wo#7449 . test case for Bleichenbacher-style signature forgery

Special thanks to Sze Yiu Chau of Purdue University ([email protected])
who reported the issue, and made major contributions towards defining
this test case.

Author: bartman

tests/unit/libopenswan/Makefile

@@ -23,6 +23,7 @@ clean check:
 	@${MAKE} -C lo04-verifypubkeys  $@
 	@${MAKE} -C lo05-datatot        $@
 	@${MAKE} -C lo06-verifybadsigs $@
+	@${MAKE} -C lo07-bleichenbacher-attack $@
 
 
 

tests/unit/libopenswan/lo07-bleichenbacher-attack/.gitignore

@@ -0,0 +1,4 @@
+.gdbinit
+OUTPUT
+bleichenbacher-attack
+

tests/unit/libopenswan/lo07-bleichenbacher-attack/Makefile

@@ -0,0 +1,61 @@
+# OpenS/WAN testing makefile
+# Copyright (C) 2018 Bart Trojanowski <[email protected]>
+# Copyright (C) 2014 Michael Richardson <[email protected]>
+# Copyright (C) 2002 Michael Richardson <[email protected]>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# for more details.
+
+OPENSWANSRCDIR?=$(shell cd ../../../..; pwd)
+srcdir?=${OPENSWANSRCDIR}/tests/unit/libpluto/lp01-spdbtest
+include $(OPENSWANSRCDIR)/Makefile.inc
+
+EXTRAFLAGS+=${USERCOMPILE} ${PORTINCLUDE}
+EXTRAFLAGS+=-I${OPENSWANSRCDIR}/programs/pluto
+EXTRAFLAGS+=-I${OPENSWANSRCDIR}/include/pluto
+EXTRAFLAGS+=-I${OPENSWANSRCDIR}/include
+
+EXTRALIBS+=${LIBOSWLOG} ${LIBOPENSWAN} ${LIBOSWLOG} ${LIBOSWKEYS}
+EXTRALIBS+=${NSS_LIBS} ${FIPS_LIBS}    ${LIBGMP} ${CRYPTOLIBS} ${LIBPLUTO}
+
+EXTRAOBJS+=${OBJDIRTOP}/programs/pluto/ikev2_crypto.o
+EXTRAOBJS+=${OBJDIRTOP}/programs/pluto/ikev2_rsa.o
+EXTRAOBJS+=${OBJDIRTOP}/programs/pluto/keys.o
+EXTRAOBJS+=${OBJDIRTOP}/lib/libopenswan/oswconf.o
+
+EXTRAFLAGS+=${NSS_FLAGS}    ${FIPS_FLAGS}
+EXTRAFLAGS+=${NSS_HDRDIRS}  ${FIPS_HDRDIRS}
+
+TESTNUMBER=lo07-bleichenbacher-attack
+TESTNAME=bleichenbacher-attack
+UNITTESTARGS=
+
+Q=$(if $V,,@)
+
+check: ${TESTNAME}
+	@mkdir -p OUTPUT
+	${COREULIMIT} && ./${TESTNAME} ${UNITTESTARGS} >OUTPUT/${TESTNAME}.txt 2>&1
+	diff OUTPUT/${TESTNAME}.txt output.txt
+	@: recordresults lib-$testobj "$testexpect" "$stat" lib-$testobj false
+
+.PHONY: ${TESTNAME}
+${TESTNAME}: ${TESTNAME}.c
+	@echo CC ${TESTNAME}.c
+	$Q${CC} -o ${TESTNAME} ${EXTRAFLAGS} ${TESTNAME}.c ${EXTRAOBJS} ${EXTRALIBS}
+	@echo "file ${TESTNAME}"          >.gdbinit
+	@echo "set args "${UNITTESTARGS} >>.gdbinit
+
+update:
+	cp OUTPUT/${TESTNAME}.txt output.txt
+
+
+initiate:
+
+

tests/unit/libopenswan/lo07-bleichenbacher-attack/bleichenbacher-attack.c

@@ -0,0 +1,131 @@
+#define DEBUG
+#include <stdlib.h>
+#include <stddef.h>
+#include <limits.h>
+#include "openswan.h"
+#include "openswan/passert.h"
+#include "constants.h"
+#include "oswalloc.h"
+#include "oswlog.h"
+#include "secrets.h"
+#include "mpzfuncs.h"
+#include "id.h"
+#include "pluto/keys.h"
+#include "hexdump.c"
+#include "defs.h"
+#include "state.h"
+#include "packet.h"
+
+struct spd_route;
+struct payload_digest;
+#include "ikev2.h"
+
+const char *progname;
+struct prng not_very_random;
+
+void whack_log(int mess_no, const char *message, ...)
+{
+}
+
+void exit_tool(int stat)
+{
+    exit(stat);
+}
+
+int attack(uint8_t low_exponent, size_t modulus_bit_len)
+{
+    /* this would be our message digest */
+    uint8_t helloworldSHA1Bytes[] = {
+        0x2A, 0xAE, 0x6C, 0x35, 0xC9, 0x4F, 0xCF, 0xB4, 0x15, 0xDB,
+        0xE9, 0x5F, 0x40, 0x8B, 0x9C, 0xE9, 0x1E, 0xE8, 0x46, 0xED
+    };
+
+    uint8_t attackBytes[] = {
+        /* fake signature for 1024-bit modulus */
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4e, 0xe7, 0x01, 0x3b,
+        0x05, 0xba, 0x96, 0x90, 0x7a, 0x1f, 0xd0, 0x34, 0x4e, 0x77, 0x75, 0xce, 0x9a, 0x6b, 0x9e, 0xbc,
+        0xb8, 0x0e, 0x72, 0x18, 0x1b, 0x48, 0x5e, 0x24, 0x9b, 0x96, 0x52, 0x4e, 0xca, 0xcc, 0xb8, 0x55
+    };
+
+    /* if the attk is successful, this should not matter */
+    size_t modulus_byte_len = modulus_bit_len/8;
+    uint8_t modulusBytes[modulus_byte_len];
+
+    /* choose any 128-byte (1024-bit) modulus */
+    prng_bytes(&not_very_random, modulusBytes, modulus_byte_len);
+    printf("modulusBytes[%lu]:\n", modulus_byte_len);
+    hexdump(modulusBytes, 0, modulus_byte_len);
+
+    /* low-exponent ... let's say 3 */
+    uint8_t pubExpBytes[] = {
+        low_exponent
+    };
+    printf("pubExpBytes[%lu]:\n", sizeof(pubExpBytes));
+    hexdump(pubExpBytes, 0, sizeof(pubExpBytes));
+
+    /* prepare the public key */
+    struct pubkey pk;
+    pk.u.rsa.k = sizeof(attackBytes);
+    n_to_mpz(&(pk.u.rsa.e), pubExpBytes, sizeof(pubExpBytes));
+    n_to_mpz(&(pk.u.rsa.n), modulusBytes, sizeof(modulusBytes));
+
+    /* prepare a place holder state */
+    struct state st;
+    memset(&st, 0, sizeof(struct state));
+
+    pb_stream sig_pbs;
+    sig_pbs.cur = attackBytes;
+    sig_pbs.roof = attackBytes+sizeof(attackBytes);
+    err_t e = NULL;
+
+    e = try_RSA_signature_v2(
+                             helloworldSHA1Bytes,            // const u_char hash_val[MAX_DIGEST_LEN]
+                             sizeof(helloworldSHA1Bytes),    // size_t hash_len
+                             &sig_pbs,                       // const pb_stream *sig_pbs
+                             &pk,                            // struct pubkey *kr
+                             &st                             // struct state *st
+                            );
+
+    printf("try_RSA_signature_v2: %s\n",
+           e ? e : "OK");
+
+    int rc = 0;
+    if (e)
+	    rc = strtoul(e, NULL, 0);
+
+    /* we caught the attack, return success */
+    if (rc && rc != ULONG_MAX)
+	    return 0;
+
+    printf("ERROR: try_RSA_signature_v2() was fooled by our attack!\n");
+    return -1;
+}
+
+extern void load_oswcrypto(void);
+
+int main(int argc, char *argv[])
+{
+    int rc;
+
+    load_oswcrypto();
+
+    progname = argv[0];
+
+    prng_init(&not_very_random, "01234567", 8);
+
+    rc = attack(3, 1024);
+
+    exit(rc);
+}
+
+/*
+ * Local Variables:
+ * c-style: pluto
+ * c-basic-offset: 4
+ * End:
+ */

tests/unit/libopenswan/lo07-bleichenbacher-attack/description.txt

@@ -0,0 +1,9 @@
+This unit test case reads an ipsec.secrets file to find an RSA key in it.
+It then uses the private key found within to sign something (pseudo-random),
+and then uses the public key to validate that the signature was sane.
+
+As an side affect of doing this, the signatures are written to a file
+(in binary), which is used in lo04-verifypubkeys.
+The public keys can be extracted from the *.secrets file using showhostkey,
+using the "make update" target in the lo04-verifypubkeys test case.
+

tests/unit/libopenswan/lo07-bleichenbacher-attack/output.txt

@@ -0,0 +1,12 @@
+modulusBytes[128]:
+0000: 91 d5 f3 1f  46 27 25 30  30 53 bb 5a  f2 ae e3 50 
+0010: 07 ce 4a 50  2e 7c 96 32  a1 50 6b 52  79 4a c4 a6 
+0020: 48 5e ac fb  1e 17 d9 30  d3 3c 7c 90  9b da 9d 13 
+0030: 76 f5 d9 c1  82 6f 05 b1  04 5b ee f2  f6 73 13 9d 
+0040: 1a d8 76 eb  4a aa ea d8  8d 2d 1b c7  49 5a 10 9a 
+0050: 63 22 ef 22  79 d5 3b 00  6b fa 3f 57  d1 e6 69 24 
+0060: 3c b5 b4 04  d6 47 30 87  b1 de 7a 7f  9d bb 68 bc 
+0070: f5 b0 e6 d6  3b 8d 68 50  bf b5 24 4c  37 7e fd ea 
+pubExpBytes[1]:
+0000: 03 00 00 00 
+try_RSA_signature_v2: 4invalid Padding String