From f6b981f4a6516aead24667ad1b21501c3bfcbe99 Mon Sep 17 00:00:00 2001 From: schwarze <> Date: Sun, 20 Aug 2017 20:45:18 +0000 Subject: Add a BUGS section stating that RSA_padding_check_PKCS1_type_2(3) is weak by design; from Emilia Kasper via OpenSSL commit 1e3f62a3 Jul 17 16:47:13 2017 +0200. --- src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 b/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 index 2c7fdb66c7..29a0eae1b4 100644 --- a/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 +++ b/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.4 2016/12/11 12:21:48 schwarze Exp $ -.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 +.\" $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.5 2017/08/20 20:45:18 schwarze Exp $ +.\" OpenSSL 1e3f62a3 Jul 17 16:47:13 2017 +0200 .\" .\" This file was written by Ulf Moeller . .\" Copyright (c) 2000 The OpenSSL Project. All rights reserved. @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 11 2016 $ +.Dd $Mdocdate: August 20 2017 $ .Dt RSA_PADDING_ADD_PKCS1_TYPE_1 3 .Os .Sh NAME @@ -246,3 +246,10 @@ appeared in SSLeay 0.9.0. and .Fn RSA_padding_check_PKCS1_OAEP were added in OpenSSL 0.9.2b. +.Sh BUGS +The +.Fn RSA_padding_check_PKCS1_type_2 +padding check leaks timing information which can potentially be +used to mount a Bleichenbacher padding oracle attack. +This is an inherent weakness in the PKCS #1 v1.5 padding design. +Prefer PKCS1_OAEP padding. -- cgit v1.2.3-55-g6feb
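Review bot: In the BUGS hunk, "leaks timing information which can potentially be used to mount a Bleichenbacher padding oracle attack" attributes the oracle to timing alone, but a Bleichenbacher attack needs only some observable difference between valid and invalid padding, and the error return of RSA_padding_check_PKCS1_type_2 gives the caller exactly that distinction; a caller that reports the failure to the peer reproduces the oracle even if the check itself took constant time. Suggest adding a sentence after the timing one along the lines of "Any caller that reveals whether the check failed, for example by returning a distinguishable error to the peer, provides the same oracle regardless of timing." The closing line "Prefer PKCS1_OAEP padding." is also plain text where the rest of the page marks function names with .Fn, so point the reader at the functions the HISTORY context already names, e.g. "Prefer .Fn RSA_padding_add_PKCS1_OAEP and .Fn RSA_padding_check_PKCS1_OAEP instead." so the alternative is the documented API rather than a bare padding name.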