fips: remove redundant RSA encrypt/decrypt KAT#25988
Closed
xnox wants to merge 1 commit into openssl:master from
Conversation
FIPS 140-2 IG D.9 has become FIPS 140-3 D.G (see "Mapping FIPS 140-2 IGs to FIPS 140-3" in the FIPS 140-3 IG). The requirements w.r.t. RSA KATs have now been relaxed, meaning that the existing full-message RSA signature verification (which is performed separately) is sufficient to meet KAT requirements for all RSA use cases (KEM/Encrypt/Decrypt/Sign/Verify).

Dropping this KAT is very useful because it is large/expensive on module startup, but also because it makes it possible in the future to block RSA Encrypt/Decrypt operations with paddings other than OAEP, which are legacy or deprecated by either the current or the draft algorithm transition SP.
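An added illustration of the KAT-coverage argument in the description above. This is editor-added example code, not OpenSSL's self-test code and not part of the PR: a toy power-on self-test table built on textbook RSA with a constructed 12-bit key, no padding and no hashing. The test names, the `faulty_modexp` fault and the table layout are hypothetical. It shows that a sign/verify KAT already calls the same two primitives (private and public exponentiation) that the raw encrypt/decrypt KATs call, so a faulty primitive is still detected once those two KATs are dropped from the table.

```python
"""Toy model of a FIPS-style power-on known-answer test (KAT) table.

Constructed illustration only: textbook RSA with a tiny modulus (p = 61,
q = 53), no padding and no hashing.  It is not OpenSSL's self-test code and
must not be used for anything real.  It shows why a sign/verify KAT already
exercises both RSA primitives that the raw encrypt/decrypt KATs exercised,
and that a faulty primitive is still caught after those KATs are dropped.
"""
from typing import Callable, Dict, List, Tuple

# Constructed toy key: n = 61 * 53, e = 17, d = e^-1 mod lcm(60, 52) = 2753.
N, E, D = 3233, 17, 2753

# Known answer (hand-checkable): 65^17 mod 3233 = 2790 and 2790^2753 mod 3233 = 65.
KAT_PLAINTEXT, KAT_CIPHERTEXT = 65, 2790

ModExp = Callable[[int, int, int], int]


def rsa_public(x: int, modexp: ModExp = pow) -> int:
    """Public-key primitive (RSAEP / RSAVP1): x^e mod n."""
    return modexp(x, E, N)


def rsa_private(x: int, modexp: ModExp = pow) -> int:
    """Private-key primitive (RSADP / RSASP1): x^d mod n."""
    return modexp(x, D, N)


def kat_rsa_encrypt(modexp: ModExp) -> bool:
    """Raw encrypt KAT: one public-key exponentiation against a fixed vector."""
    return rsa_public(KAT_PLAINTEXT, modexp) == KAT_CIPHERTEXT


def kat_rsa_decrypt(modexp: ModExp) -> bool:
    """Raw decrypt KAT: one private-key exponentiation against a fixed vector."""
    return rsa_private(KAT_CIPHERTEXT, modexp) == KAT_PLAINTEXT


def kat_rsa_sign_verify(modexp: ModExp) -> bool:
    """Sign/verify KAT: the private op must reproduce the fixed signature and
    the public op must recover the fixed message representative, so both
    primitives are exercised by this single test."""
    sig = rsa_private(KAT_CIPHERTEXT, modexp)   # "signs" the representative 2790
    return sig == KAT_PLAINTEXT and rsa_public(sig, modexp) == KAT_CIPHERTEXT


# Hypothetical test names; they are not OpenSSL's self-test descriptors.
FULL_KATS: List[Tuple[str, Callable[[ModExp], bool]]] = [
    ("RSA_Encrypt", kat_rsa_encrypt),
    ("RSA_Decrypt", kat_rsa_decrypt),
    ("RSA_Sign_Verify", kat_rsa_sign_verify),
]
# The table after the raw encrypt/decrypt KATs are dropped.
REDUCED_KATS: List[Tuple[str, Callable[[ModExp], bool]]] = [
    ("RSA_Sign_Verify", kat_rsa_sign_verify),
]


def run_self_tests(kats, modexp: ModExp = pow) -> Dict[str, bool]:
    """Run every KAT in the table and report pass/fail per test name."""
    return {desc: test(modexp) for desc, test in kats}


def module_may_start(results: Dict[str, bool]) -> bool:
    """A FIPS module enters an error state if any power-on KAT fails."""
    return all(results.values())


def faulty_modexp(base: int, exp: int, mod: int) -> int:
    """Constructed fault: the private-exponent path returns a wrong residue."""
    r = pow(base, exp, mod)
    return r ^ 1 if exp == D else r


if __name__ == "__main__":
    for label, table in (("full", FULL_KATS), ("reduced", REDUCED_KATS)):
        for impl_name, impl in (("good", pow), ("faulty", faulty_modexp)):
            res = run_self_tests(table, impl)
            print(f"{label:7s} table, {impl_name:6s} primitive: {res} "
                  f"-> start={module_may_start(res)}")
```

Run as a script it prints four lines: both tables pass with the correct primitive, and both refuse start-up with the faulty one, because the sign/verify KAT fails on the same wrong private-exponent result that the dropped decrypt KAT would have caught. A real module checks the padded operations with full-size vectors; the coverage argument here is only about the primitive, which is the level at which the description above makes it.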
paulidale approved these changes, Nov 18, 2024
t8m approved these changes, Nov 20, 2024
Collaborator: This pull request is ready to merge
Member: Merged to the master branch. Thank you for your contribution.
openssl-machine pushed a commit that referenced this pull request, Nov 22, 2024

FIPS 140-2 IG D.9 has become FIPS 140-3 D.G (see "Mapping FIPS 140-2 IGs to FIPS 140-3" in the FIPS 140-3 IG). The requirements w.r.t. RSA KATs have now been relaxed, meaning that the existing full-message RSA signature verification (which is performed separately) is sufficient to meet KAT requirements for all RSA use cases (KEM/Encrypt/Decrypt/Sign/Verify).

Dropping this KAT is very useful because it is large/expensive on module startup, but also because it makes it possible in the future to block RSA Encrypt/Decrypt operations with paddings other than OAEP, which are legacy or deprecated by either the current or the draft algorithm transition SP.

Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Dmitry Belyavskiy <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #25988)
Sashan pushed a commit to Sashan/openssl that referenced this pull request, Apr 23, 2025 (same commit message as the merge commit above)
nhorman added a commit to nhorman/openssl that referenced this pull request, Sep 26, 2025

Revert "fips: remove redundant RSA encrypt/decrypt KAT"

This reverts commit 635bf49.

During code review for FIPS-140-3 certification, our lab noticed that the known answer test for RSA was removed. This was done in the above commit, as part of openssl#25988, under the assertion that FIPS 140-3 Implementation Guidance section D.G had relaxed the requirements for testing, obviating the need for this test. However, for the 3.5 FIPS-140-3 certification we are adding assertions for support of KAS-IFC-SSC, which follows FIPS-140-3 I.G section D.F, which does not contain the same relaxed constraints. As such we need to reintroduce the test.

While the specifics of the I.G requirements are slightly different in D.F (allowing for other, potentially less time-consuming tests), the most expedient path forward here is to simply re-introduce the test as it existed previously, hence the reversion of the above commit.

Fixes openssl/private#832
openssl-machine pushed a commit that referenced this pull request, Sep 27, 2025

Same revert commit message as above, with trailers:
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
(Merged from #28676)
openssl-machine pushed a commit that referenced this pull request, Sep 27, 2025

Same revert commit message and trailers as the merged revert above, plus:
(cherry picked from commit 3206bb7)