git.ipfire.org Git - thirdparty/openssl.git/commit
fips: implement deterministic ECDSA
author Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Fri, 8 Aug 2025 21:35:01 +0000 (22:35 +0100)
committer Pauli <ppzgs1@gmail.com>
Wed, 20 Aug 2025 23:58:55 +0000 (09:58 +1000)
commit c281a7303c43dcbd2456c04e463de832f2fded6a
tree c6020db83e3be64af22387378d497eabd2ca6cfb
parent 39e286bd26c1e24fb354b30d729fb87015fc3bb3
fips: implement deterministic ECDSA

[FIPS 186-5](https://doi.org/10.6028/NIST.FIPS.186-5) approved
deterministic ECDSA in the same manner as [RFC
6979](https://datatracker.ietf.org/doc/html/rfc6979).

Thus add deterministic ECDSA capability to the FIPS provider.

DSA signature generation has been deprecated and removed from FIPS
186-5, thus deterministic DSA signature creation is not added to the
FIPS provider.

Testing can be done by performing 20-test_dgst.t but needs to be version
guarded against different FIPS provider versions. Thus it is left out of
this PR for now.

It is not clear if HMAC-DRBG-KDF should be exposed publicly for
direct usage as an approved usage, or if it should be marked as
unapproved or better yet made completely internal to the FIPS
provider.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28213)
crypto/build.info
crypto/ec/ecdsa_ossl.c
providers/fips/fipsprov.c
providers/implementations/kdfs/build.info