#
5ab3ec1b |
| 27-Oct-2022 |
Hubert Kario |
rsa: Add option to disable implicit rejection Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
rsa: Add option to disable implicit rejection Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13817)
show more ...
|
#
6c73ca4a |
| 18-Nov-2022 |
Clemens Lang |
signature: Clamp PSS salt len to MD len FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the sa
signature: Clamp PSS salt len to MD len FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of the hash function output block (in bytes)." Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will not use more than the digest length when signing, so that FIPS 186-4 is not violated. This value has two advantages when compared with RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when verifying signatures for maximum compatibility, where RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will work for combinations where the maximum salt length is smaller than the digest size, which typically happens with large digest sizes (e.g., SHA-512) and small RSA keys. J.-S. Coron shows in "Optimal Security Proofs for PSS and Other Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332 of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag, 2002." that longer salts than the output size of modern hash functions do not increase security: "For example,for an application in which at most one billion signatures will be generated, k0 = 30 bits of random salt are actually sufficient to guarantee the same level of security as RSA, and taking a larger salt does not increase the security level." Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19724)
show more ...
|
#
eab9dbbd |
| 25-Apr-2022 |
Nathan Sidwell |
Header file cleanup for C++20 header-units C++20 adds 'header units' as a stepping-stone to modules. Header units are regular header-files that have a 'self-contained' property -- t
Header file cleanup for C++20 header-units C++20 adds 'header units' as a stepping-stone to modules. Header units are regular header-files that have a 'self-contained' property -- they do not require previously-included headers to provide typedefs and what not. This addresses 2 problems discovered when using clang modules (as a proxy for C++20 header-units). a) Some headers that pay attention to OPENSSL_NO_STDIO to determine whether to declare certain FILE*-taking functions do not #include <stdio.h> themselves, relying on their includer already having done that. That breaks the above mentioned encapuslation requirement. Fixed by conditionally including stdio.h in those headers. I chose to always include stdio.h in such headers, even when they included another such header that transitively included stdio. That way they do not rely on an artifact of that intermediate header's behaviour. b) Some headers have #includes inside 'extern "C" { ... }' regions. That has a bad code-smell, but GCC and clang have extensions to permit it with implementation-defined effects. Clang needs annotation on the included files to know that they themselves are entirely inside a similar region. GCC behavesq as-if there's an extern "C++" region wrapping the included header (which must therefore wrap its contents in extern "C", if that is what it wants. In effect the includer's extern "C" region is just misleading. I didn't audit all the headers for this, only those I noticed when addressing #a. \#a is necessary to build the headers as a set of clang-modules. #b is not necessary, but as I mentioned, avoids potentially implementation-defined behaviour. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18221)
show more ...
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k |
|
#
f9253152 |
| 20-Mar-2021 |
Dr. David von Oheimb |
Add convenience functions and macros for asymmetric key generation Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen(). Also export auxiliary function OSSL_EC_curve_nid
Add convenience functions and macros for asymmetric key generation Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen(). Also export auxiliary function OSSL_EC_curve_nid2name() and improve deprecation info on RSA and EC key generation/management functions. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14695)
show more ...
|
#
2145ba5e |
| 19-Mar-2021 |
Tomas Mraz |
Implement EVP_PKEY_dup() function Fixes #14501 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14624)
|
Revision tags: openssl-3.0.0-alpha13 |
|
#
b0aae913 |
| 22-Feb-2021 |
Rich Salz |
Remove RSA SSLv23 padding mode Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14248)
|
Revision tags: openssl-3.0.0-alpha12 |
|
#
a28d06f3 |
| 18-Feb-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14235)
|
Revision tags: OpenSSL_1_1_1j, openssl-3.0.0-alpha11, openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7 |
|
#
e947a064 |
| 09-Oct-2020 |
Daniel Bevenius |
EVP: fix keygen for EVP_PKEY_RSA_PSS This commit attempts to fix the an issue when generating a key of type EVP_PKEY_RSA_PSS. Currently, EVP_PKEY_CTX_set_rsa_keygen_bits will return
EVP: fix keygen for EVP_PKEY_RSA_PSS This commit attempts to fix the an issue when generating a key of type EVP_PKEY_RSA_PSS. Currently, EVP_PKEY_CTX_set_rsa_keygen_bits will return -1 if the key id is not of type EVP_PKEY_RSA. This commit adds EVP_PKEY_RSA_PSS to also be accepted. The macro EVP_PKEY_CTX_set_rsa_pss_keygen_md si converted into a function and it is now called in legacy_ctrl_to_param. Fixes #12384 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13099)
show more ...
|
#
3a1ee3c1 |
| 17-Dec-2020 |
Richard Levitte |
Drop OPENSSL_NO_RSA everywhere The configuration option 'no-rsa' was dropped with OpenSSL 1.1.0, so this is simply a cleanup of the remains. Reviewed-by: Tomas Mraz <tmraz@fedor
Drop OPENSSL_NO_RSA everywhere The configuration option 'no-rsa' was dropped with OpenSSL 1.1.0, so this is simply a cleanup of the remains. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13700)
show more ...
|
#
ac2c4f65 |
| 19-Nov-2020 |
Richard Levitte |
RSA: Fix guard mixup A OSSL_DEPRECATEDIN_0_9_8 function was surrounded by a OPENSSL_NO_DEPRECATED_3_0 guard. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https:
RSA: Fix guard mixup A OSSL_DEPRECATEDIN_0_9_8 function was surrounded by a OPENSSL_NO_DEPRECATED_3_0 guard. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13448)
show more ...
|
#
d7e498ac |
| 04-Oct-2020 |
Richard Levitte |
Deprecate RSA harder This deprecates all functions that deal with the types RSA and RSA_METHOD Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/open
Deprecate RSA harder This deprecates all functions that deal with the types RSA and RSA_METHOD Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13096)
show more ...
|
#
3786d748 |
| 24-Sep-2020 |
jwalch |
en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management Fixes #12635 As discussed in the issue, supporting the set0-like semantics long-term is not necessarily desirable, although
en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management Fixes #12635 As discussed in the issue, supporting the set0-like semantics long-term is not necessarily desirable, although necessary for short-term compatibility concerns. So I've deprecated the original method and added an equivalent that is explicitly labelled as set1. I tried to audit existing usages of the (now-deprecated) API and update them to use set1 if that appeared to align with their expectations. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12917)
show more ...
|
Revision tags: OpenSSL_1_1_1h, openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4 |
|
#
8bf37709 |
| 09-Jun-2020 |
Shane Lontis |
Update RSA keygen to use sp800-56b by default Fixes #11742 Fixes #11764 The newer RSA sp800-56b algorithm is being used for the normal case of a non multiprime key of at least l
Update RSA keygen to use sp800-56b by default Fixes #11742 Fixes #11764 The newer RSA sp800-56b algorithm is being used for the normal case of a non multiprime key of at least length 2048. Insecure key lengths and mutltiprime RSA will use the old method. Bad public exponents are no longer allowed (i.e values less than 65537 or even). Values such as 2 that would cause a infinite loop now result in an error. The value of 3 has been marked as deprecated but is still allowed for legacy purposes. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11765)
show more ...
|
Revision tags: openssl-3.0.0-alpha3, openssl-3.0.0-alpha2 |
|
#
e25761b1 |
| 05-May-2020 |
Richard Levitte |
EVP: Refactor the RSA-PSS key generation controls for providers Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
|
#
484d1a73 |
| 02-May-2020 |
Richard Levitte |
RSA: Add RSA key types The support of restricted RSA key types (OAEP and PSS) was lacking, or dependent on the presence of restriction parameters. For example, this means that even
RSA: Add RSA key types The support of restricted RSA key types (OAEP and PSS) was lacking, or dependent on the presence of restriction parameters. For example, this means that even though an RSA-PSS key may have been generated, it may appear as a plain unrestricted RSA key if parameters weren't present (which is the case when default restriction parameters are used) To make it clearer what an RSA key is intended for, and avoid depending in an EVP_PKEY, we introduce RSA key types. This is done by reserving a section of the RSA flags (4 bits, which allows a total of 16 different types). This isn't terribly important for EVP_PKEY_ASN1_METHOD code, as that has access to the wrapping EVP_PKEY. This is very important for provider code, which has no access to the wrapping EVP_PKEY. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
show more ...
|
#
588d5d01 |
| 28-Apr-2020 |
Pauli |
Undeprecate DH, DSA and RSA _bits() functions. These were deemed information and useful and that they should not be deprecated. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Undeprecate DH, DSA and RSA _bits() functions. These were deemed information and useful and that they should not be deprecated. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11669)
show more ...
|
Revision tags: openssl-3.0.0-alpha1 |
|
#
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
|
Revision tags: OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e |
|
#
8f7e1f68 |
| 10-Mar-2020 |
Pauli |
genrsa: update command line app to use EVP calls Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
|
Revision tags: OpenSSL_1_0_2u |
|
#
2972af10 |
| 27-Oct-2019 |
Richard Levitte |
PROV: Add RSA functionality for key generation This includes added support in legacy controls Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com
PROV: Add RSA functionality for key generation This includes added support in legacy controls Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10289)
show more ...
|
#
6f4b7663 |
| 01-Dec-2019 |
Richard Levitte |
PROV: add RSA signature implementation This includes legacy PSS controls to params conversion, and an attempt to generalise the parameter names when they are suitable for more than o
PROV: add RSA signature implementation This includes legacy PSS controls to params conversion, and an attempt to generalise the parameter names when they are suitable for more than one operation. Also added crypto/rsa/rsa_aid.c, containing proper AlgorithmIdentifiers for known RSA+hash function combinations. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10557)
show more ...
|
#
c5f87134 |
| 12-Feb-2020 |
Pauli |
Deprecate the low level RSA functions. Use of the low level RSA functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Richard L
Deprecate the low level RSA functions. Use of the low level RSA functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11063)
show more ...
|
#
f93107d8 |
| 12-Feb-2020 |
Pauli |
rsa.h: fix preprocessor indentation Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11063)
|
#
d9a75107 |
| 11-Nov-2019 |
Matt Caswell |
Teach the RSA implementation about TLS RSA Key Transport In TLSv1.2 a pre-master secret value is passed from the client to the server encrypted using RSA PKCS1 type 2 padding in a Client
Teach the RSA implementation about TLS RSA Key Transport In TLSv1.2 a pre-master secret value is passed from the client to the server encrypted using RSA PKCS1 type 2 padding in a ClientKeyExchange message. As well as the normal formatting rules for RSA PKCA1 type 2 padding TLS imposes some additional rules about what constitutes a well formed key. Specifically it must be exactly the right length and encode the TLS version originally requested by the client (as opposed to the actual negotiated version) in its first two bytes. All of these checks need to be done in constant time and, if they fail, then the TLS implementation is supposed to continue anyway with a random key (and therefore the connection will fail later on). This avoids padding oracle type attacks. This commit implements this within the RSA padding code so that we keep all the constant time padding logic in one place. A later commit will remove it from libssl. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10411)
show more ...
|
#
677add38 |
| 18-Nov-2019 |
Richard Levitte |
PROV SERIALIZER: add support for writing RSA keys This also adds the missing accessor RSA_get0_pss_params(), so those parameters can be included in the PKCS#8 data structure without
PROV SERIALIZER: add support for writing RSA keys This also adds the missing accessor RSA_get0_pss_params(), so those parameters can be included in the PKCS#8 data structure without needing to know the inside of the RSA structure. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10394)
show more ...
|
#
89abd1b6 |
| 28-Oct-2019 |
Matt Caswell |
Move RSA Asym cipher code to the default provider Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10152)
|