author: Dmitry Belyavskiy <beldmit@gmail.com> 2023-01-20 15:03:40 +0000
committer: Tomas Mraz <tomas@openssl.org> 2023-02-07 17:02:46 +0100
commit: 8022a4799fe884b3bf8d538e2b4c4ec323663118
tree: a38573b28599c62cd953d715a037ee59cce916c3 /include
parent: e2d0a3b5f559e23f11e4d4687b2889b483afb22a
Fix Timing Oracle in RSA decryption
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.

Patch written by Dmitry Belyavsky and Hubert Kario

CVE-2022-4304

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Diffstat (limited to 'include')
-rw-r--r-- include/crypto/bn.h | 6
1 files changed, 6 insertions, 0 deletions
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 6bee0af2ee..6cfa1a48c0 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -116,4 +116,10 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx);
extern const BIGNUM ossl_bn_inv_sqrt_2;
+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate,
+ const BN_BLINDING *blinding,
+ const BIGNUM *possible_arg2,
+ const BIGNUM *to_mod, BN_CTX *ctx,
+ unsigned char *buf, int num);
+
#endif
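Review bot: the new `ossl_bn_rsa_do_unblind` prototype is added to the header with no comment stating its contract, and the parameter name `possible_arg2` does not tell a caller what to pass there. Since this declaration is the entry point for the CVE-2022-4304 fix described in the commit message, the header should say what the function computes (the names suggest it unblinds `intermediate` with `blinding`, reduces modulo `to_mod` and writes the result into the `num`-byte `buf`), what the `int` return value signals, and that callers depend on its running time not varying with the value being unblinded; a short `/* ... */` block above the declaration and a descriptive name in place of `possible_arg2` would cover it.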