Add ML-KEM768 KATs from BoringSSL #25938
andrewkdinh wants to merge 3 commits into openssl:feature/ml-kem from
CI is relevant.
baentsch left a comment
Some nits, one basic design question.
| if (params == NULL) | ||
| return 1; | ||
|
|
||
| if ((p = OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_MLKEM_ENC_ENTROPY)) != NULL |
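Review bot: in the OSSL_PARAM_locate_const(params, OSSL_KEM_PARAM_MLKEM_ENC_ENTROPY) branch, nothing in the visible lines limits this parameter to test builds, so it is reachable by whatever sets parameters on this context, through the same path that returns 1 when params is NULL. Caller-chosen encapsulation entropy makes the ciphertext and shared secret deterministic, so I'd suggest either gating the lookup behind a test-only condition or documenting the parameter as test-only, and rejecting a value whose length is not exactly the expected entropy size. The condition is cut off after != NULL here, so the length handling cannot be checked from this view.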
Design question: Is this parameter OK to make available for general use? Or is there some mechanism I didn't spot that only makes this active during testing?
I didn't use any mechanism to make this available only for testing (i.e. it's available for general use). But as to whether to make this available for general use, I guess that's up to us. As far as I can tell, other providers don't usually hide params like this. However, BoringSSL doesn't make it available for general use (plus some other functions as shown here).
I'm also undecided on that -- let's try to resolve that as part of the documentation as discussed.
Now spent some time on this: FIPS 203 section 3.3 IMO is pretty clear on these parameters: "The interfaces for these functions should not be made available to applications other than for testing purposes".
"Funny" of course is that violating this is the basis for https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/06/. I'm a bit wary wading into this: How far is OpenSSL willing to go supporting draft specs that are not final, @mattcaswell @t8m?
How can we make these params "test-time only" until that is sorted, @andrewkdinh ?
@vdukhovni tagging you for input as discussed today...
From the presentation I linked above:
@t8m the consensus among implementers right now can be summarized as:
I agree with @t8m. This isn't a problem for now. Solve it later. It might mean we make this kind of interface available in the default provider, but not the FIPS provider.
OK, I'll then document these params. Besides, a "should not" is not a "must not". Thanks for linking the presentation @romen .
We can document them as a "should not" and explain they are intended for test purposes etc
Resolved. As a side note, running Edit: looks like there's still CI issues... will look into it
Many files do that (fail check-format.pl) but the approach is to not touch them to avoid unnecessary back-porting hardships. Thanks for the other fixes. Please let me know if your QUIC obligations don't leave you time to keep working on this any more.
looks like you've got one more inadvertent memory leak: It's not the result of your code, but rather an idiosyncrasy of how the test tries to be more efficient in tracking generated keys. In the test file evppkey_mlkem768_keygen.txt, each test stanza denotes a new key to generate, but doesn't provide a KeyName field for any of the keys. While that's fine, since these tests don't reuse keys at all (which is what the KeyName field appears to be meant to do), it seems to trigger a long standing bug stemming from the fact that every other test case appears to always assign a name to a key. In keygen_test_run, iff a KeyName field is provided, it gets added to the public_keys and private_keys arrays for later lookup, and freeing at the end of the test. If you don't provide a name however, keygen_test_run skips adding to those arrays (see test/evp_test.c line 4292). By not adding to those arrays however, the newly generated key leaks when the pkey stack value goes out of scope. I guess the choices for fix here are to either: I think (b) is probably the best solution here, as having a KeyName isn't a requirement for the test
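The ownership gap described in the comment above, as a small added model (not code from the PR or from test/evp_test.c). `toy_key`, `run_stanza`, `named_keys` and the fixed pool are hypothetical stand-ins, and releasing the unowned key inside the stanza handler is shown as one possible harness-side remedy.

```c
#include <stdio.h>

/* Constructed model, not OpenSSL code. Keys come from a fixed pool so a
 * leak can be counted instead of being lost on the real heap. */
#define POOL 8
typedef struct { int in_use; } toy_key;
static toy_key pool[POOL];
static toy_key *named_keys[POOL]; /* stand-in for the named-key arrays */
static int n_named;

static toy_key *toy_keygen(void)
{
    for (int i = 0; i < POOL; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}
static void toy_key_free(toy_key *k) { if (k != NULL) k->in_use = 0; }

/* One keygen stanza; key_name == NULL models a stanza with no KeyName.
 * free_unnamed = 0 reproduces the leak, 1 releases the unowned key. */
static int run_stanza(const char *key_name, int free_unnamed)
{
    toy_key *k = toy_keygen();
    if (k == NULL)
        return 0;
    if (key_name != NULL)
        named_keys[n_named++] = k; /* registry owns k, freed at end of run */
    else if (free_unnamed)
        toy_key_free(k);           /* no owner, so release it here */
    return 1;
}

/* One named and two unnamed stanzas, then cleanup; returns keys still live. */
static int leaked_after_run(int free_unnamed)
{
    int live = 0;
    for (int i = 0; i < POOL; i++) pool[i].in_use = 0;
    n_named = 0;
    run_stanza("named-key", free_unnamed);
    run_stanza(NULL, free_unnamed);
    run_stanza(NULL, free_unnamed);
    while (n_named > 0) toy_key_free(named_keys[--n_named]);
    for (int i = 0; i < POOL; i++) live += pool[i].in_use;
    return live;
}

int main(void) {
    printf("leaked without fix: %d, with fix: %d\n", leaked_after_run(0), leaked_after_run(1));
    return 0;
}
```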
@nhorman please reconfirm as this was force-pushed
ACK, approval holds
Squashed and merged to the feature branch. Thank you.
Add KATs for ML-KEM-768 under CCLA from https://boringssl.googlesource.com/boringssl/

These KATs test key generation, encapsulation, and decapsulation for the ML-KEM-768 algorithm.

Relevant notes:
- Added functionality to the ML-KEM key management to export/import. These may not be fully implemented yet (see #25885)
- Exposed some more low-level ML-KEM API's to the provider implementation to allow for deterministic encapsulation/key generation
- Actually run 'mlkem_internal_test' with `make test`

Reviewed-by: Neil Horman <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #25938)



Add KATs for ML-KEM768 under CCLA from https://boringssl.googlesource.com/boringssl/
Please advise for how I should credit BoringSSL in the test files.
These KATs test key generation, encapsulation, and decapsulation for the ML-KEM768 provider.
Relevant notes:
make test
Checklist