Diffstat (limited to 'crypto/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod')
-rw-r--r--crypto/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod7
1 files changed, 6 insertions, 1 deletions
diff --git a/crypto/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/crypto/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod
index 93911cac97d6f..9ea2634c03468 100644
--- a/crypto/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+++ b/crypto/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod
@@ -110,7 +110,12 @@ L<ERR_get_error(3)>.
The RSA_padding_check_PKCS1_type_2() padding check leaks timing
information which can potentially be used to mount a Bleichenbacher
padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding.
+v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
+be recommended to pass zero-padded B<f>, so that B<fl> equals to
+B<rsa_len>, and if fixed by protocol, B<tlen> being set to the
+expected length. In such case leakage would be minimal, it would
+take attacker's ability to observe memory access pattern with byte
+granilarity as it occurs, post-factum timing analysis won't do.
=head1 SEE ALSO
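Review bot: the added text in this hunk has a spelling error, "granilarity" should be "granularity", and "B<fl> equals to B<rsa_len>" should read "B<fl> equals B<rsa_len>". The closing sentence is also hard to parse as written; suggest rewording it to something like "In that case the leakage is minimal: an attacker would need to observe memory access patterns with byte granularity as they occur, and post-factum timing analysis would not suffice." It would further help the reader to state explicitly that the zero-padded B<f> is the full RSA-length decrypted block (left-padded with zero bytes), since that is what makes B<fl> equal B<rsa_len> and lets the check take the constant-time path the paragraph is recommending.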