From 2bc4315d92a70d9a5e895d60defba4f799798806 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Fri, 19 Dec 2025 23:14:05 +0100
Subject: crypto/internal/fips140test: add ML-DSA to FIPS 140-3 functional tests
Change-Id: I568d28d27d2bc55bbadcc678a2fcf9d36a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/731540
Reviewed-by: Roland Shoemaker
Reviewed-by: Junyang Shao
Auto-Submit: Filippo Valsorda
LUCI-TryBot-Result: Go LUCI
---
.../internal/fips140test/cast_fips140v1.0_test.go | 9 ------
.../internal/fips140test/cast_fips140v1.26_test.go | 16 -----------
.../internal/fips140test/fips140v1.0_test.go | 13 +++++++++
.../internal/fips140test/fips140v1.26_test.go | 33 ++++++++++++++++++++++
src/crypto/internal/fips140test/fips_test.go | 2 ++
5 files changed, 48 insertions(+), 25 deletions(-)
delete mode 100644 src/crypto/internal/fips140test/cast_fips140v1.0_test.go
delete mode 100644 src/crypto/internal/fips140test/cast_fips140v1.26_test.go
create mode 100644 src/crypto/internal/fips140test/fips140v1.0_test.go
create mode 100644 src/crypto/internal/fips140test/fips140v1.26_test.go
diff --git a/src/crypto/internal/fips140test/cast_fips140v1.0_test.go b/src/crypto/internal/fips140test/cast_fips140v1.0_test.go
deleted file mode 100644
index b9ddfe4d8b..0000000000
--- a/src/crypto/internal/fips140test/cast_fips140v1.0_test.go
+++ /dev/null
@@ -1,9 +0,0 @@
-// Copyright 2024 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build fips140v1.0
-
-package fipstest
-
-func fips140v126Conditionals() {}
diff --git a/src/crypto/internal/fips140test/cast_fips140v1.26_test.go b/src/crypto/internal/fips140test/cast_fips140v1.26_test.go
deleted file mode 100644
index ef79068c38..0000000000
--- a/src/crypto/internal/fips140test/cast_fips140v1.26_test.go
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2024 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !fips140v1.0
-
-package fipstest
-
-import "crypto/internal/fips140/mldsa"
-
-func fips140v126Conditionals() {
- // ML-DSA sign and verify PCT
- kMLDSA := mldsa.GenerateKey44()
- // ML-DSA-44
- mldsa.SignDeterministic(kMLDSA, make([]byte, 32), "")
-}
diff --git a/src/crypto/internal/fips140test/fips140v1.0_test.go b/src/crypto/internal/fips140test/fips140v1.0_test.go
new file mode 100644
index 0000000000..262ef61d5c
--- /dev/null
+++ b/src/crypto/internal/fips140test/fips140v1.0_test.go
@@ -0,0 +1,13 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build fips140v1.0
+
+package fipstest
+
+import "testing"
+
+func fips140v126Conditionals() {}
+
+func testFIPS140v126(t *testing.T, plaintext []byte) {}
diff --git a/src/crypto/internal/fips140test/fips140v1.26_test.go b/src/crypto/internal/fips140test/fips140v1.26_test.go
new file mode 100644
index 0000000000..6cd9f4fe40
--- /dev/null
+++ b/src/crypto/internal/fips140test/fips140v1.26_test.go
@@ -0,0 +1,33 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !fips140v1.0
+
+package fipstest
+
+import (
+ "crypto/internal/fips140/mldsa"
+ "testing"
+)
+
+func fips140v126Conditionals() {
+ // ML-DSA sign and verify PCT
+ kMLDSA := mldsa.GenerateKey44()
+ // ML-DSA-44
+ mldsa.SignDeterministic(kMLDSA, make([]byte, 32), "")
+}
+
+func testFIPS140v126(t *testing.T, plaintext []byte) {
+ t.Run("ML-DSA KeyGen, SigGen, SigVer", func(t *testing.T) {
+ ensureServiceIndicator(t)
+ k := mldsa.GenerateKey44()
+
+ sig, err := mldsa.SignDeterministic(k, plaintext, "")
+ fatalIfErr(t, err)
+ t.Logf("ML-DSA signature: %x", sig)
+
+ err = mldsa.Verify(k.PublicKey(), plaintext, sig, "")
+ fatalIfErr(t, err)
+ })
+}
diff --git a/src/crypto/internal/fips140test/fips_test.go b/src/crypto/internal/fips140test/fips_test.go
index 52fc9d3488..7f2824ca9a 100644
--- a/src/crypto/internal/fips140test/fips_test.go
+++ b/src/crypto/internal/fips140test/fips_test.go
@@ -101,6 +101,8 @@ func TestFIPS140(t *testing.T) { aesBlock, err := aes.New(aesKey) fatalIfErr(t, err) + testFIPS140v126(t, plaintext) + t.Run("AES-CTR", func(t *testing.T) { ensureServiceIndicator(t) ctr := aes.NewCTR(aesBlock, aesIV) -- cgit v1.3
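Review bot: The "ML-DSA KeyGen, SigGen, SigVer" subtest in testFIPS140v126 asserts only that a freshly produced signature verifies, so a `mldsa.Verify` that accepted everything would still pass it. A rejection check after the positive one would close that gap, for example `sig[0] ^= 1` followed by `if err := mldsa.Verify(k.PublicKey(), plaintext, sig, ""); err == nil { t.Fatal("ML-DSA accepted a modified signature") }`. If the other subtests of TestFIPS140 are positive-only by design (they are not visible here), a short comment saying so would be enough. Separately, fips140v126Conditionals drops both results of `mldsa.SignDeterministic`; presumably the call exists only to trigger the PCT named in its comment, and a line such as `// Results are ignored: the call is made only to exercise the conditional self-test.` would make that explicit.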
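Review bot: The new call `testFIPS140v126(t, plaintext)` in fips_test.go lands between the `aesBlock` setup and the AES-CTR subtest that consumes it, which separates the AES fixture from its first use. Placing the call before the AES key setup or after the AES subtests would keep that section contiguous. A call-site comment such as `// No-op under the fips140v1.0 build tag; see fips140v1.0_test.go.` would also explain why this subtest is reached through a helper. TestFIPS140 starts and ends outside the hunk, so the best position depends on code not shown here.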