mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-18 13:44:20 +08:00
Code Issues Packages Projects Releases Wiki Activity
1ca61aa560
openssl/providers
History
Clemens Lang 6c73ca4a2f signature: Clamp PSS salt len to MD len 
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."

Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.

J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."

Signed-off-by: Clemens Lang <cllang@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-12-08 11:02:52 +01:00
..
common Implements Hybrid Public Key Encryption (HPKE) as per RFC9180. 2022-11-25 16:26:55 +00:00
fips aes: add AES-GCM-SIV modes to the FIPS provider 2022-11-30 07:50:33 +11:00
implementations signature: Clamp PSS salt len to MD len 2022-12-08 11:02:52 +01:00
baseprov.c Cleanup : directly include of internal/nelem.h when required. 2022-11-23 18:08:25 +01:00
build.info Add VERSIONINFO resource to legacy provider if it is not builtin 2022-06-02 11:09:10 -04:00
decoders.inc Support decode SM2 parameters 2022-08-23 11:08:11 +10:00
defltprov.c Implement deterministic ECDSA sign (RFC6979) 2022-11-30 07:31:53 +00:00
encoders.inc ENCODER PROV: Add encoders with EncryptedPrivateKeyInfo output 2021-09-05 21:34:51 +02:00
fips-sources.checksums make update 2021-07-29 15:50:27 +01:00
fips.checksum make update 2021-07-29 15:50:27 +01:00
fips.module.sources make update 2021-07-29 15:50:27 +01:00
legacyprov.c Fix regression in default key length for Blowfish CFB and OFB ciphers 2022-05-23 08:50:42 +02:00
nullprov.c
prov_running.c
stores.inc Add support for loading root CAs from Windows crypto API 2022-09-14 14:10:18 +01:00