Fix Timing Oracle in RSA decryption

A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

Patch written by Dmitry Belyavsky and Hubert Kario

Backport to 1.0.2 by Matt Caswell.

CVE-2022-4304

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

Author: mattcaswell

crypto/bn/Makefile

@@ -26,13 +26,13 @@ LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
 	bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
 	bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
 	bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
-	bn_depr.c bn_const.c bn_x931p.c
+	bn_depr.c bn_const.c bn_x931p.c rsa_sup_mul.c
 
 LIBOBJ=	bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
 	bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
 	bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
 	bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \
-	bn_depr.o bn_const.o bn_x931p.o
+	bn_depr.o bn_const.o bn_x931p.o rsa_sup_mul.o
 
 SRC= $(LIBSRC)
 
@@ -408,3 +408,13 @@ bn_x931p.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 bn_x931p.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bn_x931p.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bn_x931p.o: ../../include/openssl/symhacks.h bn_x931p.c
+rsa_sup_mul.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_sup_mul.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_sup_mul.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rsa_sup_mul.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+rsa_sup_mul.o: ../../include/openssl/opensslconf.h
+rsa_sup_mul.o: ../../include/openssl/opensslv.h
+rsa_sup_mul.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
+rsa_sup_mul.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+rsa_sup_mul.o: ../../include/openssl/symhacks.h ../bn_int.h bn_lcl.h
+rsa_sup_mul.o: rsa_sup_mul.c

crypto/bn/bn.h

@@ -940,6 +940,7 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
  * The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
+
 void ERR_load_BN_strings(void);
 
 /* Error codes for the BN functions. */
@@ -959,6 +960,7 @@ void ERR_load_BN_strings(void);
 # define BN_F_BN_DIV                                      107
 # define BN_F_BN_DIV_NO_BRANCH                            138
 # define BN_F_BN_DIV_RECP                                 130
+# define BN_F_BN_DO_UNBLIND                               140
 # define BN_F_BN_EXP                                      123
 # define BN_F_BN_EXPAND2                                  108
 # define BN_F_BN_EXPAND_INTERNAL                          120
@@ -1005,11 +1007,12 @@ void ERR_load_BN_strings(void);
 # define BN_R_NOT_INITIALIZED                             107
 # define BN_R_NO_INVERSE                                  108
 # define BN_R_NO_SOLUTION                                 116
+# define BN_R_PASSED_INVALID_ARGUMENT                     117
 # define BN_R_P_IS_NOT_PRIME                              112
 # define BN_R_TOO_MANY_ITERATIONS                         113
 # define BN_R_TOO_MANY_TEMPORARY_VARIABLES                109
 
-#ifdef  __cplusplus
+# ifdef  __cplusplus
 }
-#endif
+# endif
 #endif

crypto/bn/bn_blind.c

@@ -115,23 +115,6 @@
 
 #define BN_BLINDING_COUNTER     32
 
-struct bn_blinding_st {
-    BIGNUM *A;
-    BIGNUM *Ai;
-    BIGNUM *e;
-    BIGNUM *mod;                /* just a reference */
-#ifndef OPENSSL_NO_DEPRECATED
-    unsigned long thread_id;    /* added in OpenSSL 0.9.6j and 0.9.7b; used
-                                 * only by crypto/rsa/rsa_eay.c, rsa_lib.c */
-#endif
-    CRYPTO_THREADID tid;
-    int counter;
-    unsigned long flags;
-    BN_MONT_CTX *m_ctx;
-    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
-};
-
 BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
 {
     BN_BLINDING *ret = NULL;

crypto/bn/bn_err.c

@@ -1,6 +1,6 @@
 /* crypto/bn/bn_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2023 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -84,6 +84,7 @@ static ERR_STRING_DATA BN_str_functs[] = {
     {ERR_FUNC(BN_F_BN_DIV), "BN_div"},
     {ERR_FUNC(BN_F_BN_DIV_NO_BRANCH), "BN_div_no_branch"},
     {ERR_FUNC(BN_F_BN_DIV_RECP), "BN_div_recp"},
+    {ERR_FUNC(BN_F_BN_DO_UNBLIND), "bn_do_unblind"},
     {ERR_FUNC(BN_F_BN_EXP), "BN_exp"},
     {ERR_FUNC(BN_F_BN_EXPAND2), "bn_expand2"},
     {ERR_FUNC(BN_F_BN_EXPAND_INTERNAL), "BN_EXPAND_INTERNAL"},
@@ -133,6 +134,7 @@ static ERR_STRING_DATA BN_str_reasons[] = {
     {ERR_REASON(BN_R_NOT_INITIALIZED), "not initialized"},
     {ERR_REASON(BN_R_NO_INVERSE), "no inverse"},
     {ERR_REASON(BN_R_NO_SOLUTION), "no solution"},
+    {ERR_REASON(BN_R_PASSED_INVALID_ARGUMENT), "passed invalid argument"},
     {ERR_REASON(BN_R_P_IS_NOT_PRIME), "p is not prime"},
     {ERR_REASON(BN_R_TOO_MANY_ITERATIONS), "too many iterations"},
     {ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),

crypto/bn/bn_lcl.h

@@ -531,6 +531,23 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
                 const BN_ULONG *np, const BN_ULONG *n0, int num);
 
+struct bn_blinding_st {
+    BIGNUM *A;
+    BIGNUM *Ai;
+    BIGNUM *e;
+    BIGNUM *mod;                /* just a reference */
+#ifndef OPENSSL_NO_DEPRECATED
+    unsigned long thread_id;    /* added in OpenSSL 0.9.6j and 0.9.7b; used
+                                 * only by crypto/rsa/rsa_eay.c, rsa_lib.c */
+#endif
+    CRYPTO_THREADID tid;
+    int counter;
+    unsigned long flags;
+    BN_MONT_CTX *m_ctx;
+    int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+                       const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+};
+
 #ifdef  __cplusplus
 }
 #endif