From 6f25f3400cef589ad92991fc9502ce0b322cd900 Mon Sep 17 00:00:00 2001
From: Pravek Sharma
Date: Thu, 7 Sep 2023 16:44:01 -0400
Subject: [PATCH 1/6] Update McEliece supression files.

---
 .../kem/issues/classic-mceliece-348864 | 16 ++++++++
 .../kem/issues/classic-mceliece-460896 | 40 +++++++++++++++++++
 .../kem/issues/classic-mceliece-6960119 | 8 ++++
 .../kem/issues/classic-mceliece-8192128 | 8 ++++
 4 files changed, 72 insertions(+)

diff --git a/tests/constant_time/kem/issues/classic-mceliece-348864 b/tests/constant_time/kem/issues/classic-mceliece-348864
index c00d5f6fb3..f71ae9c0d3 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-348864
+++ b/tests/constant_time/kem/issues/classic-mceliece-348864
@@ -134,6 +134,14 @@
 fun:PQCLEAN_MCELIECE348864_AVX2_crypto_kem_keypair
 }
 
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:314
+ # fun:PQCLEAN_MCELIECE348864_AVX2_pk_gen
+ fun:PQCLEAN_MCELIECE348864_AVX2_crypto_kem_keypair
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
@@ -166,6 +174,14 @@
 fun:PQCLEAN_MCELIECE348864_AVX2_crypto_kem_keypair
 }
 
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Cond
+ src:pk_gen.c:322
+ # fun:PQCLEAN_MCELIECE348864_AVX2_pk_gen
+ fun:PQCLEAN_MCELIECE348864_AVX2_crypto_kem_keypair
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
diff --git a/tests/constant_time/kem/issues/classic-mceliece-460896 b/tests/constant_time/kem/issues/classic-mceliece-460896
index d6a33ceb47..83c9703071 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-460896
+++ b/tests/constant_time/kem/issues/classic-mceliece-460896
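Review bot: The name line of each new entry says only that the implementation "may not be constant time", which leaves the next maintainer no way to tell what at `src:pk_gen.c:314` (or `:322`) leaks or why it is acceptable to hide it. Memcheck raises a Value error rather than a Cond error when an undefined value is consumed as an address or similar, so under the constant-time harness the Value8 entry most likely marks a secret-dependent memory access inside key generation, and a Cond entry a secret-dependent branch; that distinction belongs in the name, e.g. `Classic McEliece 348864 AVX2: secret-dependent memory access in pk_gen.c:314 reached from crypto_kem_keypair; tracked in <issue>`. Because the `src:` frame is pinned to a line number, these entries silently stop matching after any edit to pk_gen.c, so recording the upstream PQClean revision they were generated against in the name would also help.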
@@ -1,3 +1,19 @@
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:35
+ # fun:extract_01_masks
+ fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen
+}
+
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:43
+ # fun:extract_mask256
+ fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
@@ -30,6 +46,14 @@
 fun:PQCLEAN_MCELIECE460896_AVX2_crypto_kem_keypair
 }
 
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:315
+ # fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen
+ fun:PQCLEAN_MCELIECE460896_AVX2_crypto_kem_keypair
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
@@ -38,6 +62,22 @@
 fun:PQCLEAN_MCELIECE460896_AVX2_crypto_kem_keypair
 }
 
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:320
+ # fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen
+ fun:PQCLEAN_MCELIECE460896_AVX2_crypto_kem_keypair
+}
+
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:323
+ # fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen
+ fun:PQCLEAN_MCELIECE460896_AVX2_crypto_kem_keypair
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Value8
diff --git a/tests/constant_time/kem/issues/classic-mceliece-6960119 b/tests/constant_time/kem/issues/classic-mceliece-6960119
index 4b0646bccc..8732052e45 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-6960119
+++ b/tests/constant_time/kem/issues/classic-mceliece-6960119
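Review bot: The two entries for `src:pk_gen.c:35` and `src:pk_gen.c:43` stop at `fun:PQCLEAN_MCELIECE460896_AVX2_pk_gen`, while every other entry in these files ends at `fun:..._crypto_kem_keypair`. Valgrind matches a suppression against the top of the stack and ignores frames below the last one listed, so the two short entries already match, but they also match pk_gen reached from any caller and do not record that the leak is hit during key generation; for consistency I would append `fun:PQCLEAN_MCELIECE460896_AVX2_crypto_kem_keypair` as the final frame of both. The commented `# fun:extract_01_masks` / `# fun:extract_mask256` lines are the only record of which helper the `src:` line sits in, so please keep that convention when these line numbers are next regenerated.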
@@ -62,6 +62,14 @@
 fun:PQCLEAN_MCELIECE6960119_AVX2_crypto_kem_keypair
 }
 
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:326
+ # fun:PQCLEAN_MCELIECE6960119_AVX2_pk_gen
+ fun:PQCLEAN_MCELIECE6960119_AVX2_crypto_kem_keypair
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond
diff --git a/tests/constant_time/kem/issues/classic-mceliece-8192128 b/tests/constant_time/kem/issues/classic-mceliece-8192128
index c51c58ee69..ec6da0ba8a 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-8192128
+++ b/tests/constant_time/kem/issues/classic-mceliece-8192128
@@ -62,6 +62,14 @@
 fun:PQCLEAN_MCELIECE8192128_AVX2_crypto_kem_keypair
 }
 
+{
+
+ Memcheck:Value8
+ src:pk_gen.c:323
+ # fun:PQCLEAN_MCELIECE8192128_AVX2_pk_gen
+ fun:PQCLEAN_MCELIECE8192128_AVX2_crypto_kem_keypair
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond

From 38fbdc4b359898e8802183508cb3bc9ef0c57d88 Mon Sep 17 00:00:00 2001
From: Pravek Sharma
Date: Thu, 7 Sep 2023 16:56:43 -0400
Subject: [PATCH 2/6] Update McEliece advisories.

---
 docs/algorithms/kem/classic_mceliece.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/algorithms/kem/classic_mceliece.md b/docs/algorithms/kem/classic_mceliece.md
index 2efd78ebda..737cedcbf1 100644
--- a/docs/algorithms/kem/classic_mceliece.md
+++ b/docs/algorithms/kem/classic_mceliece.md
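Review bot: The new entry in classic-mceliece-8192128 has an empty line where the suppression name belongs, between `+{` and `+ Memcheck:Value8`. As far as I recall valgrind's suppression reader skips blank lines, so it would take `Memcheck:Value8` as the name and then fail to parse `src:pk_gen.c:323` as the tool:kind line, which aborts the whole valgrind run for this parameter set instead of merely leaving one finding unsuppressed. Add the description line the sibling entries use, `This implementation of Classic McEliece may not be constant time.`, between the opening brace and the `Memcheck:Value8` line.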
@@ -14,6 +14,7 @@
 ## Advisories
 
 - Classic-McEliece-460896, Classic-McEliece-460896f, Classic-McEliece-6960119, and Classic-McEliece-6960119f parameter sets fail memory leak testing on x86-64 when building with ``clang`` using optimization level ``-O2`` and ``-O3``. Care is advised when using the algorithm at higher optimization levels, and any other compiler and architecture.
+- Current implementation of the algorithm may not be constant-time. Additionally, environment specific constant-time leaks may not be documented; please report potential constant-time leaks when found.
 
 ## Parameter set summary
 

From 91c6818ac3365436299015f675b59c0d30f1f4ab Mon Sep 17 00:00:00 2001
From: Pravek Sharma
Date: Thu, 7 Sep 2023 17:14:30 -0400
Subject: [PATCH 3/6] Update weekly constant time test workflow.

---
 .github/workflows/weekly.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
index 8fcbc049b1..db43200de2 100644
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@@ -16,7 +16,7 @@ jobs:
 container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
 CMAKE_ARGS: -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
 PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
- SKIP_ALGS: 'SPHINCS\+-SHA*,Classic-McEliece-6(.)*'
+ SKIP_ALGS: 'SPHINCS\+-SHA*'
 - name: extensions
 container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
 CMAKE_ARGS: -DOQS_OPT_TARGET=haswell -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON

From b4e1b0cc2b5bc4a43f8da7054e33cac5e6b88767 Mon Sep 17 00:00:00 2001
From: Pravek Sharma
Date: Mon, 11 Sep 2023 13:16:09 -0400
Subject: [PATCH 4/6] Update weekly constant time test workflow. Update McEliece supression files.

---
 .github/workflows/weekly.yml | 2 +-
 tests/constant_time/kem/issues/classic-mceliece-348864 | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
index db43200de2..b37e3b0f90 100644
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@@ -16,7 +16,7 @@ jobs:
 container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
 CMAKE_ARGS: -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
 PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
- SKIP_ALGS: 'SPHINCS\+-SHA*'
+ SKIP_ALGS: 'SPHINCS\+-SHA*, Classic-McEliece-(.)*, BIKE(.)*'
 - name: extensions
 container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
 CMAKE_ARGS: -DOQS_OPT_TARGET=haswell -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
diff --git a/tests/constant_time/kem/issues/classic-mceliece-348864 b/tests/constant_time/kem/issues/classic-mceliece-348864
index f71ae9c0d3..07c1510ab1 100644
--- a/tests/constant_time/kem/issues/classic-mceliece-348864
+++ b/tests/constant_time/kem/issues/classic-mceliece-348864
@@ -174,6 +174,14 @@
 fun:PQCLEAN_MCELIECE348864_AVX2_crypto_kem_keypair
 }
 
+{
+ This implementation of Classic McEliece may not be constant time.
+ Memcheck:Value8
+ src:pk_gen.c:322
+ # fun:PQCLEAN_MCELIECE348864_AVX2_pk_gen
+ fun:PQCLEAN_MCELIECE348864_AVX2_crypto_kem_keypair
+}
+
 {
 This implementation of Classic McEliece may not be constant time.
 Memcheck:Cond

From 60a3778d2766c0dc68aeec71d3a83e1337e51c11 Mon Sep 17 00:00:00 2001
From: Pravek Sharma
Date: Mon, 11 Sep 2023 13:24:47 -0400
Subject: [PATCH 5/6] Update BIKE advisories.

---
 docs/algorithms/kem/bike.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/algorithms/kem/bike.md b/docs/algorithms/kem/bike.md
index bbb2ebdc71..3dc496bcd8 100644
--- a/docs/algorithms/kem/bike.md
+++ b/docs/algorithms/kem/bike.md
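Review bot: The new `SKIP_ALGS` value puts a space after each comma, `'SPHINCS\+-SHA*, Classic-McEliece-(.)*, BIKE(.)*'`, where the value it replaces (and the earlier `'SPHINCS\+-SHA*,Classic-McEliece-6(.)*'`) had none. Unless the test harness strips whitespace around each comma-separated pattern, the second and third patterns become ` Classic-McEliece-(.)*` and ` BIKE(.)*`, which cannot match an algorithm name at its start, so the generic job would keep running exactly the Classic McEliece and BIKE constant-time tests this commit intends to skip; please confirm against the SKIP_ALGS handling in the test helpers or drop the spaces, e.g. `SKIP_ALGS: 'SPHINCS\+-SHA*,Classic-McEliece-.*,BIKE.*'`. Skipping the whole Classic-McEliece family in the generic job also means the non-AVX2 build presumably gets no constant-time coverage at all, since the suppressions added in this series only name `_AVX2_` symbols; a YAML comment beside the skip stating that reason and what would unblock it would keep the gap from being forgotten.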
@@ -11,6 +11,9 @@
 - **Ancestors of primary source**:
 - https://bikesuite.org/files/v5.0/Reference_Implementation.2022.10.04.1.zip
 
+## Advisories
+This implementation of BIKE is not constant time.
+
 ## Parameter set summary
 
 | Parameter set | Security model | Claimed NIST Level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |

From 62e2ec650b1b3985c1086583d8f7c6700522e7ec Mon Sep 17 00:00:00 2001
From: Pravek Sharma
Date: Mon, 11 Sep 2023 15:15:06 -0400
Subject: [PATCH 6/6] Restored BIKE advisories. Deleted unused BIKE supressions.

---
 .github/workflows/weekly.yml | 2 +-
 docs/algorithms/kem/bike.md | 3 ---
 docs/algorithms/kem/classic_mceliece.yml | 1 +
 .../kem/issues/bike_has_no_timing_protections | 18 ------------------
 4 files changed, 2 insertions(+), 22 deletions(-)
 delete mode 100644 tests/constant_time/kem/issues/bike_has_no_timing_protections

diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
index b37e3b0f90..cbfa2c3677 100644
--- a/.github/workflows/weekly.yml
+++ b/.github/workflows/weekly.yml
@@ -16,7 +16,7 @@ jobs:
 container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
 CMAKE_ARGS: -DOQS_OPT_TARGET=generic -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
 PYTEST_ARGS: --numprocesses=auto -k 'test_constant_time'
- SKIP_ALGS: 'SPHINCS\+-SHA*, Classic-McEliece-(.)*, BIKE(.)*'
+ SKIP_ALGS: 'SPHINCS\+-SHA*, Classic-McEliece-(.)*'
 - name: extensions
 container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
 CMAKE_ARGS: -DOQS_OPT_TARGET=haswell -DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
diff --git a/docs/algorithms/kem/bike.md b/docs/algorithms/kem/bike.md
index 3dc496bcd8..bbb2ebdc71 100644
--- a/docs/algorithms/kem/bike.md
+++ b/docs/algorithms/kem/bike.md
@@ -11,9 +11,6 @@
 - **Ancestors of primary source**:
 - https://bikesuite.org/files/v5.0/Reference_Implementation.2022.10.04.1.zip
 
-## Advisories
-This implementation of BIKE is not constant time.
-
 ## Parameter set summary
 
 | Parameter set | Security model | Claimed NIST Level | Public key size (bytes) | Secret key size (bytes) | Ciphertext size (bytes) | Shared secret size (bytes) |
diff --git a/docs/algorithms/kem/classic_mceliece.yml b/docs/algorithms/kem/classic_mceliece.yml
index c09b364b1e..9208251b01 100644
--- a/docs/algorithms/kem/classic_mceliece.yml
+++ b/docs/algorithms/kem/classic_mceliece.yml
@@ -26,6 +26,7 @@ advisories:
 building with ``clang`` using optimization level ``-O2`` and ``-O3``. Care is advised when using the algorithm at higher optimization levels, and any other compiler and architecture.
+- Current implementation of the algorithm may not be constant-time. Additionally, environment specific constant-time leaks may not be documented; please report potential constant-time leaks when found.
 parameter-sets:
 - name: Classic-McEliece-348864
 claimed-nist-level: 1
diff --git a/tests/constant_time/kem/issues/bike_has_no_timing_protections b/tests/constant_time/kem/issues/bike_has_no_timing_protections
deleted file mode 100644
index 83601cd748..0000000000
--- a/tests/constant_time/kem/issues/bike_has_no_timing_protections
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- The implementation of BIKE in liboqs is not constant time
- Memcheck:Cond
- ...
- fun:OQS_KEM_bike*
-}
-{
- The implementation of BIKE in liboqs is not constant time
- Memcheck:Value1
- ...
- fun:OQS_KEM_bike*
-}
-{
- The implementation of BIKE in liboqs is not constant time
- Memcheck:Value8
- ...
- fun:OQS_KEM_bike*
-}