#
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
|
#
32b43b91 |
| 22-Aug-2024 |
slontis |
Update new FIPS indicator evp_tests to use FIPSversion + Availablein options. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: To
Update new FIPS indicator evp_tests to use FIPSversion + Availablein options. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25267)
show more ...
|
#
a595d624 |
| 26-Jul-2024 |
slontis |
Change existing evp_test KeyGen Ctrls to use provider algorithm parameter names. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged
Change existing evp_test KeyGen Ctrls to use provider algorithm parameter names. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25008)
show more ...
|
#
f3c03be3 |
| 07-Aug-2024 |
pohsingwu |
Restrict salt length for RSA-PSS in the FIPS provider Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/o
Restrict salt length for RSA-PSS in the FIPS provider Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25115)
show more ...
|
#
068c9bee |
| 08-Aug-2024 |
Pauli |
test: add error reasons to RSA tests Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/open
test: add error reasons to RSA tests Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/25135)
show more ...
|
#
07e4d7f4 |
| 29-Jul-2024 |
slontis |
Add RSA Signature restrictions for X9.31 padding in the FIPS provider. In FIPS 140-3, RSA Signing with X9.31 padding is not approved, but verification is allowed for legacy purposes. An
Add RSA Signature restrictions for X9.31 padding in the FIPS provider. In FIPS 140-3, RSA Signing with X9.31 padding is not approved, but verification is allowed for legacy purposes. An indicator has been added for RSA signing with X9.31 padding. A strict restriction on the size of the RSA modulus has been added i.e. It must be 1024 + 256 * s (which is part of the ANSI X9.31 spec). Added implementation comments to the X9.31 padding code Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/24021)
show more ...
|
#
06da1473 |
| 03-Jul-2024 |
slontis |
Add FIPS indicators to evp_test evp_test code needed to be modified to defer setting algorithm contexts until the run phase. The parse functions also defer setting into the context u
Add FIPS indicators to evp_test evp_test code needed to be modified to defer setting algorithm contexts until the run phase. The parse functions also defer setting into the context until the run phase, which allows the context to initialize in a controlled order. This allows params to be passed into the algorithm init function. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24623)
show more ...
|
#
0285160f |
| 29-May-2024 |
Tomas Mraz |
Skip newly added blocked OAEP SHAKE testcases with old fips providers Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://gith
Skip newly added blocked OAEP SHAKE testcases with old fips providers Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24529)
show more ...
|
#
a0da3cb4 |
| 22-May-2024 |
Dimitri John Ledkov |
test: remove the just added, but now unrealistic, shake128 OAEP tests These were added as a POC in #24387. However, such combinations are no longer unusable since #24105 got merged.
test: remove the just added, but now unrealistic, shake128 OAEP tests These were added as a POC in #24387. However, such combinations are no longer unusable since #24105 got merged. This should unbreak all build failures on mainline. Partially reverts: 1bfc8d17f3 (rsa-oaep: block SHAKE usage in FIPS mode, 2024-05-13) Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24463)
show more ...
|
#
1bfc8d17 |
| 13-May-2024 |
Dimitri John Ledkov |
rsa-oaep: block SHAKE usage in FIPS mode NIST SP 800-56 rev2 only allows using approved hash algorithms in OAEP. Unlike FIPS 186-5 it doesn't have text allowing to use XOF SHAKE func
rsa-oaep: block SHAKE usage in FIPS mode NIST SP 800-56 rev2 only allows using approved hash algorithms in OAEP. Unlike FIPS 186-5 it doesn't have text allowing to use XOF SHAKE functions. Maybe future revisions of SP 800-56 will adopt similar text to FIPS 186-5 and allow XOF as MD and MGF (not MGF1). RFC documents do not specify if SHAKE is allowed or blocked for usage (i.e. there is no equivalent of RFC 8692 or RFC 8702 for OAEP). Status quo allows their usage. Add test cases for SHAKE in RSA-OAEP as allowed in default provider, and blocked in fips. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24387)
show more ...
|
#
973ddaa0 |
| 11-May-2024 |
Dimitri John Ledkov |
rsa-pss: add tests checking for SHAKE usage in RSA-PSS FIPS 186-5, RFC 8692, RFC 8702 all agree and specify that Shake shall be used directly as MGF (not as a hash in MGF1). Add tests th
rsa-pss: add tests checking for SHAKE usage in RSA-PSS FIPS 186-5, RFC 8692, RFC 8702 all agree and specify that Shake shall be used directly as MGF (not as a hash in MGF1). Add tests that try to specify shake hash as MGF1 to ensure that fails. Separately the above standards specify how to use SHAKE as a message digest with either fixed or minimum output lengths. However, currently shake is not part of allowed hashes. Note that rsa_setup_md()/rsa_setup_mgf1_md() call ossl_digest_rsa_sign_get_md_nid() -> ossl_digest_get_approved_nid_with_sha1() -> ossl_digest_get_approved_nid() which only contain sha1/sha2/sha3 digests without XOF. The digest test case will need to be replace if/when shake with minimum output lengths is added to ossl_digest_get_approved_nid(). Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24387)
show more ...
|
#
4514e02c |
| 08-Apr-2024 |
slontis |
Check range of RSA plaintext and ciphertext when using no padding. Fixes #24051 RSA with 'no padding' corresponds to RSAEP/RSADP. The code was not checking the lower bounds.
Check range of RSA plaintext and ciphertext when using no padding. Fixes #24051 RSA with 'no padding' corresponds to RSAEP/RSADP. The code was not checking the lower bounds. The bounds are specified in SP800-56Br2, section 7.1.1.1 and 7.1.2.1 Note that RFC8017 expresses the range in a sentence using the word between, and there is some ambiguity in this. The upper bounds have change to match the definition in SP800. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24061)
show more ...
|
#
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
|
#
eb4129e1 |
| 09-May-2023 |
Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> |
Fix typos found by codespell Typos in doc/man* will be fixed in a different commit. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (M
Fix typos found by codespell Typos in doc/man* will be fixed in a different commit. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20910)
show more ...
|
#
a53d4f83 |
| 01-Jan-2023 |
Semen Zhydenko |
Fixed typos in documentation and comments Fixed typo: accomodate -> accommodate Fixed typo: analagous -> analogous Fixed typo: auxilliary -> auxiliary Fixed typo: eigth -> eighth
Fixed typos in documentation and comments Fixed typo: accomodate -> accommodate Fixed typo: analagous -> analogous Fixed typo: auxilliary -> auxiliary Fixed typo: eigth -> eighth Fixed typo: explotation -> exploitation Fixed typo: originaly -> originally Fixed typo: simplier -> simpler Fixed typo: sucessful -> successful Fixed typo: recievers -> receivers Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19977)
show more ...
|
#
dc45d4c6 |
| 12-Dec-2022 |
Hubert Kario |
rsa: fix merge CI runs with old FIPS providers Since the fips provider version isn't frozen at 3.0.0, and the first planned release with the fix in the fips provider is in 3.2.0, we
rsa: fix merge CI runs with old FIPS providers Since the fips provider version isn't frozen at 3.0.0, and the first planned release with the fix in the fips provider is in 3.2.0, we need to skip all the tests that expect implicit rejection in all versions below 3.2.0 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19890)
show more ...
|
#
455db0c9 |
| 22-Nov-2022 |
Hubert Kario |
rsa: add test for the option to disable implicit rejection Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas
rsa: add test for the option to disable implicit rejection Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13817)
show more ...
|
#
ddecbef6 |
| 03-Nov-2022 |
Hubert Kario |
rsa: Skip the synthethic plaintext test with old FIPS provider since the 3.0.0 FIPS provider doesn't implement the Bleichenbacher workaround, the decryption fails instead of providing a
rsa: Skip the synthethic plaintext test with old FIPS provider since the 3.0.0 FIPS provider doesn't implement the Bleichenbacher workaround, the decryption fails instead of providing a synthetic plaintext, so skip them then Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13817)
show more ...
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
8ae4f0e6 |
| 12-Jan-2021 |
Hubert Kario |
rsa: add test vectors for the implicit rejection in RSA PKCS#1 v1.5 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mr
rsa: add test vectors for the implicit rejection in RSA PKCS#1 v1.5 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13817)
show more ...
|
#
7fc67e0a |
| 15-Mar-2022 |
Hubert Kario |
rsa: add implicit rejection in PKCS#1 v1.5 The RSA decryption as implemented before required very careful handling of both the exit code returned by OpenSSL and the potentially returned
rsa: add implicit rejection in PKCS#1 v1.5 The RSA decryption as implemented before required very careful handling of both the exit code returned by OpenSSL and the potentially returned ciphertext. Looking at the recent security vulnerabilities (CVE-2020-25659 and CVE-2020-25657) it is unlikely that most users of OpenSSL do it correctly. Given that correct code requires side channel secure programming in application code, we can classify the existing RSA decryption methods as CWE-676, which in turn likely causes CWE-208 and CWE-385 in application code. To prevent that, we can use a technique called "implicit rejection". For that we generate a random message to be returned in case the padding check fails. We generate the message based on static secret data (the private exponent) and the provided ciphertext (so that the attacker cannot determine that the returned value is randomly generated instead of result of decryption and de-padding). We return it in case any part of padding check fails. The upshot of this approach is that then not only is the length of the returned message useless as the Bleichenbacher oracle, so are the actual bytes of the returned message. So application code doesn't have to perform any operations on the returned message in side-channel free way to remain secure against Bleichenbacher attacks. Note: this patch implements a specific algorithm, shared with Mozilla NSS, so that the attacker cannot use one library as an oracle against the other in heterogeneous environments. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13817)
show more ...
|
#
54b40531 |
| 29-Jul-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16176)
|
#
02d63fe9 |
| 14-Jul-2021 |
Tomas Mraz |
evp_test: Add tests for rsa_padding_mode:none Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16068)
|
Revision tags: openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h |
|
#
7a810fac |
| 04-Sep-2020 |
Shane Lontis |
Add 'fips-securitychecks' option and plumb this into the actual fips checks Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745)
|
#
3f699197 |
| 29-Aug-2020 |
Shane Lontis |
Add fips checks for rsa signatures. In fips mode SHA1 should not be allowed for signing, but may be present for verifying. Add keysize check. Add missing 'ossl_unused' to gettable an
Add fips checks for rsa signatures. In fips mode SHA1 should not be allowed for signing, but may be present for verifying. Add keysize check. Add missing 'ossl_unused' to gettable and settable methods. Update fips related tests that have these restrictions. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745)
show more ...
|