[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Emilia Kasper emilia at openssl.org
Tue Jul 18 09:29:03 UTC 2017

The branch OpenSSL_1_1_0-stable has been updated
       via  b9cdcb081c97846255cd0bf812b1ca294ddd7875 (commit)
      from  56c13d2bfa1983d71bcfcc5dfaf3592c5c6978e2 (commit)

- Log -----------------------------------------------------------------
commit b9cdcb081c97846255cd0bf812b1ca294ddd7875
Author: Emilia Kasper <emilia at openssl.org>
Date:   Tue Jul 18 11:26:34 2017 +0200

    RSA_padding_check_PKCS1_type_2 is not constant time.
    This is an inherent weakness of the padding mode. We can't make the
    implementation constant time (see the comments in rsa_pk1.c), so add a
    warning to the docs.
    Reviewed-by: Rich Salz <rsalz at openssl.org>


Summary of changes:
 doc/crypto/RSA_padding_add_PKCS1_type_1.pod | 7 +++++++
 doc/crypto/RSA_public_encrypt.pod           | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
index 3089944..5b53eb9 100644
--- a/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/crypto/RSA_padding_add_PKCS1_type_1.pod
@@ -104,6 +104,13 @@ The RSA_padding_check_xxx() functions return the length of the
 recovered data, -1 on error. Error codes can be obtained by calling
+=head1 WARNING
+The RSA_padding_check_PKCS1_type_2() padding check leaks timing
+information which can potentially be used to mount a Bleichenbacher
+padding oracle attack. This is an inherent weakness in the PKCS #1
+v1.5 padding design. Prefer PKCS1_OAEP padding.
 =head1 SEE ALSO
diff --git a/doc/crypto/RSA_public_encrypt.pod b/doc/crypto/RSA_public_encrypt.pod
index 05eda94..b1dd50d 100644
--- a/doc/crypto/RSA_public_encrypt.pod
+++ b/doc/crypto/RSA_public_encrypt.pod
@@ -67,6 +67,13 @@ recovered plaintext.
 On error, -1 is returned; the error codes can be
 obtained by L<ERR_get_error(3)>.
+=head1 WARNING
+Decryption failures in the RSA_PKCS1_PADDING mode leak information
+which can potentially be used to mount a Bleichenbacher padding oracle
+attack. This is an inherent weakness in the PKCS #1 v1.5 padding
+design. Prefer RSA_PKCS1_OAEP_PADDING.
 SSL, PKCS #1 v2.0

More information about the openssl-commits mailing list