On Tue, 14 Mar 2023 21:58:46 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

>> May I get a chance to review it before the integration? I may need more time 
>> to dig into time-constant issue.
> 
> If I read the Bleichenbacher's 
> Attack[[1]](https://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf)[[2]](https://medium.com/@c0D3M/bleichenbacher-attack-explained-bc630f88ff25)[[3]](https://asecuritysite.com/encryption/c_c3)
>  right, the attack works if it can tell the difference between good 
> conditions and error conditions.  RFC 8017 says "distinguish the different 
> error conditions", but it may be parsed differently for various context.  
> Please be careful about this update.
> 
> Thank you for giving me more time to look into the details.

> @XueleiFan are you still looking into the details of this change?

I'm not sure this update is safe.  It would be good (and it is possible) to have an 
improvement where there are no timing differences between success and failure, by 
no longer using exceptions in the unpad() implementation.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/12732#issuecomment-1483174451
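The approach suggested above, an unpad() that reports failure through a flag instead of an exception so that success and failure take the same amount of time, as an added example in Java. This is illustrative code written for this page, not the JDK's RSAPadding code nor the change under review in the PR; the class and method names (`Pkcs1Unpad`, `unpadWithExceptions`, `unpadConstantTime`) and the sample blocks in `main` are assumptions.

```java
import java.util.Arrays;

/** Added example: exception-driven vs. constant-time PKCS#1 v1.5 type-2 unpadding (hypothetical, not JDK code). */
public final class Pkcs1Unpad {

    /** Outcome of the constant-time variant; `valid` is the only error signal, nothing is thrown. */
    public static final class Result {
        public final boolean valid;
        public final byte[] message;      // fixed size k-11, left-aligned, all zero when invalid
        public final int messageLength;   // 0 when invalid
        Result(boolean valid, byte[] message, int messageLength) {
            this.valid = valid; this.message = message; this.messageLength = messageLength;
        }
    }

    /** Straightforward variant: each check exits early, so the failure position shows up in timing. */
    public static byte[] unpadWithExceptions(byte[] em) throws Exception {
        int k = em.length;
        if (k < 11 || em[0] != 0x00 || em[1] != 0x02) throw new Exception("bad block type");
        int i = 2;
        while (i < k && em[i] != 0x00) i++;                 // stops as soon as the separator is found
        if (i == k) throw new Exception("no separator");
        if (i - 2 < 8) throw new Exception("padding string too short");
        return Arrays.copyOfRange(em, i + 1, k);
    }

    // Constant-time helpers: each returns 0xFFFFFFFF (true) or 0 (false) with no data-dependent branch.
    static int ctEq(int a, int b) { int x = a ^ b; return ~((x | -x) >> 31); }
    static int ctLt(int a, int b) { return (a - b) >> 31; }            // small operands only
    static int ctSelect(int mask, int ifTrue, int ifFalse) { return (mask & ifTrue) | (~mask & ifFalse); }

    /** Constant-time variant: inspects every byte and touches every output position regardless of input. */
    public static Result unpadConstantTime(byte[] em) {
        int k = em.length;
        if (k < 11) return new Result(false, new byte[0], 0);  // k is the public modulus size, so this leaks nothing
        int bad = ~ctEq(em[0] & 0xFF, 0x00) | ~ctEq(em[1] & 0xFF, 0x02);

        int sep = 0;     // index of the first 0x00 byte at position >= 2
        int found = 0;   // mask: separator seen so far
        for (int i = 2; i < k; i++) {
            int isZero = ctEq(em[i] & 0xFF, 0x00);
            int first = isZero & ~found;
            sep = ctSelect(first, i, sep);
            found |= isZero;
        }
        bad |= ~found;                  // no separator at all
        bad |= ctLt(sep - 2, 8);        // padding string shorter than 8 bytes
        sep = ctSelect(bad, 10, sep);   // pin sep to a harmless value on failure, keeps index arithmetic in range

        int maxLen = k - 11;
        int msgLen = ctSelect(bad, 0, k - sep - 1);
        byte[] out = new byte[maxLen];
        // Every (output, input) pair is visited, so the work does not depend on where the separator sits.
        for (int j = 0; j < maxLen; j++) {
            int acc = 0;
            for (int i = 11; i < k; i++) {          // a valid message can only start at index >= 11
                acc |= em[i] & ctEq(i, sep + 1 + j);
            }
            out[j] = (byte) (acc & ~bad);           // zeroed when the block is invalid
        }
        return new Result(bad == 0, out, msgLen);
    }

    public static void main(String[] args) throws Exception {
        // Constructed 64-byte block: 00 02 || 8 non-zero padding bytes || 00 || 53-byte message
        byte[] em = new byte[64];
        em[1] = 0x02;
        Arrays.fill(em, 2, 10, (byte) 0x7F);
        for (int i = 11; i < em.length; i++) em[i] = (byte) (i - 11);

        Result ok = unpadConstantTime(em);
        System.out.println("valid=" + ok.valid + " len=" + ok.messageLength
            + " same=" + Arrays.equals(Arrays.copyOf(ok.message, ok.messageLength), unpadWithExceptions(em)));

        byte[] broken = em.clone();
        broken[1] = 0x01;                            // wrong block type
        Result fail = unpadConstantTime(broken);     // no exception, same amount of work as the valid case
        System.out.println("valid=" + fail.valid + " len=" + fail.messageLength);
    }
}
```

The caller still has to avoid reintroducing a distinguisher: `messageLength` is data-dependent on success, so a protocol with a fixed expected length (as in TLS) should compare it with `ctEq` and substitute a random value on mismatch rather than branch on `valid`. The JVM can also introduce branches the source does not show, so a variant like this is best validated with timing measurements, not by inspection alone.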
