summaryrefslogtreecommitdiffstats
path: root/CHANGES.md
diff options
context:
space:
mode:
authorClemens Lang <cllang@redhat.com>2022-11-18 12:35:33 +0100
committerTomas Mraz <tomas@openssl.org>2022-12-09 16:34:07 +0100
commitdb2fc00945bd128b873d9f66944dfde49f8a3853 (patch)
tree60a6fea244dec818b7e481917dcc6c16df8dc03b /CHANGES.md
parentfea151a24de59f546e6d485f352c309953f38e1d (diff)
signature: Clamp PSS salt len to MD len
FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of the hash function output block (in bytes)." Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will not use more than the digest length when signing, so that FIPS 186-4 is not violated. This value has two advantages when compared with RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when verifying signatures for maximum compatibility, where RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will work for combinations where the maximum salt length is smaller than the digest size, which typically happens with large digest sizes (e.g., SHA-512) and small RSA keys. J.-S. Coron shows in "Optimal Security Proofs for PSS and Other Signature Schemes. Advances in Cryptology – Eurocrypt 2002, volume 2332 of Lecture Notes in Computer Science, pp. 272 – 287. Springer Verlag, 2002." that longer salts than the output size of modern hash functions do not increase security: "For example,for an application in which at most one billion signatures will be generated, k0 = 30 bits of random salt are actually sufficient to guarantee the same level of security as RSA, and taking a larger salt does not increase the security level." Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (cherry picked from commit 6c73ca4a2f4ea71f4a880670624e7b2fdb6f32da) (Merged from https://github.com/openssl/openssl/pull/19862)
Diffstat (limited to 'CHANGES.md')
-rw-r--r--CHANGES.md9
1 files changed, 9 insertions, 0 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 0b5cdb0767..682a7726b3 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -85,6 +85,15 @@ OpenSSL 3.1
*Tomáš Mráz*
+ * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the
+ maximum size that is smaller or equal to the digest length to comply with
+ FIPS 186-4 section 5. This is implemented by a new option
+ `OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX` ("auto-digestmax") for the
+ `rsa_pss_saltlen` parameter, which is now the default. Signature
+ verification is not affected by this change and continues to work as before.
+
+ *Clemens Lang*
+
OpenSSL 3.0
-----------