Pedro Monreal Gonzalez
6bc57d937f
* SHA-1 is not allowed anymore in FIPS 186-5 for signature
verification operations. After 12/31/2030, NIST will disallow
SHA-1 for all of its usages.
* Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
- FIPS: RSA keygen PCT requirements.
* Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the
self-test requirements are covered by do_rsa_pct() for both
RSA-OAEP and RSA signatures [bsc#1221760]
* Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753]
* Add openssl-3-FIPS-PCT_rsa_keygen.patch
- FIPS: Check that the fips provider is available before setting
it as the default provider in FIPS mode. [bsc#1220523]
* Rebase openssl-Force-FIPS.patch
- FIPS: Port openssl to use jitterentropy [bsc#1220523]
* Set the module in error state if the jitter RNG fails either on
initialization or entropy gathering because health tests failed.
* Add jitterentropy as a seeding source output also in crypto/info.c
* Move the jitter entropy collector and the associated lock out
of the header file to avoid redefinitions.
* Add the fips_local.cnf symlink to the spec file. This simlink
points to the openssl_fips.config file that is provided by the
crypto-policies package.
* Rebase openssl-3-jitterentropy-3.4.0.patch
* Rebase openssl-FIPS-enforce-EMS-support.patch
- FIPS: Block non-Approved Elliptic Curves [bsc#1221786]
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=110
172 lines
6.3 KiB
Diff
172 lines
6.3 KiB
Diff
Subject: [PATCH] Revert "Improve FIPS RSA keygen performance."
|
|
|
|
This reverts commit 3431dd4b3ee7933822586aab62972de4d8c0e9e5.
|
|
---
|
|
crypto/bn/bn_prime.c | 11 --------
|
|
crypto/bn/bn_rsa_fips186_4.c | 49 ++++++------------------------------
|
|
include/crypto/bn.h | 2 --
|
|
3 files changed, 8 insertions(+), 54 deletions(-)
|
|
|
|
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
|
|
index 79776f1ce5..ddd31a0252 100644
|
|
--- a/crypto/bn/bn_prime.c
|
|
+++ b/crypto/bn/bn_prime.c
|
|
@@ -252,17 +252,6 @@ int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
|
|
return bn_is_prime_int(w, checks, ctx, do_trial_division, cb);
|
|
}
|
|
|
|
-/*
|
|
- * Use this only for key generation.
|
|
- * It always uses trial division. The number of checks
|
|
- * (MR rounds) passed in is used without being clamped to a minimum value.
|
|
- */
|
|
-int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
|
|
- BN_GENCB *cb)
|
|
-{
|
|
- return bn_is_prime_int(w, checks, ctx, 1, cb);
|
|
-}
|
|
-
|
|
int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb)
|
|
{
|
|
return ossl_bn_check_prime(p, 0, ctx, 1, cb);
|
|
diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c
|
|
index e9f0d4038c..8a7b2ecf2f 100644
|
|
--- a/crypto/bn/bn_rsa_fips186_4.c
|
|
+++ b/crypto/bn/bn_rsa_fips186_4.c
|
|
@@ -48,34 +48,6 @@ const BIGNUM ossl_bn_inv_sqrt_2 = {
|
|
BN_FLG_STATIC_DATA
|
|
};
|
|
|
|
-/*
|
|
- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin
|
|
- * required for generation of RSA aux primes (p1, p2, q1 and q2).
|
|
- */
|
|
-static int bn_rsa_fips186_5_aux_prime_MR_rounds(int nbits)
|
|
-{
|
|
- if (nbits >= 4096)
|
|
- return 44;
|
|
- if (nbits >= 3072)
|
|
- return 41;
|
|
- if (nbits >= 2048)
|
|
- return 38;
|
|
- return 0; /* Error */
|
|
-}
|
|
-
|
|
-/*
|
|
- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin
|
|
- * required for generation of RSA primes (p and q)
|
|
- */
|
|
-static int bn_rsa_fips186_5_prime_MR_rounds(int nbits)
|
|
-{
|
|
- if (nbits >= 3072)
|
|
- return 4;
|
|
- if (nbits >= 2048)
|
|
- return 5;
|
|
- return 0; /* Error */
|
|
-}
|
|
-
|
|
/*
|
|
* FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2".
|
|
* (FIPS 186-5 has an entry for >= 4096 bits).
|
|
@@ -125,13 +97,11 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits)
|
|
* Xp1 The passed in starting point to find a probably prime.
|
|
* p1 The returned probable prime (first odd integer >= Xp1)
|
|
* ctx A BN_CTX object.
|
|
- * rounds The number of Miller Rabin rounds
|
|
* cb An optional BIGNUM callback.
|
|
* Returns: 1 on success otherwise it returns 0.
|
|
*/
|
|
static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
|
|
BIGNUM *p1, BN_CTX *ctx,
|
|
- int rounds,
|
|
BN_GENCB *cb)
|
|
{
|
|
int ret = 0;
|
|
@@ -147,7 +117,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1,
|
|
i++;
|
|
BN_GENCB_call(cb, 0, i);
|
|
/* MR test with trial division */
|
|
- tmp = ossl_bn_check_generated_prime(p1, rounds, ctx, cb);
|
|
+ tmp = BN_check_prime(p1, ctx, cb);
|
|
if (tmp > 0)
|
|
break;
|
|
if (tmp < 0)
|
|
@@ -190,7 +160,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
|
|
{
|
|
int ret = 0;
|
|
BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL;
|
|
- int bitlen, rounds;
|
|
+ int bitlen;
|
|
|
|
if (p == NULL || Xpout == NULL)
|
|
return 0;
|
|
@@ -207,7 +177,6 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
|
|
bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen);
|
|
if (bitlen == 0)
|
|
goto err;
|
|
- rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen);
|
|
|
|
/* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */
|
|
if (Xp1 == NULL) {
|
|
@@ -225,8 +194,8 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout,
|
|
}
|
|
|
|
/* (Steps 4.2/5.2) - find first auxiliary probable primes */
|
|
- if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb)
|
|
- || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb))
|
|
+ if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb)
|
|
+ || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb))
|
|
goto err;
|
|
/* (Table B.1) auxiliary prime Max length check */
|
|
if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >=
|
|
@@ -274,11 +243,11 @@ err:
|
|
*/
|
|
int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
|
|
const BIGNUM *r1, const BIGNUM *r2,
|
|
- int nlen, const BIGNUM *e,
|
|
- BN_CTX *ctx, BN_GENCB *cb)
|
|
+ int nlen, const BIGNUM *e, BN_CTX *ctx,
|
|
+ BN_GENCB *cb)
|
|
{
|
|
int ret = 0;
|
|
- int i, imax, rounds;
|
|
+ int i, imax;
|
|
int bits = nlen >> 1;
|
|
BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2;
|
|
BIGNUM *base, *range;
|
|
@@ -348,7 +317,6 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
|
|
* The number has been updated to 20 * nlen/2 as used in
|
|
* FIPS186-5 Appendix B.9 Step 9.
|
|
*/
|
|
- rounds = bn_rsa_fips186_5_prime_MR_rounds(nlen);
|
|
imax = 20 * bits; /* max = 20/2 * nbits */
|
|
for (;;) {
|
|
if (Xin == NULL) {
|
|
@@ -378,9 +346,8 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin,
|
|
if (BN_copy(y1, Y) == NULL
|
|
|| !BN_sub_word(y1, 1))
|
|
goto err;
|
|
-
|
|
if (BN_are_coprime(y1, e, ctx)) {
|
|
- int rv = ossl_bn_check_generated_prime(Y, rounds, ctx, cb);
|
|
+ int rv = BN_check_prime(Y, ctx, cb);
|
|
|
|
if (rv > 0)
|
|
goto end;
|
|
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
|
|
index 4d11e0e4b1..cf69bea848 100644
|
|
--- a/include/crypto/bn.h
|
|
+++ b/include/crypto/bn.h
|
|
@@ -95,8 +95,6 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
|
|
|
|
int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx,
|
|
BN_GENCB *cb, int enhanced, int *status);
|
|
-int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx,
|
|
- BN_GENCB *cb);
|
|
|
|
const BIGNUM *ossl_bn_get0_small_factors(void);
|
|
|
|
--
|
|
2.44.0
|
|
|