[web] master update
Dr. Paul Dale
pauli at openssl.org
Wed Nov 4 23:15:19 UTC 2020
The branch master has been updated
via 96d7bc5229d5b350756a63878e5c38a683a26016 (commit)
via 981f70449c60812d9fef4106755ec637b6b868b4 (commit)
via 7fb9357ff70ce58df6c4e13ceb0e9a4dead77cc4 (commit)
from 7c84bf7db927de5a6676a0fad2e88546e7e6e7ed (commit)
- Log -----------------------------------------------------------------
commit 96d7bc5229d5b350756a63878e5c38a683a26016
Author: Pauli <paul.dale at oracle.com>
Date: Wed Nov 4 10:50:24 2020 +1000
Remove the TLS fixes items for CBC and key agreement.
Both of these have been completed and are no longer relevant FIPS related
work. Neither is a FIPS algorithm in of itself.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/204)
commit 981f70449c60812d9fef4106755ec637b6b868b4
Author: Pauli <paul.dale at oracle.com>
Date: Wed Nov 4 10:49:25 2020 +1000
Update FIPS algorithm list to indicate compliance.
The algorithms are now compliant, indicate this in the table.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/204)
commit 7fb9357ff70ce58df6c4e13ceb0e9a4dead77cc4
Author: Pauli <paul.dale at oracle.com>
Date: Wed Nov 4 10:43:21 2020 +1000
Update FIPS algorithm list.
Some additional algorithms have been added to the FIPS validation. Reflect this
in the appendix.
Reviewed-by: Matt Caswell <matt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/204)
-----------------------------------------------------------------------
Summary of changes:
docs/OpenSSL300Design.md | 184 ++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 159 insertions(+), 25 deletions(-)
diff --git a/docs/OpenSSL300Design.md b/docs/OpenSSL300Design.md
index e552692..6aab23a 100644
--- a/docs/OpenSSL300Design.md
+++ b/docs/OpenSSL300Design.md
@@ -1,7 +1,7 @@
---
title: OpenSSL 3.0.0 Design
author: OpenSSL Management Committee (OMC)
-date: January, 2019
+date: November, 2020
state: DRAFT
header-includes:
- |
@@ -2801,6 +2801,18 @@ Security Policy statement regarding the <a href="https://csrc.nist.gov/publicati
<td>All AES cipher modes supporting 128, 192 and 256 bits.
</td>
</tr>
+ <tr>
+ <td>
+ </td>
+ <td>CBC CTS
+ </td>
+ <td>
+ </td>
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
<tr>
<td>
</td>
@@ -2810,7 +2822,19 @@ Security Policy statement regarding the <a href="https://csrc.nist.gov/publicati
</td>
<td>✓
</td>
- <td>It's likely easier to include all of these than to remove some of them.
+ <td>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ </td>
+ <td>CFB
+ </td>
+ <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38a/final">SP 800-38A</a>
+ </td>
+ <td>✓
+ </td>
+ <td>
</td>
</tr>
<tr>
@@ -2844,7 +2868,7 @@ Security Policy statement regarding the <a href="https://csrc.nist.gov/publicati
</td>
<td><a href="https://csrc.nist.gov/publications/detail/sp/800-38d/final">SP 800-38D</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>Changes in IV. Module must generate the IV.
</td>
@@ -2861,6 +2885,18 @@ Security Policy statement regarding the <a href="https://csrc.nist.gov/publicati
<td>
</td>
</tr>
+ <tr>
+ <td>
+ </td>
+ <td>OFB
+ </td>
+ <td><a href="https://csrc.nist.gov/publications/detail/sp/800-38a/final">SP 800-38A</a>
+ </td>
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
<tr>
<td>
</td>
@@ -2868,7 +2904,7 @@ Security Policy statement regarding the <a href="https://csrc.nist.gov/publicati
</td>
<td><a href="https://csrc.nist.gov/publications/detail/sp/800-38e/final">SP 800-38E</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>See <a href="https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Module-Validation-Program/documents/fips140-2/FIPS1402IG.pdf">FIPS 140-2 I.G.</a> A.9. Needs key check added. This mode does not support 192 bits. Check added by <a href="https://github.com/openssl/openssl/pull/7120">#7120</a>.
</td>
@@ -2979,6 +3015,42 @@ Security Policy statement regarding the <a href="https://csrc.nist.gov/publicati
<td>
</td>
</tr>
+ <tr>
+ <td>CMAC
+ </td>
+ <td>
+ </td>
+ <td>
+ </td>
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
+ <tr>
+ <td>GMAC
+ </td>
+ <td>
+ </td>
+ <td>
+ </td>
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
+ <tr>
+ <td>KMAC
+ </td>
+ <td>
+ </td>
+ <td>
+ </td>
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
<tr>
<td>DRBG
</td>
@@ -2986,7 +3058,7 @@ Security Policy statement regarding the <a href="https://csrc.nist.gov/publicati
</td>
<td><a href="https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final">SP 800-90A</a>
</td>
- <td>✗
+ <td>✓
</td>
<td rowspan="3" >Issues with <a href="https://csrc.nist.gov/publications/detail/sp/800-90c/draft">SP 800-90C</a>.
<p>
@@ -3000,7 +3072,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final">SP 800-90A</a>
</td>
- <td>✗
+ <td>✓
</td>
</tr>
<tr>
@@ -3010,7 +3082,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final">SP 800-90A</a>
</td>
- <td>✗
+ <td>✓
</td>
</tr>
<tr>
@@ -3032,7 +3104,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf">FIPS 186-4</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>Refer also to <a href="https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/draft">SP 800-56B</a>. PKCS#1.5, PSS, Key pair generation. Modulus size changes.
</td>
@@ -3044,7 +3116,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/draft">SP 800-56B</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>OAEP. Update to <a href="https://csrc.nist.gov/publications/detail/sp/800-56b/rev-2/draft">SP 800-56B rev-1</a> standard.
</td>
@@ -3056,7 +3128,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final">SP 800-56A</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>Update to <a href="https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final">SP 800-56A rev-3</a> standard.
</td>
@@ -3068,7 +3140,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/keymgmt/KASVS.pdf">KASVS</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>Additional testing to meet ZZonly. CVL/KAS.
</td>
@@ -3080,7 +3152,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf">FIPS 186-4</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>PQG generation & verification, signature generation & verification, key pair generation.
</td>
@@ -3092,7 +3164,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf">FIPS 186-4</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>Key pair generation, public key generation, signature generation & verification.
</td>
@@ -3104,7 +3176,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final">SP 800-56A</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>B-233, 283, 409, 571; K-233, 283, 409, 571; P-224, 256, 384, 521. Update to <a href="https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final">SP 800-56A rev-3</a> standard.
</td>
@@ -3116,7 +3188,7 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/keymgmt/KASVS.pdf">KASVS</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>Additional testing to meet ZZonly. CVL/KAS.
</td>
@@ -3128,43 +3200,105 @@ All comply with <a href="https://csrc.nist.gov/publications/detail/sp/800-90a/re
</td>
<td><a href="https://csrc.nist.gov/publications/detail/sp/800-132/final">SP 800-132</a>
</td>
- <td>✗
+ <td>✓
</td>
<td>Verify conformance with standards. See <a href="https://github.com/openssl/openssl/pull/6674">#6674</a>.
</td>
</tr>
<tr>
- <td>TLS
+ <td>
</td>
- <td>PRF
+ <td>HKDF
</td>
<td>
</td>
- <td>✗
+ <td>✓
</td>
- <td>For TLS 1.2 and 1.3.
+ <td>
</td>
</tr>
<tr>
<td>
</td>
- <td>RSA
+ <td>SSKDF
</td>
<td>
</td>
- <td>N/A
+ <td>✓
</td>
- <td rowspan="2" ><em>These two are not algorithms, they serve as a reminder that the custom code for these in libssl would need to move to libcrypto and then be incorporated into the FIPS module.</em>
+ <td>
</td>
</tr>
<tr>
<td>
</td>
- <td>CBC
+ <td>SSHKDF
</td>
<td>
</td>
- <td>N/A
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ </td>
+ <td>X9.42 KDF
+ </td>
+ <td>
+ </td>
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ </td>
+ <td>X9.63 KDF
+ </td>
+ <td>
+ </td>
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ </td>
+ <td>KBKDF
+ </td>
+ <td>
+ </td>
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ </td>
+ <td>TLS PRF
+ </td>
+ <td>
+ </td>
+ <td>✓
+ </td>
+ <td>
+ </td>
+ </tr>
+ <tr>
+ <td>TLS
+ </td>
+ <td>PRF
+ </td>
+ <td>
+ </td>
+ <td>✓
+ </td>
+ <td>For TLS 1.2 and 1.3.
</td>
</tr>
</table>
More information about the openssl-commits
mailing list