root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Replace PKCS#1 v1.5 encryption in RSA PCT 

After December 31, 2023, SP 800-131Ar2 [0] no longer allows PKCS#1 v1.5
padding for RSA "key-transport" (aka encryption and decryption).
There's a few good options to replace this usage in the RSA PCT, but
signature generation and verification using PKCS#1 v1.5 padding (which
remains approved) is the simplest.

[0]: https://doi.org/10.6028/NIST.SP.800-131Ar2

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23832)
This commit is contained in:
Joachim Vandersmissen 2024-03-13 19:26:21 -05:00 committed by Pauli
parent e91384d5b0
commit 9341e6683c
1 changed files with 15 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
crypto/rsa/rsa_gen.c
View File

@ -23,7 +23,9 @@
#include <time.h> #include <time.h>
#include "internal/cryptlib.h" #include "internal/cryptlib.h"
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/obj_mac.h>
#include <openssl/self_test.h> #include <openssl/self_test.h>
#include "crypto/sha.h"
#include "prov/providercommon.h" #include "prov/providercommon.h"
#include "rsa_local.h" #include "rsa_local.h"
@ -658,13 +660,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes,
static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg) static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg)
{ {
int ret = 0; int ret = 0;
unsigned int ciphertxt_len; unsigned int sig_len;
unsigned char *ciphertxt = NULL; unsigned char *sig = NULL;
const unsigned char plaintxt[16] = {0}; const unsigned char md[SHA256_DIGEST_LENGTH] = {0};
unsigned char *decoded = NULL;
unsigned int decoded_len;
unsigned int plaintxt_len = (unsigned int)sizeof(plaintxt_len);
int padding = RSA_PKCS1_PADDING;
OSSL_SELF_TEST *st = NULL; OSSL_SELF_TEST *st = NULL;
st = OSSL_SELF_TEST_new(cb, cbarg); st = OSSL_SELF_TEST_new(cb, cbarg);
@ -673,37 +671,25 @@ static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg)
OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT, OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1); OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1);
ciphertxt_len = RSA_size(rsa); sig_len = RSA_size(rsa);
/* sig = OPENSSL_zalloc(sig_len);
* RSA_private_encrypt() and RSA_private_decrypt() requires the 'to' if (sig == NULL)
* parameter to be a maximum of RSA_size() - allocate space for both.
*/
ciphertxt = OPENSSL_zalloc(ciphertxt_len * 2);
if (ciphertxt == NULL)
goto err;
decoded = ciphertxt + ciphertxt_len;
ciphertxt_len = RSA_public_encrypt(plaintxt_len, plaintxt, ciphertxt, rsa,
padding);
if (ciphertxt_len <= 0)
goto err;
if (ciphertxt_len == plaintxt_len
&& memcmp(ciphertxt, plaintxt, plaintxt_len) == 0)
goto err; goto err;
OSSL_SELF_TEST_oncorrupt_byte(st, ciphertxt); if (RSA_sign(NID_sha256, md, SHA256_DIGEST_LENGTH, sig, &sig_len, rsa) == 0)
goto err;
decoded_len = RSA_private_decrypt(ciphertxt_len, ciphertxt, decoded, rsa, OSSL_SELF_TEST_oncorrupt_byte(st, sig);
padding);
if (decoded_len != plaintxt_len if (RSA_verify(NID_sha256, md, SHA256_DIGEST_LENGTH, sig, sig_len,
|| memcmp(decoded, plaintxt, decoded_len) != 0) rsa) == 0)
goto err; goto err;
ret = 1; ret = 1;
err: err:
OSSL_SELF_TEST_onend(st, ret); OSSL_SELF_TEST_onend(st, ret);
OSSL_SELF_TEST_free(st); OSSL_SELF_TEST_free(st);
OPENSSL_free(ciphertxt); OPENSSL_free(sig);
return ret; return ret;
} }