fix: private_encrypt/public_decrypt broken on OpenSSL 3.x#118
Merged
timlegge merged 3 commits intocpan-authors:mainfrom Apr 7, 2026
Merged
Conversation
Collaborator
|
view errors from smokers @toddr-bot rebase |
timlegge
requested changes
Mar 18, 2026
Member
timlegge
left a comment
timlegge
left a comment
There was a problem hiding this comment.
Assigning to myself . I need to look at this closer
toddr-bot
force-pushed
the
koan.toddr.bot/fix-private-encrypt-padding
branch
from
2b34b88 to
df8d955
Compare
toddr-bot
added a commit
to toddr-bot/Crypt-OpenSSL-RSA
that referenced
this pull request
Mar 18, 2026
Contributor
Author
Rebase: fix: private_encrypt/public_decrypt broken on OpenSSL 3.xBranch Diff: 4 files changed, 135 insertions(+), 18 deletions(-) Review feedback was analyzed and applied. Actions
CICI passed. Automated by Kōan |
Collaborator
|
@toddr-bot rebase |
toddr-bot
added a commit
to toddr-bot/Crypt-OpenSSL-RSA
that referenced
this pull request
Mar 21, 2026
toddr-bot
added a commit
to toddr-bot/Crypt-OpenSSL-RSA
that referenced
this pull request
Mar 21, 2026
- **Moved PSS-for-encrypt guard before `#if OPENSSL_VERSION_NUMBER >= 0x30000000L`** so it fires on all OpenSSL versions, not just 3.x. On pre-3.x smokers, `encrypt()` with PSS was falling through to the legacy RSA code path which produced a generic "unknown padding type" error instead of the friendly croak message. This matches how the Marvin attack (PKCS#1 v1.5) guard is already placed before the ifdef. - **Simplified test 9 in `t/private_encrypt.t`** to use `like()` unconditionally instead of branching on OpenSSL version, since the PSS croak now fires on all versions.
toddr-bot
force-pushed
the
koan.toddr.bot/fix-private-encrypt-padding
branch
from
df8d955 to
4fa560a
Compare
Contributor
Author
Rebase: fix: private_encrypt/public_decrypt broken on OpenSSL 3.xBranch Diff: 4 files changed, 127 insertions(+), 16 deletions(-) Review feedback was analyzed and applied. Changes
Actions
CICI passed. Automated by Kōan |
Member
|
@toddr-bot rebase this |
toddr-bot
added a commit
to toddr-bot/Crypt-OpenSSL-RSA
that referenced
this pull request
Mar 25, 2026
toddr-bot
added a commit
to toddr-bot/Crypt-OpenSSL-RSA
that referenced
this pull request
Mar 25, 2026
- **Moved PSS-for-encrypt guard before `#if OPENSSL_VERSION_NUMBER >= 0x30000000L`** so it fires on all OpenSSL versions, not just 3.x. On pre-3.x smokers, `encrypt()` with PSS was falling through to the legacy RSA code path which produced a generic "unknown padding type" error instead of the friendly croak message. This matches how the Marvin attack (PKCS#1 v1.5) guard is already placed before the ifdef. - **Simplified test 9 in `t/private_encrypt.t`** to use `like()` unconditionally instead of branching on OpenSSL version, since the PSS croak now fires on all versions.
toddr-bot
force-pushed
the
koan.toddr.bot/fix-private-encrypt-padding
branch
from
4fa560a to
642c7d5
Compare
Contributor
Author
Rebase: fix: private_encrypt/public_decrypt broken on OpenSSL 3.xBranch Diff: 4 files changed, 127 insertions(+), 16 deletions(-) Review feedback was analyzed and applied. Actions
CICI passed. Automated by Kōan |
Member
|
@toddr-bot rebase from main |
On OpenSSL 3.x, rsa_crypt() is shared by encrypt/decrypt (which use EVP_PKEY_encrypt/decrypt) and private_encrypt/public_decrypt (which use EVP_PKEY_sign/verify_recover). The code unconditionally forced OAEP padding for all non-NO_PADDING modes, but OAEP is only valid for encryption — not for sign/verify_recover operations. This meant private_encrypt() and public_decrypt() were broken with any padding except NO_PADDING. The fix replaces the unused `int public` parameter with `int is_encrypt` to distinguish the two operation types: - Encryption path (encrypt/decrypt): forces OAEP, rejects PSS - Sign path (private_encrypt/public_decrypt): passes through PKCS1 and NO_PADDING; rejects OAEP and PSS with clear error messages Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- **Moved PSS-for-encrypt guard before `#if OPENSSL_VERSION_NUMBER >= 0x30000000L`** so it fires on all OpenSSL versions, not just 3.x. On pre-3.x smokers, `encrypt()` with PSS was falling through to the legacy RSA code path which produced a generic "unknown padding type" error instead of the friendly croak message. This matches how the Marvin attack (PKCS#1 v1.5) guard is already placed before the ifdef. - **Simplified test 9 in `t/private_encrypt.t`** to use `like()` unconditionally instead of branching on OpenSSL version, since the PSS croak now fires on all versions.
Contributor
Author
Rebase: fix: private_encrypt/public_decrypt broken on OpenSSL 3.xBranch Diff: 4 files changed, 122 insertions(+), 11 deletions(-) Review feedback was analyzed and applied. Actions
CICI will be checked asynchronously. Automated by Kōan |
toddr-bot
force-pushed
the
koan.toddr.bot/fix-private-encrypt-padding
branch
from
642c7d5 to
141a216
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Fixes
private_encrypt()andpublic_decrypt()being broken on OpenSSL 3.x with any padding exceptNO_PADDING.Why
rsa_crypt()is shared by four operations:encrypt,decrypt,private_encrypt, andpublic_decrypt. On OpenSSL 3.x, it unconditionally forced OAEP padding for all non-NO_PADDINGmodes. Butprivate_encrypt/public_decryptuseEVP_PKEY_sign/EVP_PKEY_verify_recoverunder the hood, where OAEP is not a valid padding mode. This caused an OpenSSL error ("illegal or unsupported padding mode") for any call toprivate_encrypt()orpublic_decrypt()with the default padding.This is the same family of issues as #61 — the v0.35 Marvin attack mitigation broke signature-related operations. This fix complements #103 (which fixes
sign()/verify()).How
Replaced the unused
int publicparameter inrsa_crypt()withint is_encryptto distinguish encryption from sign/verify_recover operations:encrypt/decrypt): forces OAEP, rejects PSS (existing behavior)private_encrypt/public_decrypt): passes through the user's padding choice; rejects OAEP and PSS with clear error messages pointing to the correct APITesting
t/private_encrypt.t)private_encrypt/public_decryptroundtrip withNO_PADDINGencrypt/decryptbehavior unchanged🤖 Generated with Claude Code
Quality Report
Changes: 4 files changed, 131 insertions(+), 15 deletions(-)
Code scan: clean
Tests: passed (OK)
Branch hygiene: clean
Generated by Kōan post-mission quality pipeline