From: Pauli Date: Wed, 8 Jan 2025 01:56:21 +0000 (+1100) Subject: fips: add ML-KEM to the FIPS provider X-Git-Tag: openssl-3.5.0-alpha1~539 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff40a08deeb2a24229f5d9074e9a57717a90edf6;p=thirdparty%2Fopenssl.git fips: add ML-KEM to the FIPS provider Reviewed-by: Matt Caswell Reviewed-by: Viktor Dukhovni Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26338) --- diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 19771eddc28..798d776fcdf 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -510,6 +510,11 @@ static const OSSL_ALGORITHM fips_asym_cipher[] = { static const OSSL_ALGORITHM fips_asym_kem[] = { { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_kem_functions }, +#ifndef OPENSSL_NO_ML_KEM + { PROV_NAMES_ML_KEM_512, FIPS_DEFAULT_PROPERTIES, ossl_ml_kem_asym_kem_functions }, + { PROV_NAMES_ML_KEM_768, FIPS_DEFAULT_PROPERTIES, ossl_ml_kem_asym_kem_functions }, + { PROV_NAMES_ML_KEM_1024, FIPS_DEFAULT_PROPERTIES, ossl_ml_kem_asym_kem_functions }, +#endif { NULL, NULL, NULL } }; @@ -559,6 +564,14 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { #ifndef OPENSSL_NO_CMAC { PROV_NAMES_CMAC, FIPS_DEFAULT_PROPERTIES, ossl_cmac_legacy_keymgmt_functions, PROV_DESCS_CMAC_SIGN }, +#endif +#ifndef OPENSSL_NO_ML_KEM + { PROV_NAMES_ML_KEM_512, FIPS_DEFAULT_PROPERTIES, + ossl_ml_kem_512_keymgmt_functions, PROV_DESCS_ML_KEM_512 }, + { PROV_NAMES_ML_KEM_768, FIPS_DEFAULT_PROPERTIES, + ossl_ml_kem_768_keymgmt_functions, PROV_DESCS_ML_KEM_768 }, + { PROV_NAMES_ML_KEM_1024, FIPS_DEFAULT_PROPERTIES, + ossl_ml_kem_1024_keymgmt_functions, PROV_DESCS_ML_KEM_1024 }, #endif { NULL, NULL, NULL } }; diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc index 940d5b8d48e..7afa3724328 100644 --- a/providers/fips/self_test_data.inc +++ b/providers/fips/self_test_data.inc @@ -154,6 +154,24 @@ typedef struct st_kat_keygen_st { const ST_KAT_PARAM *expected_params; } ST_KAT_ASYM_KEYGEN; +typedef struct st_kat_kem_st { + const char *desc; + const char *algorithm; + const unsigned char *cipher_text; + size_t cipher_text_len; + const unsigned char *private_key; + size_t private_key_len; + const unsigned char *public_key; + size_t public_key_len; + const unsigned char *entropy; + size_t entropy_len; + const unsigned char *seed; + size_t seed_len; + const unsigned char *secret; + size_t secret_len; + const unsigned char *reject_secret; +} ST_KAT_KEM; + /*- DIGEST SELF TEST DATA */ static const unsigned char sha512_pt[] = "abc"; static const unsigned char sha512_digest[] = { @@ -2930,7 +2948,6 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { #endif /* OPENSSL_NO_ML_DSA */ }; - #if !defined(OPENSSL_NO_ML_DSA) static const ST_KAT_PARAM ml_dsa_keygen_params[] = { ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_ML_DSA_SEED, sig_kat_entropyin), @@ -2946,3 +2963,471 @@ static const ST_KAT_ASYM_KEYGEN st_kat_asym_keygen_tests[] = { }, }; #endif /* !OPENSSL_NO_ML_DSA */ + +/*- KEM SELF TEST DATA */ + +/* + * Test case generated via the OpenSSL commands: + * + * openssl genpkey -algorithm ML-KEM-512 -out priv-ml-kem-512.pem + * openssl pkey -in priv-ml-kem-512.pem -pubout -out pub-ml-kem-512.pem + * openssl pkeyutl -encap -inkey pub-ml-kem-512.pem \ + * -pkeyopt ikme:00000000000000000000000000000000 -secret good.dat \ + * -out ctext.dat + * openssl pkeyutl -decap -inkey priv-ml-kem-512.pem \ + * -secret goodcmp.dat -in ctext.dat + * apps/openssl pkeyutl -decap -inkey priv-ml-kem-512.pem \ + * -secret implicit-reject.dat -in <(head -c 768 /dev/zero) + * openssl pkey -in priv-ml-kem-512.pem -text | + * sed '1,/^priv:/d; /^pub:/,$d' | + * tr -d ' :\n' | + * xxd -r -p | + * tail -c 32 > z.dat + * (cat z.dat; head -c 768 /dev/zero) | + * openssl dgst -shake256 -xoflen 32 -binary > expected.dat + */ + +static const unsigned char ml_kem_512_cipher_text[] = { + 0x6b, 0xc5, 0x04, 0x00, 0x27, 0x7a, 0xbb, 0x7e, + 0x6b, 0xf9, 0xfb, 0x56, 0x82, 0x01, 0x75, 0xeb, + 0xb7, 0xb9, 0xf4, 0xf2, 0x82, 0x2c, 0x6d, 0x0a, + 0xe0, 0x80, 0xa3, 0x49, 0x92, 0x0f, 0x6d, 0x00, + 0x8e, 0xba, 0x35, 0xb5, 0x42, 0xb9, 0xd7, 0xed, + 0x89, 0xcb, 0xfd, 0x38, 0xd7, 0x9f, 0x55, 0x3b, + 0xf0, 0x8e, 0x63, 0x80, 0x95, 0xcf, 0x0d, 0x4f, + 0x50, 0x40, 0xac, 0x1d, 0x1b, 0xdc, 0x24, 0x84, + 0x3b, 0x18, 0xc2, 0x77, 0x9f, 0x24, 0x11, 0x81, + 0xa6, 0xcc, 0xd8, 0xf4, 0xe8, 0x00, 0xdc, 0x26, + 0x61, 0x36, 0xd1, 0xb6, 0x5d, 0x9c, 0x12, 0x6d, + 0xf5, 0xe7, 0x93, 0xc8, 0x6d, 0xac, 0xaf, 0x3c, + 0x78, 0x3f, 0xa9, 0xc1, 0x00, 0x6f, 0x08, 0x29, + 0x4f, 0x1a, 0x4d, 0x3b, 0xb4, 0x4b, 0x6f, 0xc2, + 0x09, 0x00, 0x4b, 0xc1, 0xf0, 0xe6, 0x7f, 0x48, + 0x48, 0x09, 0x40, 0xf2, 0x0a, 0x86, 0x18, 0xbf, + 0xc6, 0x4e, 0xb2, 0xb0, 0xab, 0xfe, 0x1b, 0xea, + 0x91, 0x58, 0x8c, 0x18, 0x6e, 0x30, 0xe8, 0x33, + 0x87, 0x29, 0x26, 0xef, 0xe9, 0x0c, 0x3b, 0x8b, + 0x0c, 0x99, 0x40, 0x53, 0xb9, 0x30, 0xba, 0x17, + 0xb3, 0x8a, 0x74, 0x59, 0x5d, 0x4c, 0x76, 0x1a, + 0xd3, 0x3f, 0xe4, 0xf7, 0xa3, 0x0f, 0x3a, 0x2c, + 0x85, 0xc1, 0x46, 0xf0, 0xa4, 0x91, 0xa3, 0x12, + 0xb2, 0xa4, 0x4b, 0x88, 0x8d, 0x1c, 0x85, 0xb1, + 0xe4, 0x41, 0x1f, 0x9d, 0xb7, 0x91, 0x2f, 0x60, + 0x98, 0xfd, 0xfc, 0x29, 0x89, 0x11, 0x7d, 0x16, + 0x09, 0x9e, 0x76, 0xf1, 0x9c, 0xb3, 0x50, 0xb9, + 0xd0, 0x02, 0xd2, 0xa2, 0x0d, 0xdd, 0xee, 0x90, + 0x47, 0x0d, 0xb9, 0x4a, 0x53, 0x11, 0xa2, 0x4f, + 0x13, 0x5a, 0x40, 0xdc, 0xc6, 0xfe, 0xd7, 0x28, + 0x36, 0xec, 0xa0, 0x5e, 0xab, 0xc1, 0x7d, 0x19, + 0x33, 0x59, 0xe2, 0xe4, 0xea, 0x26, 0x67, 0x2f, + 0xe5, 0x05, 0xd8, 0x34, 0x6e, 0x3c, 0xab, 0x63, + 0x8b, 0x24, 0x16, 0xc7, 0x1b, 0x2a, 0x9b, 0xe5, + 0x04, 0x78, 0x98, 0x6c, 0x6c, 0x1e, 0x94, 0xe3, + 0x7f, 0x86, 0x52, 0xc0, 0x17, 0x56, 0x8d, 0x01, + 0x7a, 0x28, 0x81, 0x07, 0x3d, 0x61, 0x2a, 0xcd, + 0xc8, 0xb6, 0x7e, 0x5b, 0xad, 0xa8, 0x90, 0xbd, + 0x0c, 0x95, 0xb5, 0x09, 0x9d, 0x7c, 0x34, 0x8c, + 0x74, 0x8f, 0x8e, 0x7c, 0x28, 0x6c, 0xe2, 0x2f, + 0xa2, 0x87, 0x7f, 0x80, 0x43, 0x46, 0x1c, 0xb2, + 0x1c, 0x5a, 0xd2, 0xec, 0xad, 0xf9, 0x55, 0xe3, + 0x6b, 0x19, 0x54, 0x08, 0x84, 0x1a, 0x34, 0x82, + 0xf4, 0x9c, 0xec, 0x3d, 0x65, 0xf9, 0x78, 0x7f, + 0x37, 0x47, 0xcf, 0xf1, 0xcb, 0x15, 0xf2, 0xac, + 0xff, 0x3b, 0x8f, 0xa0, 0x8c, 0x25, 0x88, 0x5c, + 0x38, 0x23, 0x9a, 0x27, 0x16, 0x6a, 0xdf, 0xa3, + 0x98, 0x1d, 0x16, 0x33, 0x4b, 0x4f, 0xfb, 0x83, + 0x85, 0x66, 0x76, 0x03, 0xb9, 0xb5, 0x46, 0x21, + 0xb9, 0xf3, 0xf4, 0xf1, 0x3a, 0x85, 0xec, 0x9e, + 0x56, 0x6a, 0xb6, 0x1d, 0xcc, 0xca, 0xfb, 0x11, + 0xae, 0x47, 0x7d, 0x93, 0xa5, 0xbc, 0x90, 0x32, + 0xde, 0xa1, 0xa5, 0x1e, 0x5d, 0x52, 0x17, 0x98, + 0x0a, 0x8b, 0xc4, 0x1a, 0x28, 0x7c, 0x9c, 0x22, + 0x3e, 0x33, 0x06, 0x40, 0x77, 0xe5, 0x22, 0x49, + 0x86, 0xf9, 0x3c, 0xc5, 0xc1, 0xb9, 0x77, 0x25, + 0x53, 0x66, 0x5a, 0x18, 0x83, 0x5a, 0x2b, 0xbf, + 0xac, 0x04, 0x70, 0x26, 0xe8, 0x2b, 0xb6, 0x0c, + 0xe8, 0x00, 0x95, 0xbb, 0x08, 0x75, 0xf3, 0x37, + 0x31, 0x2e, 0xef, 0x28, 0x8d, 0x58, 0x92, 0xd4, + 0xfd, 0xd7, 0x02, 0xce, 0x8f, 0x11, 0x83, 0x17, + 0x53, 0x19, 0x44, 0xd7, 0xd5, 0x6d, 0x44, 0x04, + 0x3a, 0x0a, 0x01, 0x46, 0xf2, 0xd2, 0xa5, 0x05, + 0x88, 0xa0, 0xd9, 0x0d, 0xe1, 0xa0, 0x7a, 0xf2, + 0x20, 0x2e, 0x5b, 0x05, 0xe4, 0x2b, 0x11, 0x3d, + 0xb3, 0x82, 0x64, 0x3b, 0xef, 0xc1, 0x53, 0xba, + 0x9f, 0x7f, 0x29, 0x59, 0x87, 0x39, 0x52, 0xda, + 0x7b, 0xff, 0xd7, 0xdd, 0xa1, 0xa9, 0x9f, 0xa1, + 0xe2, 0x38, 0x74, 0xb0, 0x94, 0xdc, 0xc5, 0xb5, + 0xf3, 0x61, 0xdf, 0x92, 0x62, 0xe1, 0x96, 0x87, + 0x6d, 0xb4, 0x2c, 0xc7, 0xf0, 0x38, 0xe9, 0x5e, + 0xfc, 0xff, 0x4c, 0x01, 0xc7, 0x59, 0x39, 0xe5, + 0x9b, 0xfb, 0xf5, 0x2b, 0x1b, 0xe5, 0xf8, 0x25, + 0x06, 0x07, 0xc7, 0x82, 0x46, 0x2a, 0x99, 0xd0, + 0xa9, 0x67, 0x81, 0xd7, 0xa2, 0x29, 0x96, 0x1a, + 0x94, 0x8e, 0x7d, 0x51, 0x76, 0x99, 0xad, 0x61, + 0xec, 0xb6, 0xc0, 0x58, 0x8e, 0xd0, 0x9d, 0xff, + 0x58, 0x57, 0x1b, 0x2e, 0xad, 0x65, 0xd8, 0xde, + 0xa5, 0xfa, 0x81, 0x4b, 0x2c, 0x06, 0x1b, 0xfe, + 0x49, 0x20, 0x4d, 0x5e, 0x1b, 0xb7, 0x40, 0x96, + 0xaa, 0x81, 0x25, 0xeb, 0x84, 0xdb, 0xea, 0x5d, + 0x0b, 0xaf, 0xf9, 0x8e, 0x41, 0xa6, 0xdd, 0x91, + 0x3a, 0x68, 0x54, 0xb7, 0x2e, 0xb1, 0x74, 0xff, + 0xf5, 0x0d, 0xa7, 0x3c, 0xc7, 0x30, 0x5b, 0x55, + 0xc6, 0x2d, 0xc8, 0x4c, 0xb4, 0xad, 0xcc, 0xd0, + 0xa1, 0x1b, 0x41, 0xc7, 0x23, 0xe8, 0xda, 0xff, + 0xb7, 0x3a, 0x12, 0xc2, 0xdc, 0x39, 0x7c, 0xf4, + 0xb9, 0x50, 0x00, 0x53, 0x88, 0xc8, 0x77, 0x49, + 0xfd, 0x70, 0x3d, 0xe0, 0xaa, 0x0c, 0x28, 0xd4, + 0xa2, 0xec, 0x82, 0x5d, 0xda, 0xe8, 0x05, 0x2f, + 0xe8, 0x9c, 0x21, 0x39, 0x3a, 0x22, 0x2f, 0x0a, + 0x5c, 0x6d, 0x01, 0xdf, 0xc8, 0x9f, 0x46, 0xf7, + 0x15, 0x02, 0xad, 0x19, 0x35, 0x63, 0x55, 0x58, + 0xf5, 0x7a, 0x46, 0xc9, 0x7a, 0xe6, 0x33, 0x84, + 0x48, 0x2b, 0xf0, 0xe7, 0xc5, 0x72, 0x98, 0x43, + 0x6a, 0x99, 0xba, 0x00, 0x57, 0x4f, 0xaa, 0x0a +}; + +static const unsigned char ml_kem_512_private_key[] = { + 0x87, 0xca, 0x19, 0x93, 0xb6, 0x4d, 0x89, 0x32, + 0xae, 0x3b, 0x22, 0x52, 0x82, 0xa1, 0xb3, 0xc1, + 0x37, 0x65, 0xdc, 0xc1, 0x22, 0x4c, 0x43, 0x77, + 0x33, 0x0a, 0x04, 0xec, 0xec, 0x0b, 0x25, 0x05, + 0x40, 0x07, 0x53, 0x82, 0xbe, 0x37, 0x52, 0x53, + 0x12, 0x87, 0x7d, 0x77, 0x69, 0xfd, 0x59, 0x4f, + 0xbd, 0x16, 0x42, 0x82, 0x58, 0x9d, 0xee, 0x5c, + 0x0f, 0x2c, 0x14, 0x7f, 0xc6, 0x2a, 0x95, 0x42, + 0x10, 0x3c, 0x08, 0xbc, 0xcc, 0xa0, 0x05, 0x82, + 0xe9, 0xc5, 0x26, 0x81, 0xfa, 0xb8, 0x79, 0x78, + 0x5b, 0x3e, 0x79, 0x49, 0x68, 0x44, 0xb3, 0x7b, + 0xf5, 0x26, 0x62, 0x7a, 0x8a, 0x3c, 0xd8, 0x82, + 0x1f, 0x16, 0x1d, 0x92, 0x99, 0xac, 0xc4, 0xa9, + 0xb9, 0x30, 0x32, 0x6b, 0x6b, 0x67, 0x3d, 0x16, + 0x13, 0x1d, 0xf0, 0x98, 0x94, 0x42, 0x90, 0x68, + 0xfc, 0x65, 0xa3, 0xe5, 0x16, 0x22, 0x09, 0x64, + 0xc0, 0x7d, 0x54, 0x03, 0x47, 0x89, 0xbe, 0xae, + 0x61, 0x4b, 0x13, 0xa1, 0xcd, 0xad, 0xbc, 0x20, + 0x5e, 0x36, 0x36, 0x34, 0x41, 0x1d, 0x5b, 0x3a, + 0x26, 0x91, 0x80, 0x75, 0xe0, 0x63, 0x9d, 0xd6, + 0x35, 0xc9, 0x28, 0x81, 0xa4, 0x6e, 0xfb, 0x95, + 0x01, 0x11, 0x8f, 0xcc, 0x18, 0xb3, 0x9a, 0x91, + 0x66, 0xa6, 0x37, 0x6c, 0xeb, 0x71, 0x42, 0x29, + 0xec, 0x71, 0xa4, 0x99, 0x6d, 0x92, 0x97, 0x9d, + 0x94, 0x64, 0x6e, 0xc3, 0xf0, 0x5d, 0xa5, 0x49, + 0x8f, 0x66, 0xa5, 0x0a, 0x9a, 0xb9, 0xcf, 0x85, + 0x20, 0xa7, 0x28, 0xe1, 0xc2, 0x10, 0x08, 0x72, + 0x58, 0x71, 0x56, 0x3e, 0x7b, 0x47, 0x46, 0x81, + 0x7d, 0x74, 0xfa, 0xb2, 0xb6, 0xf2, 0xa0, 0xe3, + 0x4a, 0x0a, 0x5e, 0x95, 0x2b, 0x32, 0xf1, 0x07, + 0x2c, 0x30, 0x5e, 0x81, 0x84, 0x58, 0xf3, 0x42, + 0x34, 0xdb, 0xaa, 0xc4, 0x06, 0xcb, 0x63, 0x72, + 0xfa, 0x01, 0x86, 0xe8, 0xca, 0xd7, 0x73, 0x1d, + 0xac, 0xd8, 0x64, 0x60, 0x66, 0xb1, 0x19, 0xb1, + 0x59, 0xac, 0x78, 0x21, 0xab, 0x9a, 0x62, 0xbf, + 0xe8, 0x1b, 0xd1, 0xdc, 0x75, 0x08, 0xa4, 0x9e, + 0x22, 0x54, 0xa8, 0x36, 0x68, 0x4b, 0xb7, 0x22, + 0xa3, 0xbc, 0x04, 0x09, 0xe2, 0xe9, 0x4d, 0xce, + 0xf5, 0x46, 0x69, 0x1a, 0x47, 0x80, 0xb2, 0xa5, + 0xa0, 0x24, 0xcf, 0x0d, 0x60, 0x95, 0x99, 0x33, + 0xad, 0x6a, 0x58, 0x7a, 0x56, 0x53, 0x86, 0x44, + 0xa8, 0x3c, 0x1f, 0x92, 0x55, 0x3f, 0x3a, 0x3b, + 0x5f, 0x81, 0xaa, 0x0c, 0xc4, 0x4b, 0x1a, 0xe3, + 0x61, 0x8a, 0xd0, 0x5d, 0x29, 0x87, 0xb6, 0x7d, + 0x1c, 0x85, 0xa5, 0x14, 0xb0, 0xde, 0x1c, 0x8d, + 0x5c, 0xc1, 0x5c, 0x04, 0xfc, 0x77, 0xad, 0x03, + 0x55, 0x96, 0xe0, 0xa7, 0x43, 0xb5, 0x95, 0x9a, + 0xd5, 0x22, 0xef, 0x13, 0x5f, 0x14, 0x9c, 0x0e, + 0x7e, 0x56, 0x89, 0x37, 0x33, 0xc9, 0x00, 0x54, + 0x7e, 0xea, 0x32, 0x4f, 0x02, 0x85, 0xcd, 0xe5, + 0x9c, 0x25, 0x00, 0x3b, 0xad, 0xc2, 0x72, 0x3a, + 0x38, 0x66, 0x95, 0xf9, 0xf4, 0x22, 0x1f, 0x50, + 0x19, 0x20, 0x6a, 0x31, 0x03, 0xf8, 0x97, 0x91, + 0xf0, 0x42, 0xbb, 0xc0, 0x86, 0xde, 0x56, 0x93, + 0xf2, 0x78, 0x9b, 0xc9, 0x98, 0x16, 0x47, 0x83, + 0x67, 0x55, 0x92, 0x4e, 0x5a, 0xfa, 0x5d, 0x88, + 0xf9, 0xc8, 0xef, 0xa8, 0x21, 0x34, 0x58, 0x5f, + 0xca, 0xbb, 0x52, 0x98, 0xbc, 0x5c, 0xf5, 0xa7, + 0xae, 0xc5, 0xfc, 0x78, 0xf9, 0xa5, 0x30, 0x16, + 0x68, 0x9d, 0x62, 0x17, 0x41, 0x7a, 0x95, 0xcf, + 0x27, 0xb6, 0x6d, 0xae, 0x58, 0xa7, 0x28, 0x8c, + 0x8f, 0xc3, 0x28, 0xac, 0x06, 0x79, 0x9d, 0x94, + 0xc4, 0x9d, 0xed, 0xb2, 0x61, 0xf4, 0x44, 0x86, + 0xec, 0x12, 0xc3, 0x13, 0x97, 0xa7, 0x8b, 0x9a, + 0x63, 0x2e, 0xf1, 0x66, 0x08, 0x84, 0x32, 0xf6, + 0x15, 0x3b, 0x91, 0xca, 0xce, 0xf7, 0x40, 0x53, + 0xa9, 0x28, 0x11, 0x63, 0xa0, 0x23, 0x2e, 0xc4, + 0x44, 0x28, 0x05, 0x01, 0x02, 0x74, 0xcf, 0x9c, + 0x3a, 0x1a, 0xbc, 0x93, 0x8a, 0x2c, 0xe8, 0x9a, + 0xca, 0xe1, 0x74, 0x62, 0x03, 0x88, 0xc7, 0x12, + 0x20, 0x96, 0x3c, 0x4d, 0x10, 0x79, 0x28, 0x6f, + 0x7b, 0xa8, 0x1b, 0xfb, 0x5e, 0x57, 0x17, 0xcc, + 0x6d, 0xd0, 0x72, 0x8a, 0xb2, 0x70, 0xa3, 0x0a, + 0x88, 0x03, 0x5b, 0x88, 0x5d, 0x35, 0x12, 0x8e, + 0xac, 0xc1, 0x81, 0xca, 0xb7, 0x2b, 0xb1, 0x96, + 0xf6, 0x35, 0xce, 0xbb, 0x75, 0xad, 0x0d, 0xd0, + 0xba, 0x4e, 0x43, 0x5b, 0x31, 0x08, 0x93, 0x32, + 0x72, 0x63, 0x58, 0xc5, 0xa2, 0x70, 0x95, 0x12, + 0x8f, 0xf2, 0xc1, 0x61, 0xeb, 0x22, 0xe9, 0x4a, + 0x65, 0xa5, 0x48, 0x5d, 0x4c, 0x11, 0x78, 0x69, + 0x0b, 0x1f, 0x39, 0x2b, 0x7f, 0x63, 0x77, 0xad, + 0x96, 0x6b, 0x67, 0x80, 0x90, 0x70, 0x57, 0x2b, + 0xbc, 0x68, 0x9c, 0xaa, 0xb2, 0xd8, 0x3c, 0xbf, + 0xd6, 0x4f, 0xc4, 0x28, 0x65, 0x74, 0x54, 0x84, + 0x43, 0x9a, 0x1c, 0x96, 0x50, 0x02, 0x97, 0xc6, + 0xcf, 0xb0, 0xb1, 0x1d, 0x98, 0x9a, 0x32, 0x94, + 0x73, 0x88, 0x94, 0x78, 0x2d, 0x5f, 0x25, 0x05, + 0x5f, 0xa6, 0x96, 0x7a, 0xc8, 0x3a, 0xdf, 0xa8, + 0x19, 0xb2, 0x53, 0x53, 0x05, 0xf9, 0x31, 0xdc, + 0x58, 0x6c, 0xd1, 0x3a, 0x9b, 0x47, 0x3b, 0x7d, + 0x87, 0xe5, 0xb4, 0xb2, 0xd9, 0x96, 0x2a, 0x59, + 0x90, 0x3c, 0xcc, 0xad, 0xdc, 0xa2, 0x57, 0x87, + 0x71, 0xc6, 0x7e, 0x5a, 0x49, 0x98, 0xc8, 0x94, + 0x29, 0x30, 0x7b, 0x0e, 0x01, 0x97, 0x53, 0x18, + 0x32, 0x50, 0x73, 0x9e, 0x14, 0x47, 0x97, 0xbd, + 0xcc, 0x22, 0xab, 0x02, 0x95, 0xd7, 0xc5, 0x32, + 0xdf, 0x17, 0x84, 0x86, 0x77, 0x41, 0x6e, 0x95, + 0x4d, 0x66, 0xf9, 0xb0, 0x9e, 0x12, 0x81, 0x53, + 0x2a, 0x2e, 0x8f, 0x0c, 0x6a, 0xbe, 0x00, 0x37, + 0xe7, 0xe8, 0x11, 0x90, 0x97, 0xc9, 0xec, 0x84, + 0x5a, 0xa0, 0x69, 0x85, 0xc0, 0x88, 0x55, 0x2c, + 0x41, 0xb6, 0x15, 0x17, 0x36, 0x42, 0xc1, 0x02, + 0x51, 0xc0, 0x6e, 0x91, 0xa2, 0x5c, 0x24, 0x3c, + 0x02, 0x63, 0xb6, 0x75, 0xc7, 0x20, 0x7d, 0x58, + 0x70, 0x1d, 0x13, 0xa5, 0x2e, 0xab, 0x92, 0x56, + 0x5e, 0xf1, 0xa1, 0xde, 0xfb, 0xae, 0xfe, 0x4c, + 0x0b, 0x03, 0xf5, 0x04, 0x44, 0xa3, 0xbe, 0x20, + 0xb1, 0x71, 0x31, 0x0b, 0xa3, 0xf2, 0x08, 0x52, + 0xf3, 0xa2, 0xa1, 0x8e, 0x72, 0x29, 0x40, 0x70, + 0x15, 0x64, 0x60, 0x52, 0xd2, 0xe7, 0x3a, 0xbe, + 0xe3, 0x18, 0xd7, 0x55, 0x89, 0x9c, 0x78, 0x4a, + 0x6f, 0xb5, 0xaa, 0xb1, 0x7c, 0x90, 0x2c, 0xb6, + 0x8a, 0xfa, 0x36, 0x57, 0xb9, 0x01, 0x2e, 0x1b, + 0xb8, 0xb6, 0xaa, 0xc2, 0x68, 0x9a, 0xa4, 0x8c, + 0x2d, 0x42, 0x62, 0xbb, 0x29, 0x63, 0xb0, 0x6a, + 0x24, 0x22, 0x82, 0x54, 0x1c, 0xf6, 0x14, 0x19, + 0xd9, 0x0e, 0x2b, 0xd3, 0x66, 0xbe, 0xe7, 0xa4, + 0x36, 0x9b, 0x72, 0x41, 0xa6, 0x6b, 0xf2, 0x64, + 0x5d, 0x8e, 0x90, 0x4c, 0x3f, 0x7b, 0x30, 0x0c, + 0x04, 0x1d, 0x56, 0x87, 0x39, 0x3d, 0x2c, 0xa9, + 0x29, 0x75, 0xcb, 0xfd, 0xc0, 0x18, 0xdd, 0xc6, + 0x0a, 0xf5, 0x62, 0x00, 0x9e, 0xb0, 0x88, 0x8e, + 0x5a, 0x05, 0x76, 0x24, 0x6a, 0xce, 0x74, 0x5b, + 0xb1, 0x63, 0x40, 0x8b, 0x5a, 0x9a, 0xe3, 0xc1, + 0x94, 0xa8, 0x5c, 0x21, 0x90, 0x7b, 0x37, 0xb1, + 0x62, 0x8e, 0xcd, 0x9a, 0x15, 0xec, 0x20, 0x24, + 0x87, 0x30, 0x27, 0x34, 0x44, 0xb0, 0xa2, 0xf4, + 0x54, 0xf9, 0xb4, 0x73, 0x0f, 0x33, 0x91, 0x50, + 0x47, 0x6e, 0xe0, 0x70, 0x98, 0xf6, 0xbc, 0x1b, + 0x97, 0xcc, 0x1b, 0xd3, 0xb8, 0xc1, 0xa2, 0xeb, + 0x0e, 0x50, 0xa7, 0x82, 0xf2, 0x11, 0x5d, 0xf6, + 0x17, 0x49, 0x6f, 0x6c, 0x6f, 0x8c, 0x09, 0xb0, + 0x5f, 0x88, 0x8d, 0x9e, 0x93, 0x3d, 0x28, 0x77, + 0x46, 0xc6, 0x31, 0xb3, 0x10, 0x87, 0x26, 0xb0, + 0xc4, 0xa7, 0xc8, 0x8b, 0x09, 0xc8, 0x60, 0xac, + 0xd7, 0x52, 0x35, 0x70, 0xc8, 0x02, 0xbd, 0x38, + 0x72, 0x43, 0x16, 0x2d, 0x12, 0x8c, 0xa2, 0x29, + 0x4c, 0x83, 0x43, 0x18, 0xcc, 0x21, 0xfb, 0x14, + 0xd2, 0xab, 0x37, 0x3f, 0x22, 0x4e, 0x3f, 0xd4, + 0x98, 0x43, 0x85, 0x95, 0x09, 0xf4, 0xca, 0x1a, + 0x1a, 0x56, 0x6c, 0x05, 0x67, 0x88, 0xa3, 0xaa, + 0x48, 0x4a, 0xaa, 0xbd, 0xf1, 0xa0, 0x8f, 0x1b, + 0x44, 0xc7, 0x56, 0xab, 0x2a, 0x0c, 0x8b, 0xc5, + 0x85, 0x1e, 0xe2, 0xeb, 0x23, 0x03, 0x4c, 0x2e, + 0xaa, 0x5a, 0xc1, 0x5f, 0x89, 0x75, 0x1b, 0xd5, + 0xca, 0xe1, 0xd5, 0x90, 0x89, 0xd5, 0x00, 0x2b, + 0xb1, 0xb3, 0xbf, 0xca, 0x4a, 0xde, 0x09, 0x82, + 0xad, 0x67, 0x83, 0xe9, 0xd3, 0x7f, 0xb3, 0xe3, + 0x20, 0xac, 0x98, 0x55, 0xdf, 0x66, 0x6b, 0xfd, + 0x7c, 0x6b, 0x87, 0xa9, 0xa4, 0x6e, 0x25, 0x97, + 0x12, 0x56, 0x11, 0x61, 0x50, 0x7e, 0x17, 0x35, + 0x98, 0xf9, 0x88, 0xac, 0xb6, 0xf9, 0xab, 0x3a, + 0x10, 0x92, 0x63, 0x24, 0x46, 0x88, 0xc7, 0x08, + 0x78, 0x75, 0x8f, 0xf4, 0xd4, 0x31, 0x3b, 0x76, + 0x64, 0xf0, 0xf5, 0x10, 0xe9, 0x13, 0xca, 0x01, + 0xc5, 0x2b, 0x3a, 0x1b, 0x46, 0x53, 0x51, 0x44, + 0xe2, 0xdb, 0x0c, 0xac, 0xe8, 0xa6, 0x46, 0x66, + 0x00, 0xcf, 0x2a, 0x87, 0x83, 0x50, 0x07, 0xe1, + 0x6a, 0xa5, 0x07, 0x80, 0x1d, 0x86, 0xb7, 0x38, + 0x5e, 0x66, 0x9b, 0xfa, 0xf6, 0xba, 0x1d, 0xf5, + 0x68, 0x31, 0x63, 0xc2, 0xd5, 0x70, 0x53, 0x2f, + 0xd7, 0x43, 0x90, 0x54, 0x64, 0x0f, 0x24, 0x4c, + 0x52, 0x87, 0x13, 0x59, 0xd2, 0x84, 0x2f, 0xc3, + 0x37, 0xa0, 0x60, 0x03, 0x3a, 0xf0, 0x5e, 0xaa, + 0x00, 0x1c, 0x34, 0xfc, 0x7b, 0xd8, 0xf9, 0x10, + 0x29, 0xe4, 0x6c, 0x29, 0x43, 0x36, 0x27, 0x64, + 0x5d, 0x67, 0x86, 0x64, 0x21, 0xd6, 0x61, 0xaf, + 0x25, 0x74, 0x80, 0x53, 0x2b, 0x88, 0x78, 0x50, + 0xdc, 0x49, 0x9f, 0xfe, 0xd5, 0xb1, 0x40, 0x98, + 0xa0, 0x33, 0x72, 0x5e, 0x82, 0x0a, 0x5b, 0xe1, + 0x40, 0x0a, 0x0c, 0xb7, 0x03, 0x74, 0x1c, 0xa7, + 0x4b, 0x47, 0x86, 0x73, 0xaa, 0xcf, 0x85, 0x16, + 0x6e, 0xe8, 0xa1, 0x84, 0xdb, 0x2c, 0x58, 0x54, + 0x9c, 0x22, 0x40, 0xb8, 0x30, 0x8c, 0x27, 0xbe, + 0xba, 0x40, 0xc3, 0xb9, 0xd7, 0x29, 0xed, 0xb1, + 0x8c, 0xc2, 0x06, 0x8e, 0xcd, 0xb2, 0x7d, 0xa2, + 0x2b, 0x2c, 0xd3, 0xe7, 0xa0, 0xba, 0xa5, 0x30, + 0xc5, 0x19, 0x3c, 0xd3, 0xc8, 0x6b, 0xf8, 0x6a, + 0x44, 0xf0, 0x79, 0x9e, 0x51, 0x55, 0xb0, 0x9b, + 0xe2, 0x50, 0x98, 0x85, 0x23, 0xb3, 0xa7, 0x31, + 0xdd, 0x89, 0x1b, 0xc2, 0x00, 0x60, 0x11, 0xa0, + 0x65, 0xc0, 0xab, 0x57, 0xf1, 0xa6, 0xc1, 0x78, + 0x89, 0x55, 0xe0, 0x13, 0x5f, 0xa5, 0xca, 0x8f, + 0x3e, 0x52, 0xc7, 0x5d, 0x37, 0x16, 0x97, 0x3a, + 0x2f, 0xb2, 0x2c, 0x0e, 0xb1, 0x7c, 0x1b, 0x32, + 0x85, 0x29, 0xd9, 0xfa, 0x76, 0x56, 0xd7, 0x4d, + 0xea, 0x74, 0x0d, 0x9f, 0x07, 0x97, 0x77, 0xc3, + 0x6c, 0x17, 0xa1, 0x9c, 0x19, 0x58, 0x9e, 0x84, + 0xd2, 0xb8, 0xe4, 0xd1, 0xbc, 0x31, 0x07, 0xcb, + 0xd2, 0x78, 0x14, 0x22, 0x48, 0x35, 0x48, 0x44, + 0x6c, 0x89, 0x93, 0x14, 0x77, 0x44, 0xaa, 0x9e, + 0xc1, 0xc5, 0x93, 0xec, 0x2d, 0x5b, 0xaa, 0xc8, + 0x6a, 0x0a, 0xf6, 0x4a, 0x85, 0xe9, 0x09, 0xdf, + 0x8e, 0x28, 0x16, 0x60, 0x5d, 0x20, 0xb4, 0xe3, + 0x82, 0xb3, 0x0b, 0xbb, 0x61, 0xbf, 0x3a, 0x5f, + 0x82, 0x1a, 0x0b, 0x5d, 0xba, 0x9a, 0xd3, 0xe7, + 0xe5, 0xbd, 0x1b, 0x37, 0xa7, 0x5e, 0x0f, 0x09, + 0x29, 0x74, 0xe8, 0x46, 0xe8, 0xc3, 0x7c, 0x45, + 0x48, 0x7d, 0x60, 0x73, 0x9f, 0x99, 0x35, 0x17, + 0x19, 0xa5, 0x39, 0x47, 0x23, 0x26, 0x2b, 0x3b, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + +static const unsigned char ml_kem_512_public_key[] = { + 0x61, 0xb5, 0x0f, 0x5f, 0xf3, 0x80, 0x25, 0xa9, + 0x13, 0x9c, 0x0a, 0xc0, 0x21, 0x9b, 0xae, 0xc8, + 0xa8, 0xb7, 0x1c, 0xc5, 0x50, 0xfd, 0x06, 0x29, + 0x56, 0x17, 0xcf, 0x0c, 0x84, 0x54, 0xaf, 0xfc, + 0x8e, 0xa0, 0x26, 0x1b, 0xe8, 0xbb, 0x2f, 0xd4, + 0x77, 0x3c, 0xdd, 0xf2, 0x3e, 0x2c, 0x55, 0x47, + 0x27, 0xf9, 0x64, 0x60, 0x2c, 0x9e, 0x67, 0xb5, + 0x6e, 0x6e, 0xfa, 0xae, 0xca, 0x1b, 0x95, 0x08, + 0x67, 0xc4, 0xc5, 0x5b, 0xb1, 0xd7, 0x50, 0x34, + 0x27, 0x65, 0x0b, 0xeb, 0xda, 0x23, 0x55, 0xb9, + 0x24, 0x30, 0x62, 0x19, 0xad, 0x07, 0x3b, 0x98, + 0x78, 0x2a, 0xec, 0x54, 0xa8, 0xc7, 0x04, 0xcf, + 0x31, 0x13, 0xc7, 0x8b, 0x17, 0x4b, 0xa8, 0x97, + 0x66, 0x6c, 0xb0, 0x1b, 0x08, 0xb7, 0x05, 0x6d, + 0x5c, 0x6f, 0x17, 0x87, 0x0f, 0x72, 0xd4, 0x5a, + 0x9e, 0x04, 0xb0, 0xc0, 0x01, 0x7c, 0x0f, 0x96, + 0xad, 0x2c, 0x52, 0x5d, 0x98, 0xc0, 0x49, 0x83, + 0x6a, 0x59, 0x19, 0xb3, 0x66, 0xef, 0x48, 0x97, + 0x95, 0x14, 0x5f, 0x56, 0x64, 0x68, 0x93, 0x03, + 0x31, 0x3f, 0x4a, 0xa5, 0x7c, 0x55, 0x7f, 0x3c, + 0xcc, 0x3b, 0x3f, 0x59, 0xbc, 0x6f, 0xb3, 0xcb, + 0xdb, 0x78, 0x50, 0x2f, 0x1b, 0x33, 0x28, 0x4c, + 0x65, 0x80, 0x55, 0x89, 0xca, 0xbb, 0x4b, 0x5e, + 0x14, 0x24, 0xe3, 0x46, 0x7b, 0x68, 0x62, 0x1d, + 0x83, 0x60, 0x58, 0x02, 0xc0, 0x82, 0x7d, 0x45, + 0x5f, 0x73, 0x84, 0xa3, 0x58, 0xd7, 0xbb, 0xdb, + 0x16, 0xa3, 0x71, 0x63, 0x9c, 0x7c, 0x45, 0x55, + 0x9b, 0x79, 0x1c, 0x53, 0x9c, 0x99, 0xc9, 0xd7, + 0xc1, 0x47, 0x70, 0xc6, 0x76, 0xd6, 0x76, 0xef, + 0x07, 0x2b, 0xff, 0x19, 0x8e, 0x8e, 0x28, 0x89, + 0x7e, 0xa2, 0xaa, 0x12, 0x9c, 0x8b, 0xba, 0x77, + 0x46, 0xdc, 0xb6, 0xcd, 0xc0, 0x9b, 0x04, 0x47, + 0x30, 0xb4, 0xd9, 0xb8, 0x95, 0x96, 0x11, 0x6b, + 0xb5, 0xf8, 0x6a, 0xd9, 0x25, 0xb9, 0xcb, 0x2b, + 0x2c, 0x16, 0x08, 0x31, 0x47, 0x78, 0x90, 0xe4, + 0x53, 0x7e, 0x36, 0xa1, 0x53, 0x4e, 0xc5, 0x73, + 0x2f, 0xc0, 0xac, 0x0b, 0x40, 0x40, 0x5a, 0x91, + 0x25, 0xe7, 0x01, 0x7e, 0x6a, 0x41, 0x7d, 0xff, + 0x1a, 0x8f, 0x01, 0xd3, 0x36, 0x0e, 0xa8, 0x7a, + 0x03, 0x80, 0xa3, 0x30, 0xcb, 0x04, 0x69, 0x59, + 0x71, 0x9b, 0x43, 0x96, 0x1d, 0xa0, 0xb1, 0x6d, + 0x96, 0xcf, 0x61, 0x9c, 0x30, 0xbf, 0xba, 0x0d, + 0x5a, 0x19, 0x88, 0x42, 0x00, 0x90, 0x23, 0x18, + 0xbf, 0xdd, 0x68, 0xae, 0x80, 0x3b, 0x96, 0x28, + 0x5a, 0x5f, 0xb9, 0x98, 0x2b, 0x37, 0x65, 0x21, + 0x6c, 0x51, 0xc2, 0xce, 0x76, 0xc6, 0x3c, 0xd4, + 0x27, 0xbb, 0xe5, 0x9c, 0x31, 0xd4, 0x62, 0x7c, + 0x77, 0xa5, 0xc7, 0x88, 0x55, 0x90, 0x70, 0x15, + 0x13, 0xcc, 0x0c, 0x9a, 0x20, 0x15, 0xb4, 0xf2, + 0x8e, 0xf0, 0x33, 0x32, 0xcf, 0xc5, 0x4f, 0x23, + 0x56, 0xa3, 0xef, 0xf4, 0x93, 0x82, 0xf4, 0x1b, + 0x55, 0xfa, 0x5f, 0x12, 0x79, 0xb2, 0xa1, 0x88, + 0xb8, 0x88, 0xb6, 0x87, 0x66, 0xc5, 0x9e, 0x44, + 0xd2, 0xb2, 0x14, 0x74, 0x9b, 0x14, 0x25, 0x93, + 0xf0, 0x87, 0x30, 0x12, 0x5b, 0x20, 0x2e, 0x06, + 0xcb, 0xd1, 0x24, 0x0f, 0x5b, 0x25, 0x9f, 0x12, + 0x9a, 0x1b, 0x0c, 0xc8, 0xa8, 0x05, 0x40, 0xbb, + 0xb7, 0x79, 0x4e, 0x72, 0x49, 0x4d, 0x43, 0x92, + 0x73, 0xf4, 0x54, 0x42, 0x86, 0xc9, 0x90, 0x26, + 0xb0, 0x4f, 0x0c, 0xca, 0x2f, 0xf0, 0x4b, 0x48, + 0x27, 0x59, 0xba, 0x6b, 0xb7, 0x67, 0xa3, 0x93, + 0x1e, 0x7c, 0x17, 0x57, 0xa6, 0x47, 0xb0, 0xf3, + 0x78, 0x58, 0xf1, 0xe7, 0xc9, 0xbe, 0x8c, 0x4b, + 0x4e, 0xe2, 0xcd, 0xe2, 0x81, 0x25, 0xa8, 0x94, + 0x08, 0x9d, 0x70, 0xa1, 0x1e, 0x24, 0x28, 0xa4, + 0x1b, 0x2f, 0x4a, 0xf5, 0x9b, 0xc9, 0x67, 0x5a, + 0x60, 0x48, 0x3b, 0xa3, 0x86, 0x94, 0x83, 0x06, + 0x40, 0x27, 0x80, 0x79, 0xd1, 0x28, 0x03, 0x6b, + 0x23, 0x5c, 0x5f, 0xc6, 0xa8, 0xfe, 0x5a, 0xab, + 0x38, 0x9a, 0x36, 0x11, 0xf1, 0x92, 0x53, 0x30, + 0xc3, 0x0c, 0x8b, 0xba, 0xa2, 0x2a, 0x2a, 0x60, + 0x47, 0x67, 0x61, 0x72, 0x48, 0x18, 0x45, 0x37, + 0x64, 0x76, 0x2f, 0x0a, 0x35, 0x17, 0xf6, 0xf8, + 0xbc, 0x09, 0xa8, 0x41, 0x2e, 0xab, 0xa9, 0xd4, + 0x66, 0x65, 0xf5, 0x71, 0x5a, 0x7c, 0xf1, 0x0b, + 0x41, 0x25, 0x9b, 0xd8, 0xd4, 0x2b, 0xb4, 0x80, + 0x48, 0xb9, 0xbb, 0x6c, 0xd3, 0x0b, 0xcc, 0x64, + 0x7b, 0xb9, 0x46, 0x07, 0xac, 0xb8, 0xa1, 0x33, + 0xac, 0x69, 0x17, 0xa3, 0xc9, 0xbd, 0xce, 0x84, + 0xbb, 0xb2, 0x84, 0x2f, 0x60, 0xab, 0x6a, 0xa7, + 0xd2, 0x94, 0x5b, 0x6b, 0xa0, 0xcb, 0x82, 0x6f, + 0x9b, 0x97, 0xb3, 0x95, 0xe2, 0x86, 0x25, 0x77, + 0x4b, 0x6d, 0x39, 0x81, 0xb5, 0x83, 0xb6, 0x68, + 0x92, 0x73, 0x03, 0xc9, 0x3f, 0x55, 0x78, 0x5f, + 0x21, 0x93, 0xce, 0x69, 0x72, 0x18, 0x6e, 0xf7, + 0x58, 0xdf, 0x10, 0x1b, 0x31, 0x47, 0x6f, 0x7e, + 0x28, 0x1c, 0x42, 0x0a, 0x5b, 0xbe, 0x06, 0x61, + 0x4f, 0x2b, 0x06, 0xc2, 0x9c, 0x41, 0xce, 0x4b, + 0x94, 0x9e, 0xb1, 0x00, 0x0f, 0xc4, 0xb6, 0x8c, + 0x09, 0x54, 0x38, 0x7c, 0x43, 0x8b, 0x6b, 0x08, + 0xb0, 0x1c, 0x00, 0x78, 0x79, 0xae, 0xda, 0x00, + 0x9f, 0x47, 0xc6, 0x6f, 0x12, 0x05, 0xab, 0x43, + 0x15, 0x88, 0x10, 0x75, 0xbb, 0x3a, 0xdc, 0x59, + 0x98, 0xd9, 0x1d, 0x59, 0xb9, 0x7d, 0x64, 0x02, + 0xbc, 0x36, 0xc5, 0x3a, 0x27, 0xa2, 0xb0, 0x88, + 0x81, 0x20, 0x33, 0xbc, 0x5a, 0x79, 0xe6, 0x87, + 0x2f, 0x72, 0x3a, 0x7e, 0x0e, 0xa5, 0x3c, 0x8e, + 0xdc, 0x4e, 0x73, 0x4d, 0xae, 0x85, 0xe5, 0x04, + 0x18, 0x84, 0x50, 0x24, 0x85, 0xa1, 0xae, 0x53, + 0x29, 0x16, 0x22, 0xe9, 0xd4, 0xa5, 0xba, 0xd4 +}; + +static const unsigned char ml_kem_512_secret[] = { + 0x4a, 0xd5, 0x3a, 0x06, 0xb2, 0x9f, 0x12, 0x56, + 0x84, 0x21, 0xa5, 0x52, 0xc0, 0x81, 0x95, 0xb5, + 0x86, 0x73, 0xc8, 0x2f, 0x87, 0x0c, 0xc1, 0xcc, + 0xd6, 0x5a, 0x08, 0xe4, 0x32, 0x5f, 0xeb, 0x27 +}; + +static const unsigned char ml_kem_512_reject_secret[] = { + 0x87, 0xf1, 0xe8, 0x13, 0xb7, 0x2e, 0x04, 0x87, + 0x47, 0x22, 0x56, 0x6e, 0x12, 0x80, 0xd8, 0x9d, + 0x8b, 0x44, 0xb7, 0xfd, 0xff, 0x7d, 0x69, 0x23, + 0x36, 0xd7, 0xb8, 0x7f, 0x38, 0xe7, 0x85, 0xce +}; + +static const unsigned char ml_kem_512_entropy[ML_KEM_RANDOM_BYTES] = { + 0 +}; + +static const unsigned char ml_kem_512_seed[ML_KEM_SEED_BYTES] = { + 0 +}; + +static const ST_KAT_KEM st_kat_kem_tests[] = { + { + OSSL_SELF_TEST_DESC_KEM, + "ML-KEM-512", + ITM(ml_kem_512_cipher_text), + ITM(ml_kem_512_private_key), + ITM(ml_kem_512_public_key), + ITM(ml_kem_512_entropy), + ITM(ml_kem_512_seed), + ITM(ml_kem_512_secret), + ml_kem_512_reject_secret /* No length because same as _secret's */ + }, +}; diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c index 1cbb30f1846..06e06a89ecf 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c @@ -18,6 +18,7 @@ #include "internal/cryptlib.h" #include "internal/nelem.h" #include "self_test.h" +#include "crypto/ml_kem.h" #include "self_test_data.inc" static int set_kat_drbg(OSSL_LIB_CTX *ctx, @@ -624,6 +625,202 @@ err: } #endif /* OPENSSL_NO_ML_DSA */ +/* + * FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for ML-KEM + * encapsulation. + */ +static int self_test_kem_encapsulate(const ST_KAT_KEM *t, OSSL_SELF_TEST *st, + OSSL_LIB_CTX *libctx, EVP_PKEY *pkey) +{ + int ret = 0; + EVP_PKEY_CTX *ctx; + unsigned char *wrapped = NULL, *secret = NULL; + size_t wrappedlen = t->cipher_text_len, secretlen = t->secret_len; + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KEM, + OSSL_SELF_TEST_DESC_ENCAP_KEM); + + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, ""); + if (ctx == NULL) + goto err; + + *params = OSSL_PARAM_construct_octet_string(OSSL_KEM_PARAM_IKME, + (unsigned char *)t->entropy, + t->entropy_len); + if (EVP_PKEY_encapsulate_init(ctx, params) <= 0) + goto err; + + /* Allocate output buffers */ + wrapped = OPENSSL_malloc(wrappedlen); + secret = OPENSSL_malloc(secretlen); + if (wrapped == NULL || secret == NULL) + goto err; + + /* Encapsulate */ + if (EVP_PKEY_encapsulate(ctx, wrapped, &wrappedlen, secret, &secretlen) <= 0) + goto err; + + /* Compare outputs */ + OSSL_SELF_TEST_oncorrupt_byte(st, wrapped); + if (wrappedlen != t->cipher_text_len + || memcmp(wrapped, t->cipher_text, t->cipher_text_len) != 0) + goto err; + + OSSL_SELF_TEST_oncorrupt_byte(st, secret); + if (secretlen != t->secret_len + || memcmp(secret, t->secret, t->secret_len) != 0) + goto err; + + ret = 1; + err: + OPENSSL_free(wrapped); + OPENSSL_free(secret); + EVP_PKEY_CTX_free(ctx); + OSSL_SELF_TEST_onend(st, ret); + return ret; +} + +/* + * FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for ML-KEM + * decapsulation both for the rejection path and the normal path. + */ +static int self_test_kem_decapsulate(const ST_KAT_KEM *t, OSSL_SELF_TEST *st, + OSSL_LIB_CTX *libctx, EVP_PKEY *pkey, + int reject) +{ + int ret = 0; + EVP_PKEY_CTX *ctx = NULL; + unsigned char *secret = NULL, *alloced = NULL; + const unsigned char *test_secret = t->secret; + const unsigned char *cipher_text = t->cipher_text; + size_t secretlen = t->secret_len; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KEM, + reject ? OSSL_SELF_TEST_DESC_DECAP_KEM_FAIL + : OSSL_SELF_TEST_DESC_DECAP_KEM); + + if (reject) { + cipher_text = alloced = OPENSSL_zalloc(t->cipher_text_len); + if (alloced == NULL) + goto err; + test_secret = t->reject_secret; + } + + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, ""); + if (ctx == NULL) + goto err; + + if (EVP_PKEY_decapsulate_init(ctx, NULL) <= 0) + goto err; + + /* Allocate output buffer */ + secret = OPENSSL_malloc(secretlen); + if (secret == NULL) + goto err; + + /* Decapsulate */ + if (EVP_PKEY_decapsulate(ctx, secret, &secretlen, + cipher_text, t->cipher_text_len) <= 0) + goto err; + + /* Compare output */ + OSSL_SELF_TEST_oncorrupt_byte(st, secret); + if (secretlen != t->secret_len + || memcmp(secret, test_secret, t->secret_len) != 0) + goto err; + + ret = 1; + err: + OPENSSL_free(alloced); + OPENSSL_free(secret); + EVP_PKEY_CTX_free(ctx); + OSSL_SELF_TEST_onend(st, ret); + return ret; +} + +/* + * FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for ML-KEM + * key generation. + */ +static EVP_PKEY *self_test_kem_keygen(const ST_KAT_KEM *t, OSSL_SELF_TEST *st, + OSSL_LIB_CTX *libctx) +{ + EVP_PKEY_CTX *genctx; + EVP_PKEY *ret = NULL, *r = NULL; + OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END }; + unsigned char *buf = NULL; + const size_t s = t->public_key_len < t->private_key_len ? t->private_key_len + : t->public_key_len; + + OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_KAT_KEM, + OSSL_SELF_TEST_DESC_KEYGEN_KEM); + + genctx = EVP_PKEY_CTX_new_from_name(libctx, t->algorithm, ""); + if (genctx == NULL || EVP_PKEY_keygen_init(genctx) <= 0) + goto err; + *params = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_ML_KEM_SEED, + (unsigned char *)t->seed, + t->seed_len); + if (!EVP_PKEY_CTX_set_params(genctx, params) + || !EVP_PKEY_keygen(genctx, &r)) + goto err; + + /* Allocate output space */ + buf = OPENSSL_malloc(s); + if (buf == NULL) + goto err; + + /* Compare outputs */ + *params = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, + buf, s); + if (!EVP_PKEY_get_params(r, params)) + goto err; + OSSL_SELF_TEST_oncorrupt_byte(st, buf); + if (params->return_size != t->private_key_len + || memcmp(buf, t->private_key, t->private_key_len) != 0) + goto err; + + ret = r; + r = NULL; + err: + OPENSSL_free(buf); + EVP_PKEY_CTX_free(genctx); + EVP_PKEY_free(r); + OSSL_SELF_TEST_onend(st, ret != NULL); + return ret; +} + +/* + * Test encapsulation, decapsulation for KEM. + * + * FIPS 140-3 IG 10.3.A resolution 14 mandates a CAST for: + * 1 ML-KEM encapsulation + * 2a ML-KEM decapsulation non-rejection path + * 2b ML-KEM decapsulation implicit rejection path + * 3 ML-KEM key generation + */ +static int self_test_kem(const ST_KAT_KEM *t, OSSL_SELF_TEST *st, + OSSL_LIB_CTX *libctx) +{ + int ret = 0; + EVP_PKEY *pkey = NULL; + + pkey = self_test_kem_keygen(t, st, libctx); + if (pkey == NULL) + goto err; + + if (!self_test_kem_encapsulate(t, st, libctx, pkey) + || !self_test_kem_decapsulate(t, st, libctx, pkey, 0) + || !self_test_kem_decapsulate(t, st, libctx, pkey, 1)) + goto err; + + ret = 1; +err: + EVP_PKEY_free(pkey); + return ret; +} + /* * Test a data driven list of KAT's for digest algorithms. * All tests are run regardless of if they fail or not. @@ -651,6 +848,17 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) return ret; } +static int self_test_kems(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) +{ + int i, ret = 1; + + for (i = 0; i < (int)OSSL_NELEM(st_kat_kem_tests); ++i) { + if (!self_test_kem(&st_kat_kem_tests[i], st, libctx)) + ret = 0; + } + return ret; +} + static int self_test_kdfs(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) { int i, ret = 1; @@ -888,6 +1096,8 @@ int SELF_TEST_kats(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) ret = 0; if (!self_test_asym_keygens(st, libctx)) ret = 0; + if (!self_test_kems(st, libctx)) + ret = 0; RAND_set0_private(libctx, saved_rand); return ret;