RHEL-14083

OpenSSL should provide FIPS-compliant RSA-OAEP

    • openssl-3.0.7-25.el9
    • Normal
    • ZStream
    • sst_security_crypto
    • ssg_security
    • 20
    • 24
    • 1
    • QE ack
    • False
    • No
    • CentOS Stream
    • Crypto24Q1, Crypto23Q4
    • Approved Blocker
    • Release Note Not Required
    • x86_64

      What were you trying to do that didn't work?

      RSA-OAEP in OpenSSL currently ships with an explicit indicator that marks it as not approved (see prior discussion in FIPS-78 for the rationale).

      After clarification with CMVP, we can now drop this indicator and mark RSA-OAEP as approved. Additionally, we will need to backport https://github.com/openssl/openssl/pull/22403 to fulfill the requirements of NIST SP 800-56Br2.

      Please provide the package NVR for which the bug is seen:

      openssl-3.0.7-17.el9_2

      How reproducible:

      Run attached reproducer.

      Steps to reproduce

      1. $(head -1 rsa-enc.c | sed -E 's@^// @@g')
      2. ./rsa-enc 2048

      Expected results

      encrypt OK (indicator: approved)
      decrypt OK (indicator: approved)
      

      Actual results

      encrypt OK (indicator: unapproved)
      decrypt OK (indicator: unapproved)
      

            hkario@redhat.com Hubert Kario
            cllang@redhat.com Clemens Lang