Implement KAT for KBKDF with KMAC128 #23745
I don't think this is necessary since the underlying construct is KECCAK.
Right, and the ambiguity of the IG is the main problem here, ideally this would be clarified by the CMVP. What about replacing the existing SHA3-256 test with a SHAKE128 test? Would that be considered a regression by OpenSSL?
When comparing with other self tests, this one takes negligible amount of time. So IMO OK to add it even if it might be redundant by some interpretations of IGs.
This pull request is ready to merge
Merged to the master branch. Thank you for your contribution.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #23745)
FIPS 140-3 IG 10.3.A lists the following requirements regarding self-tests:
These make it clear that, if a cryptographic module implements SHA-3 and SHAKE (from FIPS 202), it is sufficient to test either one of those functions to cover all of them.
However, for SP 800-185 (which defines additional XOFs based on Keccak), the IG says the following:
In its entirety, this text is quite ambiguous. The intent seems to be that, to cover the SP 800-185 functions, one needs to implement a self-test for a function based on SHAKE (i.e. SHAKE128, SHAKE256, cSHAKE, KMAC...). SHA-3 is not defined in terms of SHAKE, but in terms of Keccak, and thus a SHA-3 KAT would not cover cSHAKE/KMAC/... On the other hand, SHA-3 and SHAKE seem to be considered equivalent for the purpose of self-testing FIPS 202 functions.
Because OpenSSL implements KMAC (an SP 800-185 function), I would like to propose that another KAT is added to test a SHAKE-based function. I'm aware that OpenSSL 3 already has FIPS 140-2 validation and is in the queue for FIPS 140-3 validation. Perhaps you have already discussed this with your lab and decided this would be a non-issue. I simply propose this KAT to err on the safe side.
There's a few options:
- self_test_kats.c currently does not support XOFs.
- self_test_kats.c currently does not support MACs.
- self_test_kats.c already supports KBKDF, so adding this KAT only requires small changes to self_test_data.inc.
The test data for this KAT was collected using the NIST ACVTS.
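The relationship discussed in the pull request text above, as an added example that is not part of the pull request or of OpenSSL's code: SHA3-256, SHAKE128 and KMAC128 all run the same Keccak-f[1600] permutation and differ only in rate, domain-separation suffix and input encoding, so each gets its own known-answer check. All function names are hypothetical; the KMAC128 expected value is NIST's published SP 800-185 sample #1 (not the ACVTS data used in the pull request), and the other two checks compare against Python's hashlib on a constructed input.

```python
import hashlib

def rol(a, n): return ((a << n) | (a >> (64 - n))) % (1 << 64)

def keccak_f(s):  # Keccak-f[1600] on 25 64-bit lanes (index x + 5*y): the one shared primitive
    R = 1
    for _ in range(24):
        C = [s[x] ^ s[x+5] ^ s[x+10] ^ s[x+15] ^ s[x+20] for x in range(5)]      # theta
        s = [s[i] ^ C[(i+4) % 5] ^ rol(C[(i+1) % 5], 1) for i in range(25)]
        x, y, cur = 1, 0, s[1]                                                    # rho, pi
        for t in range(24):
            x, y = y, (2*x + 3*y) % 5
            cur, s[x + 5*y] = s[x + 5*y], rol(cur, (t+1)*(t+2)//2 % 64)
        s = [s[i] ^ (~s[(i+1) % 5 + i//5*5] & s[(i+2) % 5 + i//5*5]) for i in range(25)]  # chi
        for j in range(7):                                                        # iota
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2: s[0] ^= 1 << ((1 << j) - 1)
    return s

def sponge(rate, data, suffix, outlen):  # suffix byte = domain separation + first pad bit
    pad = bytearray(data) + bytes([suffix])
    pad += bytes(-len(pad) % rate)
    pad[-1] ^= 0x80
    s = [0] * 25
    for off in range(0, len(pad), rate):
        blk = pad[off:off + rate] + bytes(200 - rate)  # capacity part absorbs zeros
        s = keccak_f([v ^ int.from_bytes(blk[8*i:8*i + 8], "little") for i, v in enumerate(s)])
    out = b""
    while len(out) < outlen:
        out += b"".join(v.to_bytes(8, "little") for v in s[:rate // 8])
        s = keccak_f(s)
    return out[:outlen]

def enc(n, right=False):  # SP 800-185 left_encode / right_encode
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b + bytes([len(b)]) if right else bytes([len(b)]) + b
def enc_str(s): return enc(8 * len(s)) + s
def bytepad(x, w): return enc(w) + x + bytes(-(len(enc(w)) + len(x)) % w)

def kmac128(key, msg, outlen, custom=b""):  # KMAC128 = cSHAKE128 with N="KMAC", rate 168
    x = bytepad(enc_str(key), 168) + msg + enc(8 * outlen, right=True)
    return sponge(168, bytepad(enc_str(b"KMAC") + enc_str(custom), 168) + x, 0x04, outlen)

def run_kats(m=b"constructed input"):  # 0x06 = SHA-3, 0x1F = SHAKE, 0x04 = cSHAKE/KMAC
    want = bytes.fromhex("e5780b0d3ea6f7d3a429c5706aa43a00fadbd7d49628839e3187243f456ee14e")
    return {"SHA3-256": sponge(136, m, 0x06, 32) == hashlib.sha3_256(m).digest(),
            "SHAKE128": sponge(168, m, 0x1F, 32) == hashlib.shake_128(m).digest(32),
            "KMAC128": kmac128(bytes(range(0x40, 0x60)), bytes(range(4)), 32) == want}
```

Calling `run_kats()` returns one pass/fail flag per function. A fault confined to the SP 800-185 encoding layer (`enc`, `bytepad`) would fail only the KMAC128 entry, which is the coverage gap the pull request is concerned with.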