From: Hubert Kario Date: Mon, 12 Dec 2022 15:25:21 +0000 (+0100) Subject: rsa: fix version of rsa implicit rejection introduction X-Git-Tag: openssl-3.2.0-alpha1~1590 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8548d3bfc9fbbbe86027c685c24df393daa88674;p=thirdparty%2Fopenssl.git rsa: fix version of rsa implicit rejection introduction Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19889) --- diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index f7957e95f7f..edbcb0dce85 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -394,7 +394,7 @@ OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual negotiated protocol version. Otherwise it should be left unset. Similarly to the B above, since OpenSSL version -3.1.0, the use of B will return a randomly generated message +3.2.0, the use of B will return a randomly generated message instead of padding errors in case padding checks fail. Applications that want to remain secure while using earlier versions of OpenSSL, still need to handle both the error code from the RSA decryption operation and the diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod index 462265c5a67..67e3f2da1ec 100644 --- a/doc/man3/EVP_PKEY_decrypt.pod +++ b/doc/man3/EVP_PKEY_decrypt.pod 
@@ -53,12 +53,12 @@ algorithm. =head1 WARNINGS -In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding, +In OpenSSL versions before 3.2.0, when used in PKCS#1 v1.5 padding, both the return value from the EVP_PKEY_decrypt() and the B provided information useful in mounting a Bleichenbacher attack against the used private key. They had to processed in a side-channel free way. -Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1 +Since version 3.2.0, the EVP_PKEY_decrypt() method when used with PKCS#1 v1.5 padding doesn't return an error in case it detects an error in padding, instead it returns a pseudo-randomly generated message, removing the need of side-channel secure code from applications using OpenSSL. diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod index bd3f835ac6d..2ae6c7f2900 100644 --- a/doc/man3/RSA_public_encrypt.pod +++ b/doc/man3/RSA_public_encrypt.pod @@ -92,9 +92,9 @@ which can potentially be used to mount a Bleichenbacher padding oracle attack. This is an inherent weakness in the PKCS #1 v1.5 padding design. Prefer RSA_PKCS1_OAEP_PADDING. -In OpenSSL before version 3.1.0, both the return value and the length of +In OpenSSL before version 3.2.0, both the return value and the length of returned value could be used to mount the Bleichenbacher attack. -Since version 3.1.0, OpenSSL does not return an error in case of padding +Since version 3.2.0, OpenSSL does not return an error in case of padding checks failed. Instead it generates a random message based on used private key and provided ciphertext so that application code doesn't have to implement a side-channel secure error handling.
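Review bot: in the EVP_PKEY_CTX_ctrl.pod hunk, the unchanged context line "Applications that want to remain secure while using earlier versions of OpenSSL, still need to handle both the error code" has a stray comma between subject and verb; since this paragraph is already being edited for the version number, drop the comma. The 3.1.0 to 3.2.0 correction itself is consistent with the X-Git-Tag (openssl-3.2.0-alpha1) and with the same change in the other two files.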
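Review bot: the context line "They had to processed in a side-channel free way." in the EVP_PKEY_decrypt.pod WARNINGS hunk is missing "be" ("They had to be processed"), and "removing the need of side-channel secure code" should be "removing the need for side-channel secure code"; both are worth fixing while the paragraph is open. The section would also benefit from one sentence stating that, because a padding failure now yields a pseudo-randomly generated message rather than an error, the application must still check the recovered plaintext against the format and length it expects, since the decrypt call no longer signals the failure.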
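Review bot: the added line "Since version 3.2.0, OpenSSL does not return an error in case of padding checks failed." in the RSA_public_encrypt.pod hunk is ungrammatical; since the line is being rewritten anyway, suggest "Since version 3.2.0, OpenSSL does not return an error when padding checks fail." The following context sentence, "it generates a random message based on used private key and provided ciphertext so that application code doesn't have to implement a side-channel secure error handling", reads better as "based on the used private key and the provided ciphertext" and "implement side-channel secure error handling".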