rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.

And make RSAErr call unconditional. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c)
author: Andy Polyakov <appro@openssl.org> 2018-09-01 12:00:33 +0200
committer: Matt Caswell <matt@openssl.org> 2018-11-30 12:51:58 +0000
commit: db1b63f45c8585c9c7741e0540c01baad22aa190 (patch)
tree: 9171ebd4c9a5c502d5439273753dd346e6a52de6 /doc
parent: 382448f33757d96a65207c8e9b55fadf45517e57 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
index 93911cac97..9ea2634c03 100644
--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
@@ -110,7 +110,12 @@ L<ERR_get_error(3)>.
 The RSA_padding_check_PKCS1_type_2() padding check leaks timing
 information which can potentially be used to mount a Bleichenbacher
 padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding.
+v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
+be recommended to pass zero-padded B<f>, so that B<fl> equals to
+B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
+expected length. In such case leakage would be minimal, it would
+take attacker's ability to observe memory access pattern with byte
+granilarity as it occurs, post-factum timing analysis won't do.
 
 =head1 SEE ALSO
author	Andy Polyakov <appro@openssl.org>	2018-09-01 12:00:33 +0200
committer	Matt Caswell <matt@openssl.org>	2018-11-30 12:51:58 +0000
commit	db1b63f45c8585c9c7741e0540c01baad22aa190 (patch)
tree	9171ebd4c9a5c502d5439273753dd346e6a52de6 /doc
parent	382448f33757d96a65207c8e9b55fadf45517e57 (diff)