root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

RSA_padding_check_PKCS1_type_2 is not constant time. 

This is an inherent weakness of the padding mode. We can't make the
implementation constant time (see the comments in rsa_pk1.c), so add a
warning to the docs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Emilia Kasper 2017-07-17 16:47:13 +02:00
parent ff0426cc94
commit 1e3f62a382
2 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
doc/man3/RSA_padding_add_PKCS1_type_1.pod
View File

@ -105,6 +105,13 @@ The RSA_padding_check_xxx() functions return the length of the
recovered data, -1 on error. Error codes can be obtained by calling recovered data, -1 on error. Error codes can be obtained by calling
L<ERR_get_error(3)>. L<ERR_get_error(3)>.
=head1 WARNING
The RSA_padding_check_PKCS1_type_2() padding check leaks timing
information which can potentially be used to mount a Bleichenbacher
padding oracle attack. This is an inherent weakness in the PKCS #1
v1.5 padding design. Prefer PKCS1_OAEP padding.
=head1 SEE ALSO =head1 SEE ALSO
L<RSA_public_encrypt(3)>, L<RSA_public_encrypt(3)>,

7
doc/man3/RSA_public_encrypt.pod
View File

@ -67,6 +67,13 @@ recovered plaintext.
On error, -1 is returned; the error codes can be On error, -1 is returned; the error codes can be
obtained by L<ERR_get_error(3)>. obtained by L<ERR_get_error(3)>.
=head1 WARNING
Decryption failures in the RSA_PKCS1_PADDING mode leak information
which can potentially be used to mount a Bleichenbacher padding oracle
attack. This is an inherent weakness in the PKCS #1 v1.5 padding
design. Prefer RSA_PKCS1_OAEP_PADDING.
=head1 CONFORMING TO =head1 CONFORMING TO
SSL, PKCS #1 v2.0 SSL, PKCS #1 v2.0