Ensure service indicator is incremented only once, update RSA and ED25519 to ensure the state is locked #2112
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2112 +/- ##
=======================================
Coverage 78.97% 78.97%
=======================================
Files 611 611
Lines 105500 105504 +4
Branches 14938 14937 -1
=======================================
+ Hits 83316 83322 +6
+ Misses 21531 21529 -2
Partials 653 653 ☔ View full report in Codecov by Sentry. |
smittals2
previously approved these changes
Jan 14, 2025
samuel40791765
approved these changes
Jan 15, 2025
nebeid
reviewed
Jan 16, 2025
samuel40791765
requested changes
Jan 16, 2025
|
You'll want to rebase since Ed25519ph got merged in, but I think we are aligned / should be fixed now in the functions you touched. |
…5519 to ensure the state is locked
andrewhop
force-pushed
the
service_inidicator_test
branch
from
626dbf3 to
354fc6f
Compare
skmcgrail
reviewed
Jan 29, 2025
| int res = ED25519ph_sign_digest_no_self_test(out_sig, digest, private_key, | ||
| context, context_len); | ||
| FIPS_service_indicator_unlock_state(); |
There was a problem hiding this comment.
Here I thought I got it right in all of the places :)
skmcgrail
approved these changes
Jan 29, 2025
samuel40791765
approved these changes
Jan 30, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
Resolves P186477736
Description of changes:
Currently the service indicator checks that
before != afterand multiple approved APIs might call each other. If a lock is missed a lower approved algorithm will increment the count which incorrectly marks the higher level API as approved. This is happening in three spots:This change updates the service indicator to enforce
before + 1 == afterwith a debug assert.Call-outs
This doesn't change the external behavior of the service indicator, what algorithms are approved, or what APIs are approved. The service indicator tests are unchanged. This change just ensures what we expect to be modifying the indicator is in the thing doing the update.
Testing:
The existing service indicator tests cover all approved APIs, and the new requirement that
before + 1 = afterensures only one thing per call increments the count.I took out a lock and verified it failed as expected:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.