openssl / project

Tracking of project related issues

Deal with PKCS#5 version 1.5 padding soft transition for FIPS 140-3 #241

Open paulidale opened 1 year ago

paulidale commented 1 year ago

PKCS#5 version 1.5 padding is banned for key agreement purposes from January 2024 as part of SP 800-131Ar2.

Since it is now a soft transition and if we submit before then, we're okay until we need to update the FIPS provider.

I.e. we have to do this eventually.

The two obvious approaches are:

  1. an indicator that is set if this mode is used
  2. condition out the relevant bits of code

There is a third which is: do both.
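As an added illustration of the two approaches above (not code from OpenSSL or from this thread), the following stand-alone C model shows a padding-mode gate that can either refuse RSA_PKCS1_PADDING (the PKCS#1 v1.5 encryption padding) for encryption/decryption in a FIPS build, or accept it and clear a "FIPS approved" indicator on the context, while leaving the same padding approved for signatures. All names (`rsa_ctx`, `rsa_ctx_set_pad_mode`, the `PAD_*` and `OP_*` enums) are the example's own, the enum values are hypothetical stand-ins for the RSA_*_PADDING constants, and treating "no padding" as non-approved for every operation is an assumption of the example, not a claim about SP 800-131Ar2.

```c
#include <stdio.h>

/* Hypothetical stand-ins for RSA_NO_PADDING, RSA_PKCS1_PADDING,
 * RSA_PKCS1_OAEP_PADDING and RSA_PKCS1_PSS_PADDING; not OpenSSL's values. */
enum pad_mode { PAD_NONE, PAD_PKCS1, PAD_OAEP, PAD_PSS };
enum rsa_op { OP_ENCRYPT, OP_DECRYPT, OP_SIGN, OP_VERIFY };

struct rsa_ctx {
    int fips_module;        /* 1 when modelling a FIPS_MODULE build */
    int reject_unapproved;  /* 1 = approach 2 (refuse the mode),
                               0 = approach 1 (indicator only) */
    int fips_approved;      /* approach 1 indicator: cleared once a
                               non-approved mode has been selected */
    enum pad_mode pad;
};

void rsa_ctx_init(struct rsa_ctx *ctx, int fips_module, int reject_unapproved)
{
    ctx->fips_module = fips_module;
    ctx->reject_unapproved = reject_unapproved;
    ctx->fips_approved = 1;
    ctx->pad = PAD_NONE;
}

/* Policy modelled on the issue's reading of SP 800-131Ar2: PKCS#1 v1.5 stays
 * approved for signatures but not for encryption/decryption, where key
 * transport must follow SP 800-56B (OAEP). "No padding" being non-approved
 * for every operation is this example's assumption. */
static int pad_is_approved(enum rsa_op op, enum pad_mode pad)
{
    switch (op) {
    case OP_ENCRYPT:
    case OP_DECRYPT:
        return pad == PAD_OAEP;
    case OP_SIGN:
    case OP_VERIFY:
        return pad == PAD_PKCS1 || pad == PAD_PSS;
    }
    return 0;
}

/* Returns 1 if the padding mode was accepted, 0 if refused. In a FIPS build a
 * non-approved mode is either refused (approach 2) or accepted with the
 * approved indicator cleared (approach 1); outside FIPS everything passes. */
int rsa_ctx_set_pad_mode(struct rsa_ctx *ctx, enum rsa_op op, enum pad_mode pad)
{
    if (ctx->fips_module && !pad_is_approved(op, pad)) {
        if (ctx->reject_unapproved)
            return 0;           /* approach 2: condition the mode out */
        ctx->fips_approved = 0; /* approach 1: accept but flag as non-approved */
    }
    ctx->pad = pad;
    return 1;
}

int main(void)
{
    struct rsa_ctx ctx;
    int ok;

    rsa_ctx_init(&ctx, 1, 1);
    ok = rsa_ctx_set_pad_mode(&ctx, OP_ENCRYPT, PAD_PKCS1);
    printf("FIPS, strict:    encrypt+PKCS1 accepted=%d\n", ok);

    rsa_ctx_init(&ctx, 1, 0);
    ok = rsa_ctx_set_pad_mode(&ctx, OP_ENCRYPT, PAD_PKCS1);
    printf("FIPS, indicator: encrypt+PKCS1 accepted=%d approved=%d\n",
           ok, ctx.fips_approved);

    rsa_ctx_init(&ctx, 1, 1);
    ok = rsa_ctx_set_pad_mode(&ctx, OP_SIGN, PAD_PKCS1);
    printf("FIPS, strict:    sign+PKCS1    accepted=%d approved=%d\n",
           ok, ctx.fips_approved);
    return 0;
}
```

The "do both" option from the comment corresponds to shipping the indicator unconditionally and turning `reject_unapproved` on when the soft transition ends, so callers that already check the indicator see no behaviour change.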

slontis commented 9 months ago

rsa_enc.c should not allow the pad_mode to be RSA_PKCS1_PADDING in the FIPS_MODULE

slontis commented 9 months ago

This padding mode is still allowed for signatures. This requirement kills TLS 1.2 ciphersuites using RSA for key agreement (since the standard only uses this padding mode for RSA).

jvdsn commented 9 months ago

You might also want to consider changing the padding in rsa_keygen_pairwise_test. Right now RSA_PKCS1_PADDING is used for encryption/decryption.

xnox commented 3 weeks ago

This is partially solved by:

But seems to be incomplete.

t8m commented 3 weeks ago

> But seems to be incomplete.

What is missing?

xnox commented 3 weeks ago

> But seems to be incomplete.
>
> What is missing?

Still trying to figure out; I cannot tell if this condition should also block padding none, and if so, when. As "not compliant with SP 800-56B are disallowed" from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf also, sometimes, catches padding-none in addition to padding pkcs#5.

maybe

t8m commented 3 weeks ago

It should be a separate issue then.