commit 393df9c99512337b403bbe80a3a3cee30f277fc6
author Janos Follath <janos.follath@arm.com> Fri Dec 29 11:14:58 2023 +0000
committer Dave Rodgman <dave.rodgman@arm.com> Mon Jan 22 15:33:19 2024 +0000
tree e85d41e1bcdb168d357159113c24721108b96595
parent 16ab76bbe774806079e2d5cab0c4209a4f7b0602

Add warning for PKCS 1.5 decryption

Any timing variance dependant on the output of this function enables a
Bleichenbacher attack. It is extremely difficult to use safely.

In the Marvin attack paper
(https://people.redhat.com/~hkario/marvin/marvin-attack-paper.pdf) the
author suggests that implementations of PKCS 1.5 decryption that don't
include a countermeasure should be considered inherently dangerous.

They suggest that all libraries implement the same countermeasure, as
implementing different countermeasures across libraries enables the
Bleichenbacher attack as well.

This is extremely fragile and therefore we don't implement it. The use
of PKCS 1.5 in Mbed TLS implements the countermeasures recommended in
the TLS standard (7.4.7.1 of RFC 5246) and is not vulnerable.

Add a warning to PKCS 1.5 decryption to warn users about this.

Signed-off-by: Janos Follath <janos.follath@arm.com>

include/psa/crypto_values.h

diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 5e33f6b..a17879b 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -1736,6 +1736,13 @@
      0)
 
 /** RSA PKCS#1 v1.5 encryption.
+ *
+ * \warning     Calling psa_asymmetric_decrypt() with this algorithm as a
+ *              parameter is considered an inherently dangerous function
+ *              (CWE-242). Unless it is used in a side channel free and safe
+ *              way (eg. implementing the TLS protocol as per 7.4.7.1 of
+ *              RFC 5246), the calling code is vulnerable.
+ *
  */
 #define PSA_ALG_RSA_PKCS1V15_CRYPT              ((psa_algorithm_t) 0x07000200)