[openssl-commits] [openssl] master update
Emilia Kasper
emilia at openssl.org
Tue Jul 18 09:21:22 UTC 2017
The branch master has been updated
via 1e3f62a3823f7e3db9d403f724fd9d66f5b04cf8 (commit)
from ff0426cc94df5e6dd25b8cfd6f9f7c840264a400 (commit)
- Log -----------------------------------------------------------------
commit 1e3f62a3823f7e3db9d403f724fd9d66f5b04cf8
Author: Emilia Kasper <emilia at openssl.org>
Date: Mon Jul 17 16:47:13 2017 +0200
RSA_padding_check_PKCS1_type_2 is not constant time.
This is an inherent weakness of the padding mode. We can't make the
implementation constant time (see the comments in rsa_pk1.c), so add a
warning to the docs.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
doc/man3/RSA_padding_add_PKCS1_type_1.pod | 7 +++++++
doc/man3/RSA_public_encrypt.pod | 7 +++++++
2 files changed, 14 insertions(+)
diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
index 52ca15a..93911ca 100644
--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
@@ -105,6 +105,13 @@ The RSA_padding_check_xxx() functions return the length of the
recovered data, -1 on error. Error codes can be obtained by calling
L<ERR_get_error(3)>.
+=head1 WARNING
+
+The RSA_padding_check_PKCS1_type_2() padding check leaks timing
+information which can potentially be used to mount a Bleichenbacher
+padding oracle attack. This is an inherent weakness in the PKCS #1
+v1.5 padding design. Prefer PKCS1_OAEP padding.
+
=head1 SEE ALSO
L<RSA_public_encrypt(3)>,
diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod
index a495ecd..91c176e 100644
--- a/doc/man3/RSA_public_encrypt.pod
+++ b/doc/man3/RSA_public_encrypt.pod
@@ -67,6 +67,13 @@ recovered plaintext.
On error, -1 is returned; the error codes can be
obtained by L<ERR_get_error(3)>.
+=head1 WARNING
+
+Decryption failures in the RSA_PKCS1_PADDING mode leak information
+which can potentially be used to mount a Bleichenbacher padding oracle
+attack. This is an inherent weakness in the PKCS #1 v1.5 padding
+design. Prefer RSA_PKCS1_OAEP_PADDING.
+
=head1 CONFORMING TO
SSL, PKCS #1 v2.0
More information about the openssl-commits
mailing list