Add a BUGS section stating that RSA_PKCS1_PADDING is weak by design;

from Emilia Kasper <emilia at openssl dot org>
via OpenSSL commit 1e3f62a3 Jul 17 16:47:13 2017 +0200.

1 files changed, 11 insertions, 3 deletions

diff --git a/src/lib/libcrypto/man/RSA_public_encrypt.3 b/src/lib/libcrypto/man/RSA_public_encrypt.3
index 808126415d..c830d5d767 100644
--- a/src/lib/libcrypto/man/RSA_public_encrypt.3
+++ b/src/lib/libcrypto/man/RSA_public_encrypt.3
@@ -1,5 +1,5 @@
-.\"     $OpenBSD: RSA_public_encrypt.3,v 1.6 2017/03/25 18:17:45 schwarze Exp $
-.\"     OpenSSL RSA_public_encrypt.pod b41f6b64 Mar 10 15:49:04 2017 +0000
+.\"     $OpenBSD: RSA_public_encrypt.3,v 1.7 2017/08/20 20:53:04 schwarze Exp $
+.\"     OpenSSL RSA_public_encrypt.pod 1e3f62a3 Jul 17 16:47:13 2017 +0200
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
 .\" Copyright (c) 2000, 2004 The OpenSSL Project.  All rights reserved.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 25 2017 $
+.Dd $Mdocdate: August 20 2017 $
 .Dt RSA_PUBLIC_ENCRYPT 3
 .Os
 .Sh NAME
@@ -157,3 +157,11 @@ argument was added in SSLeay 0.8.
 .Dv RSA_NO_PADDING
 is available since SSLeay 0.9.0.
 OAEP was added in OpenSSL 0.9.2b.
+.Sh BUGS
+Decryption failures in the
+.Dv RSA_PKCS1_PADDING
+mode leak information which can potentially be used to mount a
+Bleichenbacher padding oracle attack.
+This is an inherent weakness in the PKCS #1 v1.5 padding design.
+Prefer
+.Dv RSA_PKCS1_OAEP_PADDING .