From 1681a0b2f84a4a252c71b87de870a2816de06fdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= <sybren@stuvel.eu>
Date: Fri, 22 Jan 2016 13:54:52 +0100
Subject: Fix #13: Deprecated the VARBLOCK format and rsa.bigfile module

This deprecation is due to security issues; see
https://github.com/sybrenstuvel/python-rsa/issues/13 for more information.
---
 doc/reference.rst | 12 ++++++++++++
 doc/usage.rst     | 18 ++++++++++++++++++
 2 files changed, 30 insertions(+)

(limited to 'doc')

diff --git a/doc/reference.rst b/doc/reference.rst
index 53dee63..d80416a 100644
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -44,6 +44,12 @@ Exceptions
 Module: rsa.bigfile
 --------------------------------------------------
 
+.. warning::
+
+    The :py:mod:`rsa.bigfile` module is NOT recommended for general use, has been
+    deprecated since Python-RSA 3.4, and will be removed in a future release. It's
+    vulnerable to a number of attacks. See :ref:`bigfiles` for more information.
+
 The :py:mod:`rsa.bigfile` module contains functions for encrypting and
 decrypting files that are larger than the RSA key. See
 :ref:`bigfiles` for more information.
@@ -57,6 +63,12 @@ decrypting files that are larger than the RSA key. See
 The VARBLOCK file format
 ++++++++++++++++++++++++++++++++++++++++++++++++++
 
+.. warning::
+
+    The VARBLOCK format is NOT recommended for general use, has been deprecated since
+    Python-RSA 3.4, and will be removed in a future release. It's vulnerable to a
+    number of attacks. See :ref:`bigfiles` for more information.
+
 The VARBLOCK file format allows us to encrypt files that are larger
 than the RSA key. The format is as follows; || denotes byte string
 concatenation::
diff --git a/doc/usage.rst b/doc/usage.rst
index 363788f..6e11a35 100644
--- a/doc/usage.rst
+++ b/doc/usage.rst
@@ -282,6 +282,24 @@ the encrypted key to the recipient. The complete flow is:
 Only using Python-RSA: the VARBLOCK format
 +++++++++++++++++++++++++++++++++++++++++++
 
+.. warning::
+
+    The VARBLOCK format is NOT recommended for general use, has been deprecated since
+    Python-RSA 3.4, and will be removed in a future release. It's vulnerable to a
+    number of attacks:
+
+    1. decrypt/encrypt_bigfile() does not implement `Authenticated encryption`_ nor
+       uses MACs to verify messages before decrypting public key encrypted messages.
+
+    2. decrypt/encrypt_bigfile() does not use hybrid encryption (it uses plain RSA)
+       and has no method for chaining, so block reordering is possible.
+
+    See `issue #19 on Github`_ for more information.
+
+.. _Authenticated encryption: https://en.wikipedia.org/wiki/Authenticated_encryption
+.. _issue #19 on Github: https://github.com/sybrenstuvel/python-rsa/issues/13
+
+
 As far as we know, there is no pure-Python AES encryption. Previous
 versions of Python-RSA included functionality to encrypt large files
 with just RSA, and so does this version. The format has been improved,
-- 
cgit v1.2.1