mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-18 13:44:20 +08:00
Code Issues Packages Projects Releases Wiki Activity
7176c1af10
openssl/doc
History
Clemens Lang 6c73ca4a2f signature: Clamp PSS salt len to MD len 
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
the hash function output block (in bytes)."

Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
not use more than the digest length when signing, so that FIPS 186-4 is
not violated. This value has two advantages when compared with
RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
verifying signatures for maximum compatibility, where
RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
work for combinations where the maximum salt length is smaller than the
digest size, which typically happens with large digest sizes (e.g.,
SHA-512) and small RSA keys.

J.-S. Coron shows in "Optimal Security Proofs for PSS and Other
Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332
of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag,
2002." that longer salts than the output size of modern hash functions
do not increase security: "For example,for an application in which at
most one billion signatures will be generated, k0 = 30 bits of random
salt are actually sufficient to guarantee the same level of security as
RSA, and taking a larger salt does not increase the security level."

Signed-off-by: Clemens Lang <cllang@redhat.com>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19724)
2022-12-08 11:02:52 +01:00
..
designs QUIC Connection State Machine Design Document 2022-12-03 08:14:28 +00:00
HOWTO Replace "a RSA" with "an RSA" 2022-12-07 09:37:25 +11:00
images doc: add OpenSSL logo 2020-02-26 21:04:38 +01:00
internal Replace some boldened types with a corresponding man page link 2022-12-08 07:32:34 +01:00
life-cycles
man1 Fix typo in openssl-x509.pod.in 2022-11-25 11:36:35 +11:00
man3 signature: Clamp PSS salt len to MD len 2022-12-08 11:02:52 +01:00
man5 Add missing HISTORY sections for OpenSSL 3.0 related documents. 2022-11-21 12:03:10 +01:00
man7 signature: Clamp PSS salt len to MD len 2022-12-08 11:02:52 +01:00
build.info Move the description of the core types into their own pages 2022-12-08 07:32:34 +01:00
build.info.in
dir-locals.example.el
fingerprints.txt
openssl-c-indent.el
perlvars.pm
README.md

README.md

OpenSSL Documentation

README.md This file

fingerprints.txt PGP fingerprints of authorised release signers

standards.txt standards.txt Moved to the web, https://www.openssl.org/docs/standards.html

HOWTO/ A few how-to documents; not necessarily up-to-date

man1/ The openssl command-line tools; start with openssl.pod

man3/ The SSL library and the crypto library

man5/ File formats

man7/ Overviews; start with crypto.pod and ssl.pod, for example Algorithm specific EVP_PKEY documentation.

Formatted versions of the manpages (apps,ssl,crypto) can be found at https://www.openssl.org/docs/manpages.html