| author | Andy Polyakov <appro@openssl.org> | 2018-09-01 12:00:33 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-11-30 12:51:58 +0000 |
| commit | db1b63f45c8585c9c7741e0540c01baad22aa190 (patch) | |
| tree | 9171ebd4c9a5c502d5439273753dd346e6a52de6 /doc | |
| parent | 382448f33757d96a65207c8e9b55fadf45517e57 (diff) | |
rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.
And make RSAErr call unconditional.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man3/RSA_padding_add_PKCS1_type_1.pod | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod index 93911cac97..9ea2634c03 100644 --- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod +++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod @@ -110,7 +110,12 @@ L<ERR_get_error(3)>. The RSA_padding_check_PKCS1_type_2() padding check leaks timing information which can potentially be used to mount a Bleichenbacher padding oracle attack. This is an inherent weakness in the PKCS #1 -v1.5 padding design. Prefer PKCS1_OAEP padding. +v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can +be recommended to pass zero-padded B<f>, so that B<fl> equals to +B<rsa_len>, and if fixed by protocol, B<tlen> being set to the +expected length. In such case leakage would be minimal, it would +take attacker's ability to observe memory access pattern with byte +granilarity as it occurs, post-factum timing analysis won't do. =head1 SEE ALSO |
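Review bot: the added NOTES text has spelling and grammar slips that will ship in the man page: "granilarity" should be "granularity", "B<fl> equals to B<rsa_len>" should read "B<fl> equals B<rsa_len>", and "In such case leakage would be minimal" should be "In such a case leakage would be minimal". The last two sentences would also read better as one thought that says what the caller gains from the recommendation, for example: "In such a case the leakage is minimal: an attacker would need to observe the memory access pattern with byte granularity as it occurs; post-factum timing analysis will not suffice." Since the recommendation only holds for this memcpy-free implementation of RSA_padding_check_PKCS1_type_2() (per the commit title), consider saying so, so readers of older manuals do not assume the same guarantee.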