From c3aed7e4e6f1960eaa43ecbea2178b82481887af Mon Sep 17 00:00:00 2001
From: Hubert Kario <hkario@redhat.com>
Date: Fri, 9 Dec 2022 20:43:22 +0100
Subject: [PATCH] rsa: add implicit rejection CHANGES entry

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13817)
---
 CHANGES.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/CHANGES.md b/CHANGES.md
index 5a2692cee79..bf27b69fac2 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -192,6 +192,18 @@ OpenSSL 3.2
 
    *Maxim Mikityanskiy*
 
+ * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
+   decryption as a protection against Bleichenbacher-like attacks.
+   The RSA decryption API will now return a randomly generated deterministic
+   message instead of an error in case it detects an error when checking
+   padding during PKCS#1 v1.5 decryption. This is a general protection against
+   issues like CVE-2020-25659 and CVE-2020-25657. This protection can be
+   disabled by calling
+   `EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection". "0")`
+   on the RSA decryption context.
+
+   *Hubert Kario*
+
 OpenSSL 3.1
 -----------
 
-- 
2.47.3