Janos Follath 393df9c995 Add warning for PKCS 1.5 decryption
Any timing variance dependent on the output of this function enables a
Bleichenbacher attack. It is extremely difficult to use safely.

In the Marvin attack paper
(https://people.redhat.com/~hkario/marvin/marvin-attack-paper.pdf) the
author suggests that implementations of PKCS 1.5 decryption that don't
include a countermeasure should be considered inherently dangerous.

They suggest that all libraries implement the same countermeasure, as
implementing different countermeasures across libraries enables the
Bleichenbacher attack as well.

This is extremely fragile and therefore we don't implement it. The use
of PKCS 1.5 in Mbed TLS implements the countermeasures recommended in
the TLS standard (7.4.7.1 of RFC 5246) and is not vulnerable.

Add a warning to PKCS 1.5 decryption to warn users about this.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-01-22 15:33:19 +00:00
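The TLS-layer countermeasure the commit message refers to (RFC 5246 section 7.4.7.1: generate a random premaster secret R first, then replace it with the decrypted bytes only when the padding, length and client_version checks all pass, without letting the choice affect timing) is shown below as an added C example. It is not code from this commit or from Mbed TLS; `decrypt_result_t`, `ct_mask_eq_u32`, `tls_select_premaster` and `run_case` are hypothetical names, and the "decrypted" bytes and the stand-in randomness are constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48   /* TLS premaster secret length (RFC 5246 7.4.7.1) */

/* Returns 0xFF when a == b and 0x00 otherwise, with no data-dependent branch. */
static uint8_t ct_mask_eq_u32(uint32_t a, uint32_t b)
{
    uint32_t d  = a ^ b;                  /* zero iff a == b */
    uint32_t nz = (d | (0u - d)) >> 31;   /* 1 iff d != 0 */
    return (uint8_t)(nz - 1u);            /* 0xFF iff d == 0, else 0x00 */
}

/* Stand-in (hypothetical, not an Mbed TLS type) for what a caller gets back
 * from an RSA PKCS#1 v1.5 decryption: status code, output length, output. */
typedef struct {
    int     ret;            /* 0 on success, non-zero on padding or other error */
    size_t  olen;           /* number of bytes written to pms */
    uint8_t pms[PMS_LEN];   /* decrypted bytes; [0..1] carry client_version */
} decrypt_result_t;

/* RFC 5246 7.4.7.1 selection: start from fresh random R and take the decrypted
 * bytes only if every check passes. The checks are folded into one mask and
 * applied over the whole buffer, so the work done is the same either way.
 * Returns the mask used (0xFF = decrypted bytes selected, 0x00 = R selected). */
uint8_t tls_select_premaster(const decrypt_result_t *dec,
                             const uint8_t random_r[PMS_LEN],
                             uint16_t expected_version,
                             uint8_t out[PMS_LEN])
{
    uint8_t m = ct_mask_eq_u32((uint32_t)dec->ret, 0u);
    m &= ct_mask_eq_u32((uint32_t)dec->olen, PMS_LEN);
    m &= ct_mask_eq_u32(dec->pms[0], (uint32_t)(expected_version >> 8));
    m &= ct_mask_eq_u32(dec->pms[1], (uint32_t)(expected_version & 0xFF));

    for (size_t i = 0; i < PMS_LEN; i++) {
        out[i] = (uint8_t)((dec->pms[i] & m) | (random_r[i] & (uint8_t)~m));
    }
    return m;
}

/* Constructed scenario (not captured traffic): fake "decrypted" bytes 0xAA..,
 * fake R 0x55.., expected client_version 0x0303. Returns 1 if the decrypted
 * secret was selected, 0 if R was selected, -1 if the output matches neither. */
int run_case(int ret, size_t olen, uint8_t v_hi, uint8_t v_lo)
{
    decrypt_result_t dec;
    uint8_t random_r[PMS_LEN];
    uint8_t out[PMS_LEN];

    memset(dec.pms, 0xAA, PMS_LEN);
    memset(random_r, 0x55, PMS_LEN);   /* constructed stand-in for a CSPRNG output */
    dec.ret  = ret;
    dec.olen = olen;
    dec.pms[0] = v_hi;
    dec.pms[1] = v_lo;

    uint8_t m = tls_select_premaster(&dec, random_r, 0x0303, out);
    if (m == 0xFF && memcmp(out, dec.pms, PMS_LEN) == 0) return 1;
    if (m == 0x00 && memcmp(out, random_r, PMS_LEN) == 0) return 0;
    return -1;
}

int main(void)
{
    printf("valid ciphertext      -> %d (1 = decrypted bytes used)\n",
           run_case(0, PMS_LEN, 0x03, 0x03));
    printf("padding error         -> %d (0 = random R used)\n",
           run_case(-1, PMS_LEN, 0x03, 0x03));
    printf("wrong length          -> %d\n", run_case(0, PMS_LEN - 1, 0x03, 0x03));
    printf("wrong client_version  -> %d\n", run_case(0, PMS_LEN, 0x03, 0x01));
    return 0;
}
```

This covers only the selection step above the decryption call: the RSA operation and the PKCS#1 v1.5 unpadding beneath it must themselves run in constant time, and the status code must not be reported to the peer, which is why the commit warns callers who use the decryption function directly rather than through the TLS code path that applies this handling. The mask arithmetic is a portable pattern, not a guarantee against a compiler re-introducing a branch; production code checks the generated instructions.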