Bug 2153470 - Backport implicit rejection for RSA PKCS#1 v1.5 encryption
Summary: Backport implicit rejection for RSA PKCS#1 v1.5 encryption
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Dmitry Belyavskiy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-12-14 16:40 UTC by Hubert Kario
Modified: 2023-01-13 18:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-13 18:32:48 UTC
Type: Bug
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openssl openssl pull 13817 | 0 | None | closed | Make RSA decryption API safe to use with PKCS#1 v1.5 padding | 2022-12-14 16:40:34 UTC
Red Hat Issue Tracker | FC-682 | 0 | None | None | None | 2022-12-14 16:54:01 UTC

Internal Links: 2181430 2254432 2254465 2254466

Description Hubert Kario 2022-12-14 16:40:35 UTC
Description of problem:
The RSA decryption API is very easy to use incorrectly, causing issues like CVE-2020-25659 in pyca/cryptography. Please backport the recently merged implementation of implicit rejection to OpenSSL so that issues like that are properly addressed.

Version-Release number of selected component (if applicable):
openssl-3.0.5-7

How reproducible:
Always

Steps to Reproduce:
1. Try to decrypt a malformed RSA ciphertext using PKCS#1 v1.5 padding

Actual results:
Usually, an error is returned.

Expected results:
A random, but static (for a given ciphertext-key pair) message is returned.

Additional info:

Comment 1 Dmitry Belyavskiy 2023-01-05 17:34:03 UTC
Added and enabled by default implicit rejection in RSA PKCS#1 v1.5 decryption as a protection against Bleichenbacher-like attacks.

The RSA decryption API will now return a randomly generated deterministic message instead of an error in case it detects an error when checking padding during PKCS#1 v1.5 decryption. This is a general protection against issues like CVE-2020-25659 and CVE-2020-25657. 

This protection can be disabled by calling `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0")` on the RSA decryption context.
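
The behaviour change discussed in this bug, as an added example that is not part of the bug report and not OpenSSL code: a simplified Python model contrasting an error-returning PKCS#1 v1.5 decryption with one that falls back to a message derived deterministically from the private key and the ciphertext. The toy key, the fixed padding byte, the HMAC labels and all function names are assumptions made for illustration; OpenSSL's actual derivation differs and runs in constant time.

```python
import hashlib
import hmac

# Constructed toy key built from two Mersenne primes: illustration only, not secure.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (27)


def encrypt(message: bytes, block_type: int = 2) -> bytes:
    """Build EM = 00 || BT || PS || 00 || M and RSA-encrypt it; BT != 2 is malformed."""
    ps = b"\xa5" * (K - 3 - len(message))  # constructed fixed padding, nonzero
    em = bytes([0, block_type]) + ps + b"\x00" + message
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def _unpad(ciphertext: bytes):
    """Raw RSA decrypt, then return M or None. Not constant time, unlike real code."""
    em = pow(int.from_bytes(ciphertext, "big"), D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        return None
    return em[sep + 1:]


def _synthetic(ciphertext: bytes) -> bytes:
    """Fallback message derived from the private key and the ciphertext only."""
    key = hashlib.sha256(D.to_bytes(K, "big")).digest()
    kdk = hmac.new(key, ciphertext, hashlib.sha256).digest()
    raw_len = hmac.new(kdk, b"length", hashlib.sha256).digest()[:2]
    length = int.from_bytes(raw_len, "big") % (K - 10)  # 0 .. K-11
    return hmac.new(kdk, b"message", hashlib.sha256).digest()[:length]


def decrypt_legacy(ciphertext: bytes) -> bytes:
    """Old behaviour: bad padding surfaces as an error the caller can observe."""
    msg = _unpad(ciphertext)
    if msg is None:
        raise ValueError("padding check failed")
    return msg


def decrypt_implicit_rejection(ciphertext: bytes) -> bytes:
    """Behaviour requested in this bug: bad padding yields a static random message."""
    msg = _unpad(ciphertext)
    return msg if msg is not None else _synthetic(ciphertext)
```

Because the fallback depends only on the key and the ciphertext, repeating the same malformed ciphertext always yields the same bytes, so the caller sees no difference in return path between a valid and an invalid padding.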

