[gnutls-devel] GnuTLS | Optimize FIPS power-on self-tests (!1907)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Dec 17 11:59:55 CET 2024 


Daiki Ueno created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1907

Project:Branches: dueno/gnutls:wip/dueno/post-optimize to gnutls/gnutls:master
Author:   Daiki Ueno




<!-- Add a description of the new feature/bug fix. Reference any relevant bugs. -->

* crypto-selftests-pk: skip negative tests by default

* fips: skip compat API tests in AES self-tests

* fips: perform RSA self-tests using RSA-PSS instead of PKCS#1 v1.5

Previously the RSA self-tests were using PKCS#1 v1.5, for both
signature generation and encryption/decryption, which turned a bit
problematic as GnuTLS now has a run-time option to disable that
scheme.

According to FIPS 140-3 IG 10.3.A, for each FIPS 186-4 and FIPS 186-5
public key digital signature algorithm, a CAST shall be performed
using at least one of the schemes approved for use in the approved
mode. Similarly, the IG annex D.G mentions that if the RSA signature
generation algorithm and RSA un-encapsulation scheme use the same
implementation, only test for signature generation suffices.

Therefore, this switches to using RSA-PSS only and drop the
RSA encryption/decryption self-tests.

* fips: defer PBKDF2 self-tests until the algorithm is actually used

FIPS 140-3 allows the module to perform self-tests for an algorithm at
any time before the algorithm is used. Since PBKDF2 self-tests are
costly, this defers them until gnutls_pbkdf2 is called for the first
time.

* fips: defer EdDSA self-tests until the algorithm is actually used

FIPS 140-3 allows the module to perform self-tests for an algorithm at
any time before the algorithm is used. This defers them until the key
generation, signing, or signature verification actually happens.

Note that deferring self-tests for other public key algorithms is not
straightforward, because some of those algorithms change the internal
implementation based on whether the library is running the self-tests
or not, while we can't easily switch the library into that state in
later phases.  For example, RSA self-tests switch the RNG to be a
deterministic version.

* fips: defer DH self-tests until the algorithm is actually used

FIPS 140-3 allows the module to perform self-tests for an algorithm at
any time before the algorithm is used. Since DH self-tests are costly,
this defers them until the key generation or derivation actually
happens.

* fips: only run the first test vector for each symmetric algorithm

FIPS 140-3 doesn't require to run multiple test vectors for a single
algorithm, and one of the test vector for PBKDF2, with an 80000
iteration count is known to be too costly.  Therefore, this patch
changes gnutls_*_self_test to pick only the first test from the test
vectors, unless GNUTLS_SELF_TEST_FLAG_ALL is specified.  The existing
test vectors have been reviewed and modified for the first element to
use the sane parameters, namely: aes128_gcm_vectors to use non-zero
key and non-empty AAD, aes256_gcm_vectors to use non-empty AAD, and
pbkdf2_sha256_vectors to use iteration count greater than 1.

* fips: run AES-256 self-tests with only a single mode

Previously we ran FIPS power-on self-tests for AES-256-CBC,
AES-256-GCM, AES-256-XTS, and AES-256-CFB8, though only one mode per
key size suffices according to FIPS 140-3 IG. This omits AES-256-CBC,
AES-256-XTS, and AES-256-CFB8, keeping AES-256-GCM for performance.

Fixes: #1577 #1490 

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [ ] Code modified for feature
 * [ ] Test suite updated with functionality tests
 * [ ] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [ ] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1907
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20241217/0d50ff72/attachment-0001.html>

More information about the Gnutls-devel mailing list