Add encap/decapKeyCheck support in ACVP

Author: samuel40791765

crypto/fipsmodule/ml_kem/ml_kem.c

@@ -394,3 +394,45 @@ int ml_kem_common_decapsulate(int (*decapsulate)(uint8_t *shared_secret, const u
   set_written_len_on_success(res, shared_secret);
   return res;
 }
+
+int ml_kem_512_check_pk(const uint8_t *public_key) {
+  if (public_key == NULL) {
+    return 1;
+  }
+  return mlkem512_check_pk(public_key);
+}
+
+int ml_kem_512_check_sk(const uint8_t *secret_key) {
+  if (secret_key == NULL) {
+    return 1;
+  }
+  return mlkem512_check_sk(secret_key);
+}
+
+int ml_kem_768_check_pk(const uint8_t *public_key) {
+  if (public_key == NULL) {
+    return 1;
+  }
+  return mlkem768_check_pk(public_key);
+}
+
+int ml_kem_768_check_sk(const uint8_t *secret_key) {
+  if (secret_key == NULL) {
+    return 1;
+  }
+  return mlkem768_check_sk(secret_key);
+}
+
+int ml_kem_1024_check_pk(const uint8_t *public_key) {
+  if (public_key == NULL) {
+    return 1;
+  }
+  return mlkem1024_check_pk(public_key);
+}
+
+int ml_kem_1024_check_sk(const uint8_t *secret_key) {
+  if (secret_key == NULL) {
+    return 1;
+  }
+  return mlkem1024_check_sk(secret_key);
+}

crypto/fipsmodule/ml_kem/ml_kem.h

@@ -79,6 +79,9 @@ int ml_kem_512_decapsulate_no_self_test(uint8_t *shared_secret    /* OUT */,
                                         const uint8_t *ciphertext /* IN  */,
                                         const uint8_t *secret_key /* IN  */);
 
+OPENSSL_EXPORT int ml_kem_512_check_pk(const uint8_t *public_key /* IN */);
+OPENSSL_EXPORT int ml_kem_512_check_sk(const uint8_t *secret_key /* IN */);
+
 OPENSSL_EXPORT int ml_kem_768_keypair_deterministic(uint8_t *public_key /* OUT */,
                                                     size_t *public_len  /* IN_OUT */,
                                                     uint8_t *secret_key /* OUT */,
@@ -126,6 +129,9 @@ int ml_kem_768_decapsulate_no_self_test(uint8_t *shared_secret    /* OUT */,
                            const uint8_t *ciphertext /* IN  */,
                            const uint8_t *secret_key /* IN  */);
 
+OPENSSL_EXPORT int ml_kem_768_check_pk(const uint8_t *public_key /* IN */);
+OPENSSL_EXPORT int ml_kem_768_check_sk(const uint8_t *secret_key /* IN */);
+
 OPENSSL_EXPORT int ml_kem_1024_keypair_deterministic(uint8_t *public_key /* OUT */,
                                                      size_t *public_len  /* IN_OUT */,
                                                      uint8_t *secret_key /* OUT */,
@@ -175,6 +181,9 @@ int ml_kem_1024_decapsulate_no_self_test(uint8_t *shared_secret    /* OUT */,
                                          const uint8_t *ciphertext /* IN  */,
                                          const uint8_t *secret_key /* IN  */);
 
+OPENSSL_EXPORT int ml_kem_1024_check_pk(const uint8_t *public_key /* IN */);
+OPENSSL_EXPORT int ml_kem_1024_check_sk(const uint8_t *secret_key /* IN */);
+
 #if defined(__cplusplus)
 }
 #endif

util/fipstools/acvp/acvptool/subprocess/ml_kem.go

@@ -113,9 +113,10 @@ type mlKemEncDecapTestGroupResponse struct {
 }
 
 type mlKemEncDecapTestCaseResponse struct {
-	ID uint64               `json:"tcId"`
-	C  hexEncodedByteString `json:"c,omitempty"`
-	K  hexEncodedByteString `json:"k,omitempty"`
+	ID     uint64               `json:"tcId"`
+	C      hexEncodedByteString `json:"c,omitempty"`
+	K      hexEncodedByteString `json:"k,omitempty"`
+	Passed *bool                `json:"testPassed,omitempty"`
 }
 
 func processMlKemEncapDecap(vectors json.RawMessage, m Transactable) (interface{}, error) {
@@ -129,7 +130,9 @@ func processMlKemEncapDecap(vectors json.RawMessage, m Transactable) (interface{
 
 	for _, group := range groups {
 		if (strings.EqualFold(group.Function, "encapsulation") && !strings.EqualFold(group.Type, "AFT")) ||
-			(strings.EqualFold(group.Function, "decapsulation") && !strings.EqualFold(group.Type, "VAL")) {
+			(strings.EqualFold(group.Function, "decapsulation") && !strings.EqualFold(group.Type, "VAL")) ||
+			(strings.EqualFold(group.Function, "decapsulationKeyCheck") && !strings.EqualFold(group.Type, "VAL")) ||
+			(strings.EqualFold(group.Function, "encapsulationKeyCheck") && !strings.EqualFold(group.Type, "VAL")) {
 			return nil, fmt.Errorf("unsupported encapDecap function and test group type pair: (%v, %v)", group.Function, group.Type)
 		}
 
@@ -148,6 +151,10 @@ func processMlKemEncapDecap(vectors json.RawMessage, m Transactable) (interface{
 				testResponse, err = processMlKemEncapTestCase(test.ID, group.ParameterSet, test.EK, test.M, m)
 			case strings.EqualFold(group.Function, "decapsulation"):
 				testResponse, err = processMlKemDecapTestCase(test.ID, group.ParameterSet, test.DK, test.C, m)
+			case strings.EqualFold(group.Function, "encapsulationKeyCheck"):
+				testResponse, err = processMlKemEncapKeyCheckTestCase(test.ID, group.ParameterSet, test.EK, m)
+			case strings.EqualFold(group.Function, "decapsulationKeyCheck"):
+				testResponse, err = processMlKemDecapKeyCheckTestCase(test.ID, group.ParameterSet, test.DK, m)
 			default:
 				return nil, fmt.Errorf("unknown encDecap function: %v", group.Function)
 			}
@@ -192,3 +199,32 @@ func processMlKemDecapTestCase(id uint64, algorithm string, dk []byte, c []byte,
 		K:  k,
 	}, nil
 }
+
+func processMlKemEncapKeyCheckTestCase(id uint64, algorithm string, ek []byte, t Transactable) (mlKemEncDecapTestCaseResponse, error) {
+	results, err := t.Transact("ML-KEM/"+algorithm+"/encapKeyCheck", 1, ek)
+	if err != nil {
+		return mlKemEncDecapTestCaseResponse{}, err
+	}
+
+    testPassed := results[0][0] == 1
+
+	return mlKemEncDecapTestCaseResponse{
+		ID: id,
+		Passed: &testPassed,
+	}, nil
+}
+
+func processMlKemDecapKeyCheckTestCase(id uint64, algorithm string, dk []byte, t Transactable) (mlKemEncDecapTestCaseResponse, error) {
+	results, err := t.Transact("ML-KEM/"+algorithm+"/decapKeyCheck", 1, dk)
+	if err != nil {
+		return mlKemEncDecapTestCaseResponse{}, err
+	}
+
+	testPassed := results[0][0] == 1
+
+	return mlKemEncDecapTestCaseResponse{
+		ID: id,
+		Passed: &testPassed,
+	}, nil
+}
+

util/fipstools/acvp/acvptool/test/expected/ML-KEM.bz2

@@ -59,6 +59,8 @@
 #include "../../../../crypto/fipsmodule/curve25519/internal.h"
 #include "../../../../crypto/fipsmodule/ml_dsa/ml_dsa.h"
 #include "../../../../crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.h"
+#include "../../../../crypto/fipsmodule/ml_kem/ml_kem.h"
+
 #include "modulewrapper.h"
 
 
@@ -1392,7 +1394,7 @@ static bool GetConfig(const Span<const uint8_t> args[],
         "mode": "encapDecap",
         "revision": "FIPS203",
         "parameterSets": ["ML-KEM-512", "ML-KEM-768", "ML-KEM-1024"],
-        "functions": ["encapsulation", "decapsulation"]
+        "functions": ["encapsulation", "decapsulation", "encapsulationKeyCheck", "decapsulationKeyCheck"]
       },)"
       R"({
         "algorithm": "EDDSA",
@@ -3170,6 +3172,67 @@ static bool ML_KEM_DECAP(const Span<const uint8_t> args[],
       {Span<const uint8_t>(shared_secret.data(), shared_secret_len)});
 }
 
+template <int nid>
+static bool MLKEM_ENCAP_CHECK(const Span<const uint8_t> args[],
+                         ReplyCallback write_reply) {
+  const Span<const uint8_t> ek = args[0];
+
+  size_t expected_size = 0;
+  int (*check_fn)(const uint8_t*) = nullptr;
+  if(nid == NID_MLKEM512) {
+    expected_size = MLKEM512_PUBLIC_KEY_BYTES;
+    check_fn = ml_kem_512_check_pk;
+  } else if(nid == NID_MLKEM768) {
+    expected_size = MLKEM768_PUBLIC_KEY_BYTES;
+    check_fn = ml_kem_768_check_pk;
+  } else if(nid == NID_MLKEM1024) {
+    expected_size = MLKEM1024_PUBLIC_KEY_BYTES;
+    check_fn = ml_kem_1024_check_pk;
+  } else {
+    return false;
+  }
+
+  // The check_sk function validates mandated by FIPS 203 Section 7.2.
+  uint8_t success_flag[1] = {0};
+  if(ek.size() != expected_size || check_fn(ek.data()) != 0) {
+    return write_reply({Span<const uint8_t>(success_flag)});
+  }
+
+  success_flag[0] = 1;
+  return write_reply({Span<const uint8_t>(success_flag)});
+}
+
+template <int nid>
+static bool MLKEM_DECAP_CHECK(const Span<const uint8_t> args[],
+                         ReplyCallback write_reply) {
+  const Span<const uint8_t> dk = args[0];
+
+  // Validate the secret key size matches the expected size.
+  size_t expected_size = 0;
+  int (*check_fn)(const uint8_t*) = nullptr;
+  if(nid == NID_MLKEM512) {
+    expected_size = MLKEM512_SECRET_KEY_BYTES;
+    check_fn = ml_kem_512_check_sk;
+  } else if(nid == NID_MLKEM768) {
+    expected_size = MLKEM768_SECRET_KEY_BYTES;
+    check_fn = ml_kem_768_check_sk;
+  } else if(nid == NID_MLKEM1024) {
+    expected_size = MLKEM1024_SECRET_KEY_BYTES;
+    check_fn = ml_kem_1024_check_sk;
+  } else {
+    return false;
+  }
+
+  // The check_sk function validates mandated by FIPS 203 Section 7.3.
+  uint8_t success_flag[1] = {0};
+  if(dk.size() != expected_size || check_fn(dk.data()) != 0) {
+    return write_reply({Span<const uint8_t>(success_flag)});
+  }
+
+  success_flag[0] = 1;
+  return write_reply({Span<const uint8_t>(success_flag)});
+}
+
 static bool ED25519KeyGen(const Span<const uint8_t> args[],
                           ReplyCallback write_reply) {
   std::vector<uint8_t> private_key(ED25519_PRIVATE_KEY_LEN);
@@ -3685,6 +3748,12 @@ static struct {
     {"ML-KEM/ML-KEM-512/decap", 2, ML_KEM_DECAP<NID_MLKEM512>},
     {"ML-KEM/ML-KEM-768/decap", 2, ML_KEM_DECAP<NID_MLKEM768>},
     {"ML-KEM/ML-KEM-1024/decap", 2, ML_KEM_DECAP<NID_MLKEM1024>},
+    {"ML-KEM/ML-KEM-512/encapKeyCheck", 1, MLKEM_ENCAP_CHECK<NID_MLKEM512>},
+    {"ML-KEM/ML-KEM-768/encapKeyCheck", 1, MLKEM_ENCAP_CHECK<NID_MLKEM768>},
+    {"ML-KEM/ML-KEM-1024/encapKeyCheck", 1, MLKEM_ENCAP_CHECK<NID_MLKEM1024>},
+    {"ML-KEM/ML-KEM-512/decapKeyCheck", 1, MLKEM_DECAP_CHECK<NID_MLKEM512>},
+    {"ML-KEM/ML-KEM-768/decapKeyCheck", 1, MLKEM_DECAP_CHECK<NID_MLKEM768>},
+    {"ML-KEM/ML-KEM-1024/decapKeyCheck", 1, MLKEM_DECAP_CHECK<NID_MLKEM1024>},
     {"EDDSA/ED-25519/keyGen", 0, ED25519KeyGen},
     {"EDDSA/ED-25519/keyVer", 1, ED25519KeyVer},
     {"EDDSA/ED-25519/sigGen", 2, ED25519SigGen},