diff options
author | Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk> | 2024-05-13 18:07:40 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-05-22 15:31:00 +0200 |
commit | 1bfc8d17f349fbe1c849bf362b24ca0af4a8977d (patch) | |
tree | 8181102afd5116eb0488d6d176d3555ec512c771 /crypto | |
parent | 973ddaa03f39ef6d3c890918afbeb0ea9cbe8b07 (diff) |
rsa-oaep: block SHAKE usage in FIPS mode
NIST SP 800-56 rev2 only allows using approved hash algorithms in
OAEP. Unlike FIPS 186-5 it doesn't have text allowing to use XOF SHAKE
functions. Maybe future revisions of SP 800-56 will adopt similar text
to FIPS 186-5 and allow XOF as MD and MGF (not MGF1).
RFC documents do not specify if SHAKE is allowed or blocked for usage
(i.e. there is no equivalent of RFC 8692 or RFC 8702 for OAEP). Status
quo allows their usage.
Add test cases for SHAKE in RSA-OAEP as allowed in default provider,
and blocked in fips.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24387)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/rsa/rsa_oaep.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index b9030440c4..0ec18b9691 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -76,6 +76,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, if (mgf1md == NULL) mgf1md = md; +#ifdef FIPS_MODULE + /* XOF are approved as standalone; Shake256 in Ed448; MGF */ + if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) { + ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); + return 0; + } + if ((EVP_MD_get_flags(mgf1md) & EVP_MD_FLAG_XOF) != 0) { + ERR_raise(ERR_LIB_RSA, RSA_R_MGF1_DIGEST_NOT_ALLOWED); + return 0; + } +#endif + mdlen = EVP_MD_get_size(md); if (mdlen <= 0) { ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH); @@ -182,6 +194,18 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, if (mgf1md == NULL) mgf1md = md; +#ifdef FIPS_MODULE + /* XOF are approved as standalone; Shake256 in Ed448; MGF */ + if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) { + ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); + return -1; + } + if ((EVP_MD_get_flags(mgf1md) & EVP_MD_FLAG_XOF) != 0) { + ERR_raise(ERR_LIB_RSA, RSA_R_MGF1_DIGEST_NOT_ALLOWED); + return -1; + } +#endif + mdlen = EVP_MD_get_size(md); if (tlen <= 0 || flen <= 0) |