Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-14083

OpenSSL should provide FIPS-compliant RSA-OAEP

    XMLWordPrintable

Details

    • sst_security_crypto
    • ssg_security
    • 20
    • 24
    • 1
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • CentOS Stream
    • Crypto24Q1, Crypto23Q4
    • Approved Blocker
    • Release Note Not Required
    • x86_64

    Description

      What were you trying to do that didn't work?

      RSA-OAEP in OpenSSL currently ships with an explicit indicator that marks it as not approved (see prior discussion in FIPS-78 for the rationale).

      After clarification with CMVP, we can now drop this indicator and mark RSA-OAEP as approved. Additionally, we will need to backport https://github.com/openssl/openssl/pull/22403 to fulfill the requirements of NIST SP 800-56Br2.

      Please provide the package NVR for which bug is seen:

      openssl-3.0.7-17.el9_2

      How reproducible:

      Run attached reproducer.

      Steps to reproduce

      1. $(head -1 rsa-enc.c | sed -E 's@^// @@g')
      2. ./rsa-enc 2048

      Expected results

      encrypt OK (indicator: approved)
decrypt OK (indicator: approved)

      Actual results

      encrypt OK (indicator: unapproved)
decrypt OK (indicator: unapproved)

      Attachments

        Issue Links

          links to

          Web Link openssl/openssl#22403

          Web Link RHBA-2023:124119 openssl bug fix and enhancement update

          mentioned on

          GitLab Commit - Mark RSA-OAEP as approved in FIPS mode

          Activity

            People

              hkario@redhat.com Hubert Kario
              cllang@redhat.com Clemens Lang
              Clemens Lang Clemens Lang
              Hubert Kario Hubert Kario
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: