Description of problem:
The RSA decryption API is very easy to use incorrectly, causing issues like CVE-2020-25659 in pyca/cryptography. Please backport the recently merged implementation of implicit rejection to OpenSSL so that issues like that are properly addressed.

Version-Release number of selected component (if applicable):
openssl-3.0.5-7

How reproducible:
Always

Steps to Reproduce:
1. Try to decrypt a malformed RSA ciphertext using PKCS#1 v1.5 padding

Actual results:
Usually, an error is returned.

Expected results:
A random, but static (for a given ciphertext-key pair) message is returned.

Additional info:
Added and enabled by default implicit rejection in RSA PKCS#1 v1.5 decryption as a protection against Bleichenbacher-like attacks. The RSA decryption API will now return a randomly generated deterministic message instead of an error in case it detects an error when checking padding during PKCS#1 v1.5 decryption. This is a general protection against issues like CVE-2020-25659 and CVE-2020-25657. This protection can be disabled by calling `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0")` on the RSA decryption context.
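The behaviour change described above, shown as an added Python example (not OpenSSL's code and not part of the original report): a strict decryptor that raises on bad padding next to one that returns a message fixed per key and ciphertext. The toy key, the helper names and the HMAC-based derivation are assumptions made for illustration; the derivation is a simplified stand-in for OpenSSL's, and none of this is constant-time.

```python
import hashlib
import hmac

# Constructed toy key from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def pad_and_encrypt(msg: bytes, block_type: int = 2) -> bytes:
    """Build constructed test data; any block_type other than 2 is malformed."""
    em = bytes([0, block_type]) + b"\xa5" * (K - 3 - len(msg)) + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def rsa_raw_decrypt(ciphertext: bytes) -> bytes:
    return pow(int.from_bytes(ciphertext, "big"), D, N).to_bytes(K, "big")


def unpad(em: bytes):
    """Return the message, or None when the PKCS#1 v1.5 padding is malformed."""
    sep = em.find(b"\x00", 2)
    # sep < 10 covers both "no separator" (-1) and fewer than 8 padding bytes.
    if em[:2] != b"\x00\x02" or sep < 10:
        return None
    return em[sep + 1:]


def synthetic_message(ciphertext: bytes) -> bytes:
    """Simplified derivation: keyed by the private exponent, so the output is
    fixed per (key, ciphertext) and unpredictable without the key."""
    kdk = hashlib.sha256(D.to_bytes(K, "big")).digest()
    stream = hmac.new(kdk, ciphertext, hashlib.sha256).digest()
    length = stream[0] % (K - 10)  # 0 .. K-11, i.e. any valid plaintext length
    return stream[1:1 + length]


def decrypt_strict(ciphertext: bytes) -> bytes:
    """Old behaviour: a padding failure is an error the caller may leak."""
    msg = unpad(rsa_raw_decrypt(ciphertext))
    if msg is None:
        raise ValueError("padding check failed")
    return msg


def decrypt_implicit_rejection(ciphertext: bytes) -> bytes:
    """New behaviour: never fails on padding; returns a synthetic message."""
    msg = unpad(rsa_raw_decrypt(ciphertext))
    return msg if msg is not None else synthetic_message(ciphertext)
```

With implicit rejection the caller has no padding error to branch on, so a wrong plaintext has to be caught by whatever the protocol checks next (for example a MAC or key confirmation), and that check must not behave differently for real and synthetic messages.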