
Releases: usnistgov/ACVP-Server

v1.1.0.29

01 Jun 18:07

Demo: 2023-06-01

  • New Algorithm (Demo Only):
    • RSA signaturePrimitive 2.0 - Tests RSASP1 from RFC 3447. Whereas RSA signaturePrimitive 1.0 only supports testing a 2048-bit modulus, RSA signaturePrimitive 2.0 supports testing the 2048-, 3072- and 4096-bit moduli.
  • RSA sigGen FIPS186-5 and RSA sigVer FIPS186-5
    • updates testing to use the correct OIDs for the SHA3 algorithms
    • Updates PSS to support the correct max salt lengths for SHAKE-128 and SHAKE-256. Corrects the output lengths used when SHAKE-128 or SHAKE-256 are used for the PSS "Hash".
  • EDDSA keyGen 1.0 - removes secretGenerationMode as a valid registration property
  • SHA3-* 2.0 - updates MCT so that IUTs that do not support digestSize as a supported messageLength can be tested
  • TLS-v1.2 KDF RFC7627 - Adds keyBlockLength as a registration property. If keyBlockLength is omitted, a 1024-bit key block length is assumed
  • ACVP-AES-FF1 1.0 - Adds corner cases for AES-FF1 testing on particular radix-payloadLength pairs to catch rounding errors
  • LMS sigGen 1.0 - Fixes issue where test cases were not generated when "isSample": false

v1.1.0.28-hotfix-2

01 May 18:30

Demo: 2023-4-28
Prod: 2023-4-28

  • LMS sigVer 1.0 - Fixes an issue where signature verification tests that should not fail are marked as failing.
  • RSA decryptionPrimitive Sp800-56Br2 - Includes additional test case information in the prompt file, i.e., values for e, p, q, n & d. Updates the testing to check for the failure conditions identified in section 7.1.2 of SP 800-56Br2, i.e., "c: the ciphertext; an integer such that 1 < c < (n – 1)".
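
The range checks in the two RSA primitives this page mentions (RSASP1 from RFC 3447 in the v1.1.0.29 notes above, and the SP 800-56Br2 section 7.1.2 condition on c here), shown side by side with the CRT form of the private key that the v1.1.0.27 decryptionPrimitive notes below refer to. This is an added example, not code from ACVP-Server or a NIST reference implementation; the function names, the rsaKey type and the textbook key p=61, q=53, e=17, d=2753 are my own choices, and the key is far too small for anything but illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Private key in both the standard form (n, d) and the CRT form (p, q, dP, dQ, qInv).
type rsaKey struct {
	N, E, D            *big.Int
	P, Q, DP, DQ, QInv *big.Int
}

var one = big.NewInt(1)

// newToyKey builds a key from the given parameters and derives the CRT components.
// Toy-sized parameters only; they exist to make the range checks visible.
func newToyKey(p, q, e, d int64) *rsaKey {
	k := &rsaKey{P: big.NewInt(p), Q: big.NewInt(q), E: big.NewInt(e), D: big.NewInt(d)}
	k.N = new(big.Int).Mul(k.P, k.Q)
	k.DP = new(big.Int).Mod(k.D, new(big.Int).Sub(k.P, one)) // d mod (p-1)
	k.DQ = new(big.Int).Mod(k.D, new(big.Int).Sub(k.Q, one)) // d mod (q-1)
	k.QInv = new(big.Int).ModInverse(k.Q, k.P)               // q^-1 mod p
	return k
}

// expPrivate computes x^d mod n, either directly or with Garner's CRT recombination.
func (k *rsaKey) expPrivate(x *big.Int, useCRT bool) *big.Int {
	if !useCRT {
		return new(big.Int).Exp(x, k.D, k.N)
	}
	m1 := new(big.Int).Exp(x, k.DP, k.P)
	m2 := new(big.Int).Exp(x, k.DQ, k.Q)
	h := new(big.Int).Sub(m1, m2)
	h.Mul(h, k.QInv).Mod(h, k.P)   // h = qInv * (m1 - m2) mod p (Mod yields a non-negative result)
	return h.Mul(h, k.Q).Add(h, m2) // m = m2 + h*q
}

// rsasp1 is RSASP1 from RFC 3447 section 5.2.1: the message representative must satisfy
// 0 <= m <= n-1, and the signature representative is s = m^d mod n.
func rsasp1(k *rsaKey, m *big.Int, useCRT bool) (*big.Int, error) {
	if m.Sign() < 0 || m.Cmp(k.N) >= 0 {
		return nil, errors.New("RSASP1: message representative out of range")
	}
	return k.expPrivate(m, useCRT), nil
}

// rsadp is the decryption primitive with the SP 800-56Br2 section 7.1.2 precondition
// 1 < c < n-1. This is stricter than RFC 3447's 0 <= c <= n-1: c = 0, 1 and n-1 map to
// m = 0, 1 and n-1 (d is odd), so they carry no information and an IUT must reject them.
func rsadp(k *rsaKey, c *big.Int, useCRT bool) (*big.Int, error) {
	nMinus1 := new(big.Int).Sub(k.N, one)
	if c.Cmp(one) <= 0 || c.Cmp(nMinus1) >= 0 {
		return nil, errors.New("RSADP: ciphertext out of range, need 1 < c < n-1")
	}
	return k.expPrivate(c, useCRT), nil
}

func main() {
	k := newToyKey(61, 53, 17, 2753) // n = 3233
	for _, c := range []int64{0, 1, 2790, 3232, 3233} {
		m, err := rsadp(k, big.NewInt(c), true)
		fmt.Printf("RSADP(c=%d): m=%v err=%v\n", c, m, err)
	}
	s, err := rsasp1(k, big.NewInt(0), false)
	fmt.Printf("RSASP1(m=0): s=%v err=%v (RFC 3447 allows m = 0)\n", s, err)
}
```

The CRT path and the plain path must agree for every in-range input; an implementation that only exercises one of them in its harness will not notice a bad qInv until the other form is registered.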

Prod Update: 2023-05-12

  • RSA decryptionPrimitive Sp800-56Br2 algorithm enabled on Prod.

v1.1.0.28-hotfix-1

27 Mar 17:59

Demo: 2023-3-24
Prod: 2023-4-12

  • LMS keyGen 1.0 - Decreases the number of test cases.
  • SHA-1, SHA2-224, SHA2-256, SHA2-384, SHA2-512, SHA2-512/224, SHA2-512/256 - The MCTs are updated to support the case where the IUT does not support a message length of 3*digestSize, i.e., !SupportedMessageLengths.Contains(3*digestSize), a limitation of the original MCT design. This change is backwards compatible.
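
An added example (not ACVP-Server code) of the standard SHA Monte Carlo Test loop, which is where the 3*digestSize requirement comes from: every inner-loop message is the concatenation of the three preceding digests, so an IUT whose supported message lengths do not include 3*digestSize cannot run it. The alternate MCT this hotfix introduces is not reproduced here; see the ACVP SHA specification for it. The function names and the seed are my own; the real test uses 100 outer and 1000 inner iterations.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// mctMessageLen returns the length in bytes of every message hashed inside the standard
// MCT inner loop: three digests concatenated, i.e. 3*digestSize.
func mctMessageLen(newHash func() hash.Hash) int {
	return 3 * newHash().Size()
}

// shaMCT runs the standard SHA MCT:
//   MD[0] = MD[1] = MD[2] = seed
//   MD[i] = SHA(MD[i-3] || MD[i-2] || MD[i-1])   for the inner iterations
// The last digest of an outer iteration is both its reported result and the
// seed of the next outer iteration.
func shaMCT(newHash func() hash.Hash, seed []byte, outer, inner int) [][]byte {
	h := newHash()
	if len(seed) != h.Size() {
		panic("MCT seed must be exactly one digest long")
	}
	results := make([][]byte, 0, outer)
	for j := 0; j < outer; j++ {
		a, b, c := seed, seed, seed
		for i := 0; i < inner; i++ {
			msg := make([]byte, 0, 3*h.Size())
			msg = append(msg, a...)
			msg = append(msg, b...)
			msg = append(msg, c...)
			h.Reset()
			h.Write(msg)
			a, b, c = b, c, h.Sum(nil)
		}
		results = append(results, c)
		seed = c
	}
	return results
}

func main() {
	seed := make([]byte, sha256.Size) // constructed seed, not a NIST vector
	for i := range seed {
		seed[i] = byte(i)
	}
	out := shaMCT(sha256.New, seed, 100, 1000)
	fmt.Printf("message length per inner step: %d bytes\n", mctMessageLen(sha256.New))
	fmt.Printf("MD[0]  = %s\n", hex.EncodeToString(out[0]))
	fmt.Printf("MD[99] = %s\n", hex.EncodeToString(out[99]))
}
```

A harness that truncates or pads the 3*digestSize message to a length the module does support will produce values that validate against nothing; that is the case the alternate MCT exists to handle.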

Prod Update: 2023-04-19

  • LMS keyGen 1.0, LMS sigGen 1.0 and LMS sigVer 1.0 algorithms enabled on Prod.

v1.1.0.28

03 Mar 17:29

Demo: 2023-3-2
Prod: 2023-3-21

  • LMS algorithms:
    • LMS keyGen 1.0 - New algorithm. Adds support for testing LMS key generation.
    • LMS sigGen 1.0 - New algorithm. Adds support for testing LMS signature generation
    • LMS sigVer 1.0 - New algorithm. Adds support for testing LMS signature verification.
    • NOTE: LMS keyGen 1.0, sigGen 1.0 and sigVer 1.0 will not be enabled in Prod until further testing in Demo has been completed.
  • kdf-components srtp 1.0 - Adds support for testing SRTP/SRTCP KDF implementations where a 48-bit quantity, i.e., 000...0 || 0 || SRTCP index, is used in the SRTCP key derivation (see IETF RFC Errata ID 7606 and https://csrc.nist.gov/csrc/media/publications/sp/800-135/rev-1/final/documents/sp800-135r1-informative-note-20160919.pdf) vs the 32-bit quantity, i.e., 0 || SRTCP index, defined in the original RFC 3711. This is accomplished with the addition of the supports48BitSrtcpIndex registration property.
  • RSA keyGen FIPS186-4 and RSA keyGen FIPS186-5 - Fixes an issue where a "General exception. Contact service provider." would be returned when the RSA key generation parameters provided by an IUT ran afoul of the FIPS 186-4 "Compute a probable prime factor based on aux primes" failure condition at FIPS 186-4 C.9 Step 9. Instead of ending the validation with a General exception, an informative error is now logged for any offending test cases in the validation.json.
  • kdf-components ansix9.63 1.0 - Adds testing support for SHA2-512/224, SHA2-512/256, SHA3-224, SHA3-256, SHA3-384 and SHA3-512.
  • ECDSA sigGen FIPS186-5 - Adds testing support for SHAKE-128 and SHAKE-256
  • RSA sigGen FIPS186-5 and RSA sigVer FIPS186-5 - Adds testing support for SHAKE and SHA3.
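
An added example (not ACVP-Server code) of the RFC 3711 section 4.3.1 key derivation, parameterized on the width of the index term so the two readings of the SRTCP case in the srtp 1.0 item above can be compared: the 32-bit quantity 0 || SRTCP index from the original RFC text versus the 48-bit quantity from erratum 7606. The width decides which byte of the master salt the label is XORed into, so the derived SRTCP keys differ. The master key and salt are the RFC 3711 Appendix B.3 inputs (with kdr = 0, hence r = 0); the function name srtpKDF and the rBits parameter are my own.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// srtpKDF implements RFC 3711 4.3.1:
//   key_id = label || r           (right-aligned against the 112-bit master salt)
//   x      = key_id XOR master_salt
//   key    = first outLen bytes of the AES-CM keystream with IV = x * 2^16
// rBits is the width of r: 48 for SRTP (and for SRTCP under erratum 7606),
// 32 for SRTCP as literally written in RFC 3711 ("0 || SRTCP index").
func srtpKDF(masterKey, masterSalt []byte, label byte, r uint64, rBits uint, outLen int) []byte {
	if len(masterSalt) != 14 {
		panic("master salt must be 112 bits")
	}
	if rBits != 32 && rBits != 48 {
		panic("r must be 32 or 48 bits wide")
	}
	// key_id as a 14-byte right-aligned value: r in the low rBits, label in the 8 bits above it.
	var keyID [14]byte
	rBytes := int(rBits / 8)
	for i := 0; i < rBytes; i++ {
		keyID[13-i] = byte(r >> (8 * uint(i)))
	}
	keyID[13-rBytes] = label
	// x * 2^16: x occupies the top 112 bits, the low 16 bits are the AES-CM block counter.
	var iv [16]byte
	for i := 0; i < 14; i++ {
		iv[i] = keyID[i] ^ masterSalt[i]
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 0, outLen+16)
	var ks [16]byte
	for ctr := uint16(0); len(out) < outLen; ctr++ {
		iv[14], iv[15] = byte(ctr>>8), byte(ctr)
		block.Encrypt(ks[:], iv[:])
		out = append(out, ks[:]...)
	}
	return out[:outLen]
}

func main() {
	// Master key and master salt from RFC 3711 Appendix B.3.
	key, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	salt, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	fmt.Printf("SRTP cipher key (label 0x00): %X\n", srtpKDF(key, salt, 0x00, 0, 48, 16))
	fmt.Printf("SRTP salt       (label 0x02): %X\n", srtpKDF(key, salt, 0x02, 0, 48, 14))
	// SRTCP encryption key (label 0x03): the two readings of the index width disagree.
	fmt.Printf("SRTCP key, 48-bit index: %X\n", srtpKDF(key, salt, 0x03, 0, 48, 16))
	fmt.Printf("SRTCP key, 32-bit index: %X\n", srtpKDF(key, salt, 0x03, 0, 32, 16))
}
```

With r = 0 the SRTP labels land on salt byte 7 either way only when the width is 48; under the 32-bit reading every SRTCP label is XORed into salt byte 9 instead, which is why an IUT must declare supports48BitSrtcpIndex so the server generates answers with the same alignment.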

v1.1.0.27

02 Dec 21:41

Demo: 2022-12-3
Prod: 2022-12-28

CLIENT-BREAKING CHANGE -- PLEASE SEE THE "KDA HKDF Sp800-56Cr2 and KDA TwoStep Sp800-56Cr2" SECTION OF THE RELEASE NOTES FOR A CLIENT-BREAKING CHANGE

  • RSA decryptionPrimitive Sp800-56Br2 - New algorithm with improved testing, support for additional modulo and support for the CRT key format.
  • KDA HKDF Sp800-56Cr2 and KDA TwoStep Sp800-56Cr2 - corrects the hybrid shared secret testing for these two algorithms. This is considered a client-breaking change as registrations for these algorithms will now require the usesHybridSharedSecret registration property to be provided to indicate whether a hybrid shared secret is being tested. If a hybrid shared secret is being tested, then the auxSharedSecretLen registration property is also required. The auxiliary shared secret is no longer treated as a potential component of the fixedInfoPattern, but rather Z prime = Z || T as per SP 800-56Cr2. Several new properties are also added at the test group level of the prompt file. For more information see the HKDF and TwoStep algorithm specification documents.
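
An added example (not ACVP-Server code) of where the auxiliary shared secret goes after this change: T is appended to Z to form Z' = Z || T, and Z' is the HKDF input keying material, while FixedInfo stays the RFC 5869 info string. The function names kdaHKDF and hkdf are my own. The inputs are the RFC 5869 Appendix A.1 test vector with its 22-byte IKM split into a 12-byte Z and a 10-byte T, so the hybrid derivation reproduces the RFC's OKM while the previous treatment (T folded into FixedInfo) visibly does not.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// hkdf is RFC 5869 Extract-then-Expand:
//   PRK = HMAC-Hash(salt, IKM)
//   T(i) = HMAC-Hash(PRK, T(i-1) || info || i), OKM = T(1) || T(2) || ...
func hkdf(newHash func() hash.Hash, salt, ikm, info []byte, length int) []byte {
	size := newHash().Size()
	if length > 255*size {
		panic("HKDF output length exceeds 255*HashLen")
	}
	if len(salt) == 0 {
		salt = make([]byte, size) // RFC 5869 default salt: HashLen zero bytes
	}
	ext := hmac.New(newHash, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, t []byte
	for i := byte(1); len(okm) < length; i++ {
		m := hmac.New(newHash, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length]
}

// kdaHKDF derives keying material in the shape of the SP 800-56Cr2 HKDF KDA.
// With hybrid == true the auxiliary secret T is concatenated to Z (Z' = Z || T)
// and Z' is the IKM; T is never part of FixedInfo. With hybrid == false, T is
// ignored and Z alone is the IKM.
func kdaHKDF(z, t, salt, fixedInfo []byte, length int, hybrid bool) []byte {
	ikm := append([]byte{}, z...)
	if hybrid {
		ikm = append(ikm, t...)
	}
	return hkdf(sha256.New, salt, ikm, fixedInfo, length)
}

func main() {
	// Constructed split of the RFC 5869 A.1 IKM (22 bytes of 0x0b) into Z and T.
	z := bytes.Repeat([]byte{0x0b}, 12)
	t := bytes.Repeat([]byte{0x0b}, 10)
	salt, _ := hex.DecodeString("000102030405060708090a0b0c")
	fixedInfo, _ := hex.DecodeString("f0f1f2f3f4f5f6f7f8f9")
	fmt.Printf("hybrid, Z' = Z || T as IKM: %x\n", kdaHKDF(z, t, salt, fixedInfo, 42, true))
	fmt.Printf("non-hybrid, Z alone as IKM: %x\n", kdaHKDF(z, nil, salt, fixedInfo, 42, false))
	wrongInfo := append(append([]byte{}, fixedInfo...), t...)
	fmt.Printf("T placed in FixedInfo:      %x\n", hkdf(sha256.New, salt, z, wrongInfo, 42))
}
```

The registration consequence follows directly: the server can only build Z' if it knows both that a hybrid secret is in use (usesHybridSharedSecret) and how long T is (auxSharedSecretLen), since T is now part of the keying material rather than of the public FixedInfo.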

Prod Update: 2023-02-03

  • FIPS 186-5 algorithms enabled on Prod, including EdDSA, Deterministic ECDSA, updated ECDSA and RSA testing.

v1.1.0.26

31 Oct 20:21

Demo: 2022-10-27
Prod: 2022-11-21

  • hashDRBG - Corrects the maximum security strength values used to calculate several minimum values associated with hashDRBG.
  • KAS-IFC-SSC - Fixes issue for KAS-IFC-SSC VAL test cases where, when a Z value was changed, that change was not taken into account when calculating the hashZ value.
  • kdf-components / ikev2 - Adds the derivedKeyingMaterialChildLength registration property to IKEv2 KDF. The addition of this optional property allows derivedKeyingMaterialChildLength != derivedKeyingMaterialLength. If derivedKeyingMaterialChildLength is not supplied as part of the registration, derivedKeyingMaterialChildLength will be set equal to derivedKeyingMaterialLength. Adds the derivedKeyingMaterialChildLength property to the test group level of the prompt file. This property applies to the derivedKeyingMaterialChild and derivedKeyingMaterialDh test case properties of the response.

v1.1.0.25

20 Sep 18:33

Prod: 2022-9-23
Demo: 2022-8-12

POTENTIALLY CLIENT BREAKING CHANGE -- PLEASE SEE THE "SHAKE, cSHAKE, KMAC, ParallelHash, and TupleHash" SECTION OF THE RELEASE NOTES FOR A POTENTIALLY CLIENT BREAKING CHANGE RELATED TO AN UPDATE TO THE CASING OF THE cSHAKE, ParallelHash, and TupleHash ALGORITHM NAMES

  • KDF KMAC Sp800-108r1 - New algorithm to support the addition of KMAC in SP 800-108r1.
  • RSA sigVer - Updates the "reason" given when an IUT returns testPassed:false when testPassed:true is expected for RSA sigVer to give the tester some additional clarity. Changes reason from "No modification" to "No modification, i.e., "testPassed": true expected".
  • AES KWP - AES KW payloadLens are limited to multiples of 64 and AES KWP payloadLens must be multiples of 8. The "multiple of 64" AES KW restriction was inadvertently also being applied to AES KWP payloadLens. The inadvertent restriction on AES KWP payloadLens is now removed.
  • KTS IFC - For KTS IFC, "encoding" was being required in the registration when an associatedDataPattern was not supplied. This behavior is now corrected. "encoding" is now only required when an associatedDataPattern is supplied.
  • AES XTS - Fixes the AES XTS implementation mistakenly setting the data unit length for each test case to be the length of the payload instead of the actual value of the data unit length for the test case. It will now be possible for "dataUnitLenMatchesPayload": false to be tested for XTS.
  • AES-GCM-SIV - Fixes an issue where the AES-GCM-SIV testing was incrementing the counter by 8 bits vs the required 32 bits. The counter is now incremented by 32 bits.
  • KAS - Enforces case sensitivity for some registration parameters where enforcement of case sensitivity had been previously overlooked/not enforced
  • Updates GenValAppRunner to use the -a and -b switches in lieu of -n and -r as using '-r' as a command line switch conflicts with the -r switch for dotnet run.
  • KDA - Corrects saltLen values for KDA/TwoStep/56C, KDA/OneStep/56C, KDA/OneStepNoCounter/56C and KDA/HKDF/56C to be the length of the hash's input block for HMAC and the values set out in the SP for the KMAC when they are used.
  • ECDSA SigVer
  • SHAKE, cSHAKE, KMAC, ParallelHash, and TupleHash
    • Updates the casing of the cSHAKE, ParallelHash, and TupleHash algorithm names from all caps to mixed case. <-- NOTE: THIS IS A POTENTIALLY CLIENT BREAKING CHANGE. AFTER THIS CHANGE ACVTS WILL NO LONGER ACCEPT REGISTRATIONS FOR "CSHAKE-128", "CSHAKE-256", "PARALLELHASH-128", "PARALLELHASH-256", "TUPLEHASH-128", AND "TUPLEHASH-256", BUT WILL REQUIRE "cSHAKE-128", "cSHAKE-256", "ParallelHash-128", "ParallelHash-256", "TupleHash-128", AND "TupleHash-256".
    • Adds the outLenIncrement value to cSHAKE, ParallelHash, and TupleHash prompts at the test group level for MCT tests.
    • Corrects an issue where the server was including two additional name/value pairs, tuple and customization, in the TupleHash MCT resultsArray objects when Expected Results were generated. Also updates the example TupleHash json files to remove these additional name/value pairs.
    • SHAKE, cSHAKE, KMAC, ParallelHash & TupleHash - Updates the type used internally by ACVTS for several XOF properties from the Range type to the Domain type.
      • Algorithms and Properties:
        • cSHAKE: msgLen & outputLen
        • KMAC: msgLen, keyLen & macLen
        • ParallelHash: msgLen & outputLen
        • SHAKE: outputLen
        • TupleHash: msgLen & outputLen
      • #184

v1.1.0.24

31 Jan 20:54

Demo: 2022-01-27
Prod: 2022-01-31

  • Updates the algorithm name for the SP 800-56Cr1/r2 KDFs from "KAS-KDF" to "KDA."

v1.1.0.23

04 Jan 19:34
1c98bac

Demo: 2022-01-04
Prod: 2022-01-07

  • Updates expected answers endpoint to account for situations where the test session does not yet exist.
    • Previously, a similar check was done on the prompt file endpoint, as the expectation was the questions would always be retrieved before the answers. Since that is not always the flow used, adding the check to this endpoint as well.
    • #39
  • Corrects the AES-GCM-SIV type for payloadLength from array to Domain.
  • Updates returned message if a certification is requested while a certification request is already active/approved.
  • Misc Algorithms
    • MCT validators now check for appropriate length arrays, to prevent not returning a result file in cases where the IUT did not provide all elements

v1.1.0.22

16 Nov 23:52
1c98bac

Demo: 2021-11-16
Prod: 2021-12-09

BREAKING CHANGE for crypto implementations around XOF MCT and tls v1.3, see their line items below and corresponding issues for more details.

  • TLS v1.3 - updates the generation of secrets to utilize the range of messages posted to the transcript hash, rather than just "the first and last message"
    • This is a breaking change to existing harnesses/implementations, but does not invalidate previous testing
    • #151
  • KAS KDFs adds SaltLen to prompt projection
  • EDDSA
    • Previously the act of mangling, then encoding/decoding the mangled key would often put the point back onto the curve. We're now validating, after an encode/decode cycle, that the key fails validation, rather than just checking pre-encode/decode that the point isn't on the curve.
    • There was a test for ensuring the IUT can detect bad keys that are outside of the valid range of values for the group. This test is not really valid since public keys are communicated in an encoded form, and the act of decoding them takes their value modulo the field size; the decoded key can never be outside of the range for that reason.
    • #146
  • XOF MCTs - updates XOF MCTs to account for the provided math domain
    • This is a breaking change to existing harnesses/implementations, but does not invalidate previous testing
    • usnistgov/ACVP#1246
  • AES-CCM - correction to max testable AAD from 256 -> 4096, in "non 1<<19" testing scenarios.