Page MenuHome GnuPG
Create Task
Maniphest T6511

EdDSA support in FIPS mode
Closed, ResolvedPublic
Actions

Description

FIPS 186-5 (https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf) was released an now specifies support for EdDSA signatures using the Ed25519 and Ed448 signatures schemes in section 7 and the Ed25519ph and Ed448ph schemes in section 7.8.

Enabling them in FIPS Mode, should be just flipping the fips bit in ecc-curves.c, adjusting the tests, selftests and PCT tests, ...

But it looks like the new digest&sign API is not compatible with the EdDSA as it requires the direct value in the data argument, so this will likely need some love to be able to implement PCT tests and use the EdDSA from the "approved" API.

I have a draft MR with the part of simple changes to the tests and the curves definitions, but it is missing the PCT, Selftest and I did not go through the guidance to verify the implementation matches the NIST requirements

https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/16

Details

Version
master, 1.10.x

Revisions and Commits

rC libgcrypt
rC3ac2bba4a4b1 cipher:ecc: Implement PCT for EdDSA.
rC547dfb5aecc1 cipher:ecc: Add selftests for EdDSA.
rC73d2f5d93541 tests: EdDSA keys work in FIPS mode
rCc08ea202d916 ecc: Enable Ed25519 and Ed448 in FIPS mode
rCed879d832659 cipher:ecc: Fix EdDSA secret key check.
rC86fcf8292208 cipher:ecc: Support gcry_pk_hash_sign/verify for EdDSA.

Related Objects

Event Timeline

Jakuje created this task.May 31 2023, 4:51 PM
werner triaged this task as Normal priority.Jun 1 2023, 9:05 AM
werner added a subscriber: werner.

My understanding is that FIPS 186-x lists more algorithms than approved for FIPS 140-y; the approved algorithms for 140-y are in the latest revisions of SP800-140. I have not checked the latter document, though.

Jakuje added a comment.Jun 1 2023, 9:08 AM

Correct, but the last revision of FIPS 140-3 lists the EdDSA already. The same for the IG for FIPS 140-3:

https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf

werner raised the priority of this task from Normal to High.Jun 1 2023, 9:26 AM

They re-used the same file name for the update from March and no history section. Anyway that looks promising and may solve the problem of having different algorithms allowed for restricted communication in the EU and the US.

gniibe claimed this task.Jun 1 2023, 9:46 AM
gniibe added a comment.EditedJun 8 2023, 8:32 AM

I'm going to add selftest of EdDSA with test vectors from RFC 8032.

For Ed448, tests/t-ed448.inp is duplicate.

gniibe added a comment.Jun 13 2023, 6:33 AM

Before adding FIPS support flag and tests, we need to modify implementation:

  • Adding PCT check for EdDSA
  • Adding support of gcry_pk_hash_sign/verify API for EdDSA

For the latter, I created an experimental patch:

lg-input-data.diff8 KBDownload

EdDSA has two modes (normal and hashed). Normal mode doesn't hash messages, so, we need to specify input data. To do so, I added CONTEXT_TYPE_INPUT_DATA. Another approach would be having "non-hash" algo for gcry_md_open.

Jakuje added a comment.Jun 13 2023, 9:53 AM

Another approach would be having "non-hash" algo for gcry_md_open.

I think this option would be too easy to misuse in other contexts so I would prefer having the specific CONTEXT_TYPE_INPUT_DATA for EdDSA. The proposed patch looks reasonable to me and no obvious issues noticed on fast review.

werner mentioned this in rC469919751d6e: cipher:ecc: Fix public key computation for EdDSA..Jun 13 2023, 10:57 AM
gniibe added a comment.Jun 14 2023, 4:50 AM

I changed the lg-input-data.diff patch not to break the ABI, reusing the published symbol of gcry_pk_random_override_new.
With this approach, if/when needed, backporting may be easier.
Drawback is debugging internal of libgcrypt will be a bit confusing.

gniibe added a comment.Jun 14 2023, 7:49 AM

I found that for EdDSA other than pure Ed25519, it can supply context.
I changed the semantics and API for adding context and input data, as we need to support both simultaneously.

gniibe added a commit: rC86fcf8292208: cipher:ecc: Support gcry_pk_hash_sign/verify for EdDSA..Jun 14 2023, 7:59 AM
gniibe added a commit: rCed879d832659: cipher:ecc: Fix EdDSA secret key check..Jun 15 2023, 6:42 AM
gniibe added a commit: rCc08ea202d916: ecc: Enable Ed25519 and Ed448 in FIPS mode.Jun 16 2023, 4:49 AM
gniibe added a commit: rC73d2f5d93541: tests: EdDSA keys work in FIPS mode.
gniibe added a commit: rC547dfb5aecc1: cipher:ecc: Add selftests for EdDSA..Jun 16 2023, 5:05 AM
gniibe added a commit: rC3ac2bba4a4b1: cipher:ecc: Implement PCT for EdDSA..Jun 16 2023, 7:12 AM
gniibe changed the task status from Open to Testing.Jun 16 2023, 7:12 AM

Added: rC547dfb5aecc1: cipher:ecc: Add selftests for EdDSA.
Added: rC3ac2bba4a4b1: cipher:ecc: Implement PCT for EdDSA.

werner added a comment.May 7 2024, 2:44 PM

Can we close this?

Jakuje added a comment.May 7 2024, 3:01 PM

I think so. We did not submit a modules for recertification with these changes, but we do not plan this in close future so you can consider it completed.

werner closed this task as Resolved.May 8 2024, 8:32 AM
werner moved this task from Backlog to For 1.10 on the libgcrypt board.
werner mentioned this in T7165: Release Libgcrypt 1.11.0.Jun 19 2024, 11:37 AM