diff options
author | Andy Polyakov <appro@openssl.org> | 2018-09-01 12:00:33 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-12-06 11:18:35 +0000 |
commit | 47f8fba64353a637cacdd8751cab25a9f3be3715 (patch) | |
tree | b4cc06c5ab27392315d7545f4990596fb74654ae /doc | |
parent | 3b776fd785efb1c0af4b28ad0b8036b23071904d (diff) |
rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.
And make RSAErr call unconditional.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c)
Resolved conflicts:
crypto/rsa/rsa_pk1.c
(Merged from https://github.com/openssl/openssl/pull/7737)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/crypto/RSA_padding_add_PKCS1_type_1.pod | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod index f20f815d47..800e777869 100644 --- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod +++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod @@ -109,7 +109,12 @@ L<ERR_get_error(3)|ERR_get_error(3)>. The RSA_padding_check_PKCS1_type_2() padding check leaks timing information which can potentially be used to mount a Bleichenbacher padding oracle attack. This is an inherent weakness in the PKCS #1 -v1.5 padding design. Prefer PKCS1_OAEP padding. +v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can +be recommended to pass zero-padded B<f>, so that B<fl> equals to +B<rsa_len>, and if fixed by protocol, B<tlen> being set to the +expected length. In such case leakage would be minimal, it would +take attacker's ability to observe memory access pattern with byte +granilarity as it occurs, post-factum timing analysis won't do. =head1 SEE ALSO |