Add EDDSA FIPS self tests. #22112
Add EDDSA FIPS self tests. #22112
Conversation
slontis
added
branch: master
| @@ -86,7 +85,6 @@ static int evp_md_ctx_reset_ex(EVP_MD_CTX *ctx, int keep_fetched) | |||
| EVP_PKEY_CTX_free(ctx->pctx); | |||
There was a problem hiding this comment.
Without this change we get a memory leak.. since the digestsign interface uses ctx->pctx
There was a problem hiding this comment.
Line 565 of self_test_kats.c..
There was a problem hiding this comment.
I think you meant that last comment to go against the other thread about the init field in st_kat_sign_st... :-)
github-actions
bot
added
the
severity: fips change
mattcaswell
removed
the
approval: otc review pending
|
As this is FIPS related it is probably not required for OpenSSL 3.2 (unless 3.2 is going to become FIPS validated). |
|
OMC: should we including this in the 3.1.x validation? |
paulidale
added
approval: done
|
IMO: this is a working group discussion. |
|
There is a conflict in this PR. Also, there is a hold on this PR, but the question seems to be about 3.1. Is this going into master, and should it be there for the beta? |
|
I think we could give an post-beta exception if it would be approved to go in 3.1 by OMC. Otherwise it can as well wait for 3.3. |
|
This is a feature addition - this is not in the fips provider and it is being added. As such it has to wait for 3.3. |
|
I think this is a question for WG. The 140-3 submission is long delayed and we've still got a possibility of including EdDSA. The 140-3 submission requires other changes in addition. |
|
OMC: This can go into master branch. Not in 3.1. |
t8m
added
hold: need rebase
|
@slontis please rebase |
slontis
force-pushed
the
fips_eddsa_cast
branch
from
8017a4e
to
6510ad3
Compare
|
rebased |
|
CI is relevant |
t8m
removed
the
approval: ready to merge
|
What about, instead of using the DigestSign API for the self test, adding the EDDSA support to the EVP_PKEY_sign()/verify()? |
See FIPS 140-3 IG Section 10.3.A Part 11 Indicates ECDSA requires a sign and verify test. Note 11 states that HashEdDSA is not required to be tested if PureEdDSA is tested. Note 12 indicates that both ED25519 and X448 need to be tested. Since ED uses the oneshot interface, additional API's needed to be exposed to the FIPS provider using #ifdef FIPS_MODULE. Changed ED25518 and ED448 to use fips=true in the FIPS provider. Updated documentation for provider lists for EDDSA.
slontis
force-pushed
the
fips_eddsa_cast
branch
from
6510ad3
to
be68df3
Compare
|
rebased again |
slontis
added
the
approval: done
| "ED448", | ||
| NULL, | ||
| ed448_key, | ||
| NULL, 0, NULL, 0, NULL, 0, |
There was a problem hiding this comment.
Hi,
When I pick and test this commit, I found it should be as the following, or it will failed on self-tests.
ITM(sig_kat_entropyin),
ITM(sig_kat_nonce),
ITM(sig_kat_persstr),
Therefore, I would like to know whether it is a typo here, or do I misunderstand something?
Thank you.
There was a problem hiding this comment.
I will have to reorder the code since this doesnt print anything when it fails here.
There was a problem hiding this comment.
EDDSA works without the entropy.
There was a problem hiding this comment.
I found that it failed in set_kat_drbg.
Since EDDSA works without the entropy, we may need to skip the KAT setup for it?
There was a problem hiding this comment.
yes - I need to shift this inside the function so that it runs the self test callback with an error set..
slontis
added
approval: review pending
|
It looks like the tests fail here - so I will fix it.. |
|
Had to do a slight change since a failure in the entropy setup was not being reported as a failure by the self test callback (since it was outside the onstart()/onend() callbacks. |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
|
This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago |
| paramsinit = OSSL_PARAM_BLD_to_param(bldinit); | ||
|
|
||
| fromctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, ""); | ||
| if (fromctx == NULL\ |
| mctx = EVP_MD_CTX_new(); | ||
| if (mctx == NULL | ||
| || EVP_DigestSignInit_ex(mctx, NULL, NULL, libctx, NULL, | ||
| pkey, paramsinit)<= 0) |
There was a problem hiding this comment.
nit: missing space before <=
| @@ -697,13 +786,16 @@ static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) | |||
|
|
|||
| for (i = 0; ret && i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) { | |||
| t = st_kat_sign_tests + i; | |||
| if (!set_kat_drbg(libctx, t->entropy, t->entropy_len, | |||
| t->nonce, t->nonce_len, t->persstr, t->persstr_len)) | |||
| return 0; | |||
There was a problem hiding this comment.
Why is this no longer needed?
|
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago |
See FIPS 140-3 IG Section 10.3.A Part 11
Indicates ECDSA requires a sign and verify test.
Note 11 states that HashEdDSA is not required to be tested if PureEdDSA is tested. Note 12 indicates that both ED25519 and X448 need to be tested.
Since ED uses the oneshot interface, additional API's needed to be exposed to the FIPS provider using #ifdef FIPS_MODULE.
Changed ED25518 and ED448 to use fips=true in the FIPS provider. Updated documentation for provider lists for EDDSA.
Checklist