@@ -94,10 +94,17 @@ design. Prefer RSA_PKCS1_OAEP_PADDING.
In OpenSSL before version 3.2.0, both the return value and the length of
returned value could be used to mount the Bleichenbacher attack.
-Since version 3.2.0, OpenSSL does not return an error in case of padding
-checks failed. Instead it generates a random message based on used private
+Since version 3.2.0, the default provider in OpenSSL does not return an
+error when padding checks fail. Instead it generates a random
+message based on used private
key and provided ciphertext so that application code doesn't have to implement
a side-channel secure error handling.
+Applications that want to be secure against side-channel attacks with
+providers that don't implement implicit rejection, still need to
+handle the returned values using side-channel free code.
+Side-channel free handling of the error stack can be peformed using
+either a pair of unconditional L<ERR_set_mark(3)> and L<ERR_pop_to_mark(3)>
+calls or by using the L<ERR_clear_error(3)> call.
=head1 CONFORMING TO
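Review bot: the added paragraph starting "Applications that want to be secure against side-channel attacks" tells callers to handle "the returned values using side-channel free code", but the sentence that follows only covers the error stack (L<ERR_set_mark(3)> with L<ERR_pop_to_mark(3)>, or L<ERR_clear_error(3)>). The context line above names both the return value and the length of the returned value as usable for the Bleichenbacher attack, so add a sentence on how those two are to be processed, or state explicitly that this is left to the application. The paragraph also does not say how an application can tell whether the provider in use implements implicit rejection; one sentence on that would make the advice actionable. Wording nits in the same hunk: "peformed" should be "performed", the comma in "implicit rejection, still need to" should be dropped, and "based on used private key" reads better as "based on the private key used".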
@@ -106,7 +113,7 @@ SSL, PKCS #1 v2.0
=head1 SEE ALSO
L<ERR_get_error(3)>, L<RAND_bytes(3)>,
-L<RSA_size(3)>
+L<RSA_size(3)>, L<EVP_PKEY_decrypt(3)>, L<EVP_PKEY_encrypt(3)>
=head1 HISTORY
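Review bot: the "+L<RSA_size(3)>, L<EVP_PKEY_decrypt(3)>, L<EVP_PKEY_encrypt(3)>" line extends SEE ALSO with the two EVP_PKEY pages but leaves out L<ERR_set_mark(3)>, L<ERR_pop_to_mark(3)> and L<ERR_clear_error(3)>, which the new text in the previous hunk links to. Consider listing them here next to L<ERR_get_error(3)> so the section covers every page the text refers to.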