rsa: Add option to disable implicit rejection

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13817)
author: Hubert Kario <hkario@redhat.com> 2022-10-27 19:16:58 +0200
committer: Tomas Mraz <tomas@openssl.org> 2022-12-12 11:30:52 +0100
commit: 5ab3ec1bb1eaa795d775f5896818cfaa84d33a1a (patch)
tree: 8891701c8e4c4429fb9030cca393c132f938dd34 /doc/man1
parent: 8ae4f0e68ebb7435be494b58676827ae91695371 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
index b7c45caa23..dd87829798 100644
--- a/doc/man1/openssl-pkeyutl.pod.in
+++ b/doc/man1/openssl-pkeyutl.pod.in
@@ -272,6 +272,16 @@ explicitly set in PSS mode then the signing digest is used.
 Sets the digest used for the OAEP hash function. If not explicitly set then
 SHA1 is used.
 
+=item B<rsa_pkcs1_implicit_rejection:>I<flag>
+
+Disables (when set to 0) or enables (when set to 1) the use of implicit
+rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a
+protection against Bleichenbacher attack, the library will generate a
+deterministic random plaintext that it will return to the caller in case
+of padding check failure.
+When disabled, it's the callers' responsibility to handle the returned
+errors in a side-channel free manner.
+
 =back
 
 =head1 RSA-PSS ALGORITHM
author	Hubert Kario <hkario@redhat.com>	2022-10-27 19:16:58 +0200
committer	Tomas Mraz <tomas@openssl.org>	2022-12-12 11:30:52 +0100
commit	5ab3ec1bb1eaa795d775f5896818cfaa84d33a1a (patch)
tree	8891701c8e4c4429fb9030cca393c132f938dd34 /doc/man1
parent	8ae4f0e68ebb7435be494b58676827ae91695371 (diff)