Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: add alternative EVP signing method #5141

Merged
merged 2 commits into from
Feb 27, 2025
Merged

refactor: add alternative EVP signing method #5141

merged 2 commits into from
Feb 27, 2025

Conversation

lrstewart
Copy link
Contributor

@lrstewart lrstewart commented Feb 21, 2025
edited
Loading

Release Summary:

Resolved issues:

related to #5105

Description of changes:

Final required change for #5105. This adds the new non-FIPS-140-3 EVP signing method and switches all libcryptos except awslc-fips to use it.

The state of the library after this change matches the desired state described in #5105, which is:

Libcrypto Hash method Signing Method
openssl-1.0.2 EVP EVP
awslc-fips EVP EVP-FIPS-140-3
openssl-3-fips EVP EVP
other EVP EVP

Testing:

I added s2n_evp_signing_test to the Openssl3fipsWIP build. It's nice to note that after this change, only 12/274 tests are failing for openssl-3.0-fips. A quick spot check doesn't suggest any of them are related to this change.

I also added known-value tests to s2n_evp_signing_test. That's important for a couple reasons:

  1. openssl-3.0-fips can't run the comparisons with the legacy signing methods because it doesn't support the legacy signing methods.
  2. I plan to remove the legacy signing methods, after which point no libcrypto will run the comparisons with the legacy signing methods
  3. There are subtle mistakes that aren't caught by self-talk tests. For example, I initially wasn't setting the EVP_MD on the pkey context, which is required to get the padding right when doing RSA PKCS1. Since neither the sign nor the verify methods were setting the EVP_MD, they were both wrong in the same way.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@lrstewart lrstewart mentioned this pull request Feb 21, 2025
Closed
9 tasks
@github-actions github-actions bot added the s2n-core team label Feb 21, 2025
lrstewart
lrstewart commented Feb 21, 2025
View reviewed changes
crypto/s2n_rsa_pss.c
Comment on lines +109 to +110
POSIX_GUARD(s2n_pkey_sign(priv, S2N_SIGNATURE_RSA_PSS_PSS, &sign_hash, &signature_data));
POSIX_GUARD(s2n_pkey_verify(pub, S2N_SIGNATURE_RSA_PSS_PSS, &verify_hash, &signature_data));
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without this, s2n_evp_signing_test can't load the RSA-PSS certificate it needs for testing.

@lrstewart lrstewart marked this pull request as ready for review February 21, 2025 21:46
@lrstewart lrstewart requested a review from dougch as a code owner February 21, 2025 21:46
goatgoose
goatgoose reviewed Feb 25, 2025
View reviewed changes
@lrstewart lrstewart requested a review from goatgoose February 26, 2025 18:52
@lrstewart lrstewart enabled auto-merge February 26, 2025 22:21
@lrstewart lrstewart added this pull request to the merge queue Feb 26, 2025
Merged via the queue into aws:main with commit 3b1255c Feb 27, 2025
46 checks passed
@lrstewart lrstewart deleted the openssl3fips_evp_3a branch February 27, 2025 01:17
dougch pushed a commit to dougch/s2n-tls that referenced this pull request Mar 3, 2025
@lrstewart @dougch
refactor: add alternative EVP signing method (aws#5141)
5535643
@BrewTestBot BrewTestBot mentioned this pull request Mar 6, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@goatgoose goatgoose goatgoose approved these changes

@jmayclin jmayclin jmayclin approved these changes

@dougch dougch dougch approved these changes

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lrstewart @goatgoose @jmayclin @dougch