rsa/rsa_pk1.c: remove memcpy calls from RSA_padding_check_PKCS1_type_2.

And make RSAErr call unconditional. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit e875b0cf2f10bf2adf73e0c2ec81428290f4660c) Resolved conflicts: crypto/rsa/rsa_pk1.c (Merged from https://github.com/openssl/openssl/pull/7737)
author: Andy Polyakov <appro@openssl.org> 2018-09-01 12:00:33 +0200
committer: Matt Caswell <matt@openssl.org> 2018-12-06 11:18:35 +0000
commit: 47f8fba64353a637cacdd8751cab25a9f3be3715 (patch)
tree: b4cc06c5ab27392315d7545f4990596fb74654ae /doc
parent: 3b776fd785efb1c0af4b28ad0b8036b23071904d (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
index f20f815d47..800e777869 100644
--- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
@@ -109,7 +109,12 @@ L<ERR_get_error(3)|ERR_get_error(3)>.
 The RSA_padding_check_PKCS1_type_2() padding check leaks timing
 information which can potentially be used to mount a Bleichenbacher
 padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding.
+v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
+be recommended to pass zero-padded B<f>, so that B<fl> equals to
+B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
+expected length. In such case leakage would be minimal, it would
+take attacker's ability to observe memory access pattern with byte
+granilarity as it occurs, post-factum timing analysis won't do.
 
 =head1 SEE ALSO
author	Andy Polyakov <appro@openssl.org>	2018-09-01 12:00:33 +0200
committer	Matt Caswell <matt@openssl.org>	2018-12-06 11:18:35 +0000
commit	47f8fba64353a637cacdd8751cab25a9f3be3715 (patch)
tree	b4cc06c5ab27392315d7545f4990596fb74654ae /doc
parent	3b776fd785efb1c0af4b28ad0b8036b23071904d (diff)