Bug 2153470

Summary: Backport implicit rejection for RSA PKCS#1 v1.5 encryption
Product: [Fedora] Fedora
Reporter: Alicja Kario <hkario>
Component: openssl
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: crypto-team, dbelyavs, mspacek, mturk, sahana, support.web-tv, tm
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2023-01-13 18:32:48 UTC
Type: Bug

Description Alicja Kario 2022-12-14 16:40:35 UTC
Description of problem:
The RSA decryption API is very easy to use incorrectly, causing issues like CVE-2020-25659 in pyca/cryptography. Please backport the recently merged implementation of implicit rejection to OpenSSL so that issues like that are properly addressed.

Version-Release number of selected component (if applicable):
openssl-3.0.5-7

How reproducible:
Always

Steps to Reproduce:
1. Try to decrypt a malformed RSA ciphertext using PKCS#1 v1.5 padding

Actual results:
Usually, an error is returned.

Expected results:
A random, but static (for a given ciphertext-key pair) message is returned.

Additional info:

Comment 1 Dmitry Belyavskiy 2023-01-05 17:34:03 UTC
Added and enabled by default implicit rejection in RSA PKCS#1 v1.5 decryption as a protection against Bleichenbacher-like attacks.

The RSA decryption API will now return a randomly generated deterministic message instead of an error in case it detects an error when checking padding during PKCS#1 v1.5 decryption. This is a general protection against issues like CVE-2020-25659 and CVE-2020-25657. 

This protection can be disabled by calling `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0")` on the RSA decryption context.
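
A simplified Python model of the behaviour change described in this bug, added here as an illustration; it is not OpenSSL's code and does not reproduce its exact derivation. The toy key, the `prf` helper, the function names and the malformed ciphertext are all constructed for this example.

```python
import hashlib, hmac, os

# Constructed toy key built from two Mersenne primes: insecure, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def raw_encrypt(em: bytes) -> bytes:
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def raw_decrypt(ct: bytes) -> bytes:
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")

def encrypt(msg: bytes) -> bytes:
    ps = bytes(b % 255 + 1 for b in os.urandom(K - 3 - len(msg)))  # nonzero PS
    return raw_encrypt(b"\x00\x02" + ps + b"\x00" + msg)

def unpad(em: bytes):
    """Return the message, or None when the PKCS#1 v1.5 padding is invalid."""
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:  # PS must be at least 8 bytes
        return None
    return em[sep + 1:]

def prf(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode (hypothetical helper for this model)."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, i.to_bytes(2, "big") + label, hashlib.sha256).digest()
        i += 1
    return out[:n]

def decrypt_legacy(ct: bytes) -> bytes:
    msg = unpad(raw_decrypt(ct))
    if msg is None:
        raise ValueError("padding check failed")  # error visible to the caller
    return msg

def decrypt_implicit_rejection(ct: bytes) -> bytes:
    # Secret derived from private key and ciphertext: same pair, same output.
    key = hashlib.sha256(D.to_bytes(K, "big")).digest()
    kdk = hmac.new(key, ct, hashlib.sha256).digest()
    length = int.from_bytes(prf(kdk, b"length", 2), "big") % (K - 10)
    synthetic = prf(kdk, b"message", K)[K - length:]
    msg = unpad(raw_decrypt(ct))
    # A real implementation makes this selection in constant time.
    return synthetic if msg is None else msg

# Constructed malformed ciphertext: block type 0x01 where 0x02 is required.
BAD_CT = raw_encrypt(b"\x00\x01" + b"\xff" * (K - 3) + b"\x00")
```

Because the implicit-rejection path never signals a padding failure, the caller has to validate the returned plaintext itself (for example its expected length) without branching on secret data.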