Releases: cisco/libacvp

Libacvp v2.3.0

13 Nov 19:17
42ae0c4

Library changes:

  • Fixes for symmetric cipher keywrap modes range validation to align with NIST server
  • Support for ML-KEM keycheck modes
  • Support for cSHAKE testing
  • Substantial improvements to return codes and log message consistency due to refactoring test parsing logic
  • Substantial amount of code style consistency fixes, typo fixes, misc. improvements

App changes:

  • Updated all registrations for symmetric cipher keywrap algorithms to align with NIST server
  • Efficiency improvements to hash LDT testing for OpenSSL harnesses
  • Improved OpenSSL support for PQC algorithms including keycheck modes for ML-KEM
  • Initial support for cSHAKE testing for future versions

Unit test changes:

  • Unit tests have been completely restructured to use the Unity C test framework
  • No longer requires external libraries/dependencies specifically for tests
  • To build unit tests, use the --enable-unit-tests argument in configure
  • This will create a runtest executable in the test dir as usual.
  • You should still ensure LD_LIBRARY_PATH has the needed app/lib dependencies
  • For more information, see README.md in the test directory
  • Added a valgrind suppressions file for false positive leaks from dependencies

Build system changes:

  • Fixes to be able to build non-OpenSSL harnesses without providing libcurl dir if distro has curl
    dev packages installed
  • Misc. improvements and fixes

Libacvp v2.2.0

28 Jul 19:40
c11b372

Libacvp 2.2.0 includes support for several post-quantum cryptography algorithms. In addition, the
application has been completely restructured to allow better support for testing different
implementations.

Library changes:

  • Support for ML-DSA
  • Support for ML-KEM
  • Support for SLH-DSA
  • Support for AES FPE (FF1/FF3)
  • Support for an alternate monte-carlo testing method for SHA algorithms
  • Improvements to RSA support for different modes of keygen
  • Various misc. improvements and fixes

Application changes:

  • Complete restructure to allow for better support for different implementations
  • Now natively supports OpenSSL, liboqs (partial support), and JitterEntropy's SHA implementation.
  • All implementations use the same flow code for consistent behavior with CLI commands
  • Registration code has now been split out into multiple files to maintain consistency and improve readability
  • Removed dependency on OpenSSL for TOTP generation
  • Added support for "generic" vector sets, or vector sets acquired outside of libacvp or from ACVP-server code, using the "--generic" flag when running offline tests
  • Support for OpenSSL 3.4.0 and 3.5.0
    • NOTE: The algorithm registrations for these versions are not yet finalized and may not reflect all of the capabilities of the versions. Users are responsible for ensuring that they are testing all needed algorithms and capabilities.

Build system changes:

  • apps built for other harnesses no longer have a hard requirement to link to OpenSSL
  • In cases where a custom libcurl build is not needed, a distro's installed libcurl can be used
  • Removed the "disable-lib-check" configure option; caused less identifiable errors
  • Now have stricter linking checks for the IUT library; should help reduce cases of incorrect libraries being linked unknowingly
  • Resolved some cases of errors being thrown due to changes in default CFLAGS in newer GCC versions

Libacvp v2.1.2

15 Oct 13:53
1244099

  • Removed support for ECDSA signature verification component testing
  • Resolved memory issue with generating TOTP for some platforms (Application only)
  • Resolved API issue that would cause unintended registrations for DRBG (Library only)
  • Misc. updates and improvements

Libacvp v2.1.1

23 Jul 14:54
ce3c46f

  • Adds option to specify max hash LDT size in GiB, --set_max_hash_size
  • Several misc. fixes and improvements

Libacvp v2.1.0

05 Apr 18:37
0b699e6

IMPORTANT: This release is required to test any modules affected by FIPS 186-5. This includes ECDSA, RSA, EDDSA, Deterministic ECDSA, and more. Since no current versions of OpenSSL have been validated with FIPS 186-5, acvp_app support for 186-5 is not enabled by default.

  • Support for RSA revision FIPS186-5
  • Support for ECDSA revision FIPS186-5
  • Support for Deterministic ECDSA
  • Support for EDDSA
  • Support for Revision 2.0 of RSA Signature primitive
  • Support for revision SP800-56Br2 of RSA Decryption Primitive
  • Added support for testing DRBG both with and without prediction resistance at the same time
  • Added XOF output length to test case structure for SHAKE tests
  • Improved readability of log output in several cases
  • Library version information now accessible via public headers at compile time
  • Previous revisions of aforementioned updates are still supported by the library if the correct registration flags are set (see app/app_main.c for examples)
  • Improved registration and support for OpenSSL 3.0 and 3.1
  • Various misc. improvements and fixes
  • NOTES:
    • Some API changes were required that are not backwards compatible with previous versions of the API. Please see the bottom of the migration guide for more information.
    • OpenSSL 1.1.1 build support has been removed, as it is EoL and there are no official FIPS modules for it. If you need OpenSSL 1.1.1 support, it should be possible to use previous versions of the app with the minimal API changes described in the migration guide.

Thank you for your patience as we worked through the 186-5 changes and various other updates. If you experience any problems related to this update, please open an issue on GitHub.

Libacvp v2.0.1

10 Oct 14:03
cd50a02

Resolved an issue with RSA Signature Primitive testing 1.0 due to changes on the NIST server

Libacvp v2.0.0

03 Jul 14:22
4939773

  • Libacvp 2.0.0 adds support for new crypto modules and algorithms while removing support for older
    versions:
    • OpenSSL 3.0 is now supported (All-new application code)
    • OpenSSL 1.0.2/FOM is no longer supported
  • Various API and test case structure changes are included that are NOT backwards compatible and
    will require alterations for test harnesses for other crypto modules (not included with libacvp)
    • For more details, look at the migration guide (Questions on the issues board are always welcomed)
    • Many of these changes (with one or two exceptions) will require very little work to accommodate
  • Library support for new algorithms:
    • KMAC
    • KDA Twostep
    • KDF ANS X9.42
    • LMS (Leighton-Micali signatures)
  • Various new features for existing algorithms:
    • ECDSA component testing
    • CRT key support for RSA/IFC
    • SP800-108 KDF KMAC mode (not tested by default yet)
    • Large data testing (multiple GiB) support for SHA (disabled by default)
    • KAS2 support for KAS-IFC
  • Better application control over logging
  • Cleaner log output by default
  • New APIs and application arguments for:
    • Getting library-generated algorithm registration JSON
    • Getting the number of vector sets a given registration would generate
  • Many internal improvements, fixes, cleanups
  • This list is not exhaustive
  • Review the README for more details about various changes to building, running, etc.
  • Undiscovered issues are always possible with new major releases; please open an issue if you run into any. Thanks!

Libacvp v1.5.4

28 Jun 17:06
ae3bbb8

  • Added option to disable ssp at configure time (--disable-ssp, disables fstack-protector cflag)
    • Not recommended unless absolutely required
  • Removed obsolete python scripts for metadata handling and unit tests
  • Improved handling and log messaging of combining sample session flag with manual registration
  • Misc. improvements and fixes

Be on the lookout for libacvp v2.0.0 in the coming days!

Libacvp v1.5.3

14 Dec 17:00
db43350

  • Fixed KDA revision SP800-56Cr2 in accordance with changes to the NIST demo server
  • NOTE: This does not affect any clients tested by default in acvp_app
  • This update is not required to continue testing with current versions of acvp_app
  • This DOES affect OpenSSL 3.X testing (unreleased in TBD branch) and fixes have been applied there too

Libacvp v1.5.2

19 Oct 20:19
e40e654

Fixes an issue with KDA testing (salt len check).
Note this fix has been in the libacvp_1_5_0-throttle branch since August; just failed to push a release tag.