Dear all, I was wondering about two things: 1. Can the EVP_Seal*() functions be told to use RSA_PKCS1_OAEP_PADDING, or do I need to stick with the lower level RSA_public_encrypt()? >From the source code it seems to me that RSA_PKCS1_PADDING is hardcoded because EVP_SealInit() [1] calls EVP_PKEY_encrypt_old() [2], which in turn has the line with hardcoded padding: ret = RSA_public_encrypt(key_len, key, ek, EVP_PKEY_get0_RSA(pubk), RSA_PKCS1_PADDING); 2. Isn't the default RSA_PKCS1_PADDING used by EVP_Seal*() vulnerable to padding oracle attacks? I mean, it's certainly possible to not to say anything about the padding result in error messages to the client but wouldn't there still be a potential information leak through response timing? How should EVP_Seal*() be used safely? Just as background info: the use case is a client encrypting a sensitive file based on a public key (using RSA-4096 + block cipher like AES-256-CBC) which is then transmitted to a webbased backend, with a final response back to the client. Nothing very special, although a high number of different clients is expected (i.e. high volume at the backend). Best regards, Daniel [1] https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/crypto/evp/p_seal.c [2] https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/crypto/evp/p_enc.c
