FIPS fixes #12839
Merged
FIPS fixes #12839
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
skip RSA PSS with SHA224
This replaces the rsa_pss_cert.pem with a new one that uses a salt length matching the digest length (previously it was max length)
alex
reviewed
May 1, 2025
alex
reviewed
May 1, 2025
Member
|
Ok, looks good pending wycheproof merging the changes |
alex
approved these changes
May 2, 2025
alex
added a commit
to alex/cryptography
that referenced
this pull request
May 2, 2025
* attempt to fix wycheproof in CI on centos stream9 skip RSA PSS with SHA224 * Update test_rsa.py * Update backend.py * fix * make OpenSSL 3.5 FIPS work This replaces the rsa_pss_cert.pem with a new one that uses a salt length matching the digest length (previously it was max length) * simplify * comment * fix * update with new wycheproof --------- Co-authored-by: Alex Gaynor <[email protected]>
reaperhulk
added a commit
that referenced
this pull request
May 2, 2025
* FIPS fixes (#12839) * attempt to fix wycheproof in CI on centos stream9 skip RSA PSS with SHA224 * Update test_rsa.py * Update backend.py * fix * make OpenSSL 3.5 FIPS work This replaces the rsa_pss_cert.pem with a new one that uses a salt length matching the digest length (previously it was max length) * simplify * comment * fix * update with new wycheproof --------- Co-authored-by: Alex Gaynor <[email protected]> * chore(deps): bump openssl-sys from 0.9.107 to 0.9.108 (#12832) Bumps [openssl-sys](https://github.com/sfackler/rust-openssl) from 0.9.107 to 0.9.108. - [Release notes](https://github.com/sfackler/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-sys-v0.9.107...openssl-sys-v0.9.108) --- updated-dependencies: - dependency-name: openssl-sys dependency-version: 0.9.108 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * test on libressl 4.1.0 (#12845) * 44.0.3 release * Make wycheproof x25519 and x448 tests more flexible (#12676) * Update test_x448.py * Update test_x25519.py * Update test_x25519.py * Update test_x448.py * fix mitmproxy downstream tests (#12776) * clippy nightly fixes --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Paul Kehrer <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This resolves the changes the OpenSSL 3.5 FIPS provider made:
1 < ct < (n - 1)This also updates an X509 PSS cert test vector to replace the max salt length with a digest salt length.
Depends on C2SP/wycheproof#145 (at which point I can update the wycheproof hash in this PR and remove the workaround)