From 1e3f62a3823f7e3db9d403f724fd9d66f5b04cf8 Mon Sep 17 00:00:00 2001 From: Emilia Kasper Date: Mon, 17 Jul 2017 16:47:13 +0200 Subject: [PATCH] RSA_padding_check_PKCS1_type_2 is not constant time. This is an inherent weakness of the padding mode. We can't make the implementation constant time (see the comments in rsa_pk1.c), so add a warning to the docs. Reviewed-by: Rich Salz --- doc/man3/RSA_padding_add_PKCS1_type_1.pod | 7 +++++++ doc/man3/RSA_public_encrypt.pod | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod index 52ca15a72c..93911cac97 100644 --- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod +++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod @@ -105,6 +105,13 @@ The RSA_padding_check_xxx() functions return the length of the recovered data, -1 on error. Error codes can be obtained by calling L. +=head1 WARNING + +The RSA_padding_check_PKCS1_type_2() padding check leaks timing +information which can potentially be used to mount a Bleichenbacher +padding oracle attack. This is an inherent weakness in the PKCS #1 +v1.5 padding design. Prefer PKCS1_OAEP padding. + =head1 SEE ALSO L, diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod index a495ecdf76..91c176e24c 100644 --- a/doc/man3/RSA_public_encrypt.pod +++ b/doc/man3/RSA_public_encrypt.pod @@ -67,6 +67,13 @@ recovered plaintext. On error, -1 is returned; the error codes can be obtained by L. +=head1 WARNING + +Decryption failures in the RSA_PKCS1_PADDING mode leak information +which can potentially be used to mount a Bleichenbacher padding oracle +attack. This is an inherent weakness in the PKCS #1 v1.5 padding +design. Prefer RSA_PKCS1_OAEP_PADDING. + =head1 CONFORMING TO SSL, PKCS #1 v2.0 -- 2.34.1