Diffstat (limited to '')
-rw-r--r--src/regress/lib/libcrypto/mlkem/mlkem768_iteration_test.c149
1 files changed, 0 insertions, 149 deletions
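diff --git a/src/regress/lib/libcrypto/mlkem/mlkem768_iteration_test.c b/src/regress/lib/libcrypto/mlkem/mlkem768_iteration_test.c
deleted file mode 100644
index 9517980d7b..0000000000
--- a/src/regress/lib/libcrypto/mlkem/mlkem768_iteration_test.c
+++ /dev/null
@@ -1,149 +0,0 @@
-/* $OpenBSD: mlkem768_iteration_test.c,v 1.3 2024/12/20 00:07:12 tb Exp $ */
-/*
- * Copyright (c) 2024 Google Inc.
- * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
- * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <err.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "mlkem.h"
-
-#include "mlkem_internal.h"
-#include "mlkem_tests_util.h"
-#include "sha3_internal.h"
-
-/*
- * The structure of this test is taken from
- * https://github.com/C2SP/CCTV/blob/main/ML-KEM/README.md?ref=words.filippo.io#accumulated-pq-crystals-vectors
- * but the final value has been updated to reflect the change from Kyber to
- * ML-KEM.
- *
- * The deterministic RNG is a single SHAKE-128 instance with an empty input.
- * (The RNG stream starts with 7f9c2ba4e88f827d616045507605853e.)
- */
-
-static int
-MlkemIterativeTest(void)
-{
- /* https://github.com/C2SP/CCTV/tree/main/ML-KEM */
- /*
- * The deterministic RNG is a single SHAKE-128 instance with an empty input.
- * (The RNG stream starts with 7f9c2ba4e88f827d616045507605853e.)
- */
- const uint8_t kExpectedSeedStart[16] = {
- 0x7f, 0x9c, 0x2b, 0xa4, 0xe8, 0x8f, 0x82, 0x7d, 0x61, 0x60, 0x45,
- 0x50, 0x76, 0x05, 0x85, 0x3e
- };
-
- /*
- * Filippo says:
- * ML-KEM-768: f7db260e1137a742e05fe0db9525012812b004d29040a5b606aad3d134b548d3
- * but Boring believes this:
- */
- const uint8_t kExpectedAdam[32] = {
- 0xf9, 0x59, 0xd1, 0x8d, 0x3d, 0x11, 0x80, 0x12, 0x14, 0x33, 0xbf,
- 0x0e, 0x05, 0xf1, 0x1e, 0x79, 0x08, 0xcf, 0x9d, 0x03, 0xed, 0xc1,
- 0x50, 0xb2, 0xb0, 0x7c, 0xb9, 0x0b, 0xef, 0x5b, 0xc1, 0xc1
- };
- uint8_t encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES];
- uint8_t invalid_ciphertext[MLKEM768_CIPHERTEXT_BYTES];
- uint8_t shared_secret[MLKEM_SHARED_SECRET_BYTES];
- uint8_t ciphertext[MLKEM768_CIPHERTEXT_BYTES];
- uint8_t encap_entropy[MLKEM_ENCAP_ENTROPY];
- uint8_t seed[MLKEM_SEED_BYTES] = {0};
- struct MLKEM768_private_key priv;
- struct MLKEM768_public_key pub;
- sha3_ctx drng, results;
- uint8_t out[32];
- int i;
-
- shake128_init(&drng);
- shake128_init(&results);
-
- shake_xof(&drng);
- for (i = 0; i < 10000; i++) {
- uint8_t *encoded_private_key = NULL;
- size_t encoded_private_key_len;
-
- /*
- * This should draw both d and z from DRNG concatenating in
- * seed.
- */
- shake_out(&drng, seed, sizeof(seed));
- if (i == 0) {
- if (compare_data(seed, kExpectedSeedStart,
- sizeof(kExpectedSeedStart), 0, "seed start") != 0)
- errx(1, "compare_data");
- }
-
- /* generate ek as encoded_public_key */
- MLKEM768_generate_key_external_entropy(encoded_public_key,
- &priv, seed);
- MLKEM768_public_from_private(&pub, &priv);
-
- /* hash in ek */
- shake_update(&results, encoded_public_key,
- sizeof(encoded_public_key));
-
- /* marshal priv to dk as encoded_private_key */
- if (!mlkem768_encode_private_key(&priv, &encoded_private_key,
- &encoded_private_key_len))
- errx(1, "mlkem768_encode_private_key");
-
- /* hash in dk */
- shake_update(&results, encoded_private_key,
- encoded_private_key_len);
-
- free(encoded_private_key);
-
- /* draw m as encap entropy from DRNG */
- shake_out(&drng, encap_entropy, sizeof(encap_entropy));
-
- /* generate ct as ciphertext, k as shared_secret */
- MLKEM768_encap_external_entropy(ciphertext, shared_secret,
- &pub, encap_entropy);
-
- /* hash in ct */
- shake_update(&results, ciphertext, sizeof(ciphertext));
- /* hash in k */
- shake_update(&results, shared_secret, sizeof(shared_secret));
-
- /* draw ct as invalid_ciphertxt from DRNG */
- shake_out(&drng, invalid_ciphertext,
- sizeof(invalid_ciphertext));
-
- /* generte k as shared secret from invalid ciphertext */
- if (!MLKEM768_decap(shared_secret, invalid_ciphertext,
- sizeof(invalid_ciphertext), &priv))
- errx(1, "decap failed");
-
- /* hash in k */
- shake_update(&results, shared_secret, sizeof(shared_secret));
- }
- shake_xof(&results);
- shake_out(&results, out, sizeof(out));
-
- return compare_data(kExpectedAdam, out, sizeof(out), i, "final result hash");
-}
-
-int
-main(int argc, char **argv)
-{
- return MlkemIterativeTest();
-}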