author: Ingo Schwarze <schwarze@cvs.openbsd.org> 2017-08-20 20:45:19 +0000
committer: Ingo Schwarze <schwarze@cvs.openbsd.org> 2017-08-20 20:45:19 +0000
commit: 8c0d0f58a96b8fe672db8e1de0c7a5c3071115aa (patch)
tree: d133ff945727fecf72400121564a27719ac2d55b /lib/libcrypto/man
parent: 996a69834491647ac5d4e2018ece0d1b8f83fa8e (diff)
Add a BUGS section
stating that RSA_padding_check_PKCS1_type_2(3) is weak by design; from Emilia Kasper <emilia at openssl dot org> via OpenSSL commit 1e3f62a3 Jul 17 16:47:13 2017 +0200.
Diffstat (limited to 'lib/libcrypto/man')
-rw-r--r--  lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3  13
1 files changed, 10 insertions, 3 deletions
diff --git a/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 b/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
index 2c7fdb66c7f..29a0eae1b47 100644
--- a/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
+++ b/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
@@ -1,5 +1,5 @@
-.\" $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.4 2016/12/11 12:21:48 schwarze Exp $
-.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\" $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.5 2017/08/20 20:45:18 schwarze Exp $
+.\" OpenSSL 1e3f62a3 Jul 17 16:47:13 2017 +0200
.\"
.\" This file was written by Ulf Moeller <ulf@openssl.org>.
.\" Copyright (c) 2000 The OpenSSL Project. All rights reserved.
@@ -48,7 +48,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: December 11 2016 $
+.Dd $Mdocdate: August 20 2017 $
.Dt RSA_PADDING_ADD_PKCS1_TYPE_1 3
.Os
.Sh NAME
@@ -246,3 +246,10 @@ appeared in SSLeay 0.9.0.
and
.Fn RSA_padding_check_PKCS1_OAEP
were added in OpenSSL 0.9.2b.
+.Sh BUGS
+The
+.Fn RSA_padding_check_PKCS1_type_2
+padding check leaks timing information which can potentially be
+used to mount a Bleichenbacher padding oracle attack.
+This is an inherent weakness in the PKCS #1 v1.5 padding design.
+Prefer PKCS1_OAEP padding.
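Review bot: the closing recommendation "Prefer PKCS1_OAEP padding." in the new BUGS section names the alternative as bare text; since the OAEP routines are already documented on this page (the context lines just above this hunk show `.Fn RSA_padding_check_PKCS1_OAEP`), it would be more useful to point the reader at them with the same `.Fn` markup used for `RSA_padding_check_PKCS1_type_2` three lines earlier, e.g. "Prefer the OAEP padding provided by .Fn RSA_padding_add_PKCS1_OAEP and .Fn RSA_padding_check_PKCS1_OAEP", so the man page cross-references the concrete replacement rather than a padding name the reader has to look up. The substance is right: the section correctly says the timing leak is inherent to the PKCS #1 v1.5 type 2 format rather than an implementation defect, so a caller cannot remove it by hardening their own code, which is exactly why a concrete pointer to the replacement matters here.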