Integrate Wycheproof ML-KEM test vectors (#2891)

### Description of changes:
Integrates 9 Wycheproof ML-KEM test vector files:
- 3 ML-KEM encapsulation test files (mlkem_512_encaps_test,
mlkem_768_encaps_test, mlkem_1024_encaps_test)
- 3 ML-KEM test files (mlkem_512_test, mlkem_768_test, mlkem_1024_test)
- 3 ML-KEM decapsulation test files
(mlkem_512_semi_expanded_decaps_test,
mlkem_768_semi_expanded_decaps_test,
mlkem_1024_semi_expanded_decaps_test)

Each integration adds upstream JSON vectors and converted txt files to
`third_party/vectors/`, and adds test code with duvet annotations for
traceability.

### Call-outs:
- **Generated new test vectors**: the ML-KEM decapsulation test vectors
(`mlkem_[512/768/1024]thu_semi_expanded_decaps_test`) are new, and have
been merged into upstream C2SP/wycheproof#202.
Adds `util/vecgen` that we used to generate the test vectors.
- **Missing encaps key import checks**: we successfully import ML-KEM
encapsulation keys with modulus overflow. This is allowed by FIPS 203,
but is not ideal, so the tests print a warning. We will resolve this in
an upcoming PR.
- **Missing decaps key import checks**: we successfully import ML-KEM
decapsulation keys with an inconsistent hash of the embedded encaps key.
This is also allowed by FIPS 203, so the tests print a warning, and we
will resolve this in an upcoming PR.

### Testing:

All new tests pass and duvet verification succeeds:
```bash
cd build && ./crypto/crypto_test --gtest_filter="*Wycheproof*"
cd third_party/vectors && python3 sync.py
```

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

---------

Signed-off-by: sanketh <sgmenda@amazon.com>

Author: sgmenda

crypto/evp_extra/p_kem_test.cc

@@ -1,18 +1,21 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0 OR ISC
 
+#include <algorithm>
 #include <gtest/gtest.h>
 #include <openssl/base.h>
 #include <openssl/bio.h>
 #include <openssl/evp.h>
+#include <openssl/experimental/kem_deterministic_api.h>
 #include <openssl/mem.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs8.h>
 #include <openssl/ssl.h>
 #include "../fipsmodule/evp/internal.h"
 #include "../fipsmodule/kem/internal.h"
+#include "../test/file_test.h"
 #include "../test/test_util.h"
-#include <openssl/experimental/kem_deterministic_api.h>
+#include "../test/wycheproof_util.h"
 
 
 // https://datatracker.ietf.org/doc/draft-ietf-lamps-kyber-certificates/
@@ -927,3 +930,259 @@ TEST(KEMTest, InvalidSeedLength) {
 
   OPENSSL_free(der_priv);
 }
+
+
+// Wycheproof test vector mapping for KEMs
+struct WycheproofKEM {
+  const char name[20];
+  const int nid;
+  size_t ciphertext_len;
+  size_t shared_secret_len;
+  const char *encaps_test;
+  const char *decaps_seed_test;
+  const char *decaps_noseed_test;
+};
+
+//= third_party/vectors/vectors_spec.md#wycheproof
+//# AWS-LC MUST test against `testvectors_v1/mlkem_1024_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_512_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_768_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_1024_encaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_1024_semi_expanded_decaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_512_encaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_512_semi_expanded_decaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_768_encaps_test.txt`.
+//# AWS-LC MUST test against `testvectors_v1/mlkem_768_semi_expanded_decaps_test.txt`.
+static const struct WycheproofKEM kWycheproofKEMs[] = {
+    {
+        "ML-KEM-512",
+        NID_MLKEM512,
+        768,
+        32,
+        "mlkem_512_encaps_test.txt",
+        "mlkem_512_test.txt",
+        "mlkem_512_semi_expanded_decaps_test.txt",
+    },
+    {
+        "ML-KEM-768",
+        NID_MLKEM768,
+        1088,
+        32,
+        "mlkem_768_encaps_test.txt",
+        "mlkem_768_test.txt",
+        "mlkem_768_semi_expanded_decaps_test.txt",
+    },
+    {
+        "ML-KEM-1024",
+        NID_MLKEM1024,
+        1568,
+        32,
+        "mlkem_1024_encaps_test.txt",
+        "mlkem_1024_test.txt",
+        "mlkem_1024_semi_expanded_decaps_test.txt",
+    },
+};
+
+class WycheproofKEMTest : public testing::TestWithParam<WycheproofKEM> {};
+
+INSTANTIATE_TEST_SUITE_P(
+    All, WycheproofKEMTest, testing::ValuesIn(kWycheproofKEMs),
+    [](const testing::TestParamInfo<WycheproofKEM> &params) -> std::string {
+      std::string name = params.param.name;
+      // Replace dashes with underscores for valid C++ test names
+      std::replace(name.begin(), name.end(), '-', '_');
+      return name;
+    });
+
+TEST_P(WycheproofKEMTest, Encaps) {
+  std::string test_path =
+      std::string(kWycheproofV1Path) + GetParam().encaps_test;
+  FileTestGTest(test_path.c_str(), [&](FileTest *t) {
+    std::vector<uint8_t> ek, m, expected_k, expected_c;
+    std::string param_set;
+
+    ASSERT_TRUE(t->GetInstruction(&param_set, "parameterSet"));
+    ASSERT_EQ(param_set, GetParam().name);
+
+    ASSERT_TRUE(t->GetBytes(&ek, "ek"));
+    ASSERT_TRUE(t->GetBytes(&m, "m"));
+    ASSERT_TRUE(t->GetBytes(&expected_k, "K"));
+    ASSERT_TRUE(t->GetBytes(&expected_c, "c"));
+
+    WycheproofResult result;
+    ASSERT_TRUE(GetWycheproofResult(t, &result));
+
+    bssl::UniquePtr<EVP_PKEY> pkey(
+        EVP_PKEY_kem_new_raw_public_key(GetParam().nid, ek.data(), ek.size()));
+
+    if (!result.IsValid() && result.HasFlag("ModulusOverflow")) {
+      if (pkey) {
+        // FIPS 203 only requires doing this check before encapsulation.
+        fprintf(stderr,
+                "WARNING: Successfully imported %s encapsulation key with "
+                "ModulusOverflow. This is allowed by FIPS 203.\n",
+                param_set.c_str());
+      }
+    }
+    if (pkey) {
+      bssl::UniquePtr<EVP_PKEY_CTX> ctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+      ASSERT_TRUE(ctx);
+
+      // Perform deterministic encapsulation using the m field as seed
+      // see https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf#algorithm.17
+      std::vector<uint8_t> ciphertext(GetParam().ciphertext_len);
+      std::vector<uint8_t> shared_secret(GetParam().shared_secret_len);
+      size_t ciphertext_len = ciphertext.size();
+      size_t shared_secret_len = shared_secret.size();
+      size_t seed_len = m.size();
+      int encaps_result =
+          EVP_PKEY_encapsulate_deterministic(ctx.get(), ciphertext.data(), &ciphertext_len,
+                               shared_secret.data(), &shared_secret_len, m.data(), &seed_len);
+
+      if (result.IsValid()) {
+        EXPECT_TRUE(encaps_result);
+        EXPECT_EQ(Bytes(ciphertext.data(), ciphertext_len), Bytes(expected_c));
+        EXPECT_EQ(Bytes(shared_secret.data(), shared_secret_len),
+                  Bytes(expected_k));
+      } else {
+        EXPECT_FALSE(encaps_result)
+            << "Expected encapsulation to fail for flags: "
+            << result.StringifyFlags();
+      }
+    }
+  });
+}
+
+TEST_P(WycheproofKEMTest, DecapsSeed) {
+  std::string test_path =
+      std::string(kWycheproofV1Path) + GetParam().decaps_seed_test;
+  FileTestGTest(test_path.c_str(), [&](FileTest *t) {
+    std::vector<uint8_t> ek, seed, expected_k, ciphertext;
+    std::string param_set;
+
+    ASSERT_TRUE(t->GetInstruction(&param_set, "parameterSet"));
+    ASSERT_EQ(param_set, GetParam().name);
+
+    ASSERT_TRUE(t->GetBytes(&expected_k, "K"));
+    ASSERT_TRUE(t->GetBytes(&ciphertext, "c"));
+    
+    WycheproofResult result;
+    ASSERT_TRUE(GetWycheproofResult(t, &result));
+    ASSERT_TRUE(t->GetBytes(&seed, "seed"));
+
+    // Initialize using provided seed
+    bssl::UniquePtr<EVP_PKEY_CTX> ctx(
+        EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, nullptr));
+    ASSERT_TRUE(ctx);
+    ASSERT_TRUE(EVP_PKEY_CTX_kem_set_params(ctx.get(), GetParam().nid));
+    EVP_PKEY *raw = nullptr;
+    ASSERT_TRUE(EVP_PKEY_keygen_init(ctx.get()));
+    size_t seed_len = seed.size();
+    int keygen_result = EVP_PKEY_keygen_deterministic(ctx.get(), &raw, seed.data(), &seed_len);
+    
+    // For invalid test cases, key generation might fail
+    if (!result.IsValid() && !keygen_result) {
+      // Expected failure in key generation for invalid cases
+      return;
+    }
+    
+    ASSERT_TRUE(keygen_result);
+    ASSERT_TRUE(raw);
+    bssl::UniquePtr<EVP_PKEY> pkey(raw);
+
+    // Verify the generated public key matches the expected public key (if provided)
+    if (t->HasAttribute("ek")) {
+      ASSERT_TRUE(t->GetBytes(&ek, "ek"));
+      size_t actual_ek_len = 0;
+      ASSERT_TRUE(
+          EVP_PKEY_get_raw_public_key(pkey.get(), nullptr, &actual_ek_len));
+      ASSERT_EQ(actual_ek_len, ek.size());
+      std::vector<uint8_t> actual_ek(actual_ek_len);
+      ASSERT_TRUE(EVP_PKEY_get_raw_public_key(pkey.get(), actual_ek.data(),
+                                              &actual_ek_len));
+      EXPECT_EQ(Bytes(actual_ek), Bytes(ek));
+    }
+
+    // Perform decapsulation
+    ctx.reset(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+    ASSERT_TRUE(ctx);
+    std::vector<uint8_t> shared_secret(GetParam().shared_secret_len);
+    size_t shared_secret_len = shared_secret.size();
+    int decaps_result = EVP_PKEY_decapsulate(
+        ctx.get(), shared_secret.data(), &shared_secret_len, ciphertext.data(),
+        ciphertext.size());
+
+    if (result.IsValid()) {
+      EXPECT_TRUE(decaps_result);
+      EXPECT_EQ(Bytes(shared_secret.data(), shared_secret_len),
+                Bytes(expected_k));
+    } else {
+      EXPECT_FALSE(decaps_result)
+          << "Expected decapsulation to fail for flags: "
+          << result.StringifyFlags();
+    }
+  });
+}
+
+// Test decapsulation with expanded decaps keys
+TEST_P(WycheproofKEMTest, DecapsNoSeed) {
+  std::string test_path =
+      std::string(kWycheproofV1Path) + GetParam().decaps_noseed_test;
+  FileTestGTest(test_path.c_str(), [&](FileTest *t) {
+    std::vector<uint8_t> dk, ciphertext;
+    std::string param_set;
+
+    ASSERT_TRUE(t->GetInstruction(&param_set, "parameterSet"));
+    ASSERT_EQ(param_set, GetParam().name);
+
+    ASSERT_TRUE(t->GetBytes(&dk, "dk"));
+    ASSERT_TRUE(t->GetBytes(&ciphertext, "c"));
+
+    WycheproofResult result;
+    ASSERT_TRUE(GetWycheproofResult(t, &result));
+
+    // Create key from raw private key bytes
+    bssl::UniquePtr<EVP_PKEY> pkey(
+        EVP_PKEY_kem_new_raw_secret_key(GetParam().nid, dk.data(), dk.size()));
+
+    // Key creation should fail for incorrect key length
+    if (result.HasFlag("IncorrectDecapsulationKeyLength")) {
+      EXPECT_FALSE(pkey)
+          << "Expected key creation to fail for incorrect key length";
+      return;
+    }
+
+    // Warn if we successfully imported an invalid private key
+    if (pkey && result.HasFlag("InvalidDecapsulationKey")) {
+      fprintf(stderr,
+              "WARNING: Successfully imported correct-length-but-invalid %s "
+              "decapsulation key. This is allowed by FIPS 203.\n",
+              param_set.c_str());
+    }
+
+    // For valid test cases, key creation should succeed
+    if (result.IsValid()) {
+      ASSERT_TRUE(pkey) << "Key creation failed unexpectedly for flags: "
+                        << result.StringifyFlags();
+    }
+
+    // Perform decapsulation
+    bssl::UniquePtr<EVP_PKEY_CTX> ctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+    ASSERT_TRUE(ctx);
+
+    std::vector<uint8_t> shared_secret(GetParam().shared_secret_len);
+    size_t shared_secret_len = shared_secret.size();
+    int decaps_result = EVP_PKEY_decapsulate(
+        ctx.get(), shared_secret.data(), &shared_secret_len, ciphertext.data(),
+        ciphertext.size());
+
+    if (result.IsValid()) {
+      EXPECT_TRUE(decaps_result)
+          << "Expected decapsulation to succeed for valid test case";
+    } else {
+      EXPECT_FALSE(decaps_result)
+          << "Expected decapsulation to fail for flags: "
+          << result.StringifyFlags();
+    }
+  });
+}

crypto/test/wycheproof_util.cc

@@ -47,6 +47,21 @@ bool WycheproofResult::IsValid(
   abort();
 }
 
+bool WycheproofResult::HasFlag(const std::string &flag) const {
+  return std::find(flags.begin(), flags.end(), flag) != flags.end();
+}
+
+std::string WycheproofResult::StringifyFlags() {
+  std::string flags_str;
+  for (size_t i = 0; i < flags.size(); i++) {
+    if (i > 0) {
+      flags_str += ", ";
+    }
+    flags_str += flags[i];
+  }
+  return flags_str;
+}
+
 bool GetWycheproofResult(FileTest *t, WycheproofResult *out) {
   std::string result;
   if (!t->GetAttribute(&result, "result")) {

crypto/test/wycheproof_util.h

@@ -23,6 +23,9 @@
 
 // This header contains convenience functions for Wycheproof tests.
 
+static constexpr const char kWycheproofV1Path[] =
+    "third_party/vectors/converted/wycheproof/testvectors_v1/";
+
 class FileTest;
 
 enum class WycheproofRawResult {
@@ -39,6 +42,12 @@ struct WycheproofResult {
   // test result of "acceptable" is treated as valid if all flags are included
   // in |acceptable_flags| and invalid otherwise.
   bool IsValid(const std::vector<std::string> &acceptable_flags = {}) const;
+
+  // StringifyFlags returns a printable string of all flags.
+  std::string StringifyFlags();
+
+  // HasFlag returns true if |flag| is present in the flags vector.
+  bool HasFlag(const std::string &flag) const;
 };
 
 // GetWycheproofResult sets |*out| to the parsed "result" and "flags" keys of |t|.

generated-src/crypto_test_data.cc.tar.bz2

@@ -377,4 +377,13 @@ set(
   third_party/vectors/converted/wycheproof/testvectors_v1/rsa_signature_8192_sha512_test.txt
   third_party/wycheproof_testvectors/x25519_test.txt
   third_party/wycheproof_testvectors/xchacha20_poly1305_test.txt
+  third_party/vectors/converted/wycheproof/testvectors_v1/mlkem_512_encaps_test.txt
+  third_party/vectors/converted/wycheproof/testvectors_v1/mlkem_512_semi_expanded_decaps_test.txt
+  third_party/vectors/converted/wycheproof/testvectors_v1/mlkem_512_test.txt
+  third_party/vectors/converted/wycheproof/testvectors_v1/mlkem_768_encaps_test.txt
+  third_party/vectors/converted/wycheproof/testvectors_v1/mlkem_768_semi_expanded_decaps_test.txt
+  third_party/vectors/converted/wycheproof/testvectors_v1/mlkem_768_test.txt
+  third_party/vectors/converted/wycheproof/testvectors_v1/mlkem_1024_encaps_test.txt
+  third_party/vectors/converted/wycheproof/testvectors_v1/mlkem_1024_semi_expanded_decaps_test.txt
+  third_party/vectors/converted/wycheproof/testvectors_v1/mlkem_1024_test.txt
 )

sources.cmake

@@ -16,6 +16,15 @@ SPECIFICATION: [Test Vector Specification](vectors_spec.md)
     TEXT[test]: AWS-LC MUST test against `testvectors_v1/ecdsa_secp384r1_sha512_test.txt`.
     TEXT[test]: AWS-LC MUST test against `testvectors_v1/ecdsa_secp521r1_sha512_test.txt`.
     TEXT[test]: AWS-LC MUST test against `testvectors_v1/ed25519_test.txt`.
+    TEXT[test]: AWS-LC MUST test against `testvectors_v1/mlkem_1024_test.txt`.
+    TEXT[test]: AWS-LC MUST test against `testvectors_v1/mlkem_512_test.txt`.
+    TEXT[test]: AWS-LC MUST test against `testvectors_v1/mlkem_768_test.txt`.
+    TEXT[test]: AWS-LC MUST test against `testvectors_v1/mlkem_1024_encaps_test.txt`.
+    TEXT[test]: AWS-LC MUST test against `testvectors_v1/mlkem_1024_semi_expanded_decaps_test.txt`.
+    TEXT[test]: AWS-LC MUST test against `testvectors_v1/mlkem_512_encaps_test.txt`.
+    TEXT[test]: AWS-LC MUST test against `testvectors_v1/mlkem_512_semi_expanded_decaps_test.txt`.
+    TEXT[test]: AWS-LC MUST test against `testvectors_v1/mlkem_768_encaps_test.txt`.
+    TEXT[test]: AWS-LC MUST test against `testvectors_v1/mlkem_768_semi_expanded_decaps_test.txt`.
     TEXT[test]: AWS-LC MUST test against `testvectors_v1/rsa_pkcs1_1024_sig_gen_test.txt`.
     TEXT[test]: AWS-LC MUST test against `testvectors_v1/rsa_pkcs1_1536_sig_gen_test.txt`.
     TEXT[test]: AWS-LC MUST test against `testvectors_v1/rsa_pkcs1_2048_sig_gen_test.txt`.
@@ -55,6 +64,15 @@ SPECIFICATION: [Test Vector Specification](vectors_spec.md)
     TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/ecdsa_secp384r1_sha512_test.txt`.
     TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/ecdsa_secp521r1_sha512_test.txt`.
     TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/ed25519_test.txt`.
+    TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/mlkem_1024_test.txt`.
+    TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/mlkem_512_test.txt`.
+    TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/mlkem_768_test.txt`.
+    TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/mlkem_1024_encaps_test.txt`.
+    TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/mlkem_1024_semi_expanded_decaps_test.txt`.
+    TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/mlkem_512_encaps_test.txt`.
+    TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/mlkem_512_semi_expanded_decaps_test.txt`.
+    TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/mlkem_768_encaps_test.txt`.
+    TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/mlkem_768_semi_expanded_decaps_test.txt`.
     TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/rsa_pkcs1_1024_sig_gen_test.txt`.
     TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/rsa_pkcs1_1536_sig_gen_test.txt`.
     TEXT[!MUST]: AWS-LC MUST test against `testvectors_v1/rsa_pkcs1_2048_sig_gen_test.txt`.