[openssl/openssl] 973dda: rsa-pss: add tests checking for SHAKE usage in RSA...

Dimitri John Ledkov noreply at github.com
Wed May 22 13:33:58 UTC 2024


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 973ddaa03f39ef6d3c890918afbeb0ea9cbe8b07
      https://github.com/openssl/openssl/commit/973ddaa03f39ef6d3c890918afbeb0ea9cbe8b07
  Author: Dimitri John Ledkov <dimitri.ledkov at surgut.co.uk>
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    M providers/common/digest_to_nid.c
    M test/recipes/30-test_evp_data/evppkey_rsa_common.txt

  Log Message:
  -----------
  rsa-pss: add tests checking for SHAKE usage in RSA-PSS

FIPS 186-5, RFC 8692, RFC 8702 all agree and specify that SHAKE shall
be used directly as MGF (not as a hash in MGF1). Add tests that try to
specify a SHAKE hash as MGF1 to ensure that this fails.

Separately the above standards specify how to use SHAKE as a message
digest with either fixed or minimum output lengths. However, currently
shake is not part of allowed hashes.

Note that rsa_setup_md()/rsa_setup_mgf1_md() call
ossl_digest_rsa_sign_get_md_nid() ->
ossl_digest_get_approved_nid_with_sha1() ->
ossl_digest_get_approved_nid() which only contain sha1/sha2/sha3
digests without XOF.

The digest test case will need to be replaced if/when SHAKE with
minimum output lengths is added to ossl_digest_get_approved_nid().

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24387)


  Commit: 1bfc8d17f349fbe1c849bf362b24ca0af4a8977d
      https://github.com/openssl/openssl/commit/1bfc8d17f349fbe1c849bf362b24ca0af4a8977d
  Author: Dimitri John Ledkov <dimitri.ledkov at surgut.co.uk>
  Date:   2024-05-22 (Wed, 22 May 2024)

  Changed paths:
    M crypto/rsa/rsa_oaep.c
    M test/recipes/30-test_evp_data/evppkey_rsa_common.txt

  Log Message:
  -----------
  rsa-oaep: block SHAKE usage in FIPS mode

NIST SP 800-56 rev2 only allows using approved hash algorithms in
OAEP. Unlike FIPS 186-5 it doesn't have text allowing the use of XOF SHAKE
functions. Maybe future revisions of SP 800-56 will adopt similar text
to FIPS 186-5 and allow XOF as MD and MGF (not MGF1).

RFC documents do not specify if SHAKE is allowed or blocked for usage
(i.e. there is no equivalent of RFC 8692 or RFC 8702 for OAEP). Status
quo allows their usage.

Add test cases for SHAKE in RSA-OAEP as allowed in default provider,
and blocked in fips.

Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24387)


Compare: https://github.com/openssl/openssl/compare/7884bedc04b9...1bfc8d17f349
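The two commits above describe the expected behaviour (SHAKE refused as the RSA-PSS MGF1 digest; SHAKE accepted as the RSA-OAEP digest in the default provider, blocked only in the fips provider). The following probe is an added example, not part of the OpenSSL commits or the project's evp test data: it exercises the same two cases against whatever `openssl` 3.x command-line tool is on PATH, using the default provider. The function names (`probe_pss_mgf1_shake`, `probe_oaep_shake` and the `_`-prefixed helpers) and the sample message are this example's own; each probe prints `rejected`, `accepted`, or `skip` when there is no 3.x `openssl` or the SHA-256 control operation itself fails.

```shell
#!/bin/sh
# Added probe (not OpenSSL's own test code): check on the local build that
# (1) SHAKE is refused as the MGF1 digest for RSA-PSS, and
# (2) SHAKE is still accepted as the RSA-OAEP digest in the default provider.
# Function names are this example's own. Each probe prints exactly one of:
# accepted, rejected, skip. "skip" means the probe could not run (no openssl,
# not a 3.x build, or the SHA-256 control operation itself failed).

# True when an OpenSSL 3.x command-line tool is available.
_have_openssl3() {
    command -v openssl >/dev/null 2>&1 || return 1
    case "$(openssl version 2>/dev/null)" in
        OpenSSL\ 3*) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate a throwaway 2048-bit RSA key pair plus a sample message in a
# scratch directory. Prints the directory on success, nothing on failure.
_make_scratch_key() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" >/dev/null 2>&1 || { rm -rf "$dir"; return 1; }
    openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }
    printf 'constructed sample message' > "$dir/msg"   # constructed input
    echo "$dir"
}

# Sign with RSA-PSS (SHA-256 over the raw input) using $2 as the MGF1 digest.
_pss_sign_with_mgf1() {   # $1 = scratch dir, $2 = MGF1 digest name
    openssl pkeyutl -sign -inkey "$1/key.pem" -rawin -in "$1/msg" -digest sha256 \
        -pkeyopt rsa_padding_mode:pss -pkeyopt "rsa_mgf1_md:$2" \
        -out "$1/sig" >/dev/null 2>&1
}

# Encrypt with RSA-OAEP using $2 as the OAEP digest (MGF1 digest defaults to it).
_oaep_encrypt_with_md() {   # $1 = scratch dir, $2 = OAEP digest name
    openssl pkeyutl -encrypt -pubin -inkey "$1/pub.pem" -in "$1/msg" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt "rsa_oaep_md:$2" \
        -out "$1/ct" >/dev/null 2>&1
}

# Case 1: SHAKE128 requested as the MGF1 digest for RSA-PSS.
probe_pss_mgf1_shake() {
    _have_openssl3 || { echo skip; return 0; }
    dir=$(_make_scratch_key) || { echo skip; return 0; }
    # Control: SHA-256 as MGF1 digest must work, or the probe is meaningless.
    if ! _pss_sign_with_mgf1 "$dir" sha256; then
        rm -rf "$dir"; echo skip; return 0
    fi
    if _pss_sign_with_mgf1 "$dir" shake128; then echo accepted; else echo rejected; fi
    rm -rf "$dir"
}

# Case 2: SHAKE128 requested as the RSA-OAEP digest (default provider).
probe_oaep_shake() {
    _have_openssl3 || { echo skip; return 0; }
    dir=$(_make_scratch_key) || { echo skip; return 0; }
    if ! _oaep_encrypt_with_md "$dir" sha256; then
        rm -rf "$dir"; echo skip; return 0
    fi
    if _oaep_encrypt_with_md "$dir" shake128; then echo accepted; else echo rejected; fi
    rm -rf "$dir"
}

echo "RSA-PSS with SHAKE128 as MGF1 digest:  $(probe_pss_mgf1_shake)"
echo "RSA-OAEP with SHAKE128 as OAEP digest: $(probe_oaep_shake)"
```

With the default provider the first probe is expected to print `rejected` and the second `accepted`, matching the two commit messages. To reproduce the fips-provider behaviour of the second commit, load the fips provider (for example via `-provider fips -provider base` on the `pkeyutl` calls, assuming a fips module is installed and configured); there the OAEP probe is expected to print `rejected` as well.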
