Bug 2153471

Summary: Backport implicit rejection for RSA PKCS#1 v1.5 encryption [rhel-9]
Product: Red Hat Enterprise Linux 9
Reporter: Alicja Kario <hkario>
Component: openssl
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED ERRATA
QA Contact: Alicja Kario <hkario>
Severity: medium
Docs Contact: Mirek Jahoda <mjahoda>
Priority: medium
Version: 9.0
CC: cheimes, cllang, jafiala, mjahoda
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
.OpenSSL now contains protections against Bleichenbacher-like attacks
This release of the OpenSSL TLS toolkit introduces API-level protections against Bleichenbacher-like attacks on the RSA PKCS #1 v1.5 decryption process. The RSA decryption now returns a randomly generated deterministic message instead of an error if it detects an error when checking padding during a PKCS #1 v1.5 decryption. The change provides general protection against vulnerabilities such as link:https://access.redhat.com/security/cve/CVE-2020-25659[CVE-2020-25659] and link:https://access.redhat.com/security/cve/CVE-2020-25657[CVE-2020-25657]. You can disable this protection by calling the `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0")` function on the RSA decryption context, but this makes your system more vulnerable.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-11-07 08:52:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1889988

Description Alicja Kario 2022-12-14 16:43:34 UTC
Description of problem:
The RSA decryption API is very easy to use incorrectly, causing issues like CVE-2020-25659 in pyca/cryptography. Please backport the recently merged implementation of implicit rejection to OpenSSL so that issues like that are properly addressed.

Version-Release number of selected component (if applicable):
openssl-3.0.7-2.el9

How reproducible:
Always

Steps to Reproduce:
1. Try to decrypt a malformed RSA ciphertext using PKCS#1 v1.5 padding

Actual results:
Usually, an error is returned.

Expected results:
A random, but static (for a given ciphertext-key pair) message is returned.

Additional info:

Comment 9 errata-xmlrpc 2023-11-07 08:52:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssl bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6627
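
Added illustration, not part of the bug report and not OpenSSL code: a Python model of the contract change described in the Doc Text and in "Actual results" / "Expected results" above, showing the error-returning decryption beside implicit rejection. The toy key, the helper names and the HMAC-based derivation of the substitute message are assumptions made for this sketch.

```python
import hashlib
import hmac

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (30)

def rsa_encrypt_block(em: bytes) -> bytes:
    """Raw RSA on an already-encoded K-byte block (lets us build bad padding)."""
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def encode(msg: bytes, block_type: int = 2) -> bytes:
    """00 || BT || PS || 00 || M; fixed 0xff padding keeps the sample deterministic."""
    return bytes([0, block_type]) + b"\xff" * (K - 3 - len(msg)) + b"\x00" + msg

def _unpad(em: bytes):
    """Return the message, or None when the padding is malformed.
    Not constant-time: this sketch shows the API contract only."""
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:   # sep < 10: no separator or PS < 8 bytes
        return None
    return em[sep + 1:]

def _rsa_decrypt_block(ct: bytes) -> bytes:
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")

def decrypt_legacy(ct: bytes) -> bytes:
    """Old contract: a padding failure is visible to the caller as an error."""
    msg = _unpad(_rsa_decrypt_block(ct))
    if msg is None:
        raise ValueError("PKCS#1 v1.5 padding check failed")
    return msg

def decrypt_implicit_rejection(ct: bytes) -> bytes:
    """New contract: a padding failure yields a message that is unpredictable
    without the private key but fixed for a given (key, ciphertext) pair."""
    msg = _unpad(_rsa_decrypt_block(ct))
    if msg is None:
        # Assumed derivation for illustration, not the one OpenSSL implements.
        kdk = hashlib.sha256(D.to_bytes(K, "big")).digest()
        stream = hmac.new(kdk, ct, hashlib.sha256).digest()
        return stream[1:1 + stream[0] % (K - 10)]   # length 0..K-11
    return msg
```

With implicit rejection the caller sees the same kind of return value for well-formed and malformed ciphertexts, so code that merely forgets to hide a decryption error no longer exposes a padding oracle.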