Yubico / yubihsm-shell

yubihsm-shell and libyubihsm
https://developers.yubico.com/yubihsm-shell/
Apache License 2.0

RSA-OAEP decrypt crashes OpenSSL #319

Closed mouse07410 closed 8 months ago

mouse07410 commented 1 year ago

MacOS Ventura 13.2.1, Xcode-14.2, OpenSSL-3.0.8, current master of yubihsm-shell.

Symptoms

$ openssl pkeyutl -decrypt -inkey "pkcs11:model=YubiHSM;token=YubiHSM;id=%04%02;type=private" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha384 -pkeyopt rsa_mgf1_md:sha384 -in /tmp/key.enc1 -out /tmp/key.dec1
Enter pass phrase for PKCS#11 Token (Slot 0 - YubiHSM Connector 0.0.0.0):
Segmentation fault: 11
$ cmp /tmp/key.bin /tmp/key.dec1
$ 

Decryption succeeds (plaintext verified).

Crash report:

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Codes:       0x0000000000000001, 0x0000000000000000

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [65027]

VM Region Info: 0 is not in any region.  Bytes before following region: 4480049152
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      10b082000-10b102000    [  512K] r-x/r-x SM=COW  ...xec/*/openssl

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_pthread.dylib             0x7ff813668f63 pthread_rwlock_rdlock + 0
1   libcrypto.3.dylib                      0x10b77734f CRYPTO_THREAD_read_lock + 9
2   libcrypto.3.dylib                      0x10b79962b ossl_method_store_cache_get + 59
3   libcrypto.3.dylib                      0x10b74baa1 inner_evp_generic_fetch + 366
4   libcrypto.3.dylib                      0x10b74b912 evp_generic_fetch + 65
5   libcrypto.3.dylib                      0x10b749307 evp_cipher_init_internal + 1389
6   libcrypto.3.dylib                      0x10b74a09d EVP_EncryptInit_ex + 27
7   libyubihsm.2.4.0.dylib                 0x10b2e1eba aes_encrypt_ex + 58
8   libyubihsm.2.4.0.dylib                 0x10b2e38c2 send_encrypted_msg + 1218
9   libyubihsm.2.4.0.dylib                 0x10b2e3259 yh_send_secure_msg + 89
10  libyubihsm.2.4.0.dylib                 0x10b2ec0ab yh_util_close_session + 107
11  yubihsm_pkcs11.dylib                   0x10b3bc264 C_CloseSession + 372
12  pkcs11.dylib                           0x10b321af7 p11prov_CloseSession + 87
13  pkcs11.dylib                           0x10b32e152 session_free + 194
14  pkcs11.dylib                           0x10b32c25e p11prov_free_slots + 366
15  pkcs11.dylib                           0x10b32a87b p11prov_ctx_free + 187
16  libcrypto.3.dylib                      0x10b7745ff ossl_provider_free + 61
17  libcrypto.3.dylib                      0x10b7d96ac OPENSSL_sk_pop_free + 45
18  libcrypto.3.dylib                      0x10b775e02 provider_store_free + 63
19  libcrypto.3.dylib                      0x10b76c1d6 CRYPTO_free_ex_data + 326
20  libcrypto.3.dylib                      0x10b7696d6 context_deinit + 98
21  libcrypto.3.dylib                      0x10b769667 ossl_lib_ctx_default_deinit + 16
22  libcrypto.3.dylib                      0x10b76c5ca OPENSSL_cleanup + 200
23  libsystem_c.dylib                   0x7ff813562c26 __cxa_finalize_ranges + 416
24  libsystem_c.dylib                   0x7ff813562a39 exit + 35
25  openssl                                0x10b0a61bb main + 594
26  dyld                                0x7ff813339310 start + 2432

Suspected cause

As discussed in https://github.com/latchset/pkcs11-provider/issues/196#issuecomment-1429952478:

> note that this is happening during openssl deinit, so I think this is a similar problem to https://github.com/latchset/pkcs11-provider/issues/187, where the yubikey library is liberally using the common openssl libctx, and it is invoking it after openssl already started deiniting it. May have no solution except for Yubico fixing their library to use a non-default libctx.

qpernil commented 1 year ago

Looking at some of the spy traces in referenced cases it seems we are running into three different issues here.

mouse07410 commented 1 year ago

> yubihsm_pkcs11 requires PIN to be verified before being able to do (almost) anything

Yes, and I don't see it as a problem.

> yubihsm_pkcs11 doesn't support EC keys for encryption / decryption

I don't think any of my traces involved EC - RSA only.

Regardless, I know that there's no EC encryption or decryption (aka, El Gamal) support - but doesn't yubihsm_pkcs11 support ECDH? (Not that it's crucial, given that CNSA-2.0 guidance suggests moving to PQ algorithms, and staying with RSA-3072+ in the meanwhile.)

> From what I see here and in the other cases I would agree we are trying to use openssl while it is being deinitialized. I will look into using a non-default library context.

Yes please! This is a big problem that can be solved (IMHO) only in your library.

qpernil commented 1 year ago

I only mentioned the nonexistent EC support because I found traces where that was the issue. But they may not have been yours. The YubiHSM does support ecdh so implementing something like ECIES is quite possible in the module, but is not implemented at this time, i.e. C_EncryptInit / C_DecryptInit will simply fail for non-RSA keys (it also supports AES / and wrap keys)

mouse07410 commented 1 year ago

> The YubiHSM does support ECDH so implementing something like ECIES is quite possible in the module, but is not implemented at this time, i.e. C_EncryptInit / C_DecryptInit will simply fail for non-RSA keys (it also supports AES / and wrap keys)

I'd like to see it implemented for the sake of completeness (and it would only require some extra code in the software module, no changes to YubiHSM2 itself), but as I said before - support for Post-Quantum algorithms (Kyber key encapsulation, Dilithium signature, SPHINCS+ signature) is more important on my priority scale.

mouse07410 commented 1 year ago

Ping? Any chance to get this addressed any time soon? Thanks!

qpernil commented 1 year ago

To reproduce this I'd like to ask for some context in terms of config files, installed packages etc, that is required to load the pkcs11 engine & pkcs11 module

mouse07410 commented 1 year ago

> to reproduce this I'd like to ask for some context in terms of config files, installed packages etc, that is required to load the pkcs11 engine & pkcs11 module

MacOS 13.3.1, Xcode-14.3, Macports-installed OpenSSL-3.1.0 and p11-kit 0.24.1. OpenSC compiled from source of master branch. pkcs11-provider compiled from main branch of https://github.com/latchset/pkcs11-provider, libp11 compiled from the master branch of https://github.com/OpenSC/libp11

p11-kit config is shown here https://github.com/latchset/pkcs11-provider/issues/198#issuecomment-1510034294

openssl.cnf (relevant parts):

[openssl_init]
providers = provider_sect
engines = engine_sect

[provider_sect]
 default = default_sect
 legacy = legacy_sect
 pkcs11 = pkcs11_sect
 #gost   = gost_sect
 base = base_sect
 oqs = oqs_sect

[default_sect]
 activate = 1

[legacy_sect]
 activate = 1

[pkcs11_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/pkcs11.dylib
 #pkcs11-module-path = /Library/OpenSC/lib/opensc-pkcs11.so
 pkcs11-module-path = /usr/local/lib/libykcs11.dylib
 activate = 1

[gost_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
 activate = 1

[base_sect]
 activate = 1

[oqs_sect]
 module = /opt/local/libexec/openssl3/lib/ossl-modules/oqsprovider.dylib
 activate = 1

[engine_sect]
 #pkcs11 = pkcs11_section
 #gost = gost_section

[pkcs11_section]
 engine_id = pkcs11
 dynamic_path = /opt/local/libexec/openssl3/lib/engines-3/pkcs11.so
 MODULE_PATH = /Library/OpenSC/lib/opensc-pkcs11.so
 init = 0

[gost_section]
 engine_id = gost
 dynamic_path = /opt/local/libexec/openssl3/lib/engines-3/gost.dylib
 default_algorithms = ALL
 #CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
 #CRYPT-PARAMS = id-GostR3410-2001-CryptoPro-A-ParamSet
 PBE_PARAMS = "gost12_512"
 init = 0

mouse07410 commented 1 year ago

Ping?

mouse07410 commented 1 year ago

@qpernil ping?

mouse07410 commented 8 months ago

Apple Silicon M2 MacBook Pro, MacOS Ventura 13.6.2, Xcode-15.0.1, OpenSSL-3.2.0, current master.

$ openssl version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
$ openssl pkeyutl -decrypt -inkey "pkcs11:model=YubiHSM;token=YubiHSM;id=%04%02;type=private" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha384 -pkeyopt rsa_mgf1_md:sha384 -in /tmp/key.enc1 -out /tmp/key.dec1
Enter pass phrase for PKCS#11 Token (Slot 20 - YubiHSM Connector 0.0.0.0):
$
$ cat /tmp/key.dec1 /tmp/key.txt 
e73555df0a8808a070a39e491d49859e
e73555df0a8808a070a39e491d49859e
$ 

Seems to be working now, closing.