Use safestack.h exclusively internally.

[openssl.git] / doc / man3 / RSA_public_encrypt.pod

diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod
index 2f78c274847f18e659a745bb9ce945fdc45266f9..91c176e24c5234f7994cf26561da077cff54e9f9 100644 (file)
--- a/doc/man3/RSA_public_encrypt.pod
+++ b/doc/man3/RSA_public_encrypt.pod
@@ -9,10 +9,10 @@ RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography
  #include <openssl/rsa.h>
 
  int RSA_public_encrypt(int flen, unsigned char *from,
-    unsigned char *to, RSA *rsa, int padding);
+                        unsigned char *to, RSA *rsa, int padding);
 
  int RSA_private_decrypt(int flen, unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding);
+                         unsigned char *to, RSA *rsa, int padding);
 
 =head1 DESCRIPTION
 
@@ -67,13 +67,20 @@ recovered plaintext.
 On error, -1 is returned; the error codes can be
 obtained by L<ERR_get_error(3)>.
 
+=head1 WARNING
+
+Decryption failures in the RSA_PKCS1_PADDING mode leak information
+which can potentially be used to mount a Bleichenbacher padding oracle
+attack. This is an inherent weakness in the PKCS #1 v1.5 padding
+design. Prefer RSA_PKCS1_OAEP_PADDING.
+
 =head1 CONFORMING TO
 
 SSL, PKCS #1 v2.0
 
 =head1 SEE ALSO
 
-L<ERR_get_error(3)>, L<rand(3)>,
+L<ERR_get_error(3)>, L<RAND_bytes(3)>,
 L<RSA_size(3)>
 
 =head1 COPYRIGHT