Diffstat (limited to 'docs')
| -rw-r--r-- | docs/hazmat/primitives/asymmetric/rsa.rst | 5 |
| -rw-r--r-- | docs/limitations.rst | 16 |
2 files changed, 14 insertions, 7 deletions
diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index 2dfccb1a0..384cab073 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -555,6 +555,11 @@ Key interfaces .. versionadded:: 0.4 + .. warning:: + + Our implementation of PKCS1 v1.5 decryption is not constant time. See + :doc:`/limitations` for details. + Decrypt data that was encrypted with the public key. :param bytes ciphertext: The ciphertext to decrypt. diff --git a/docs/limitations.rst b/docs/limitations.rst index 227ed6cd7..3f43c743c 100644 --- a/docs/limitations.rst +++ b/docs/limitations.rst 
@@ -24,21 +24,23 @@ RSA PKCS1 v1.5 constant time decryption --------------------------------------- RSA decryption has several different modes, one of which is PKCS1 v1.5. When -used in online contexts, a secure protocol implementation requires that peers -not be able to tell whether RSA PKCS1 v1.5 decryption failed or succeeded, -even by timing variability. +used in **online contexts**, a secure protocol implementation requires that +peers not be able to tell whether RSA PKCS1 v1.5 decryption failed or +succeeded, even by timing variability. ``cryptography`` does not provide an API that makes this possible, due to the fact that RSA decryption raises an exception on failure, which takes a different amount of time than returning a value in the success case. -For this reason, at present, we recommend not implementing online protocols +Fixing this would require a new API in ``cryptography``, but OpenSSL does +not expose an API for straightforwardly implementing this while reusing +its own constant-time logic. See `issue 6167`_ for more information. + +For this reason we recommend not implementing online protocols that use RSA PKCS1 v1.5 decryption with ``cryptography`` -- independent of this limitation, such protocols generally have poor security properties due to their lack of forward security. -If a constant time RSA PKCS1 v1.5 decryption API is truly required, you should -contribute one to ``cryptography``. - .. _`Memory wiping`: https://devblogs.microsoft.com/oldnewthing/?p=4223 .. _`CERT secure coding guidelines`: https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources +.. _`issue 6167`: https://github.com/pyca/cryptography/issues/6167#issuecomment-1276151799
\ No newline at end of file |
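Review bot: The new warning in the rsa.rst hunk says "Our implementation of PKCS1 v1.5 decryption is not constant time", but the limitations.rst hunk in this same patch places the leak in the API shape (an exception on failure versus a returned value on success), not in the RSA arithmetic; align the two so readers do not conclude the underlying decryption primitive is variable-time, e.g. "Decryption with PKCS1 v1.5 padding does not fail in constant time; a peer may be able to distinguish success from failure by timing." The warning also sits directly above the generic description "Decrypt data that was encrypted with the public key.", so scoping it explicitly to the PKCS1 v1.5 padding mode would keep it from reading as a blanket statement about the decrypt method. Sending readers to :doc:`/limitations` is right; consider pointing at a section label for the RSA paragraph so the link lands on the relevant text rather than the top of the page.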
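Review bot: The added ``.. _`issue 6167`:`` target at the end of limitations.rst has no trailing newline (the hunk ends with "\ No newline at end of file"); add one so the next edit to this file does not show a spurious change on this line. Separately, the target URL pins a specific comment (``#issuecomment-1276151799``) rather than the issue; comment anchors stop resolving if the comment is edited away or the thread is locked and summarised, so either link the bare issue URL or say in the prose which comment carries the explanation. The replacement paragraph ("Fixing this would require a new API in ``cryptography``, but OpenSSL does not expose an API for straightforwardly implementing this while reusing its own constant-time logic.") is an improvement over the removed "you should contribute one" sentence because it explains why the limitation persists. One nit in the retained context: "lack of forward security" is more commonly written "forward secrecy" and could be fixed while this paragraph is being touched.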
