Hi Matt,

Sorry for the inconvenience caused to you by my mail.

1. In RSA_public_decrypt(), the lines below were added in the latest version of openssl. I have used the same in 0.9.8l:

#ifdef OPENSSL_FIPS
    if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
        {
        RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
        return 0;
        }
#endif

Hence my system has not thrown any error while in FIPS mode. But to address CVE-2014-0195, CVE-2014-0221 and CVE-2014-0224 I have upgraded my system to openssl-0.9.8za. After this I am not able to decrypt the phone's signed data.

2. I wanted to decrypt the data signed with the phone's private key using its public key. My aim is to decrypt the data which is given by the phone. Currently I am using

RSA_public_decrypt(sgnLen, signedData, dBuf, RSAPubKey, RSA_PKCS1_PADDING);

Here we are trying to decrypt 'signedData' using the phone's public key. Please let me know how to decrypt this information in FIPS mode.

Thanks,
Gayathri

On Thu, Oct 30, 2014 at 5:28 AM, Matt Caswell <m...@openssl.org> wrote:
>
>
> On 29/10/14 09:03, Gayathri Manoj wrote:
> > Hi Matt,
> >
> > Thanks Matt.
> >
> > Please let me know RSA_public_decrypt() is FIPS compliant in later
> > version (openssl 1.0.x).
> >
> > Currently I am using RSA_public_decrypt() in openssl-0.9.8l and not found
> > any issues in FIPS mode. To address some of the CVE, I have upgraded
> > openssl - from 0.9.8l to openssl-0.9.8ZA and encountered the
> > decryption issue.
>
> I am slightly surprised that you are using RSA_public_decrypt in FIPS
> mode without issues. I just checked the source code:
>
> int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
>              RSA *rsa, int padding)
>         {
> #ifdef OPENSSL_FIPS
>         if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
>                 {
>                 RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
>                         RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
>                 return 0;
>                 }
> #endif
>         return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
>         }
>
> with the flag RSA_FLAG_NON_FIPS_ALLOW defined as follows:
> /* If this flag is set the operations normally disabled in FIPS mode are
>  * permitted it is then the applications responsibility to ensure that the
>  * usage is compliant.
>  */
>
> #define RSA_FLAG_NON_FIPS_ALLOW 0x0400
>
> As you can see from the above if fips mode is set you should not be able
> to use RSA_public_decrypt *unless* you have also set
> RSA_FLAG_NON_FIPS_ALLOW...in which case it is up to you to ensure
> compliance.
>
> The above is the code from 0.9.8...similar code exists for later
> versions, i.e. you should not be able to call this function in FIPS mode.
>
> > To address some of the CVE, I have upgraded
> > openssl - from 0.9.8l to openssl-0.9.8ZA and encountered the
> > decryption issue.
>
> Sorry, I don't understand this. What decryption issue?
>
> >
> > As per your explanation, to make the system FIPS compliant in 0.9.8za, I
> > have to
> > 1. replace the RSA_public_decrypt() with EVP_verify()
> >         EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal()
> >         EVP_VerifyUpdate() - A buffer with the data to be verified. Same data in EVP_SignUpdate()
> >         EVP_VerifyFinal - same signature which is used for EVP_SignFinal()
> > 2. Needs to make similar changes in signing part using EVP_Sign*()
> >         EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal()
> >         EVP_SignUpdate() - should contain the data to be signed
> >         EVP_SignFinal - should contain a buffer to receive the signature
> >
>
> That would be the recommended approach, yes. Although you didn't answer
> my question about what signature scheme is in use E.g. RSASSA-PKCS1-v1.5
> or RSASSA-PSS. If your existing signing code is not using a FIPS
> compliant and openssl supported signature scheme then the above will not
> work for verifying existing signatures (which may or may not be a
> problem for you depending on the lifetime of these signatures in your
> application).
>
> >
> > In 0.9.8 there is no other FIPS supported API for decryption.
> >
>
> Your terminology is confusing. We are not talking about decryption here.
> We are talking about signing/verifying. Some of the underlying
> primitives are the same, which is where RSA_public_decrypt comes in, but
> talking about decryption confuses the issue...unless I have
> misunderstood what you are asking me?
>
> The recommended approach for doing signing/verifying in 0.9.8 is
> EVP_Sign* and EVP_Verify*.
>
> Matt
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org