From 641b14538a2987bf20fa1b25f96201419a66589c Mon Sep 17 00:00:00 2001 From: schwarze <> Date: Sun, 20 Aug 2017 20:53:04 +0000 Subject: Add a BUGS section stating that RSA_PKCS1_PADDING is weak by design; from Emilia Kasper via OpenSSL commit 1e3f62a3 Jul 17 16:47:13 2017 +0200. --- src/lib/libcrypto/man/RSA_public_encrypt.3 | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libcrypto/man/RSA_public_encrypt.3 b/src/lib/libcrypto/man/RSA_public_encrypt.3 index 808126415d..c830d5d767 100644 --- a/src/lib/libcrypto/man/RSA_public_encrypt.3 +++ b/src/lib/libcrypto/man/RSA_public_encrypt.3 @@ -1,5 +1,5 @@ -.\" $OpenBSD: RSA_public_encrypt.3,v 1.6 2017/03/25 18:17:45 schwarze Exp $ -.\" OpenSSL RSA_public_encrypt.pod b41f6b64 Mar 10 15:49:04 2017 +0000 +.\" $OpenBSD: RSA_public_encrypt.3,v 1.7 2017/08/20 20:53:04 schwarze Exp $ +.\" OpenSSL RSA_public_encrypt.pod 1e3f62a3 Jul 17 16:47:13 2017 +0200 .\" .\" This file was written by Ulf Moeller . .\" Copyright (c) 2000, 2004 The OpenSSL Project. All rights reserved. @@ -48,7 +48,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 25 2017 $ +.Dd $Mdocdate: August 20 2017 $ .Dt RSA_PUBLIC_ENCRYPT 3 .Os .Sh NAME @@ -157,3 +157,11 @@ argument was added in SSLeay 0.8. .Dv RSA_NO_PADDING is available since SSLeay 0.9.0. OAEP was added in OpenSSL 0.9.2b. +.Sh BUGS +Decryption failures in the +.Dv RSA_PKCS1_PADDING +mode leak information which can potentially be used to mount a +Bleichenbacher padding oracle attack. +This is an inherent weakness in the PKCS #1 v1.5 padding design. +Prefer +.Dv RSA_PKCS1_OAEP_PADDING . -- cgit v1.2.3-55-g6feb
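Review bot: the new BUGS section in the third hunk names the attack but gives the reader no guidance for the case where PKCS #1 v1.5 padding cannot be dropped (legacy protocol compatibility); consider adding one sentence after "Prefer .Dv RSA_PKCS1_OAEP_PADDING ." saying that callers who must keep RSA_PKCS1_PADDING should handle padding failures indistinguishably from other decryption results (same error path, same timing, no distinct error message to the peer), since the leak described in "Decryption failures in the .Dv RSA_PKCS1_PADDING mode leak information" is only exploitable when the caller exposes that distinction. A reference block (.Rs / .%A / .%T / .%D / .Re) citing Bleichenbacher's CRYPTO 1998 paper "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1" would also let readers locate the attack the text names. Otherwise the mdoc is fine: .Dv on the constant names and the trailing period as a separate argument follow the conventions used elsewhere in the file.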