diff options
Diffstat (limited to 'secure/lib/libcrypto/man/man3/RSA_public_encrypt.3')
| -rw-r--r-- | secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 | 160 |
1 files changed, 49 insertions, 111 deletions
diff --git a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 index 1d2c5c0a8b53..1e5461bb97fc 100644 --- a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 +++ b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 @@ -1,4 +1,5 @@ -.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42) +.\" -*- mode: troff; coding: utf-8 -*- +.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) .\" .\" Standard preamble: .\" ======================================================================== @@ -15,29 +16,12 @@ .ft R .fi .. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. .ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' . ds C` . ds C' 'br\} @@ -68,84 +52,24 @@ . \} .\} .rr rF -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "RSA_PUBLIC_ENCRYPT 3ossl" -.TH RSA_PUBLIC_ENCRYPT 3ossl "2023-09-19" "3.0.11" "OpenSSL" +.TH RSA_PUBLIC_ENCRYPT 3ossl 2025-07-01 3.5.1 OpenSSL .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh -.SH "NAME" +.SH NAME RSA_public_encrypt, RSA_private_decrypt \- RSA public key cryptography -.SH "SYNOPSIS" +.SH SYNOPSIS .IX Header "SYNOPSIS" .Vb 1 \& #include <openssl/rsa.h> .Ve .PP The following functions have been deprecated since OpenSSL 3.0, and can be -hidden entirely by defining \fB\s-1OPENSSL_API_COMPAT\s0\fR with a suitable version value, +hidden entirely by defining \fBOPENSSL_API_COMPAT\fR with a suitable version value, see \fBopenssl_user_macros\fR\|(7): .PP .Vb 2 @@ -155,7 +79,7 @@ see \fBopenssl_user_macros\fR\|(7): \& int RSA_private_decrypt(int flen, const unsigned char *from, \& unsigned char *to, RSA *rsa, int padding); .Ve -.SH "DESCRIPTION" +.SH DESCRIPTION .IX Header "DESCRIPTION" Both of the functions described on this page are deprecated. Applications should instead use \fBEVP_PKEY_encrypt_init_ex\fR\|(3), @@ -167,25 +91,25 @@ session key) using the public key \fBrsa\fR and stores the ciphertext in \&\fBto\fR. \fBto\fR must point to RSA_size(\fBrsa\fR) bytes of memory. .PP \&\fBpadding\fR denotes one of the following modes: -.IP "\s-1RSA_PKCS1_PADDING\s0" 4 +.IP RSA_PKCS1_PADDING 4 .IX Item "RSA_PKCS1_PADDING" -\&\s-1PKCS\s0 #1 v1.5 padding. This currently is the most widely used mode. -However, it is highly recommended to use \s-1RSA_PKCS1_OAEP_PADDING\s0 in -new applications. \s-1SEE WARNING BELOW.\s0 -.IP "\s-1RSA_PKCS1_OAEP_PADDING\s0" 4 +PKCS #1 v1.5 padding. This currently is the most widely used mode. +However, it is highly recommended to use RSA_PKCS1_OAEP_PADDING in +new applications. SEE WARNING BELOW. +.IP RSA_PKCS1_OAEP_PADDING 4 .IX Item "RSA_PKCS1_OAEP_PADDING" -EME-OAEP as defined in \s-1PKCS\s0 #1 v2.0 with \s-1SHA\-1, MGF1\s0 and an empty +EME-OAEP as defined in PKCS #1 v2.0 with SHA\-1, MGF1 and an empty encoding parameter. This mode is recommended for all new applications. -.IP "\s-1RSA_NO_PADDING\s0" 4 +.IP RSA_NO_PADDING 4 .IX Item "RSA_NO_PADDING" -Raw \s-1RSA\s0 encryption. This mode should \fIonly\fR be used to implement +Raw RSA encryption. This mode should \fIonly\fR be used to implement cryptographically sound padding modes in the application code. -Encrypting user data directly with \s-1RSA\s0 is insecure. +Encrypting user data directly with RSA is insecure. .PP -\&\fBflen\fR must not be more than RSA_size(\fBrsa\fR) \- 11 for the \s-1PKCS\s0 #1 v1.5 -based padding modes, not more than RSA_size(\fBrsa\fR) \- 42 for -\&\s-1RSA_PKCS1_OAEP_PADDING\s0 and exactly RSA_size(\fBrsa\fR) for \s-1RSA_NO_PADDING.\s0 -When a padding mode other than \s-1RSA_NO_PADDING\s0 is in use, then +When encrypting \fBflen\fR must not be more than RSA_size(\fBrsa\fR) \- 11 for the +PKCS #1 v1.5 based padding modes, not more than RSA_size(\fBrsa\fR) \- 42 for +RSA_PKCS1_OAEP_PADDING and exactly RSA_size(\fBrsa\fR) for RSA_NO_PADDING. +When a padding mode other than RSA_NO_PADDING is in use, then \&\fBRSA_public_encrypt()\fR will include some random bytes into the ciphertext and therefore the ciphertext will be different each time, even if the plaintext and the public key are exactly identical. @@ -199,9 +123,9 @@ be equal to RSA_size(\fBrsa\fR) but may be smaller, when leading zero bytes are in the ciphertext. Those are not important and may be removed, but \fBRSA_public_encrypt()\fR does not do that. \fBto\fR must point to a memory section large enough to hold the maximal possible decrypted -data (which is equal to RSA_size(\fBrsa\fR) for \s-1RSA_NO_PADDING,\s0 -RSA_size(\fBrsa\fR) \- 11 for the \s-1PKCS\s0 #1 v1.5 based padding modes and -RSA_size(\fBrsa\fR) \- 42 for \s-1RSA_PKCS1_OAEP_PADDING\s0). +data (which is equal to RSA_size(\fBrsa\fR) for RSA_NO_PADDING, +RSA_size(\fBrsa\fR) \- 11 for the PKCS #1 v1.5 based padding modes and +RSA_size(\fBrsa\fR) \- 42 for RSA_PKCS1_OAEP_PADDING). \&\fBpadding\fR is the padding mode that was used to encrypt the data. \&\fBto\fR and \fBfrom\fR may overlap. .SH "RETURN VALUES" @@ -213,27 +137,41 @@ means only that the plaintext was empty. .PP On error, \-1 is returned; the error codes can be obtained by \fBERR_get_error\fR\|(3). -.SH "WARNINGS" +.SH WARNINGS .IX Header "WARNINGS" -Decryption failures in the \s-1RSA_PKCS1_PADDING\s0 mode leak information +Decryption failures in the RSA_PKCS1_PADDING mode leak information which can potentially be used to mount a Bleichenbacher padding oracle -attack. This is an inherent weakness in the \s-1PKCS\s0 #1 v1.5 padding -design. Prefer \s-1RSA_PKCS1_OAEP_PADDING.\s0 +attack. This is an inherent weakness in the PKCS #1 v1.5 padding +design. Prefer RSA_PKCS1_OAEP_PADDING. +.PP +In OpenSSL before version 3.2.0, both the return value and the length of +returned value could be used to mount the Bleichenbacher attack. +Since version 3.2.0, the default provider in OpenSSL does not return an +error when padding checks fail. Instead it generates a random +message based on used private +key and provided ciphertext so that application code doesn't have to implement +a side-channel secure error handling. +Applications that want to be secure against side-channel attacks with +providers that don't implement implicit rejection, still need to +handle the returned values using side-channel free code. +Side-channel free handling of the error stack can be performed using +either a pair of unconditional \fBERR_set_mark\fR\|(3) and \fBERR_pop_to_mark\fR\|(3) +calls or by using the \fBERR_clear_error\fR\|(3) call. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -\&\s-1SSL, PKCS\s0 #1 v2.0 +SSL, PKCS #1 v2.0 .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3), -\&\fBRSA_size\fR\|(3) -.SH "HISTORY" +\&\fBRSA_size\fR\|(3), \fBEVP_PKEY_decrypt\fR\|(3), \fBEVP_PKEY_encrypt\fR\|(3) +.SH HISTORY .IX Header "HISTORY" Both of these functions were deprecated in OpenSSL 3.0. -.SH "COPYRIGHT" +.SH COPYRIGHT .IX Header "COPYRIGHT" -Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000\-2024 The OpenSSL Project Authors. All Rights Reserved. .PP -Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use +Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy -in the file \s-1LICENSE\s0 in the source distribution or at +in the file LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>. |