    Make RSA key exchange code actually constant-time. · 5b8fa431
    Committed by David Benjamin
    Using RSA_PKCS1_PADDING with RSA_private_decrypt is inherently unsafe.
    The API requires writing output on success and touching the error queue
    on error. Thus, although the padding check itself is constant-time as of
    294d1e36, and the logic after the
    decryption in the SSL code is constant-time as of
    adb46dbc, the API boundary in the middle
    still leaks whether the padding check succeeded, giving us our
    much-loved Bleichenbacher padding oracle.
    
    Instead, PKCS#1 padding must be handled by the caller which uses
    RSA_NO_PADDING, in timing-sensitive code integrated with the
    Bleichenbacher mitigation. Removing PKCS#1 padding in constant time is
    actually much simpler when the expected length is a constant (and if
    it's not a constant, avoiding a padding oracle seems unlikely), so just
    do it inline.
    Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
    Reviewed-by: Rich Salz <rsalz@openssl.org>
    
    GH: #1222
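An added illustration of the inline constant-time PKCS#1 v1.5 unpadding the commit message describes (example code written here, not code from the commit or from OpenSSL): the expected length is a fixed constant, every byte is checked regardless of earlier results, and the caller selects either the message or a fallback buffer with a mask instead of branching. The helper names, the toy 32-byte block and the 0xAA fallback are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* All-ones if a == b, zero otherwise, with no data-dependent branch. */
static unsigned ct_eq_mask(unsigned a, unsigned b)
{
    unsigned x = a ^ b;                /* zero iff a == b */
    x = ~x & (x - 1);                  /* top bit set iff x == 0 */
    return 0u - (x >> (sizeof(unsigned) * 8 - 1));
}

/* Strip PKCS#1 v1.5 type-2 padding from the raw RSA_NO_PADDING output em
 * (num = modulus size) when exactly tlen plaintext bytes are expected.
 * Every byte is inspected whatever earlier checks found; on success out gets
 * the message, on failure it gets fallback (random bytes in the TLS fix).
 * Returns all-ones for valid padding, else zero; never branch on it. */
unsigned ct_pkcs1_unpad(uint8_t *out, const uint8_t *fallback, size_t tlen,
                        const uint8_t *em, size_t num)
{
    size_t i, sep = num - tlen - 1;    /* index of the 0x00 separator */
    unsigned good;

    if (num < tlen + 11)               /* public sizes: safe to branch */
        return 0;
    good = ct_eq_mask(em[0], 0x00) & ct_eq_mask(em[1], 0x02);
    for (i = 2; i < sep; i++)          /* >= 8 non-zero padding bytes */
        good &= ~ct_eq_mask(em[i], 0x00);
    good &= ct_eq_mask(em[sep], 0x00);
    for (i = 0; i < tlen; i++)         /* masked select, no branch */
        out[i] = (uint8_t)((em[num - tlen + i] & good) | (fallback[i] & ~good));
    return good;
}

/* Constructed vectors: toy 32-byte block, 8-byte message; 0 means all good. */
int ct_pkcs1_selftest(void)
{
    uint8_t em[32], out[8], fallback[8], msg[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    size_t i;
    memset(fallback, 0xAA, sizeof fallback);
    em[0] = 0x00; em[1] = 0x02;
    for (i = 2; i < 23; i++) em[i] = (uint8_t)(0x10 + i);  /* non-zero pad */
    em[23] = 0x00;
    memcpy(em + 24, msg, 8);
    if (ct_pkcs1_unpad(out, fallback, 8, em, 32) != ~0u) return 1;
    if (memcmp(out, msg, 8) != 0) return 2;
    em[5] = 0x00;                      /* a zero inside the padding string */
    if (ct_pkcs1_unpad(out, fallback, 8, em, 32) != 0) return 3;
    if (memcmp(out, fallback, 8) != 0) return 4;
    return 0;
}
```

In the TLS server the fallback would be a freshly generated random premaster secret, so a forged ciphertext and a valid one take the same code path and produce output of the same shape.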
statem_srvr.c 102.6 KB