diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml index 458e4c8aa2..1410937967 100644 --- a/.github/workflows/all.yml +++ b/.github/workflows/all.yml @@ -20,93 +20,93 @@ jobs: id-token: 'write' uses: ./.github/workflows/base.yml secrets: inherit - lint-markdown: - name: Lint Markdown - permissions: - contents: 'read' - id-token: 'write' - uses: ./.github/workflows/lint_markdown.yml - nix: - name: Nix - permissions: - actions: 'write' - contents: 'read' - id-token: 'write' - uses: ./.github/workflows/nix.yml - secrets: inherit - ci: - name: Extended - permissions: - contents: 'read' - id-token: 'write' - needs: [ base, nix ] - uses: ./.github/workflows/ci.yml - secrets: inherit + # lint-markdown: + # name: Lint Markdown + # permissions: + # contents: 'read' + # id-token: 'write' + # uses: ./.github/workflows/lint_markdown.yml + # nix: + # name: Nix + # permissions: + # actions: 'write' + # contents: 'read' + # id-token: 'write' + # uses: ./.github/workflows/nix.yml + # secrets: inherit + # ci: + # name: Extended + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base, nix ] + # uses: ./.github/workflows/ci.yml + # secrets: inherit cbmc: name: CBMC permissions: contents: 'read' id-token: 'write' - needs: [ base, nix ] + # needs: [ base, nix ] uses: ./.github/workflows/cbmc.yml secrets: inherit - oqs_integration: - name: libOQS - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: ./.github/workflows/integration-liboqs.yml - secrets: inherit - opentitan_integration: - name: OpenTitan - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: ./.github/workflows/integration-opentitan.yml - secrets: inherit - awslc_integration_fixed: - name: AWS-LC (v1.64.0) - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: ./.github/workflows/integration-awslc.yml - with: - commit: 7187ab572ddcdae4fa408e932d3e878c9941137b # v1.64.0 - secrets: inherit - awslc_integration_head: - name: AWS-LC (HEAD) - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: ./.github/workflows/integration-awslc.yml - with: - commit: main - secrets: inherit - ct-test: - name: Constant-time - permissions: - contents: 'read' - id-token: 'write' - needs: [ base, nix ] - uses: ./.github/workflows/ct-tests.yml - secrets: inherit - slothy: - name: SLOTHY - permissions: - contents: 'read' - id-token: 'write' - needs: [ base, nix ] - uses: ./.github/workflows/slothy.yml - secrets: inherit - baremetal: - name: Baremetal - permissions: - contents: 'read' - id-token: 'write' - needs: [ base ] - uses: ./.github/workflows/baremetal.yml - secrets: inherit + # oqs_integration: + # name: libOQS + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/integration-liboqs.yml + # secrets: inherit + # opentitan_integration: + # name: OpenTitan + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/integration-opentitan.yml + # secrets: inherit + # awslc_integration_fixed: + # name: AWS-LC (v1.64.0) + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/integration-awslc.yml + # with: + # commit: 7187ab572ddcdae4fa408e932d3e878c9941137b # v1.64.0 + # secrets: inherit + # awslc_integration_head: + # name: AWS-LC (HEAD) + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/integration-awslc.yml + # with: + # commit: main + # secrets: inherit + # ct-test: + # name: Constant-time + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base, nix ] + # uses: ./.github/workflows/ct-tests.yml + # secrets: inherit + # slothy: + # name: SLOTHY + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base, nix ] + # uses: ./.github/workflows/slothy.yml + # secrets: inherit + # baremetal: + # name: Baremetal + # permissions: + # contents: 'read' + # id-token: 'write' + # needs: [ base ] + # uses: ./.github/workflows/baremetal.yml + # secrets: inherit diff --git a/mlkem/src/kem.c b/mlkem/src/kem.c index 0218c00b7e..2f12c49a9c 100644 --- a/mlkem/src/kem.c +++ b/mlkem/src/kem.c @@ -162,10 +162,16 @@ static int mlk_check_pct(uint8_t const pk[MLKEM_INDCCA_PUBLICKEYBYTES], #endif /* MLK_CONFIG_KEYGEN_PCT_BREAKAGE_TEST */ ret = mlk_ct_memcmp(ss_enc, ss_dec, MLKEM_SSBYTES); - -cleanup: /* The result of the PCT is public. */ MLK_CT_TESTING_DECLASSIFY(&ret, sizeof(ret)); + if (ret != 0) + { + /* The non-zero return value of mlk_ct_memcmp is unspecified. + * Map it to the toplevel error code. */ + ret = MLK_ERR_FAIL; + } + +cleanup: /* Specification: Partially implements * @[FIPS203, Section 3.3, Destruction of intermediate values] */ @@ -214,12 +220,7 @@ int crypto_kem_keypair_derand(uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES], MLK_CT_TESTING_DECLASSIFY(pk, MLKEM_INDCCA_PUBLICKEYBYTES); /* Pairwise Consistency Test (PCT) @[FIPS140_3_IG, p.87] */ - if (mlk_check_pct(pk, sk)) - { - return MLK_ERR_FAIL; - } - - return 0; + return mlk_check_pct(pk, sk); } #if !defined(MLK_CONFIG_NO_RANDOMIZED_API) diff --git a/proofs/cbmc/check_pct/Makefile b/proofs/cbmc/check_pct/Makefile index 10208cdd77..a2ad3ab763 100644 --- a/proofs/cbmc/check_pct/Makefile +++ b/proofs/cbmc/check_pct/Makefile @@ -37,7 +37,7 @@ FUNCTION_NAME = mlk_check_pct # EXPENSIVE = true # This function is large enough to need... -CBMC_OBJECT_BITS = 8 +CBMC_OBJECT_BITS = 9 # If you require access to a file-local ("static") function or object to conduct # your proof, set the following (and do not include the original source file diff --git a/scripts/tests b/scripts/tests index 459e7c3068..be342698a7 100755 --- a/scripts/tests +++ b/scripts/tests @@ -917,7 +917,6 @@ class Tests: "python3", "run-cbmc-proofs.py", "--summarize", - "--no-coverage", "--per-proof-timeout", str(self.args.per_proof_timeout), "-p",