

Fix Timing Oracle in RSA decryption
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA
padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.

Patch written by Dmitry Belyavsky and Hubert Kario

Backport to 1.0.2 by Matt Caswell.

CVE-2022-4304

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
mattcaswell authored and t8m committed Feb 2, 2023
1 parent 0c55850 commit d2ca0f4
Showing 10 changed files with 731 additions and 28 deletions.
14 changes: 12 additions & 2 deletions crypto/bn/Makefile
Expand Up @@ -26,13 +26,13 @@ LIBSRC= bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
bn_depr.c bn_const.c bn_x931p.c
bn_depr.c bn_const.c bn_x931p.c rsa_sup_mul.c

LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \
bn_depr.o bn_const.o bn_x931p.o
bn_depr.o bn_const.o bn_x931p.o rsa_sup_mul.o

SRC= $(LIBSRC)

Expand Down Expand Up @@ -408,3 +408,13 @@ bn_x931p.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
bn_x931p.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_x931p.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_x931p.o: ../../include/openssl/symhacks.h bn_x931p.c
rsa_sup_mul.o: ../../e_os.h ../../include/openssl/asn1.h
rsa_sup_mul.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
rsa_sup_mul.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
rsa_sup_mul.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
rsa_sup_mul.o: ../../include/openssl/opensslconf.h
rsa_sup_mul.o: ../../include/openssl/opensslv.h
rsa_sup_mul.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
rsa_sup_mul.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
rsa_sup_mul.o: ../../include/openssl/symhacks.h ../bn_int.h bn_lcl.h
rsa_sup_mul.o: rsa_sup_mul.c
7 changes: 5 additions & 2 deletions crypto/bn/bn.h
Expand Up @@ -940,6 +940,7 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/

void ERR_load_BN_strings(void);

/* Error codes for the BN functions. */
Expand All @@ -959,6 +960,7 @@ void ERR_load_BN_strings(void);
# define BN_F_BN_DIV 107
# define BN_F_BN_DIV_NO_BRANCH 138
# define BN_F_BN_DIV_RECP 130
# define BN_F_BN_DO_UNBLIND 140
# define BN_F_BN_EXP 123
# define BN_F_BN_EXPAND2 108
# define BN_F_BN_EXPAND_INTERNAL 120
Expand Down Expand Up @@ -1005,11 +1007,12 @@ void ERR_load_BN_strings(void);
# define BN_R_NOT_INITIALIZED 107
# define BN_R_NO_INVERSE 108
# define BN_R_NO_SOLUTION 116
# define BN_R_PASSED_INVALID_ARGUMENT 117
# define BN_R_P_IS_NOT_PRIME 112
# define BN_R_TOO_MANY_ITERATIONS 113
# define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109

#ifdef __cplusplus
# ifdef __cplusplus
}
#endif
# endif
#endif
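Review bot: The `#ifdef __cplusplus` / `#endif` to `# ifdef __cplusplus` / `# endif` re-indentation at the end of the last hunk is unrelated to the timing fix and widens a security backport that is easiest to audit when it stays minimal; if it is an artefact of re-running mkerr.pl (the hunk sits below the "auto generated by the script mkerr.pl" marker), a sentence in the commit description saying so would pre-empt the question. The new `BN_F_BN_DO_UNBLIND 140` and `BN_R_PASSED_INVALID_ARGUMENT 117` codes land in the public bn.h, so their values become part of the 1.0.2 API surface and should be recorded wherever the error-code allocation for this branch is tracked, so a later backport does not reuse them.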
17 changes: 0 additions & 17 deletions crypto/bn/bn_blind.c
Expand Up @@ -115,23 +115,6 @@

#define BN_BLINDING_COUNTER 32

struct bn_blinding_st {
BIGNUM *A;
BIGNUM *Ai;
BIGNUM *e;
BIGNUM *mod; /* just a reference */
#ifndef OPENSSL_NO_DEPRECATED
unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; used
* only by crypto/rsa/rsa_eay.c, rsa_lib.c */
#endif
CRYPTO_THREADID tid;
int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
};

BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
{
BN_BLINDING *ret = NULL;
4 changes: 3 additions & 1 deletion crypto/bn/bn_err.c
@@ -1,6 +1,6 @@
/* crypto/bn/bn_err.c */
/* ====================================================================
* Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-2023 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
Expand Down Expand Up @@ -84,6 +84,7 @@ static ERR_STRING_DATA BN_str_functs[] = {
{ERR_FUNC(BN_F_BN_DIV), "BN_div"},
{ERR_FUNC(BN_F_BN_DIV_NO_BRANCH), "BN_div_no_branch"},
{ERR_FUNC(BN_F_BN_DIV_RECP), "BN_div_recp"},
{ERR_FUNC(BN_F_BN_DO_UNBLIND), "bn_do_unblind"},
{ERR_FUNC(BN_F_BN_EXP), "BN_exp"},
{ERR_FUNC(BN_F_BN_EXPAND2), "bn_expand2"},
{ERR_FUNC(BN_F_BN_EXPAND_INTERNAL), "BN_EXPAND_INTERNAL"},
Expand Down Expand Up @@ -133,6 +134,7 @@ static ERR_STRING_DATA BN_str_reasons[] = {
{ERR_REASON(BN_R_NOT_INITIALIZED), "not initialized"},
{ERR_REASON(BN_R_NO_INVERSE), "no inverse"},
{ERR_REASON(BN_R_NO_SOLUTION), "no solution"},
{ERR_REASON(BN_R_PASSED_INVALID_ARGUMENT), "passed invalid argument"},
{ERR_REASON(BN_R_P_IS_NOT_PRIME), "p is not prime"},
{ERR_REASON(BN_R_TOO_MANY_ITERATIONS), "too many iterations"},
{ERR_REASON(BN_R_TOO_MANY_TEMPORARY_VARIABLES),
17 changes: 17 additions & 0 deletions crypto/bn/bn_lcl.h
Expand Up @@ -531,6 +531,23 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
const BN_ULONG *np, const BN_ULONG *n0, int num);

struct bn_blinding_st {
BIGNUM *A;
BIGNUM *Ai;
BIGNUM *e;
BIGNUM *mod; /* just a reference */
#ifndef OPENSSL_NO_DEPRECATED
unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; used
* only by crypto/rsa/rsa_eay.c, rsa_lib.c */
#endif
CRYPTO_THREADID tid;
int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
};

#ifdef __cplusplus
}
#endif
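Review bot: The relocated `struct bn_blinding_st` carries no comment explaining why a layout that was private to bn_blind.c now lives in the shared internal header, where every libcrypto source including bn_lcl.h can read and modify the blinding state. The Makefile hunk in this commit lists bn_lcl.h as a dependency of the new rsa_sup_mul.c, so presumably the unblinding code there accesses the fields directly rather than through the BN_BLINDING_* accessors; a header comment such as `/* Shared with rsa_sup_mul.c (CVE-2022-4304 unblinding); keep in sync with bn_blind.c */` above the struct would record that and warn future editors of bn_blind.c. The inherited `thread_id` comment still names rsa_eay.c and rsa_lib.c as its only users, which is worth re-checking now that the definition is visible more widely.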
