Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2666 +/- ##
==========================================
+ Coverage 78.80% 78.83% +0.02%
==========================================
Files 667 667
Lines 113983 114057 +74
Branches 16028 16044 +16
==========================================
+ Hits 89826 89913 +87
+ Misses 23382 23370 -12
+ Partials 775 774 -1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
crypto/fipsmodule/ml_dsa/ml_dsa.c
Outdated
| ml_dsa_params params; | ||
| ml_dsa_44_params_init(¶ms); | ||
| return (ml_dsa_keypair(¶ms, public_key, private_key, seed) == 0); | ||
| int ret = (ml_dsa_keypair(¶ms, public_key, private_key, seed) == 0); |
There was a problem hiding this comment.
Any ML-DSA function that calls another approved service (e.g. SHA3) or has a self test needs to lock the service indicator before the call, and then unlock the service indicator after. Otherwise it's not clear to the caller if the ML-DSA call they made is approved or if it's the SHA3 call that was approved but ML-DSA was not approved. This is why the CI is failing with Assertion failed: (before + 1 == after), function TestBody, file service_indicator_test.cc, line 5413..
#2112 has more information on the issue and examples.
There was a problem hiding this comment.
Thanks! I couldn't get CI to fire off at first, and my local FIPS build was in RELEASE so I wasn't getting the test output I wanted! That second PR helped!
…nto mldsa-service-indicator
Issues:
Required for FIPS
Addresses ML-DSA FIPS 204
Description of changes:
Following #1829, this PR adds the service indicator for FIPS 204 ML-DSA (both pure and pre-hash variants).
Testing:
All EVP functions are tested, for keygen, sign, verify, in all levels of ml-dsa, and all pre-hash/pure variants.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.