Diffstat (limited to 'doc/man3/RSA_public_encrypt.pod')
-rw-r--r-- | doc/man3/RSA_public_encrypt.pod | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod index 2ae6c7f290..47d198a24c 100644 --- a/doc/man3/RSA_public_encrypt.pod +++ b/doc/man3/RSA_public_encrypt.pod @@ -94,10 +94,17 @@ design. Prefer RSA_PKCS1_OAEP_PADDING. In OpenSSL before version 3.2.0, both the return value and the length of returned value could be used to mount the Bleichenbacher attack. -Since version 3.2.0, OpenSSL does not return an error in case of padding -checks failed. Instead it generates a random message based on used private +Since version 3.2.0, the default provider in OpenSSL does not return an +error when padding checks fail. Instead it generates a random +message based on used private key and provided ciphertext so that application code doesn't have to implement a side-channel secure error handling. +Applications that want to be secure against side-channel attacks with +providers that don't implement implicit rejection, still need to +handle the returned values using side-channel free code. +Side-channel free handling of the error stack can be performed using +either a pair of unconditional L<ERR_set_mark(3)> and L<ERR_pop_to_mark(3)> +calls or by using the L<ERR_clear_error(3)> call. =head1 CONFORMING TO @@ -106,7 +113,7 @@ SSL, PKCS #1 v2.0 =head1 SEE ALSO L<ERR_get_error(3)>, L<RAND_bytes(3)>, -L<RSA_size(3)> +L<RSA_size(3)>, L<EVP_PKEY_decrypt(3)>, L<EVP_PKEY_encrypt(3)> =head1 HISTORY |
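Review bot: In the @@ -94,10 +94,17 hunk, the added paragraph relies on the term "implicit rejection" ("providers that don't implement implicit rejection") without defining it. The preceding sentence describes the behaviour (a random message derived from the private key and the ciphertext) but never gives it that name. Suggest naming it where it is described, so the later reference has something to point to. Two smaller points in the same paragraph: the comma in "implicit rejection, still need to" separates the subject from its verb and should be dropped, and "a pair of unconditional L<ERR_set_mark(3)> and L<ERR_pop_to_mark(3)> calls" would be clearer if it said where the two calls sit relative to the decryption call.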
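Review bot: In the @@ -106,7 +113,7 hunk, SEE ALSO gains L<EVP_PKEY_decrypt(3)> and L<EVP_PKEY_encrypt(3)> but none of the error-stack functions the new paragraph tells readers to use. Consider adding L<ERR_set_mark(3)>, L<ERR_pop_to_mark(3)> and L<ERR_clear_error(3)> to the list as well, since the visible list only carries L<ERR_get_error(3)> from that family.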