CVE-2023-45287: Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant...
7.5
Miggo AI
Root Cause Analysis
According to the description of CVE-2023-45287, RSA-based TLS key exchanges in Go releases before 1.20 used the math/big library, which is not constant time, leading to potential timing attacks. The Go vulnerability database (GO-2023-2375) explicitly lists several functions in the crypto/tls package as affected symbols. These functions are high-level entry points for establishing TLS connections and performing handshakes (e.g., Conn.Handshake, Dial).

When these functions negotiate an RSA key exchange, they would, prior to the fix, invoke underlying RSA cryptographic operations that relied on the non-constant-time math/big library. These crypto/tls functions would therefore be present in a runtime profile when the vulnerability is triggered during an RSA key exchange. The fix involved switching the crypto/tls library to a fully constant-time RSA implementation.

The specific code diffs were not available through the tools used for this analysis, but the official Go vulnerability database provides strong evidence that these functions are the relevant runtime indicators of the vulnerability's exploitation path. The file paths are the standard locations for these Go crypto/tls functions.
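The two conditions named above (a toolchain older than Go 1.20 and an RSA key exchange being negotiable) can be turned into a triage check. This is an added example, not code from the Go project or from this advisory; the function names `goBefore120`, `rsaKexSuites` and `exposed` and the sample suite list are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"runtime"
	"strings"
)

// goBefore120 reports whether a toolchain string such as "go1.19.13" is older
// than Go 1.20, the release the advisory names as the fix boundary.
// Strings it cannot parse (e.g. "devel ...") report false; check those by hand.
func goBefore120(version string) bool {
	var major, minor int
	if n, _ := fmt.Sscanf(version, "go%d.%d", &major, &minor); n != 2 {
		return false
	}
	return major == 1 && minor < 20
}

// rsaKexSuites returns the names of the listed suites that use RSA key
// exchange. Those are the TLS_RSA_WITH_* suites; TLS_ECDHE_RSA_* suites use
// RSA only for signatures and are not matched.
func rsaKexSuites(ids []uint16) []string {
	var hits []string
	for _, id := range ids {
		if name := tls.CipherSuiteName(id); strings.HasPrefix(name, "TLS_RSA_WITH_") {
			hits = append(hits, name)
		}
	}
	return hits
}

// exposed is true only when both conditions from the advisory hold.
func exposed(version string, ids []uint16) bool {
	return goBefore120(version) && len(rsaKexSuites(ids)) > 0
}

func main() {
	// Constructed sample: an explicit Config.CipherSuites list to audit.
	// An empty list means toolchain defaults apply, which this check cannot see.
	suites := []uint16{
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	}
	fmt.Println(runtime.Version(), rsaKexSuites(suites), exposed(runtime.Version(), suites))
}
```

Pass the version string of the toolchain that built the binary under review (for example the one reported by `go version <binary>`), not necessarily the one running the check.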