diff options
author | Emilia Kasper <emilia@openssl.org> | 2017-07-18 11:26:34 +0200 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2017-07-18 11:27:27 +0200 |
commit | 5c5fef4d7aba0ef20cc88d7e34b22cec0d2881bb (patch) | |
tree | e90ae935ddcb93b8d5aedafde811156d1fc9a662 | |
parent | c63a5ea848cf0ccd3c991198ddff08b36c312340 (diff) |
RSA_padding_check_PKCS1_type_2 is not constant time.
This is an inherent weakness of the padding mode. We can't make the
implementation constant time (see the comments in rsa_pk1.c), so add a
warning to the docs.
Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r-- | doc/crypto/RSA_padding_add_PKCS1_type_1.pod | 7 | ||||
-rw-r--r-- | doc/crypto/RSA_public_encrypt.pod | 7 |
2 files changed, 14 insertions, 0 deletions
diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod index b8f678fe72..f20f815d47 100644 --- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod +++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod @@ -104,6 +104,13 @@ The RSA_padding_check_xxx() functions return the length of the recovered data, -1 on error. Error codes can be obtained by calling L<ERR_get_error(3)|ERR_get_error(3)>. +=head1 WARNING + +The RSA_padding_check_PKCS1_type_2() padding check leaks timing +information which can potentially be used to mount a Bleichenbacher +padding oracle attack. This is an inherent weakness in the PKCS #1 +v1.5 padding design. Prefer PKCS1_OAEP padding. + =head1 SEE ALSO L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>, diff --git a/doc/crypto/RSA_public_encrypt.pod b/doc/crypto/RSA_public_encrypt.pod index 0541f348b3..4d7c1f2cac 100644 --- a/doc/crypto/RSA_public_encrypt.pod +++ b/doc/crypto/RSA_public_encrypt.pod @@ -67,6 +67,13 @@ recovered plaintext. On error, -1 is returned; the error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. +=head1 WARNING + +Decryption failures in the RSA_PKCS1_PADDING mode leak information +which can potentially be used to mount a Bleichenbacher padding oracle +attack. This is an inherent weakness in the PKCS #1 v1.5 padding +design. Prefer RSA_PKCS1_OAEP_PADDING. + =head1 CONFORMING TO SSL, PKCS #1 v2.0 |