Move FIPS Known Answer Tests in a single file #411

Merged: simo5 merged 3 commits into latchset:main from simo5:fips_kats, Feb 2, 2026

@simo5 simo5 commented Jan 29, 2026

Description

Makes maintenance of FIPS KATs easier.

Checklist

  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Rustdoc strings were added or updated
  • CHANGELOG and/or other documentation added or updated
  • This is not a code change

Reviewer's checklist:

  • Any issues marked for closing are fully addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • A changelog entry is added if the change is significant
  • Code conforms to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible text
  • Doc strings are properly updated

@simo5 simo5 requested a review from Jakuje January 29, 2026 19:55
@simo5 simo5 force-pushed the fips_kats branch 2 times, most recently from f4e279f to f630c87 Compare January 29, 2026 22:17
simo5 and others added 3 commits February 2, 2026 09:21
Move the Known Answer Test (KAT) for HMAC-SHA256 under the fips module.
This test is executed once on the first HMAC operation when the `fips`
feature is enabled.

The test logic is encapsulated in a new `fips::kats` module, moving it
out of the `native::hmac` implementation for better code organization.
If the KAT fails, the library enters a FIPS error state, and subsequent
cryptographic operations will be blocked.

Co-authored-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>

Relocate the FIPS Known Answer Test (KAT) for the TLS Pseudo-Random Function
(PRF) from `native/tlskdf.rs` to the centralized `fips/kats.rs` module. This
change consolidates all FIPS self-tests into a single location for better code
organization and consistency.

To enable this, the `TLSPRF` struct and its methods were made crate-public so
they can be accessed from the tests module. The KAT implementation now uses
the common `FIPSSelftest` framework.

Co-authored-by: Gemini <gemini@google.com>
Signed-off-by: Simo Sorce <simo@redhat.com>

The TLS PRF Known Answer Test (KAT) is refactored to improve robustness and
readability.

A new `secret_key_object` helper function is introduced to create the secret
key object used in the test. This change, along with converting hex-decoded
test vectors to static byte arrays, removes all `unwrap()` calls from the
test's initialization logic.

This ensures that any potential errors during setup will cause the self-test
to fail gracefully rather than causing a panic.

Signed-off-by: Simo Sorce <simo@redhat.com>
@simo5 simo5 changed the title Move FIPS Known Answer Tests in a signle file Move FIPS Known Answer Tests in a single file Feb 2, 2026

simo5 commented Feb 2, 2026

thanks for the review!

@simo5 simo5 merged commit a2c1ce2 into latchset:main Feb 2, 2026
50 checks passed
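
The run-once self-test gate that the commit messages above describe, as an added Rust example that is not code from this pull request or from the project: the first operation runs the KAT, and a failure latches an error state that blocks every later call. `Module`, `MacFn`, `toy_mac`, `broken_mac` and the test vector are hypothetical and constructed here; `toy_mac` is a dependency-free stand-in for HMAC-SHA256, not a real MAC.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::OnceLock;

// FipsErrorState: a self-test failed, operations are blocked. Primitive: bad input.
#[derive(Debug, PartialEq)]
pub enum Error { FipsErrorState, Primitive }
// Hypothetical signature of the primitive under test (not the project's API).
pub type MacFn = fn(&[u8], &[u8]) -> Result<u32, Error>;
// Toy stand-in for HMAC-SHA256 so the example has no dependencies. Not a real MAC.
pub fn toy_mac(key: &[u8], msg: &[u8]) -> Result<u32, Error> {
    if key.is_empty() { return Err(Error::Primitive); }
    Ok(key.iter().chain(msg).fold(0u32, |a, b| a.rotate_left(5) ^ u32::from(*b)))
}
// Simulates a corrupted implementation: same interface, wrong output.
pub fn broken_mac(key: &[u8], msg: &[u8]) -> Result<u32, Error> {
    toy_mac(key, msg).map(|t| t ^ 1)
}

// Constructed test vector, kept as static bytes so KAT setup cannot fail or panic.
static KAT_KEY: [u8; 2] = [0x01, 0x02];
static KAT_MSG: [u8; 2] = [0x03, 0x04];
const KAT_TAG: u32 = 0x8864;

pub struct Module {
    mac: MacFn,
    kat_ok: OnceLock<bool>, // unset = not tested yet, false = error state
    pub kat_runs: AtomicUsize,
}
impl Module {
    pub fn new(mac: MacFn) -> Self {
        Module { mac, kat_ok: OnceLock::new(), kat_runs: AtomicUsize::new(0) }
    }
    // Known Answer Test: an error or a mismatch is a failure, never a panic.
    fn run_kat(&self) -> bool {
        self.kat_runs.fetch_add(1, Ordering::SeqCst);
        matches!((self.mac)(&KAT_KEY, &KAT_MSG), Ok(t) if t == KAT_TAG)
    }
    pub fn in_error_state(&self) -> bool { self.kat_ok.get() == Some(&false) }
    // The first call runs the KAT exactly once; a failed KAT blocks every call.
    pub fn compute(&self, key: &[u8], msg: &[u8]) -> Result<u32, Error> {
        if !*self.kat_ok.get_or_init(|| self.run_kat()) {
            return Err(Error::FipsErrorState);
        }
        (self.mac)(key, msg)
    }
}
fn main() {
    let (good, bad) = (Module::new(toy_mac), Module::new(broken_mac));
    println!("{:?} {:?}", good.compute(b"k", b"data"), bad.compute(b"k", b"data"));
}
```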