openssl
openssl copied to clipboard
openssl
Add EDDSA FIPS self tests.
See FIPS 140-3 IG Section 10.3.A Part 11 Indicates ECDSA requires a sign and verify test. Note 11 states that HashEdDSA is not required to be tested if PureEdDSA is tested. Note 12 indicates that both ED25519 and X448 need to be tested.
Since ED uses the oneshot interface, additional API's needed to be exposed to the FIPS provider using #ifdef FIPS_MODULE.
Changed ED25518 and ED448 to use fips=true in the FIPS provider. Updated documentation for provider lists for EDDSA.
Checklist
- [x] documentation is added or updated
- [x] tests are added or updated
As this is FIPS related it is probably not required for OpenSSL 3.2 (unless 3.2 is going to become FIPS validated).
IMO: this is a working group discussion. I'm in favour of 3.1 getting this. I'm unsure about 3.0.
There is a conflict in this PR.
Also, there is a hold on this PR, but the question seems to be about 3.1. Is this going into master, and should it be there for the beta?
I think we could give an post-beta exception if it would be approved to go in 3.1 by OMC.
Otherwise it can as well wait for 3.3.
This is a feature addition - this is not in the fips provider and it is being added. It is not a simple addition of a "test".
As such it has to wait for 3.3.
I think this is a question for WG.
The 140-3 submission is long delayed and we've still got a possibility of including EdDSA. We know that EdDSA works, so it's really just changing "no" to "yes" in a few places and adding this test.
The 140-3 submission requires other changes in addition.
What about, instead of using the DigestSign API for the self test, adding the EDDSA support to the EVP_PKEY_sign()/verify()?
Had to do a slight change since a failure in the entropy setup was not being reported as a failure by the self test callback (since it was outside the onstart()/onend() callbacks.
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago
This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago
This PR is in a state where it requires action by @openssl/otc but the last update was 30 days ago
This PR is in a state where it requires action by @openssl/otc but the last update was 61 days ago
I'd wait with this after #23416 is merged and use the newly added signmessage/verifymessage operations instead of using digestsign/verify.
I'd wait with this after #23416 is merged and use the newly added signmessage/verifymessage operations instead of using digestsign/verify.
I think ED got taken out of the PR, it will be another PR - but yes we are on the same page.
@t8m - Can we merge this rather than waiting for the API / implementations to become present/finalized. i.e. This is an internal detail that we can modify later.
I am not really fond of merging this in this form. It requires adding a lot of FIPS_MODULE snippets into m_sigver.c that would have to be reverted. The signing API for EdDSA will be merged soon hopefully.
Aargh, how is it possible that the KAT for EdDSA fails on master after merging this?
@slontis Can you please look at this?
Being investigated.
One of the indicator changes I made causes this failure. In #25032, I put a limit on EdDSA to not allow a digest to be directly verified and instead insist on the entire message being passed through. @slontis and I think that that was a mistake and that restriction applies, instead, to ECDSA but we're not able to locate the paragraph of text in the standard that mandated this to confirm.
If correct, it's another weirdness. Not allowing external digests makes sense for EdDSA where the allowable digest is fixed. It makes a lot less sense for ECDSA where any digest is permitted.