[release/6.0] Fix RSA OAEP decryption in Android with non-power-of-two key lengths #71696

Merged: 1 commit, Jul 13, 2022

@vcsjones vcsjones commented Jul 6, 2022

Customer Impact

A customer reported in #71607 that decrypting RSA OAEP with SHA2 and a 3072-bit key on Linux resulted in an OAEP de-padding error, while other platforms were able to perform these operations successfully.

Investigation into the issue uncovered that RSA OAEP decryption that uses the managed implementation does not work with non-power-of-two keys because we do not slice a rented buffer accordingly. This issue was also present for Android, in addition to the reported platform, Linux. The current implementation only works because CryptoPool.Rent happens to give back power-of-two arrays which are exactly the same size as the key.

The fix is to slice the data to the correct size.

.NET 7 will address this issue differently, by completely removing the managed RSA OAEP depadding in #71670, so this is not a back port.

This is a port of dotnet/corefx#43153 for Android for release/6.0.

Testing

Unit tests were introduced to test RSA OAEP encryption with a 3072-bit RSA key. These tests will be forward-ported to dotnet/runtime@main.

Risk

Minimal. The change is localized, and it is understood that a Slice was missing.
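
The failure mode described in this pull request, modelled as an added example (not code from dotnet/runtime): `ArrayPool<byte>.Shared` is an assumed stand-in for the internal `CryptoPool`, the RSA primitive is omitted, and `Mgf1Xor`, `Encode` and `TryDepad` are hypothetical helpers written for this illustration. It targets the .NET 6 SDK with top-level statements.

```csharp
using System;
using System.Buffers;
using System.Buffers.Binary;
using System.Security.Cryptography;
const int HLen = 32;                                  // SHA-256 output size
byte[] lHash = SHA256.HashData(Array.Empty<byte>());  // hash of the empty OAEP label
foreach (int k in new[] { 256, 384 })                 // 2048-bit and 3072-bit moduli
{
    byte[] rented = ArrayPool<byte>.Shared.Rent(k);   // assumed stand-in for CryptoPool.Rent
    Encode(new byte[] { 1, 2, 3 }, k).CopyTo(rented, 0); // stands in for the raw RSA result
    Console.WriteLine($"k={k} rented={rented.Length} " +
        $"unsliced={TryDepad(rented)} sliced={TryDepad(rented.AsSpan(0, k))}");
    ArrayPool<byte>.Shared.Return(rented, clearArray: true);
}

// MGF1 with SHA-256: XORs the mask derived from `seed` into `target`.
void Mgf1Xor(ReadOnlySpan<byte> seed, Span<byte> target)
{
    byte[] input = new byte[seed.Length + 4];
    seed.CopyTo(input);
    for (int counter = 0, off = 0; off < target.Length; counter++)
    {
        BinaryPrimitives.WriteInt32BigEndian(input.AsSpan(seed.Length), counter);
        foreach (byte b in SHA256.HashData(input))
            if (off < target.Length) target[off++] ^= b;
    }
}
// EM = 0x00 || maskedSeed || maskedDB, where DB = lHash || PS || 0x01 || M
byte[] Encode(ReadOnlySpan<byte> msg, int k)
{
    byte[] em = new byte[k];
    Span<byte> seed = em.AsSpan(1, HLen), db = em.AsSpan(1 + HLen);
    lHash.CopyTo(db);
    db[db.Length - msg.Length - 1] = 0x01;
    msg.CopyTo(db.Slice(db.Length - msg.Length));
    RandomNumberGenerator.Fill(seed);
    Mgf1Xor(seed, db);
    Mgf1Xor(db, seed);
    return em;
}
// Demo depadding (not constant-time): all bytes after the seed count as maskedDB.
bool TryDepad(ReadOnlySpan<byte> em)
{
    byte[] tmp = em.ToArray();
    Span<byte> seed = tmp.AsSpan(1, HLen), db = tmp.AsSpan(1 + HLen);
    Mgf1Xor(db, seed);
    Mgf1Xor(seed, db);
    return tmp[0] == 0 && db.Slice(0, HLen).SequenceEqual(lHash);
}
```

When the pool hands back an array longer than `k`, the unsliced call feeds the extra trailing bytes into MGF1 as part of maskedDB, so the recovered lHash no longer matches; slicing to `k` first restores the correct block boundaries.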

ghost commented Jul 6, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Author: vcsjones
Assignees: -
Labels:

area-System.Security

Milestone: -

ghost commented Jul 6, 2022

Tagging subscribers to 'arch-android': @steveisok, @akoeplinger
See info in area-owners.md if you want to be subscribed.

Author: vcsjones
Assignees: vcsjones
Labels:

area-System.Security, os-android

Milestone: -

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
@vcsjones vcsjones force-pushed the android-oaep-decrypt branch from 13c327f to c6d0ac3 Compare July 6, 2022 05:02
@bartonjs bartonjs added the Servicing-consider Issue for next servicing release review label Jul 6, 2022
@rbhanda rbhanda added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Jul 12, 2022
@rbhanda rbhanda added this to the 6.0.9 milestone Jul 12, 2022
@carlossanlop carlossanlop merged commit 262d14f into dotnet:release/6.0 Jul 13, 2022
@vcsjones vcsjones deleted the android-oaep-decrypt branch July 13, 2022 00:54
@ghost ghost locked as resolved and limited conversation to collaborators Aug 12, 2022