[openssl-users] Using RSA_PKCS1_OAEP_PADDING with high level EVP_Seal functions

Daniel Knoppel daniel at phusion.nl
Wed Sep 7 12:51:58 UTC 2016


Dear all,

I was wondering about two things:

1. Can the EVP_Seal*() functions be told to use RSA_PKCS1_OAEP_PADDING,
or do I need to stick with the lower level RSA_public_encrypt()?

>From the source code it seems to me that RSA_PKCS1_PADDING is hardcoded
because EVP_SealInit() [1] calls EVP_PKEY_encrypt_old() [2], which in
turn has the line with hardcoded padding:

ret = RSA_public_encrypt(key_len, key, ek, EVP_PKEY_get0_RSA(pubk),
RSA_PKCS1_PADDING);


2. Isn't the default RSA_PKCS1_PADDING used by EVP_Seal*() vulnerable to
padding oracle attacks?

I mean, it's certainly possible to not to say anything about the padding
result in error messages to the client but wouldn't there still be a
potential information leak through response timing? How should
EVP_Seal*() be used safely?


Just as background info: the use case is a client encrypting a sensitive
file based on a public key (using RSA-4096 + block cipher like
AES-256-CBC) which is then transmitted to a webbased backend, with a
final response back to the client. Nothing very special, although a high
number of different clients is expected (i.e. high volume at the backend).

Best regards,

Daniel

[1]
https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/crypto/evp/p_seal.c
[2]
https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/crypto/evp/p_enc.c


More information about the openssl-users mailing list