From f1006f188c90e81898b69fb84e67e674bcdae030 Mon Sep 17 00:00:00 2001
From: Bernd Edlinger
Date: Sun, 3 Mar 2019 14:25:52 +0100
Subject: [PATCH] Update documentation of RSA_padding_check_PKCS1_OAEP_mgf1
Reviewed-by: Kurt Roeckx
(Merged from https://github.com/openssl/openssl/pull/8365)
(cherry picked from commit f0e4a860d0b350e10a1ee3898445cac85af8ea16)
---
 doc/man3/RSA_padding_add_PKCS1_type_1.pod | 60 ++++++++++++++++-------
 1 file changed, 41 insertions(+), 19 deletions(-)
diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
index 9ea2634c03..20926003d8 100644
--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
@@ -5,6 +5,7 @@
 RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1,
 RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2,
 RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP,
+RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1,
 RSA_padding_add_SSLv23, RSA_padding_check_SSLv23,
 RSA_padding_add_none, RSA_padding_check_none - asymmetric encryption
 padding
@@ -14,35 +15,46 @@ padding
 #include
 int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- unsigned char *f, int fl);
+ const unsigned char *f, int fl);
 int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
+ const unsigned char *f, int fl, int rsa_len);
 int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
- unsigned char *f, int fl);
+ const unsigned char *f, int fl);
 int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
+ const unsigned char *f, int fl, int rsa_len);
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
- unsigned char *f, int fl, unsigned char *p, int pl);
+ const unsigned char *f, int fl,
+ const unsigned char *p, int pl);
 int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len,
- unsigned char *p, int pl);
+ const unsigned char *f, int fl, int rsa_len,
+ const unsigned char *p, int pl);
+
+ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+ const unsigned char *f, int fl,
+ const unsigned char *p, int pl,
+ const EVP_MD *md, const EVP_MD *mgf1md);
+
+ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+ const unsigned char *f, int fl, int rsa_len,
+ const unsigned char *p, int pl,
+ const EVP_MD *md, const EVP_MD *mgf1md);
 int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
- unsigned char *f, int fl);
+ const unsigned char *f, int fl);
 int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
+ const unsigned char *f, int fl, int rsa_len);
 int RSA_padding_add_none(unsigned char *to, int tlen,
- unsigned char *f, int fl);
+ const unsigned char *f, int fl);
 int RSA_padding_check_none(unsigned char *to, int tlen,
- unsigned char *f, int fl, int rsa_len);
+ const unsigned char *f, int fl, int rsa_len);
 =head1 DESCRIPTION
@@ -98,6 +110,10 @@ at B.
 For RSA_padding_xxx_OAEP(), B

points to the encoding parameter of length B. B

may be B if B is 0.
+For RSA_padding_xxx_OAEP_mgf1(), B points to the md hash,
+if B is B that means md=sha1, and B points to
+the mgf1 hash, if B is B that means mgf1md=md.
+
 =head1 RETURN VALUES
 The RSA_padding_add_xxx() functions return 1 on success, 0 on error.
@@ -107,15 +123,21 @@ L.
 =head1 WARNING
-The RSA_padding_check_PKCS1_type_2() padding check leaks timing
+The result of RSA_padding_check_PKCS1_type_2() is a very sensitive
 information which can potentially be used to mount a Bleichenbacher
 padding oracle attack. This is an inherent weakness in the PKCS #1
-v1.5 padding design. Prefer PKCS1_OAEP padding. Otherwise it can
-be recommended to pass zero-padded B, so that B equals to
-B, and if fixed by protocol, B being set to the
-expected length. In such case leakage would be minimal, it would
-take attacker's ability to observe memory access pattern with byte
-granilarity as it occurs, post-factum timing analysis won't do.
+v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not
+possible, the result of RSA_padding_check_PKCS1_type_2() should be
+checked in constant time if it matches the expected length of the
+plaintext and additionally some application specific consistency
+checks on the plaintext need to be performed in constant time.
+If the plaintext is rejected it must be kept secret which of the
+checks caused the application to reject the message.
+Do not remove the zero-padding from the decrypted raw RSA data
+which was computed by RSA_private_decrypt() with B,
+as this would create a small timing side channel which could be
+used to mount a Bleichenbacher attack against any padding mode
+including PKCS1_OAEP.
 =head1 SEE ALSO
@@ -125,7 +147,7 @@ L, L
 =head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
 Licensed under the OpenSSL license (the "License"). You may not use
 this file except in compliance with the License. You can obtain a copy
--
GitLab