Add EDDSA FIPS self tests. #22112
@@ -86,7 +85,6 @@ static int evp_md_ctx_reset_ex(EVP_MD_CTX *ctx, int keep_fetched) | |||
EVP_PKEY_CTX_free(ctx->pctx); |
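Review bot: In evp_md_ctx_reset_ex, the hunk touches the release of `ctx->pctx` (7 lines become 6 around `EVP_PKEY_CTX_free(ctx->pctx);`), and this function runs on every EVP_MD_CTX reset, yet the PR description only mentions exposing APIs under `#ifdef FIPS_MODULE`. Say in the commit message, and in a comment next to the free, under which builds and flags `ctx->pctx` is released here, and confirm that a caller who owns the pctx cannot end up with a double free.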
Without this change we get a memory leak, since the digestsign interface uses ctx->pctx
Line 565 of self_test_kats.c..
I think you meant that last comment to go against the other thread about the init field in st_kat_sign_st... :-)
As this is FIPS related it is probably not required for OpenSSL 3.2 (unless 3.2 is going to become FIPS validated).
We could consider this for 3.1 if we end up validating a version other than 3.1.2.
OMC: should we include this in the 3.1.x validation?
IMO: this is a working group discussion.
There is a conflict in this PR. Also, there is a hold on this PR, but the question seems to be about 3.1. Is this going into master, and should it be there for the beta?
I think we could give a post-beta exception if it would be approved to go in 3.1 by OMC. Otherwise it can as well wait for 3.3.
This is a feature addition - this is not in the fips provider and it is being added. As such it has to wait for 3.3.
I think this is a question for WG. The 140-3 submission is long delayed and we've still got a possibility of including EdDSA. The 140-3 submission requires other changes in addition.
OMC: This can go into master branch. Not in 3.1.
@slontis please rebase
8017a4e to 6510ad3
rebased
CI is relevant
What about, instead of using the DigestSign API for the self test, adding the EDDSA support to the EVP_PKEY_sign()/verify()?
See FIPS 140-3 IG Section 10.3.A Part 11
Indicates ECDSA requires a sign and verify test.
Note 11 states that HashEdDSA is not required to be tested if PureEdDSA is tested. Note 12 indicates that both ED25519 and X448 need to be tested.
Since ED uses the oneshot interface, additional APIs needed to be exposed to the FIPS provider using #ifdef FIPS_MODULE.
Changed ED25519 and ED448 to use fips=true in the FIPS provider. Updated documentation for provider lists for EDDSA.
6510ad3 to be68df3
rebased again
"ED448", | ||
NULL, | ||
ed448_key, | ||
NULL, 0, NULL, 0, NULL, 0, |
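Review bot: In the ED448 entry, the row `NULL, 0, NULL, 0, NULL, 0,` leaves what look like the entropy, nonce and personalization-string fields empty, while the loop in self_test_signatures passes `t->entropy`, `t->nonce` and `t->persstr` to set_kat_drbg for every entry. Either make the DRBG setup skip entries whose entropy is NULL, or add a comment on this row saying that EdDSA signing takes no DRBG input, so the empty fields read as deliberate rather than as an omission.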
Hi,
When I pick and test this commit, I found it should be as follows, or it will fail on self-tests.
ITM(sig_kat_entropyin),
ITM(sig_kat_nonce),
ITM(sig_kat_persstr),
Therefore, I would like to know whether it is a typo here, or do I misunderstand something?
Thank you.
I will have to reorder the code since this doesn't print anything when it fails here.
EDDSA works without the entropy.
I found that it failed in set_kat_drbg.
Since EDDSA works without the entropy, we may need to skip the KAT setup for it?
yes - I need to shift this inside the function so that it runs the self test callback with an error set..
It looks like the tests fail here - so I will fix it..
Had to do a slight change since a failure in the entropy setup was not being reported as a failure by the self test callback (since it was outside the onstart()/onend() callbacks).
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago
This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago
paramsinit = OSSL_PARAM_BLD_to_param(bldinit); | ||
|
||
fromctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, ""); | ||
if (fromctx == NULL\ |
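Review bot: `paramsinit = OSSL_PARAM_BLD_to_param(bldinit);` is followed by no NULL check in the lines shown, and OSSL_PARAM_BLD_to_param returns NULL on failure; fold `paramsinit == NULL` into the `if` that starts with `fromctx == NULL` unless the rest of that condition already covers it. The backslash after `NULL` on that `if` line is a stray line continuation with no purpose outside a macro and should be dropped.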
Why the trailing \ here?
mctx = EVP_MD_CTX_new(); | ||
if (mctx == NULL | ||
|| EVP_DigestSignInit_ex(mctx, NULL, NULL, libctx, NULL, | ||
pkey, paramsinit)<= 0) |
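Review bot: The `EVP_DigestSignInit_ex(mctx, NULL, NULL, libctx, NULL,` call passes NULL in the digest-name position with no explanation; add a one-line comment that this is intentional for the one-shot EdDSA path the PR description refers to, so a later reader does not "fix" it by supplying a digest name.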
nit: missing space before <=
@@ -697,13 +786,16 @@ static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) | |||
|
|||
for (i = 0; ret && i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) { | |||
t = st_kat_sign_tests + i; | |||
if (!set_kat_drbg(libctx, t->entropy, t->entropy_len, | |||
t->nonce, t->nonce_len, t->persstr, t->persstr_len)) | |||
return 0; |
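Review bot: The `return 0;` after the `set_kat_drbg` call leaves self_test_signatures directly instead of going through `ret`, which the loop condition `ret && i < ...` otherwise uses to stop, so a DRBG setup failure exits before the test for that entry runs. Move the setup into the per-test function and record the failure there, so it is reported like any other KAT failure and the loop keeps a single exit path.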
Why is this no longer needed?
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago