| author | Dmitry Belyavskiy <beldmit@gmail.com> | 2023-01-20 15:03:40 +0000 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2023-02-07 17:02:46 +0100 |
| commit | 8022a4799fe884b3bf8d538e2b4c4ec323663118 (patch) | |
| tree | a38573b28599c62cd953d715a037ee59cce916c3 /include | |
| parent | e2d0a3b5f559e23f11e4d4687b2889b483afb22a (diff) | |
Fix Timing Oracle in RSA decryption
A timing-based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
Patch written by Dmitry Belyavsky and Hubert Kario
CVE-2022-4304
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
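The commit message describes a Bleichenbacher-style timing oracle, where an attacker learns something about the RSA plaintext from how long decryption takes. The added example below is not OpenSSL's code and does not reproduce this patch (the patch works at the big-number unblinding step, before any padding is examined); it illustrates the general principle in C with the PKCS#1 v1.5 type 2 padding check, which is the classic place the oracle shows up: a leaky early-exit unpad routine beside a constant-time one whose memory accesses and work do not depend on where the padding structure breaks. All function names (`ct_eq`, `ct_lt`, `leaky_pkcs1_v15_unpad`, `ct_pkcs1_v15_unpad`, `build_em`, `run_checks`) and the deterministic padding string are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Branch-free masks: 0xFFFFFFFF when the relation holds, 0 otherwise.
 * Inputs are byte values or small indices, so the top bit is never set. */
static uint32_t ct_eq(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;                          /* zero iff a == b */
    return 0u - (1u ^ ((x | (0u - x)) >> 31));   /* (x | -x) >> 31 is 1 iff x != 0 */
}
static uint32_t ct_lt(uint32_t a, uint32_t b)
{
    return 0u - ((a - b) >> 31);                 /* borrow bit set iff a < b */
}

/* Leaky reference (hypothetical, for contrast): returns as soon as a check
 * fails and the scan for the 0x00 separator stops early, so running time
 * depends on where the plaintext structure breaks. That difference is the
 * oracle a Bleichenbacher attacker measures over many trial ciphertexts.
 * EM = 0x00 || 0x02 || PS (>= 8 nonzero bytes) || 0x00 || M. */
int leaky_pkcs1_v15_unpad(const uint8_t *em, size_t num, uint8_t *out, size_t *outlen)
{
    size_t i;
    if (num < 11 || em[0] != 0x00 || em[1] != 0x02)
        return 0;
    for (i = 2; i < num && em[i] != 0x00; i++)
        ;
    if (i == num || i < 10)          /* no separator, or PS shorter than 8 bytes */
        return 0;
    *outlen = num - i - 1;
    memcpy(out, em + i + 1, *outlen);
    return 1;
}

/* Constant-time version: every byte of em is read, every check is folded into
 * the mask 'good', and M is gathered with a data-independent double loop so the
 * sequence of memory accesses is the same for valid and invalid padding.
 * 'out' must hold num - 11 bytes and all of them are always written. Only
 * 'num' is branched on, since the modulus size is public. */
int ct_pkcs1_v15_unpad(const uint8_t *em, size_t num, uint8_t *out, size_t *outlen)
{
    uint32_t good, found = 0, zero_idx = 0, mlen;
    size_t i, j, k, maxlen;

    if (num < 11)
        return 0;
    maxlen = num - 11;
    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02);
    for (i = 2; i < num; i++) {
        uint32_t first = ct_eq(em[i], 0x00) & ~found;  /* first zero byte only */
        zero_idx |= (uint32_t)i & first;
        found |= first;
    }
    good &= found;                       /* a separator must exist ...        */
    good &= ~ct_lt(zero_idx, 10);        /* ... after at least 8 PS bytes     */
    mlen = ((uint32_t)num - zero_idx - 1) & good;

    for (j = 0; j < maxlen; j++) {
        uint8_t acc = 0;
        for (k = 11; k < num; k++)       /* out[j] = em[zero_idx + 1 + j] when valid */
            acc |= em[k] & (uint8_t)ct_eq((uint32_t)k, zero_idx + 1 + (uint32_t)j);
        out[j] = acc & (uint8_t)good;
    }
    *outlen = mlen;
    return (int)(good & 1u);
}

/* Constructed test data: a deterministic PS stands in for the random nonzero
 * bytes a real encoder would use. Returns 0 if the message does not fit. */
int build_em(const uint8_t *msg, size_t mlen, uint8_t *em, size_t num)
{
    size_t pslen, i;
    if (num < mlen + 11)
        return 0;
    pslen = num - mlen - 3;
    em[0] = 0x00;
    em[1] = 0x02;
    for (i = 0; i < pslen; i++)
        em[2 + i] = (uint8_t)(1 + i % 255);
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, msg, mlen);
    return 1;
}

/* Runs both routines over a valid block and three tampered variants; returns 1
 * if they agree everywhere and the constant-time one recovers M. */
int run_checks(void)
{
    static const uint8_t msg[] = "attack at dawn";
    const size_t mlen = sizeof msg - 1;
    uint8_t em[64], out_a[64], out_b[64];
    size_t tamper, la = 0, lb = 0;
    if (!build_em(msg, mlen, em, sizeof em))
        return 0;
    for (tamper = 0; tamper < 4; tamper++) {
        uint8_t t[64];
        int ra, rb;
        memcpy(t, em, sizeof t);
        if (tamper == 1) t[1] = 0x01;                      /* wrong block type */
        if (tamper == 2) t[5] = 0x00;                      /* separator inside PS */
        if (tamper == 3) t[sizeof em - mlen - 1] = 0x07;   /* separator removed */
        ra = leaky_pkcs1_v15_unpad(t, sizeof t, out_a, &la);
        rb = ct_pkcs1_v15_unpad(t, sizeof t, out_b, &lb);
        if (ra != rb)
            return 0;
        if (tamper == 0 && (!rb || lb != mlen || memcmp(out_b, msg, mlen) != 0))
            return 0;
        if (tamper != 0 && rb)
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("implementations agree, message recovered: %s\n", run_checks() ? "yes" : "no");
    return 0;
}
```

The point of the pair is the work profile, not the result: both return the same verdict, but `leaky_pkcs1_v15_unpad` does less work when the block type is wrong than when the separator is merely misplaced, while `ct_pkcs1_v15_unpad` touches the same bytes in the same order whatever the input. The same discipline applies one layer down, at the modular arithmetic that produces EM in the first place, which is where this commit's change lands.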
Diffstat (limited to 'include')
-rw-r--r-- | include/crypto/bn.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/include/crypto/bn.h b/include/crypto/bn.h index 6bee0af2ee..6cfa1a48c0 100644 --- a/include/crypto/bn.h +++ b/include/crypto/bn.h @@ -116,4 +116,10 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx); extern const BIGNUM ossl_bn_inv_sqrt_2; +int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, + const BN_BLINDING *blinding, + const BIGNUM *possible_arg2, + const BIGNUM *to_mod, BN_CTX *ctx, + unsigned char *buf, int num); + #endif |
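Review bot: the new prototype for ossl_bn_rsa_do_unblind in include/crypto/bn.h carries no comment describing its contract, and the parameter name possible_arg2 does not say what the argument is or when it may be NULL. Since this is the unblinding entry point the commit message credits with closing the timing oracle, add a short comment above the declaration stating what intermediate, blinding, possible_arg2 and to_mod are, that buf must be num bytes and is written in full regardless of the value being unblinded, what the return value means, and that callers must treat the whole path as constant-time; consider a descriptive name in place of possible_arg2 so future callers do not misuse it.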