Lines Matching refs:RSA

45    RSA-SHA2-256 including new API functions in the EVP_PKEY_sign,
80 RSA Encryption using PKCS1 padding is no longer approved.
324 OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation.
522 * When function EVP_PKEY_public_check() is called on RSA public keys,
523 a computation is done to confirm that the RSA modulus, n, is composite.
524 For valid RSA keys, n is a product of two or more large primes and this
528 An application that calls EVP_PKEY_public_check() and supplies an RSA key
537 To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
883 * The default SSL/TLS security level has been changed from 1 to 2. RSA,
1013 * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5
1015 The RSA decryption API will now return a randomly generated deterministic
1021 on the RSA decryption context.
1183 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
1428 * Fixed Timing Oracle in RSA Decryption.
1430 A timing based side channel exists in the OpenSSL RSA Decryption
1434 of trial messages for decryption. The vulnerability affects all RSA padding
1435 modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
1637 * The OpenSSL 3.0.4 release introduced a serious bug in the RSA
1639 This issue makes the RSA implementation with 2048 bit private keys
1645 SSL/TLS servers or other servers using 2048 bit RSA private keys running
2254 * Removed RSA padding mode for SSLv23 (which was only used for
2261 * Deprecated the obsolete X9.31 RSA key generation related functions.
2268 * Deprecated the obsolete X9.31 RSA key generation related functions
2274 * The default key generation method for the regular 2-prime RSA keys was
2609 * All of the low-level RSA functions have been deprecated.
2967 decoded, but if the RSA decryption fails, the correct encryption key is
2988 when primes for RSA keys are computed.
2989 Since we previously always generated primes == 2 (mod 3) for RSA keys,
2990 the 2-prime and 3-prime RSA modules were easy to distinguish, since
2992 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2993 This avoids possible fingerprinting of newly generated RSA modules.
3617 when primes for RSA keys are computed.
3618 Since we previously always generated primes == 2 (mod 3) for RSA keys,
3619 the 2-prime and 3-prime RSA modules were easy to distinguish, since
3621 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
3622 This avoids possible fingerprinting of newly generated RSA modules.
3717 decoded, but if the RSA decryption fails, the correct encryption key is
3794 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
3796 It fixes an omission in earlier changes that changed all RSA, DSA and DH
3820 * Do the error handling in RSA decryption constant time.
4242 * Add multi-prime RSA (RFC 8017) support.
4378 does for RSA, etc.
4452 * The RSA "null" method, which was partially supported to avoid patent
4487 decoded, but if the RSA decryption fails, the correct encryption key is
4508 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
4510 It fixes an omission in earlier changes that changed all RSA, DSA and DH
4614 * Cache timing vulnerability in RSA Key Generation
4616 The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
4618 mount cache timing attacks during the RSA key generation process could
4745 Analysis suggests that attacks against RSA and DSA as a result of this
4769 against RSA and DSA as a result of this defect would be very difficult to
4854 against RSA and DSA as a result of this defect would be very difficult to
4902 longer than 256 bits. Analysis suggests that attacks against RSA, DSA
5056 off the constant time implementation for RSA, DSA and DH have been made
5164 * Made RSA and RSA_METHOD opaque. The structures for managing RSA
5246 - Prefer (EC)DHE handshakes over plain RSA.
5248 - Prefer ECDSA over RSA when both certificates are available.
5568 ciphers who are no longer supported and drops support the ephemeral RSA key
5761 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
5839 * Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
5969 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
5974 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
6060 * Add PRNG security strength checks to RSA, DSA and ECDSA using
6284 decoded, but if the RSA decryption fails, the correct encryption key is
6305 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
6307 It fixes an omission in earlier changes that changed all RSA, DSA and DH
6399 * Cache timing vulnerability in RSA Key Generation
6401 The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
6403 mount cache timing attacks during the RSA key generation process could
6496 Analysis suggests that attacks against RSA and DSA as a result of this
6520 against RSA and DSA as a result of this defect would be very difficult to
6572 against RSA and DSA as a result of this defect would be very difficult to
6593 longer than 256 bits. Analysis suggests that attacks against RSA, DSA
7029 of RSA keys. The ability to exploit this issue is limited as it relies on
7041 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
7043 omission in an earlier change that changed all RSA/DSA key generation
7101 against RSA and DSA as a result of this defect would be very difficult to
7120 dereference if presented with an ASN.1 signature using the RSA PSS
7323 dereference if presented with an ASN.1 signature using the RSA PSS
7517 * Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
8231 of RSA keys. The ability to exploit this issue is limited as it relies on
8243 * Change the req command to generate a 2048-bit RSA/DSA key by default,
8245 omission in an earlier change that changed all RSA/DSA key generation
8282 dereference if presented with an ASN.1 signature using the RSA PSS
8561 * Remove non-export ephemeral RSA code on client and server. This code
8562 violated the TLS standard by allowing the use of temporary RSA keys in
8564 downgrade the RSA key length used to a value smaller than the server
8714 verifying RSA signature: this will reject any improperly encoded
9066 * The format used for MDC2 RSA signatures is inconsistent between EVP
9068 OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
9075 support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
9157 * Add RSA PSS signing function. This will generate and set the
9278 * Redirect RSA operations to FIPS module including keygen,
9279 encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
9348 ciphersuites. At present only RSA key exchange ciphersuites work with
9626 * Remove non-export ephemeral RSA code on client and server. This code
9627 violated the TLS standard by allowing the use of temporary RSA keys in
9629 downgrade the RSA key length used to a value smaller than the server
9731 verifying RSA signature: this will reject any improperly encoded
9945 * Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
9946 in CMS and PKCS7 code. When RSA decryption fails use a random key for
10732 with RSA certificates on the one hand and with ECDSA certificates
10739 authentication, not RSA or ECDSA authentication (the latter is
10748 kECDHr - ECDH cert, signed with RSA
10750 kECDH - ECDH cert (signed with either RSA or ECDSA)
10818 the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
10883 functionality for RSA.
11408 double-checked locking was incomplete for RSA blinding,
11452 * Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
11496 * RSA OAEP patches to fix two separate invalid memory reads.
11730 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
11761 RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
11789 a ciphersuite string such as "DEFAULT:RSA" cannot enable
11926 * Fix RSA blinding Heisenbug (problems sometimes occurred on
12094 Add a second BN_BLINDING slot to the RSA structure to improve
12095 performance when a single RSA object is shared among several
12262 to allow all RSA operations to function using a single BN_CTX.
12540 * Added an ENGINE that implements RSA by performing private key
12703 recognized instead of using RSA as a default.
12971 a ciphersuite string such as "DEFAULT:RSA" cannot enable
13068 * Fix RSA blinding Heisenbug (problems sometimes occurred on
13127 RSA, DSA, and DH private-key operations so that the sequence of
13134 BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH
13207 size for static RSA ciphersuites) as well as client server and random
13410 * Turn on RSA blinding by default in the default implementation
13417 * Change RSA blinding code so that it works when the PRNG is not
13418 seeded (in this case, the secret RSA exponent is abused as
13420 is no point in blinding anyway). Make RSA blinding thread-safe
13424 avoids excessive locking; and if an RSA object is not shared
13731 (E.g., cipher list string "RSA" enables ciphersuites that are left
13733 "RSA:!COMPLEMENTOFALL" avoids these unsafe ciphersuites.)
13934 default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
14109 API changes worth noting - some RSA, DSA, DH, and RAND functions that
14225 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
14256 * Give DH, DSA, and RSA types their own `*_up_ref()` function to increment
14364 already does with RSA. testdsa.h now has 'priv_key/pub_key'
14525 analogous to the RSA vs. RSA_METHOD type of separation. Because of this
15482 Also constify the RSA code and most things related to it. In a
15668 * Turn on RSA blinding by default in the default implementation
15675 * Change RSA blinding code so that it works when the PRNG is not
15676 seeded (in this case, the secret RSA exponent is abused as
15678 is no point in blinding anyway). Make RSA blinding thread-safe
15682 avoids excessive locking; and if an RSA object is not shared
16349 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
16450 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
16647 (RSA objects have a reference count access to which is protected
16699 * Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
16991 used for low-level RSA operations. DER public key
17716 * Allow for the possibility of temp RSA key generation failure:
18039 as a shared library without RSA. Use #ifndef NO_SSL2 instead of
18165 if a DER encoded private key is RSA or DSA traditional format. Changed
18411 * Modify RSA and DSA PEM read routines to transparently handle
18430 is used which works with EVP_PKEY, RSA or DSA structures: though
18576 performance improvement for 1024 bit RSA signs.
18635 for RSA signatures we could do without one.
18788 * Preliminary compilation option RSA_NULL which disables RSA crypto without
18789 removing all other RSA functionality (this is what NO_RSA does). This
18791 by the RSA patent while allowing storage and parsing of RSA keys and RSA
18812 (s23_srvr.c) and for RSA client key exchange verification
18972 * Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
18976 in the RSA structure, which cannot be accessed from bn_mod_exp.
19040 for verifying the consistency of RSA keys.
19126 to mess around with the internals of an RSA structure.
19849 * Make sure the RSA OAEP test is skipped under -DRSAref because
19906 * Fix to RSA private encryption routines: if p < q then it would
20107 * Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
20113 For the RSA certificate situation it makes no difference, but
20155 (in addition to RSA certificates) to match the behaviour of `openssl dsa
20157 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
20161 option; it now only avoids using the RSA stuff. Same applies to NO_DSA
20211 padding method for RSA, which is recommended for new applications in PKCS
20215 against Bleichenbacher's attack on RSA.
20224 via RSA, checks that if TLS was proposed, but we roll back to SSLv3
20588 * Make Montgomery context stuff explicit in RSA data structure.
20634 * Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
20677 * Incorporated the popular no-RSA/DSA-only patches
20678 which allow to compile an RSA-free SSLeay.
20820 * Added more RSA padding checks for SSL/TLS.