Skip to content

Explain why RSA PKCS1 implicit rejection isn't used #126887

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
PranavSenthilnathan wants to merge 1 commit into
base: main
Choose a base branch
from
+22 −5
Open

Explain why RSA PKCS1 implicit rejection isn't used #126887

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 22 additions & 5 deletions src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,11 +82,28 @@ static bool ConfigureEncryption(EVP_PKEY_CTX* ctx, RsaPaddingMode padding, const
return false;
}

// OpenSSL 3.2 introduced a change where PKCS#1 RSA decryption does not fail for invalid padding.
// If the padding is invalid, the decryption operation returns random data.
// See https://github.com/openssl/openssl/pull/13817 for background.
// Some Linux distributions backported this change to previous versions of OpenSSL.
// Here we do a best-effort to set a flag to revert the behavior to failing if the padding is invalid.
// OpenSSL 3.2 introduced "implicit rejection" for PKCS#1 RSA decryption
// (https://github.com/openssl/openssl/pull/13817). Instead of returning an error for invalid
// padding (software keys only), OpenSSL synthesizes a deterministic random value derived from the
// private key and ciphertext, leaving callers to handle it with constant-time comparison. This
// was intended to mitigate Bleichenbacher-style padding oracle attacks.
Comment on lines +87 to +89
Copy link
Copy Markdown
Member

@bartonjs bartonjs Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like it's understandable in context.

//
// Some Linux distributions (notably CentOS/RHEL via Red Hat backports) applied this change to
// earlier OpenSSL versions (e.g. 3.1), which broke some .NET tests.
Copy link
Copy Markdown
Member

@bartonjs bartonjs Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I disagree with Copilot's suggestion.

//
// We disable this feature ("implicit rejection") for several reasons:
// 1. Platform consistency: other platforms (Windows, macOS) and hardware-backed keys still
// return explicit errors; callers should see the same behavior everywhere.
// 2. It deviates from RSA specifications and OpenSSL itself had to disable it to pass FIPS
// conformance tests.
// 3. It broke OpenSSL's own CMS (EnvelopedCMS) implementation, so OpenSSL turns it off
// internally when doing CMS operations.
// 4. It does not fully solve the Bleichenbacher problem; it converts a "FFT" oracle into a
// "FFF" oracle. While FFF is ~1000x harder to exploit, the attack is not eliminated.
//
// Therefore we revert to the prior behavior: invalid padding produces an explicit error code
// and .NET throws an exception. This is a best-effort flag; if the running OpenSSL version does
// not recognize it, we silently ignore the failure (see ERR_set_mark / ERR_pop_to_mark below).
Comment on lines +89 to +106
Copy link
Copy Markdown
Member

@bartonjs bartonjs Apr 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I disagree with Copilot's suggestion.

ERR_set_mark();

EVP_PKEY_CTX_ctrl_str(ctx, "rsa_pkcs1_implicit_rejection", "0");
Expand Down
Loading