opencryptoki (3.15.1+dfsg-0ubuntu1.2) hirsute-security; urgency=medium

  * SECURITY UPDATE: Invalid curve attacks
    - d/p/lp1928780-Add-missing-return-codes.patch: Partial cherry-pick of
      master as a prerequisite for the following fix.
    - d/p/lp1928780-SOFT-Check-the-EC-Key-on-C_CreateObject-and-C_Derive.patch:
      Cherry-picked to add checks preventing Invalid Curve attacks (LP: #1928780)

 -- Simon Chopin <email address hidden> Thu, 29 Jul 2021 10:22:13 +0200

Changed in opencryptoki (Ubuntu Hirsute):
status: Incomplete → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2021-08-04 14:51 EDT-------
Fixed released, hence closing the bug.
Staus: -> CLOSED

Revision history for this message
Mauro Matteo Cascella (mauro-cascella) wrote :

Hello,

jfyi - this issue was assigned CVE-2021-3798 by Red Hat, Inc.

Thank you,
Regards.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers