Context used in encryption or signing operation is associated with insecure padding type
This defect occurs when you perform RSA encryption or signature by using a context object that was previously associated with a weak padding scheme.
For instance, you perform encryption by using a context object that is associated with the PKCS#1v1.5 padding scheme. The scheme is considered insecure and has already been broken.
```c
/* Context bound to PKCS#1 v1.5 padding (weak), then used for encryption: flagged */
ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING);
...
ret = EVP_PKEY_encrypt(ctx, out, &out_len, in, in_len);
```
Padding schemes remove determinism from the RSA algorithm and protect RSA operations from certain kinds of attacks. Padding schemes such as PKCS#1v1.5, ANSI X9.31, and SSLv23 are known to be vulnerable. Do not use these padding schemes for encryption or signature operations.
Before performing an RSA operation, associate the context object with a strong padding scheme.
Encryption: Use the OAEP padding scheme. For instance, call the EVP_PKEY_CTX_set_rsa_padding function with the argument RSA_PKCS1_OAEP_PADDING, or use the RSA_padding_add_PKCS1_OAEP function.
```c
ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING);
```
You can then use functions such as EVP_PKEY_encrypt / EVP_PKEY_decrypt or RSA_public_encrypt / RSA_private_decrypt on the context.
Signature: Use the RSA-PSS padding scheme. For instance, call the EVP_PKEY_CTX_set_rsa_padding function with the argument RSA_PKCS1_PSS_PADDING.
```c
ret = EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PSS_PADDING);
```
You can then use functions such as the EVP_PKEY_sign / EVP_PKEY_verify pair or the RSA_private_encrypt / RSA_public_decrypt pair on the context.
| Attribute | Value |
| --- | --- |
| Group | Cryptography |
| Language | C, C++ |
| Default | Off |
| Command-Line Syntax | CRYPTO_RSA_WEAK_PADDING |
| Impact | Medium |
| CWE ID | 310, 326, 327, 780 |
See also:
- Find defects (-checkers)
- Incompatible padding for RSA algorithm operation
- Missing blinding for RSA algorithm
- Missing padding for RSA algorithm
- Nonsecure RSA public exponent