| field | value | date |
|---|---|---|
| author | Dmitry Belyavskiy <beldmit@gmail.com> | 2023-01-20 15:03:40 +0000 |
| committer | Tomas Mraz <tomas@openssl.org> | 2023-02-03 12:38:22 +0100 |
| commit | 8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d (patch) | |
| tree | 24b77097378730b287a820584800bc292d4061b8 /crypto/bn/bn_blind.c | |
| parent | fe6842f5a5dc2fb66da7fb24bf4343a3aeedd50a (diff) | |
Fix Timing Oracle in RSA decryption
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
Patch written by Dmitry Belyavsky and Hubert Kario
CVE-2022-4304
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
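The timing channel the commit message describes is a generic hazard of RSA decryption: any work whose duration depends on the decrypted bytes hands a remote attacker a Bleichenbacher-style oracle, whatever padding mode sits on top. The C program below is an added example, not OpenSSL code and not the change made by this commit (which alters the blinding code in bn_blind.c, not padding handling). It contrasts a branchy PKCS#1 v1.5 type-2 unpadding routine, whose number of inspected bytes varies with the input, against a constant-time check that always touches every byte, yields a mask instead of an early return, copies the message from a fixed offset, and blends in a fallback message on failure as TLS 1.2 (RFC 5246, section 7.4.7.1) requires. The sample blocks, the sizes k = 16 and mlen = 4, the fixed fallback bytes and all function names are constructed for the example; the step counter stands in for wall-clock time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample blocks (not from the page): k = 16 bytes, fixed message
 * length mlen = 4, so PS is 9 bytes (PKCS#1 v1.5 requires at least 8).
 * Valid layout: 00 02 | PS, all non-zero | 00 | M */
#define K    16
#define MLEN 4
static const uint8_t EM_VALID[K]    = { 0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
                                        0x77, 0x88, 0x99, 0x00, 0xde, 0xad, 0xbe, 0xef };
/* Block type 0x01 instead of 0x02: a branchy checker gives up at byte 1. */
static const uint8_t EM_BAD_TYPE[K] = { 0x00, 0x01, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
                                        0x77, 0x88, 0x99, 0x00, 0xde, 0xad, 0xbe, 0xef };
/* No 0x00 separator at all: a branchy checker scans every byte before failing. */
static const uint8_t EM_BAD_SEP[K]  = { 0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
                                        0x77, 0x88, 0x99, 0x99, 0xde, 0xad, 0xbe, 0xef };

static size_t leaky_steps; /* byte inspections performed: a stand-in for time */

/* Variable-time check, the pattern an oracle attack exploits: it returns at the
 * first failure, so the work done (and the response time) tells a remote
 * attacker which check their chosen ciphertext failed. */
static int pkcs1_unpad_leaky(const uint8_t *em, size_t k, uint8_t *out, size_t *outlen)
{
    size_t i;
    leaky_steps = 0;
    leaky_steps++; if (em[0] != 0x00) return -1;
    leaky_steps++; if (em[1] != 0x02) return -1;
    for (i = 2; i < k; i++) {
        leaky_steps++;
        if (em[i] == 0x00) break;          /* separator found */
    }
    if (i == k || i < 10)                  /* no separator, or PS shorter than 8 */
        return -1;
    *outlen = k - i - 1;
    memcpy(out, em + i + 1, *outlen);      /* length-dependent copy leaks as well */
    return 0;
}

/* 0xff if a == b, else 0x00, with no branch: fold the xor down to one bit. */
static uint8_t ct_eq_u8(uint8_t a, uint8_t b)
{
    uint8_t x = (uint8_t)(a ^ b);          /* zero iff equal */
    x = (uint8_t)(x | (x >> 4));
    x = (uint8_t)(x | (x >> 2));
    x = (uint8_t)(x | (x >> 1));           /* low bit set iff a != b */
    return (uint8_t)((x & 1) - 1);
}

/* Constant-time check for a fixed expected message length (the TLS premaster
 * secret case). All k bytes are inspected regardless of earlier results, the
 * message is copied from a fixed offset, and the verdict is a mask rather than
 * an early return. Caller guarantees k >= mlen + 11. */
static uint8_t pkcs1_unpad_ct_fixed(const uint8_t *em, size_t k, size_t mlen, uint8_t *out)
{
    size_t ps_len = k - mlen - 3, i;
    uint8_t good = 0xff;
    good &= ct_eq_u8(em[0], 0x00);
    good &= ct_eq_u8(em[1], 0x02);
    for (i = 2; i < 2 + ps_len; i++)           /* PS bytes must be non-zero */
        good &= (uint8_t)~ct_eq_u8(em[i], 0x00);
    good &= ct_eq_u8(em[2 + ps_len], 0x00);    /* separator */
    memcpy(out, em + k - mlen, mlen);          /* fixed offset: no length leak */
    return good;
}

/* out[i] = mask ? a[i] : b[i], with no data-dependent branch. */
static void ct_select_bytes(uint8_t mask, const uint8_t *a, const uint8_t *b,
                            uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)((a[i] & mask) | (b[i] & (uint8_t)~mask));
}

static size_t leaky_steps_for(const uint8_t *em)
{
    uint8_t out[K]; size_t outlen = 0;
    (void)pkcs1_unpad_leaky(em, K, out, &outlen);
    return leaky_steps;
}
static uint8_t ct_mask_for(const uint8_t *em)
{
    uint8_t out[MLEN];
    return pkcs1_unpad_ct_fixed(em, K, MLEN, out);
}

/* Decrypt-side flow as TLS 1.2 (RFC 5246, 7.4.7.1) prescribes: on bad padding,
 * carry on with a fallback message instead of signalling the failure. The
 * fallback is a constant here; real code draws it randomly per decryption.
 * Returns 1 if the fallback ended up as the recovered message. */
static int demo_recover_uses_fallback(const uint8_t *em)
{
    static const uint8_t fallback[MLEN] = { 0xaa, 0xbb, 0xcc, 0xdd };
    uint8_t out[MLEN], msg[MLEN];
    uint8_t good = pkcs1_unpad_ct_fixed(em, K, MLEN, out);
    ct_select_bytes(good, out, fallback, msg, MLEN);
    return memcmp(msg, fallback, MLEN) == 0;
}

int main(void)
{
    printf("leaky steps: valid=%zu bad_type=%zu bad_sep=%zu  (varies with input)\n",
           leaky_steps_for(EM_VALID), leaky_steps_for(EM_BAD_TYPE), leaky_steps_for(EM_BAD_SEP));
    printf("ct masks: valid=0x%02x bad_type=0x%02x bad_sep=0x%02x  (always %d bytes read)\n",
           ct_mask_for(EM_VALID), ct_mask_for(EM_BAD_TYPE), ct_mask_for(EM_BAD_SEP), K);
    return 0;
}
```

The branchy routine does 2, 12 and 16 byte inspections on the three sample blocks, which is exactly the kind of input-dependent work an attacker measures across a network over many trial ciphertexts; the constant-time routine reads all 16 bytes every time and hands back only a mask, so the caller can finish the handshake with the fallback without ever branching on validity.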
Diffstat (limited to 'crypto/bn/bn_blind.c')
-rw-r--r-- | crypto/bn/bn_blind.c | 14 |
1 files changed, 0 insertions, 14 deletions
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 72457b34cf..6061ebb4c0 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -13,20 +13,6 @@ #define BN_BLINDING_COUNTER 32 -struct bn_blinding_st { - BIGNUM *A; - BIGNUM *Ai; - BIGNUM *e; - BIGNUM *mod; /* just a reference */ - CRYPTO_THREAD_ID tid; - int counter; - unsigned long flags; - BN_MONT_CTX *m_ctx; - int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); - CRYPTO_RWLOCK *lock; -}; - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) { BN_BLINDING *ret = NULL; |
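Review bot: the hunk removes the definition of struct bn_blinding_st from bn_blind.c with no matching insertion in this file (the diffstat shows 0 insertions, 14 deletions), so BN_BLINDING_new and the other functions below it now depend on the definition arriving through a header that is outside this diff, and the commit message does not mention that the struct has been moved or why its fields need to be visible to other code. Suggest adding a sentence to the commit message (or a comment at the removal site) recording the new location of the definition and that exposing the blinding internals is part of the fix, so the reason for widening the struct's visibility is documented next to the CVE rationale.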