RSA_padding_check_PKCS1_type_2 is not constant time.

This is an inherent weakness of the padding mode. We can't make the implementation constant time (see the comments in rsa_pk1.c), so add a warning to the docs. Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Emilia Kasper <emilia@openssl.org> 2017-07-18 11:26:34 +0200
committer: Emilia Kasper <emilia@openssl.org> 2017-07-18 11:27:27 +0200
commit: 5c5fef4d7aba0ef20cc88d7e34b22cec0d2881bb (patch)
tree: e90ae935ddcb93b8d5aedafde811156d1fc9a662 /doc/crypto/RSA_padding_add_PKCS1_type_1.pod
parent: c63a5ea848cf0ccd3c991198ddff08b36c312340 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
index b8f678fe72..f20f815d47 100644
--- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
@@ -104,6 +104,13 @@ The RSA_padding_check_xxx() functions return the length of the
 recovered data, -1 on error. Error codes can be obtained by calling
 L<ERR_get_error(3)|ERR_get_error(3)>.
 
+=head1 WARNING
+
+The RSA_padding_check_PKCS1_type_2() padding check leaks timing
+information which can potentially be used to mount a Bleichenbacher
+padding oracle attack. This is an inherent weakness in the PKCS #1
+v1.5 padding design. Prefer PKCS1_OAEP padding.
+
 =head1 SEE ALSO
 
 L<RSA_public_encrypt(3)|RSA_public_encrypt(3)>,
author	Emilia Kasper <emilia@openssl.org>	2017-07-18 11:26:34 +0200
committer	Emilia Kasper <emilia@openssl.org>	2017-07-18 11:27:27 +0200
commit	5c5fef4d7aba0ef20cc88d7e34b22cec0d2881bb (patch)
tree	e90ae935ddcb93b8d5aedafde811156d1fc9a662 /doc/crypto/RSA_padding_add_PKCS1_type_1.pod
parent	c63a5ea848cf0ccd3c991198ddff08b36c312340 (diff)