Merge branch 'main' into update-vectors-ci

Author: sgmenda

.github/workflows/image-build-windows.yml

@@ -17,6 +17,7 @@ on:
     paths:
       - .github/docker_images/aws-lc/windows/Dockerfile.ltsc2022
       - .github/docker_images/scripts/**
+      - .github/workflows/image-build-windows.yml
 concurrency:
   group: ${{ inputs.concurrency_prefix || github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -42,6 +43,8 @@ jobs:
       vs2022: ${{ steps.images.outputs.vs2022 }}
       sde: ${{ steps.images.outputs.sde }}
     steps:
+      - name: Enable long paths
+        run: git config --global core.longpaths true
       - uses: actions/checkout@v5
       - name: Login to Amazon ECR
         id: login-ecr
@@ -138,6 +141,8 @@ jobs:
     outputs:
       ltsc2022: ${{ steps.images.outputs.ltsc2022 }}
     steps:
+      - name: Enable long paths
+        run: git config --global core.longpaths true
       - uses: actions/checkout@v5
       - name: Login to Amazon ECR
         id: login-ecr

LICENSE

@@ -206,9 +206,6 @@ are met:
    written permission.
 
 
-The code in crypto/kyber/pqcrystals-kyber_kyber512_ref and
-crypto/ml_kem/ml_kem_ipd_ref_common carries the Public Domain license:
-
 Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
 
 For Keccak and AES we are using public-domain

crypto/CMakeLists.txt

@@ -442,11 +442,6 @@ add_library(
   ex_data.c
   hpke/hpke.c
   hrss/hrss.c
-  kyber/kyber512r3_ref.c
-  kyber/kyber768r3_ref.c
-  kyber/kyber1024r3_ref.c
-  kyber/pqcrystals_kyber_ref_common/fips202.c
-  kyber/kem_kyber.c
   lhash/lhash.c
   mem.c
   obj/obj.c

crypto/evp_extra/evp_extra_test.cc

@@ -2200,9 +2200,6 @@ struct KnownKEM {
 };
 
 static const struct KnownKEM kKEMs[] = {
-  {"Kyber512r3", NID_KYBER512_R3, 800, 1632, 768, 32, 64, 32, "kyber/kat/kyber512r3.txt"},
-  {"Kyber768r3", NID_KYBER768_R3, 1184, 2400, 1088, 32, 64, 32, "kyber/kat/kyber768r3.txt"},
-  {"Kyber1024r3", NID_KYBER1024_R3, 1568, 3168, 1568, 32, 64, 32, "kyber/kat/kyber1024r3.txt"},
   {"MLKEM512", NID_MLKEM512, 800, 1632, 768, 32, 64, 32, "fipsmodule/ml_kem/kat/mlkem512.txt"},
   {"MLKEM768", NID_MLKEM768, 1184, 2400, 1088, 32, 64, 32, "fipsmodule/ml_kem/kat/mlkem768.txt"},
   {"MLKEM1024", NID_MLKEM1024, 1568, 3168, 1568, 32, 64, 32, "fipsmodule/ml_kem/kat/mlkem1024.txt"},

crypto/evp_extra/p_kem_test.cc

@@ -1,18 +1,21 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
+#include <algorithm>
 #include <gtest/gtest.h>
 #include <openssl/base.h>
 #include <openssl/bio.h>
 #include <openssl/evp.h>
+#include <openssl/experimental/kem_deterministic_api.h>
 #include <openssl/mem.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs8.h>
 #include <openssl/ssl.h>
 #include "../fipsmodule/evp/internal.h"
 #include "../fipsmodule/kem/internal.h"
+#include "../test/file_test.h"
 #include "../test/test_util.h"
-#include <openssl/experimental/kem_deterministic_api.h>
+#include "../test/wycheproof_util.h"
 
 
 // https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/
@@ -927,3 +930,259 @@ TEST(KEMTest, InvalidSeedLength) {
 
   OPENSSL_free(der_priv);
 }
+
+
+// Wycheproof test vector mapping for KEMs
+struct WycheproofKEM {
+  const char name[20];
+  const int nid;
+  size_t ciphertext_len;
+  size_t shared_secret_len;
+  const char *encaps_test;
+  const char *decaps_seed_test;
+  const char *decaps_noseed_test;
+};
+
+//= third_party/vectors/vectors_spec.md#wycheproof
+//# AWS-LC MUST test against `testvectors_v1/mlkem_1024_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_512_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_768_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_1024_encaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_1024_semi_expanded_decaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_512_encaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_512_semi_expanded_decaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_768_encaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_768_semi_expanded_decaps_test.txt`.
+static const struct WycheproofKEM kWycheproofKEMs[] = {
+    {
+        "ML-KEM-512",
+        NID_MLKEM512,
+        768,
+        32,
+        "mlkem_512_encaps_test.txt",
+        "mlkem_512_test.txt",
+        "mlkem_512_semi_expanded_decaps_test.txt",
+    },
+    {
+        "ML-KEM-768",
+        NID_MLKEM768,
+        1088,
+        32,
+        "mlkem_768_encaps_test.txt",
+        "mlkem_768_test.txt",
+        "mlkem_768_semi_expanded_decaps_test.txt",
+    },
+    {
+        "ML-KEM-1024",
+        NID_MLKEM1024,
+        1568,
+        32,
+        "mlkem_1024_encaps_test.txt",
+        "mlkem_1024_test.txt",
+        "mlkem_1024_semi_expanded_decaps_test.txt",
+    },
+};
+
+class WycheproofKEMTest : public testing::TestWithParam<WycheproofKEM> {};
+
+INSTANTIATE_TEST_SUITE_P(
+    All, WycheproofKEMTest, testing::ValuesIn(kWycheproofKEMs),
+    [](const testing::TestParamInfo<WycheproofKEM> &params) -> std::string {
+      std::string name = params.param.name;
+      // Replace dashes with underscores for valid C++ test names
+      std::replace(name.begin(), name.end(), '-', '_');
+      return name;
+    });
+
+TEST_P(WycheproofKEMTest, Encaps) {
+  std::string test_path =
+      std::string(kWycheproofV1Path) + GetParam().encaps_test;
+  FileTestGTest(test_path.c_str(), [&](FileTest *t) {
+    std::vector<uint8_t> ek, m, expected_k, expected_c;
+    std::string param_set;
+
+    ASSERT_TRUE(t->GetInstruction(&param_set, "parameterSet"));
+    ASSERT_EQ(param_set, GetParam().name);
+
+    ASSERT_TRUE(t->GetBytes(&ek, "ek"));
+    ASSERT_TRUE(t->GetBytes(&m, "m"));
+    ASSERT_TRUE(t->GetBytes(&expected_k, "K"));
+    ASSERT_TRUE(t->GetBytes(&expected_c, "c"));
+
+    WycheproofResult result;
+    ASSERT_TRUE(GetWycheproofResult(t, &result));
+
+    bssl::UniquePtr<EVP_PKEY> pkey(
+        EVP_PKEY_kem_new_raw_public_key(GetParam().nid, ek.data(), ek.size()));
+
+    if (!result.IsValid() && result.HasFlag("ModulusOverflow")) {
+      if (pkey) {
+        // FIPS 203 only requires doing this check before encapsulation.
+        fprintf(stderr,
+                "WARNING: Successfully imported %s encapsulation key with "
+                "ModulusOverflow. This is allowed by FIPS 203.\n",
+                param_set.c_str());
+      }
+    }
+    if (pkey) {
+      bssl::UniquePtr<EVP_PKEY_CTX> ctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+      ASSERT_TRUE(ctx);
+
+      // Perform deterministic encapsulation using the m field as seed
+      // see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf#algorithm.17
+      std::vector<uint8_t> ciphertext(GetParam().ciphertext_len);
+      std::vector<uint8_t> shared_secret(GetParam().shared_secret_len);
+      size_t ciphertext_len = ciphertext.size();
+      size_t shared_secret_len = shared_secret.size();
+      size_t seed_len = m.size();
+      int encaps_result =
+          EVP_PKEY_encapsulate_deterministic(ctx.get(), ciphertext.data(), &ciphertext_len,
+                               shared_secret.data(), &shared_secret_len, m.data(), &seed_len);
+
+      if (result.IsValid()) {
+        EXPECT_TRUE(encaps_result);
+        EXPECT_EQ(Bytes(ciphertext.data(), ciphertext_len), Bytes(expected_c));
+        EXPECT_EQ(Bytes(shared_secret.data(), shared_secret_len),
+                  Bytes(expected_k));
+      } else {
+        EXPECT_FALSE(encaps_result)
+            << "Expected encapsulation to fail for flags: "
+            << result.StringifyFlags();
+      }
+    }
+  });
+}
+
+TEST_P(WycheproofKEMTest, DecapsSeed) {
+  std::string test_path =
+      std::string(kWycheproofV1Path) + GetParam().decaps_seed_test;
+  FileTestGTest(test_path.c_str(), [&](FileTest *t) {
+    std::vector<uint8_t> ek, seed, expected_k, ciphertext;
+    std::string param_set;
+
+    ASSERT_TRUE(t->GetInstruction(&param_set, "parameterSet"));
+    ASSERT_EQ(param_set, GetParam().name);
+
+    ASSERT_TRUE(t->GetBytes(&expected_k, "K"));
+    ASSERT_TRUE(t->GetBytes(&ciphertext, "c"));
+    
+    WycheproofResult result;
+    ASSERT_TRUE(GetWycheproofResult(t, &result));
+    ASSERT_TRUE(t->GetBytes(&seed, "seed"));
+
+    // Initialize using provided seed
+    bssl::UniquePtr<EVP_PKEY_CTX> ctx(
+        EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, nullptr));
+    ASSERT_TRUE(ctx);
+    ASSERT_TRUE(EVP_PKEY_CTX_kem_set_params(ctx.get(), GetParam().nid));
+    EVP_PKEY *raw = nullptr;
+    ASSERT_TRUE(EVP_PKEY_keygen_init(ctx.get()));
+    size_t seed_len = seed.size();
+    int keygen_result = EVP_PKEY_keygen_deterministic(ctx.get(), &raw, seed.data(), &seed_len);
+    
+    // For invalid test cases, key generation might fail
+    if (!result.IsValid() && !keygen_result) {
+      // Expected failure in key generation for invalid cases
+      return;
+    }
+    
+    ASSERT_TRUE(keygen_result);
+    ASSERT_TRUE(raw);
+    bssl::UniquePtr<EVP_PKEY> pkey(raw);
+
+    // Verify the generated public key matches the expected public key (if provided)
+    if (t->HasAttribute("ek")) {
+      ASSERT_TRUE(t->GetBytes(&ek, "ek"));
+      size_t actual_ek_len = 0;
+      ASSERT_TRUE(
+          EVP_PKEY_get_raw_public_key(pkey.get(), nullptr, &actual_ek_len));
+      ASSERT_EQ(actual_ek_len, ek.size());
+      std::vector<uint8_t> actual_ek(actual_ek_len);
+      ASSERT_TRUE(EVP_PKEY_get_raw_public_key(pkey.get(), actual_ek.data(),
+                                              &actual_ek_len));
+      EXPECT_EQ(Bytes(actual_ek), Bytes(ek));
+    }
+
+    // Perform decapsulation
+    ctx.reset(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+    ASSERT_TRUE(ctx);
+    std::vector<uint8_t> shared_secret(GetParam().shared_secret_len);
+    size_t shared_secret_len = shared_secret.size();
+    int decaps_result = EVP_PKEY_decapsulate(
+        ctx.get(), shared_secret.data(), &shared_secret_len, ciphertext.data(),
+        ciphertext.size());
+
+    if (result.IsValid()) {
+      EXPECT_TRUE(decaps_result);
+      EXPECT_EQ(Bytes(shared_secret.data(), shared_secret_len),
+                Bytes(expected_k));
+    } else {
+      EXPECT_FALSE(decaps_result)
+          << "Expected decapsulation to fail for flags: "
+          << result.StringifyFlags();
+    }
+  });
+}
+
+// Test decapsulation with expanded decaps keys
+TEST_P(WycheproofKEMTest, DecapsNoSeed) {
+  std::string test_path =
+      std::string(kWycheproofV1Path) + GetParam().decaps_noseed_test;
+  FileTestGTest(test_path.c_str(), [&](FileTest *t) {
+    std::vector<uint8_t> dk, ciphertext;
+    std::string param_set;
+
+    ASSERT_TRUE(t->GetInstruction(&param_set, "parameterSet"));
+    ASSERT_EQ(param_set, GetParam().name);
+
+    ASSERT_TRUE(t->GetBytes(&dk, "dk"));
+    ASSERT_TRUE(t->GetBytes(&ciphertext, "c"));
+
+    WycheproofResult result;
+    ASSERT_TRUE(GetWycheproofResult(t, &result));
+
+    // Create key from raw private key bytes
+    bssl::UniquePtr<EVP_PKEY> pkey(
+        EVP_PKEY_kem_new_raw_secret_key(GetParam().nid, dk.data(), dk.size()));
+
+    // Key creation should fail for incorrect key length
+    if (result.HasFlag("IncorrectDecapsulationKeyLength")) {
+      EXPECT_FALSE(pkey)
+          << "Expected key creation to fail for incorrect key length";
+      return;
+    }
+
+    // Warn if we successfully imported an invalid private key
+    if (pkey && result.HasFlag("InvalidDecapsulationKey")) {
+      fprintf(stderr,
+              "WARNING: Successfully imported correct-length-but-invalid %s "
+              "decapsulation key. This is allowed by FIPS 203.\n",
+              param_set.c_str());
+    }
+
+    // For valid test cases, key creation should succeed
+    if (result.IsValid()) {
+      ASSERT_TRUE(pkey) << "Key creation failed unexpectedly for flags: "
+                        << result.StringifyFlags();
+    }
+
+    // Perform decapsulation
+    bssl::UniquePtr<EVP_PKEY_CTX> ctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+    ASSERT_TRUE(ctx);
+
+    std::vector<uint8_t> shared_secret(GetParam().shared_secret_len);
+    size_t shared_secret_len = shared_secret.size();
+    int decaps_result = EVP_PKEY_decapsulate(
+        ctx.get(), shared_secret.data(), &shared_secret_len, ciphertext.data(),
+        ciphertext.size());
+
+    if (result.IsValid()) {
+      EXPECT_TRUE(decaps_result)
+          << "Expected decapsulation to succeed for valid test case";
+    } else {
+      EXPECT_FALSE(decaps_result)
+          << "Expected decapsulation to fail for flags: "
+          << result.StringifyFlags();
+    }
+  });
+}

crypto/fipsmodule/PQREADME.md

@@ -13,7 +13,7 @@ To support these initiatives, the U.S. Department of Commerce’s National Insti
 
 ## AWS-LC Post-Quantum Algorithms
 
-AWS-LC provides two post-quantum Key Encapsulation Mechanisms (KEMs), FIPS 203 ML-KEM and KyberR3, and a post-quantum digital signature scheme FIPS 204 ML-DSA. For details on the KEM API and how it can be used please see [README](https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/kem/README.md).
+AWS-LC supports the post-quantum Key Encapsulation Mechanisms (KEMs) FIPS 203 ML-KEM and the post-quantum digital signature scheme FIPS 204 ML-DSA. For details on the KEM API and how it can be used please see [README](https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/kem/README.md).
 
 ### FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)
 
@@ -29,10 +29,6 @@ Performance benchmarks for key generation, encapsulation, and decapsulation are
 
 ```aws-lc-build % ./tool/bssl speed -filter ML-KEM```
 
-#### KyberR3
-
-Round 3 Kyber (KyberR3) was added to AWS-LC in September 2021 ([README](https://github.com/aws/aws-lc/blob/main/crypto/kyber/README.md)). Once all existing deployments of Kyber are migrated over to ML-KEM we will be removing support for Kyber from AWS-LC.
-
 ### FIPS 204: Module-Lattice-Based Digital Signature Algorithm (ML-DSA)
 
 | Algorithm  | Public Key (B)  | Private Key (B)  | Signature (B)  |
@@ -47,19 +43,21 @@ The parameter set ML-DSA-44 is claimed to be in security strength category 2, ML
 
 ### Hybrid Post-Quantum TLS Specifications
 
-To utilize Post-Quantum key exchange in TLS we recommend using our open-source TLS implementation s2n-tls that now supports Hybrid key exchange in TLS 1.3 (draft-ietf-tls-hybrid-design). s2n-tls also provides support for Post-Quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3 (draft-kwiatkowski-tls-ecdhe-mlkem) with a proposal for new key share identifies for x25519 and ML-KEM-768.
-
+To utilize Post-Quantum key exchange in TLS we recommend using our open-source TLS implementation s2n-tls. However, AWS-LC libssl also supports Post-Quantum key exchange in TLS. Namely, ML-KEM-based cipher suites for TLSv1.3 (draft-kwiatkowski-tls-ecdhe-mlkem)
 
 | Supported Group       | IANA ID (Hex)  | IANA ID (Dec)  |
 |-----------------------|----------------|----------------|
-| x25519_kyber512       | 0x2f39         | 12089          |
-| p256_kyber512         | 0x2f3a         | 12090          |
-| X25519Kyber768Draft00 | 0x6399         | 25497          |
-| X25519Kyber768Draft00 | 0x639a         | 25498          |
 | SecP256r1MLKEM768     | 0x11eb         | 4587           |
+| SecP384r1MLKEM1024    | 0x11ed         | 4589           |
 | X25519MLKEM768        | 0x11ec         | 4588           |
 
-Note that pre-standard groups (those that include Kyber)  will stop being supported after the Kyber deprecation described above.
+In addition, AWS-LC libssl supports "pure" ML-KEM cipher suites (https://datatracker.ietf.org/doc/html/draft-connolly-tls-mlkem-key-agreement.html).
+
+| Supported Group       | IANA ID (Hex)  | IANA ID (Dec)  |
+|-----------------------|----------------|----------------|
+| MLKEM512              | 0x0200         | 512            |
+| MLKEM768              | 0x0201         | 513            |
+| MLKEM1024             | 0x0202         | 514            |
 
 ### AWS Java V2 SDK