Hi Matt,

Currently I am getting the signed hash message from some other entity, so I can't make changes to the signing part. My current implementation is: the phone will send the signed hash message, and our application will decrypt the signed message using RSA_public_decrypt() and then compare the resultant data with the hash value of the phone identity (we calculate this hash using EVP_Digest*() with the info supplied by the phone).

It worked fine in openssl-0.9.8l in FIPS mode without any issue. I haven't made any other changes apart from upgrading to openssl-0.9.8za. I have checked the source code of RSA_public_decrypt() and found no difference between the two versions. Please let me know what might be the reason and how I can rectify this. Is there any other API I can use apart from EVP_Verify*()?

Thanks,
Gayathri

On Thu, Oct 30, 2014 at 10:26 AM, Gayathri Manoj <gayathri.an...@gmail.com> wrote:
> Hi Matt,
>
> Sorry for the inconvenience caused to you through my mail.
>
> 1. In RSA_public_decrypt(), the code below was added in the latest version of
> OpenSSL. I have used the same in 0.9.8l.
>
>     #ifdef OPENSSL_FIPS
>     if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
>         {
>         RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
>                RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
>         return 0;
>         }
>     #endif
>
> Hence my system has not thrown any error while in FIPS mode. But to
> address CVE-2014-0195, CVE-2014-0221 and CVE-2014-0224 I have upgraded
> my system to openssl-0.9.8za.
> After this I am not able to the phone's signed data.
>
> 2. I wanted to decrypt the data signed with the private key of the phone using its
> public key. My aim is to decrypt the data which is given by the phone.
> Currently I am using RSA_public_decrypt(sgnLen, signedData, dBuf,
> RSAPubKey, RSA_PKCS1_PADDING);
> Here we are trying to decrypt 'signedData' using the phone's public key.
>
> Please let me know how to decrypt this information in FIPS mode.
>
> Thanks,
> Gayathri
>
> On Thu, Oct 30, 2014 at 5:28 AM, Matt Caswell <m...@openssl.org> wrote:
>>
>> On 29/10/14 09:03, Gayathri Manoj wrote:
>> > Hi Matt,
>> >
>> > Thanks Matt.
>> >
>> > Please let me know whether RSA_public_decrypt() is FIPS compliant in later
>> > versions (openssl 1.0.x).
>> >
>> > Currently I am using RSA_public_decrypt() in openssl-0.9.8l and have not found
>> > any issues in FIPS mode. To address some of the CVEs, I have upgraded
>> > openssl from 0.9.8l to openssl-0.9.8za and encountered the
>> > decryption issue.
>>
>> I am slightly surprised that you are using RSA_public_decrypt in FIPS
>> mode without issues. I just checked the source code:
>>
>>     int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
>>                            RSA *rsa, int padding)
>>         {
>>     #ifdef OPENSSL_FIPS
>>         if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
>>             {
>>             RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
>>                    RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
>>             return 0;
>>             }
>>     #endif
>>         return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
>>         }
>>
>> with the flag RSA_FLAG_NON_FIPS_ALLOW defined as follows:
>>
>>     /* If this flag is set the operations normally disabled in FIPS mode are
>>      * permitted it is then the applications responsibility to ensure that the
>>      * usage is compliant.
>>      */
>>     #define RSA_FLAG_NON_FIPS_ALLOW 0x0400
>>
>> As you can see from the above if fips mode is set you should not be able
>> to use RSA_public_decrypt *unless* you have also set
>> RSA_FLAG_NON_FIPS_ALLOW...in which case it is up to you to ensure
>> compliance.
>>
>> The above is the code from 0.9.8...similar code exists for later
>> versions, i.e. you should not be able to call this function in FIPS mode.
>>
>> > To address some of the CVEs, I have upgraded
>> > openssl from 0.9.8l to openssl-0.9.8za and encountered the
>> > decryption issue.
>>
>> Sorry, I don't understand this. What decryption issue?
>>
>> > As per your explanation, to make the system FIPS compliant in 0.9.8za, I
>> > have to
>> > 1. replace RSA_public_decrypt() with EVP_Verify*():
>> >    EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal()
>> >    EVP_VerifyUpdate() - a buffer with the data to be verified. Same data as in EVP_SignUpdate()
>> >    EVP_VerifyFinal() - the same signature which is produced by EVP_SignFinal()
>> > 2. Make similar changes in the signing part using EVP_Sign*():
>> >    EVP_SignInit(), EVP_SignUpdate() and EVP_SignFinal()
>> >    EVP_SignUpdate() - should contain the data to be signed
>> >    EVP_SignFinal() - should contain a buffer to receive the signature
>>
>> That would be the recommended approach, yes. Although you didn't answer
>> my question about what signature scheme is in use E.g. RSASSA-PKCS1-v1.5
>> or RSASSA-PSS. If your existing signing code is not using a FIPS
>> compliant and openssl supported signature scheme then the above will not
>> work for verifying existing signatures (which may or may not be a
>> problem for you depending on the lifetime of these signatures in your
>> application).
>>
>> > In 0.9.8 there is no other FIPS supported API for decryption.
>>
>> Your terminology is confusing. We are not talking about decryption here.
>> We are talking about signing/verifying. Some of the underlying
>> primitives are the same, which is where RSA_public_decrypt comes in, but
>> talking about decryption confuses the issue...unless I have
>> misunderstood what you are asking me?
>>
>> The recommended approach for doing signing/verifying in 0.9.8 is
>> EVP_Sign* and EVP_Verify*.
>>
>> Matt
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
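Added example, not code from this thread or from OpenSSL: a stdlib-only Python model of what EVP_VerifyFinal() checks for an RSASSA-PKCS1-v1.5/SHA-256 signature, placed beside a model of what RSA_public_decrypt(..., RSA_PKCS1_PADDING) hands back, so the scheme question Matt raises (does the signer emit DigestInfo || hash, or just the bare hash?) can be checked against an existing signature. The key generation, sample message and function names are my own assumptions; the toy key is far below any FIPS-approved size and exists only so the block runs offline.

```python
# Added demo (not OpenSSL or the poster's code): models EVP_VerifyFinal() and RSA_public_decrypt().
import hashlib, secrets
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2 prefix
def is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a throwaway demo key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
def gen_key(bits=512):
    """Textbook RSA (n, e, d); demo size only, nowhere near a FIPS-approved key."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if c % 65537 != 1 and is_probable_prime(c):  # keeps gcd(e, p-1) == 1
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))
def emsa_pkcs1_v15(data, k):
    """EM = 00 01 FF..FF 00 || DigestInfo || SHA-256(data), k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def sign(data, key):
    """What EVP_SignFinal() emits for RSASSA-PKCS1-v1.5 over SHA-256."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(data, k), "big"), d, n).to_bytes(k, "big")
def public_decrypt_pkcs1(sig, key):
    """Models RSA_public_decrypt(..., RSA_PKCS1_PADDING): raw RSA, strip type-1 padding, return payload."""
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return None  # not a valid block-type-1 encoding (at least 8 bytes of 0xFF)
    return em[sep + 1:]
def verify(data, sig, key):
    """What EVP_VerifyFinal() checks: payload must equal DigestInfo || SHA-256(data)."""
    return public_decrypt_pkcs1(sig, key) == SHA256_DIGESTINFO + hashlib.sha256(data).digest()
```

A signer that RSA-encrypts only the bare 32-byte digest with PKCS#1 type-1 padding will satisfy a "compare payload with the hash" check but fail verify(), which is exactly the case where switching to EVP_Verify*() rejects existing signatures.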