[gnutls-devel] GnuTLS | Behavioral PKCS#1 v1.5 decryption oracle (Ok/Err bit) (#1901)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Sun Jun 7 09:33:06 CEST 2026
Issue created by Mark Esler: https://gitlab.com/gnutls/gnutls/-/work_items/1901
Hello,
While surveying PKCS#1 v1.5 implementations [0] for the behavioral Bleichenbacher oracle [1] I found that GnuTLS exposes the oracle through its callable decrypt API.
`gnutls_privkey_decrypt_data` / `gnutls_privkey_decrypt_data2` returns `GNUTLS_E_DECRYPTION_FAILED` on a non-conforming block and succeeds otherwise — a distinguishable bit. `_data2` is documented constant-time but that is constant-time *explicit* rejection, not implicit rejection; the behavioral bit remains. The oracle is closed inside the TLS key-exchange path (result discarded) but not for general callers (JOSE / CMS / PKCS#11 / direct decrypt). Runtime-confirmed, source-reviewed in `lib/privkey.c` and `lib/pk.c`.
The CFRG implementation guidance draft [2] covers remediation: OAEP as the fix, implicit rejection (§7.2) as the stopgap if v1.5 must stay.
Mark Esler
[0] https://hexproof.dev/datagrams/bleichenbacher-oracle-survey/
[1] https://hexproof.dev/datagrams/ok-err-is-a-padding-oracle/
[2] https://datatracker.ietf.org/doc/draft-irtf-cfrg-rsa-guidance/