[openssl/openssl] 973dda: rsa-pss: add tests checking for SHAKE usage in RSA...

Wed, 22 May 2024 06:34:11 -0700 

  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 973ddaa03f39ef6d3c890918afbeb0ea9cbe8b07
      
https://github.com/openssl/openssl/commit/973ddaa03f39ef6d3c890918afbeb0ea9cbe8b07
  Author: Dimitri John Ledkov <dimitri.led...@surgut.co.uk>
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    M providers/common/digest_to_nid.c
    M test/recipes/30-test_evp_data/evppkey_rsa_common.txt

  Log Message:
  -----------
  rsa-pss: add tests checking for SHAKE usage in RSA-PSS

FIPS 186-5, RFC 8692, RFC 8702 all agree and specify that Shake shall
be used directly as MGF (not as a hash in MGF1). Add tests that try to
specify shake hash as MGF1 to ensure that fails.

Separately the above standards specify how to use SHAKE as a message
digest with either fixed or minimum output lengths. However, currently
shake is not part of allowed hashes.

Note that rsa_setup_md()/rsa_setup_mgf1_md() call
ossl_digest_rsa_sign_get_md_nid() ->
ossl_digest_get_approved_nid_with_sha1() ->
ossl_digest_get_approved_nid() which only contain sha1/sha2/sha3
digests without XOF.

The digest test case will need to be replace if/when shake with
minimum output lengths is added to ossl_digest_get_approved_nid().

Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24387)


  Commit: 1bfc8d17f349fbe1c849bf362b24ca0af4a8977d
      
https://github.com/openssl/openssl/commit/1bfc8d17f349fbe1c849bf362b24ca0af4a8977d
  Author: Dimitri John Ledkov <dimitri.led...@surgut.co.uk>
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    M crypto/rsa/rsa_oaep.c
    M test/recipes/30-test_evp_data/evppkey_rsa_common.txt

  Log Message:
  -----------
  rsa-oaep: block SHAKE usage in FIPS mode

NIST SP 800-56 rev2 only allows using approved hash algorithms in
OAEP. Unlike FIPS 186-5 it doesn't have text allowing to use XOF SHAKE
functions. Maybe future revisions of SP 800-56 will adopt similar text
to FIPS 186-5 and allow XOF as MD and MGF (not MGF1).

RFC documents do not specify if SHAKE is allowed or blocked for usage
(i.e. there is no equivalent of RFC 8692 or RFC 8702 for OAEP). Status
quo allows their usage.

Add test cases for SHAKE in RSA-OAEP as allowed in default provider,
and blocked in fips.

Reviewed-by: Dmitry Belyavskiy <beld...@gmail.com>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24387)


Compare: https://github.com/openssl/openssl/compare/7884bedc04b9...1bfc8d17f349

To unsubscribe from these emails, change your notification settings at 
https://github.com/openssl/openssl/settings/notifications

Reply via email to