pq_crypto 0.6.1 → 0.6.3

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/cbmc.h

@@ -8,16 +8,27 @@
 /***************************************************
  * Basic replacements for __CPROVER_XXX contracts
  ***************************************************/
+/*
+ * The `__contract__` / `__loop__` annotation macros use a
+ * leading-double-underscore spelling in line with other CBMC macros.
+ * clang-tidy flags these as reserved identifiers; we suppress the diagnostic
+ * at each definition site (NOLINT) rather than disabling the check globally,
+ * so it stays active for the rest of the tree.
+ */
 #ifndef CBMC
 
-#define __contract__(x)
-#define __loop__(x)
+/* clang-format off */
+#define __contract__(x) /* NOLINT(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp) */
+#define __loop__(x) /* NOLINT(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp) */
+/* clang-format on */
 
 #else /* !CBMC */
 
 
-#define __contract__(x) x
-#define __loop__(x) x
+/* clang-format off */
+#define __contract__(x) x /* NOLINT(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp) */
+#define __loop__(x) x /* NOLINT(bugprone-reserved-identifier,cert-dcl37-c,cert-dcl51-cpp) */
+/* clang-format on */
 
 /* https://diffblue.github.io/cbmc/contracts-assigns.html */
 #define assigns(...) __CPROVER_assigns(__VA_ARGS__)
@@ -80,24 +91,36 @@
  * Quantifiers
  * Note that the range on qvar is _exclusive_ between qvar_lb .. qvar_ub
  * https://diffblue.github.io/cbmc/contracts-quantifiers.html
+ *
+ * The quantified variable is declared as uint32_t, so these macros
+ * quantify only over indices in [0, UINT32_MAX). Bounds larger than
+ * UINT32_MAX (4 GiB) are NOT supported: the explicit (uint32_t) casts
+ * on the bounds will trigger CBMC's conversion check if a wider bound
+ * (e.g. a size_t > UINT32_MAX) is passed.
+ *
+ * Quantifying over size_t (64-bit) was found to blow up SMT proof
+ * times, so we deliberately keep the index width at 32 bits. Callers
+ * dealing with size_t-typed buffers must add an explicit
+ *   requires(len <= UINT32_MAX)
+ * precondition.
  */
 
 /*
  * Prevent clang-format from corrupting CBMC's special ==> operator
  */
 /* clang-format off */
-#define forall(qvar, qvar_lb, qvar_ub, predicate)                 \
-  __CPROVER_forall                                                \
-  {                                                               \
-    unsigned qvar;                                                \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==> (predicate)   \
+#define forall(qvar, qvar_lb, qvar_ub, predicate)                              \
+  __CPROVER_forall                                                             \
+  {                                                                            \
+    uint32_t qvar;                                                             \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) ==> (predicate) \
   }
 
-#define exists(qvar, qvar_lb, qvar_ub, predicate)               \
-  __CPROVER_exists                                              \
-  {                                                             \
-    unsigned qvar;                                              \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) && (predicate)  \
+#define exists(qvar, qvar_lb, qvar_ub, predicate)                              \
+  __CPROVER_exists                                                             \
+  {                                                                            \
+    uint32_t qvar;                                                             \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) && (predicate) \
   }
 /* clang-format on */
 
@@ -126,8 +149,8 @@
                          value_lb, value_ub)                           \
   __CPROVER_forall                                                     \
   {                                                                    \
-    unsigned qvar;                                                     \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==>                    \
+    uint32_t qvar;                                                     \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) ==> \
         (((int)(value_lb) <= ((array_var)[(qvar)])) &&                 \
          (((array_var)[(qvar)]) < (int)(value_ub)))                    \
   }
@@ -139,8 +162,8 @@
 #define array_unchanged_core(qvar, qvar_lb, qvar_ub, array_var)        \
   __CPROVER_forall                                                     \
   {                                                                    \
-    unsigned qvar;                                                     \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==>                    \
+    uint32_t qvar;                                                     \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) ==> \
     ((array_var)[(qvar)]) == (old(* (int16_t (*)[(qvar_ub)])(array_var)))[(qvar)] \
   }
 
@@ -150,8 +173,8 @@
 #define array_unchanged_u64_core(qvar, qvar_lb, qvar_ub, array_var)    \
   __CPROVER_forall                                                     \
   {                                                                    \
-    unsigned qvar;                                                     \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==>                    \
+    uint32_t qvar;                                                     \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) ==> \
     ((array_var)[(qvar)]) == (old(* (uint64_t (*)[(qvar_ub)])(array_var)))[(qvar)] \
   }
 

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/common.h

@@ -24,8 +24,12 @@
  * this can be overwritten by the user, e.g. for single-CU builds. */
 #if !defined(MLK_CONFIG_INTERNAL_API_QUALIFIER)
 #define MLK_INTERNAL_API
+#define MLK_INTERNAL_DATA_DECLARATION extern
+#define MLK_INTERNAL_DATA_DEFINITION
 #else
 #define MLK_INTERNAL_API MLK_CONFIG_INTERNAL_API_QUALIFIER
+#define MLK_INTERNAL_DATA_DECLARATION MLK_CONFIG_INTERNAL_API_QUALIFIER
+#define MLK_INTERNAL_DATA_DEFINITION MLK_CONFIG_INTERNAL_API_QUALIFIER
 #endif
 
 #if !defined(MLK_CONFIG_EXTERNAL_API_QUALIFIER)
@@ -218,14 +222,18 @@
 #if !defined(MLK_CONFIG_CUSTOM_ALLOC_FREE)
 /* Default: stack allocation */
 
+/* This is a declaration macro, not an expression macro: T is a type and v is
+ * a declarator, neither of which can be wrapped in parentheses. The
+ * bugprone-macro-parentheses diagnostic is therefore a false positive here. */
 #define MLK_ALLOC(v, T, N, context) \
   MLK_ALIGN T mlk_alloc_##v[N];     \
-  T *v = mlk_alloc_##v
+  T *v = mlk_alloc_##v /* NOLINT(bugprone-macro-parentheses) */
 
-/* TODO: This leads to a circular dependency between common and verify.h
- * It just works out before we're at the end of the file, but it's still
- * prone to issues in the future. */
-#include "verify.h"
+/* The MLK_FREE macro body references mlk_zeroize(), which is declared in
+ * verify.h. We deliberately do NOT include verify.h here: doing so would
+ * create a circular dependency (verify.h includes common.h), and common.h
+ * itself never calls mlk_zeroize() -- only the macro expansion does. Each
+ * translation unit that uses MLK_FREE therefore includes verify.h directly. */
 #define MLK_FREE(v, T, N, context)                     \
   do                                                   \
   {                                                    \
@@ -261,13 +269,13 @@
 /****************************** Error codes ***********************************/
 
 /* Generic failure condition */
-#define MLK_ERR_FAIL -1
+#define MLK_ERR_FAIL (-1)
 /* An allocation failed. This can only happen if MLK_CONFIG_CUSTOM_ALLOC_FREE
  * is defined and the provided MLK_CUSTOM_ALLOC can fail. */
-#define MLK_ERR_OUT_OF_MEMORY -2
+#define MLK_ERR_OUT_OF_MEMORY (-2)
 /* An rng failure occured. Might be due to insufficient entropy or
  * system misconfiguration. */
-#define MLK_ERR_RNG_FAIL -3
+#define MLK_ERR_RNG_FAIL (-3)
 
 #endif /* !__ASSEMBLER__ */
 

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/compress.c

@@ -32,7 +32,7 @@
  *            - In contrast to the reference implementation, we assume
  *              unsigned canonical coefficients here.
  *              The reference implementation works with coefficients
- *              in the range (-MLKEM_Q+1,...,MLKEM_Q-1). */
+ *              in the range [-(MLKEM_Q-1), MLKEM_Q-1]. */
 MLK_STATIC_TESTABLE void mlk_poly_compress_d4_c(
     uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D4], const mlk_poly *a)
 __contract__(
@@ -46,14 +46,16 @@ __contract__(
   mlk_assert_bound(a, MLKEM_N, 0, MLKEM_Q);
 
   for (i = 0; i < MLKEM_N / 8; i++)
-  __loop__(invariant(i <= MLKEM_N / 8))
+  __loop__(invariant(i <= MLKEM_N / 8)
+           decreases(MLKEM_N / 8 - i))
   {
     unsigned j;
     uint8_t t[8] = {0};
     for (j = 0; j < 8; j++)
     __loop__(
       invariant(i <= MLKEM_N / 8 && j <= 8)
-      invariant(array_bound(t, 0, j, 0, 16)))
+      invariant(array_bound(t, 0, j, 0, 16))
+      decreases(8 - j))
     {
       t[j] = mlk_scalar_compress_d4(a->coeffs[8 * i + j]);
     }
@@ -94,7 +96,7 @@ __contract__(
  *            - In contrast to the reference implementation, we assume
  *              unsigned canonical coefficients here.
  *              The reference implementation works with coefficients
- *              in the range (-MLKEM_Q+1,...,MLKEM_Q-1). */
+ *              in the range [-(MLKEM_Q-1), MLKEM_Q-1]. */
 MLK_STATIC_TESTABLE void mlk_poly_compress_d10_c(
     uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D10], const mlk_poly *a)
 __contract__(
@@ -107,14 +109,16 @@ __contract__(
   unsigned j;
   mlk_assert_bound(a, MLKEM_N, 0, MLKEM_Q);
   for (j = 0; j < MLKEM_N / 4; j++)
-  __loop__(invariant(j <= MLKEM_N / 4))
+  __loop__(invariant(j <= MLKEM_N / 4)
+           decreases(MLKEM_N / 4 - j))
   {
     unsigned k;
     uint16_t t[4];
     for (k = 0; k < 4; k++)
     __loop__(
       invariant(k <= 4)
-      invariant(forall(r, 0, k, t[r] < (1u << 10))))
+      invariant(forall(r, 0, k, t[r] < (1u << 10)))
+      decreases(4 - k))
     {
       t[k] = mlk_scalar_compress_d10(a->coeffs[4 * j + k]);
     }
@@ -169,7 +173,8 @@ __contract__(
   for (i = 0; i < MLKEM_N / 2; i++)
   __loop__(
     invariant(i <= MLKEM_N / 2)
-    invariant(array_bound(r->coeffs, 0, 2 * i, 0, MLKEM_Q)))
+    invariant(array_bound(r->coeffs, 0, 2 * i, 0, MLKEM_Q))
+    decreases(MLKEM_N / 2 - i))
   {
     r->coeffs[2 * i + 0] = mlk_scalar_decompress_d4((a[i] >> 0) & 0xF);
     r->coeffs[2 * i + 1] = mlk_scalar_decompress_d4((a[i] >> 4) & 0xF);
@@ -216,7 +221,8 @@ __contract__(
   for (j = 0; j < MLKEM_N / 4; j++)
   __loop__(
     invariant(j <= MLKEM_N / 4)
-    invariant(array_bound(r->coeffs, 0, 4 * j, 0, MLKEM_Q)))
+    invariant(array_bound(r->coeffs, 0, 4 * j, 0, MLKEM_Q))
+    decreases(MLKEM_N / 4 - j))
   {
     unsigned k;
     uint16_t t[4];
@@ -230,7 +236,8 @@ __contract__(
     for (k = 0; k < 4; k++)
     __loop__(
       invariant(k <= 4)
-      invariant(array_bound(r->coeffs, 0, 4 * j + k, 0, MLKEM_Q)))
+      invariant(array_bound(r->coeffs, 0, 4 * j + k, 0, MLKEM_Q))
+      decreases(4 - k))
     {
       r->coeffs[4 * j + k] = mlk_scalar_decompress_d10(t[k]);
     }
@@ -269,7 +276,7 @@ __contract__(
  *            - In contrast to the reference implementation, we assume
  *              unsigned canonical coefficients here.
  *              The reference implementation works with coefficients
- *              in the range (-MLKEM_Q+1,...,MLKEM_Q-1). */
+ *              in the range [-(MLKEM_Q-1), MLKEM_Q-1]. */
 MLK_STATIC_TESTABLE void mlk_poly_compress_d5_c(
     uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D5], const mlk_poly *a)
 __contract__(
@@ -283,14 +290,16 @@ __contract__(
   mlk_assert_bound(a, MLKEM_N, 0, MLKEM_Q);
 
   for (i = 0; i < MLKEM_N / 8; i++)
-  __loop__(invariant(i <= MLKEM_N / 8))
+  __loop__(invariant(i <= MLKEM_N / 8)
+           decreases(MLKEM_N / 8 - i))
   {
     unsigned j;
     uint8_t t[8] = {0};
     for (j = 0; j < 8; j++)
     __loop__(
       invariant(i <= MLKEM_N / 8 && j <= 8)
-      invariant(array_bound(t, 0, j, 0, 32)))
+      invariant(array_bound(t, 0, j, 0, 32))
+      decreases(8 - j))
     {
       t[j] = mlk_scalar_compress_d5(a->coeffs[8 * i + j]);
     }
@@ -331,7 +340,7 @@ __contract__(
  *            - In contrast to the reference implementation, we assume
  *              unsigned canonical coefficients here.
  *              The reference implementation works with coefficients
- *              in the range (-MLKEM_Q+1,...,MLKEM_Q-1). */
+ *              in the range [-(MLKEM_Q-1), MLKEM_Q-1]. */
 MLK_STATIC_TESTABLE void mlk_poly_compress_d11_c(
     uint8_t r[MLKEM_POLYCOMPRESSEDBYTES_D11], const mlk_poly *a)
 __contract__(
@@ -345,14 +354,16 @@ __contract__(
   mlk_assert_bound(a, MLKEM_N, 0, MLKEM_Q);
 
   for (j = 0; j < MLKEM_N / 8; j++)
-  __loop__(invariant(j <= MLKEM_N / 8))
+  __loop__(invariant(j <= MLKEM_N / 8)
+           decreases(MLKEM_N / 8 - j))
   {
     unsigned k;
     uint16_t t[8];
     for (k = 0; k < 8; k++)
     __loop__(
       invariant(k <= 8)
-      invariant(forall(r, 0, k, t[r] < (1u << 11))))
+      invariant(forall(r, 0, k, t[r] < (1u << 11)))
+      decreases(8 - k))
     {
       t[k] = mlk_scalar_compress_d11(a->coeffs[8 * j + k]);
     }
@@ -413,7 +424,8 @@ __contract__(
   for (i = 0; i < MLKEM_N / 8; i++)
   __loop__(
     invariant(i <= MLKEM_N / 8)
-    invariant(array_bound(r->coeffs, 0, 8 * i, 0, MLKEM_Q)))
+    invariant(array_bound(r->coeffs, 0, 8 * i, 0, MLKEM_Q))
+    decreases(MLKEM_N / 8 - i))
   {
     unsigned j;
     uint8_t t[8];
@@ -441,7 +453,8 @@ __contract__(
     for (j = 0; j < 8; j++)
     __loop__(
       invariant(j <= 8 && i <= MLKEM_N / 8)
-      invariant(array_bound(r->coeffs, 0, 8 * i + j, 0, MLKEM_Q)))
+      invariant(array_bound(r->coeffs, 0, 8 * i + j, 0, MLKEM_Q))
+      decreases(8 - j))
     {
       r->coeffs[8 * i + j] = mlk_scalar_decompress_d5(t[j]);
     }
@@ -488,7 +501,8 @@ __contract__(
   for (j = 0; j < MLKEM_N / 8; j++)
   __loop__(
     invariant(j <= MLKEM_N / 8)
-    invariant(array_bound(r->coeffs, 0, 8 * j, 0, MLKEM_Q)))
+    invariant(array_bound(r->coeffs, 0, 8 * j, 0, MLKEM_Q))
+    decreases(MLKEM_N / 8 - j))
   {
     unsigned k;
     uint16_t t[8];
@@ -507,7 +521,8 @@ __contract__(
     for (k = 0; k < 8; k++)
     __loop__(
       invariant(k <= 8)
-      invariant(array_bound(r->coeffs, 0, 8 * j + k, 0, MLKEM_Q)))
+      invariant(array_bound(r->coeffs, 0, 8 * j + k, 0, MLKEM_Q))
+      decreases(8 - k))
     {
       r->coeffs[8 * j + k] = mlk_scalar_decompress_d11(t[k]);
     }
@@ -545,7 +560,7 @@ __contract__(
  *            - In contrast to the reference implementation, we assume
  *              unsigned canonical coefficients here.
  *              The reference implementation works with coefficients
- *              in the range (-MLKEM_Q+1,...,MLKEM_Q-1). */
+ *              in the range [-(MLKEM_Q-1), MLKEM_Q-1]. */
 MLK_STATIC_TESTABLE void mlk_poly_tobytes_c(uint8_t r[MLKEM_POLYBYTES],
                                             const mlk_poly *a)
 __contract__(
@@ -559,7 +574,8 @@ __contract__(
   mlk_assert_bound(a, MLKEM_N, 0, MLKEM_Q);
 
   for (i = 0; i < MLKEM_N / 2; i++)
-  __loop__(invariant(i <= MLKEM_N / 2))
+  __loop__(invariant(i <= MLKEM_N / 2)
+           decreases(MLKEM_N / 2 - i))
   {
     /* The conversion to uint16_t is safe since we assume that
      * the coefficients of `a` are non-negative. */
@@ -619,12 +635,18 @@ __contract__(
   for (i = 0; i < MLKEM_N / 2; i++)
   __loop__(
     invariant(i <= MLKEM_N / 2)
-    invariant(array_bound(r->coeffs, 0, 2 * i, 0, MLKEM_UINT12_LIMIT)))
+    invariant(array_bound(r->coeffs, 0, 2 * i, 0, MLKEM_UINT12_LIMIT))
+    decreases(MLKEM_N / 2 - i))
   {
     const uint8_t t0 = a[3 * i + 0];
     const uint8_t t1 = a[3 * i + 1];
     const uint8_t t2 = a[3 * i + 2];
-    r->coeffs[2 * i + 0] = (int16_t)(t0 | ((t1 << 8) & 0xFFF));
+    /* Safety:
+     * - The explicit cast to uint16_t ensures that << 8 does
+     *   not signed-overflow even on a 16-bit system.
+     * - The cast to int16_t is safe due to the explicit 0xFFF truncation.
+     */
+    r->coeffs[2 * i + 0] = (int16_t)(t0 | (((uint16_t)t1 << 8) & 0xFFF));
     r->coeffs[2 * i + 1] = (int16_t)((t1 >> 4) | (t2 << 4));
   }
 
@@ -664,13 +686,15 @@ void mlk_poly_frommsg(mlk_poly *r, const uint8_t msg[MLKEM_INDCPA_MSGBYTES])
   for (i = 0; i < MLKEM_N / 8; i++)
   __loop__(
     invariant(i <= MLKEM_N / 8)
-    invariant(array_bound(r->coeffs, 0, 8 * i, 0, MLKEM_Q)))
+    invariant(array_bound(r->coeffs, 0, 8 * i, 0, MLKEM_Q))
+    decreases(MLKEM_N / 8 - i))
   {
     unsigned j;
     for (j = 0; j < 8; j++)
     __loop__(
       invariant(i <  MLKEM_N / 8 && j <= 8)
-      invariant(array_bound(r->coeffs, 0, 8 * i + j, 0, MLKEM_Q)))
+      invariant(array_bound(r->coeffs, 0, 8 * i + j, 0, MLKEM_Q))
+      decreases(8 - j))
     {
       /* mlk_ct_sel_int16(MLKEM_Q_HALF, 0, b) is `Decompress_1(b != 0)`
        * as per @[FIPS203, Eq (4.8)]. */
@@ -687,24 +711,26 @@ void mlk_poly_frommsg(mlk_poly *r, const uint8_t msg[MLKEM_INDCPA_MSGBYTES])
  *            - In contrast to the reference implementation, we assume
  *              unsigned canonical coefficients here.
  *              The reference implementation works with coefficients
- *              in the range (-MLKEM_Q+1,...,MLKEM_Q-1).
+ *              in the range [-(MLKEM_Q-1), MLKEM_Q-1].
  */
 MLK_INTERNAL_API
-void mlk_poly_tomsg(uint8_t msg[MLKEM_INDCPA_MSGBYTES], const mlk_poly *a)
+void mlk_poly_tomsg(uint8_t msg[MLKEM_INDCPA_MSGBYTES], const mlk_poly *r)
 {
   unsigned i;
-  mlk_assert_bound(a, MLKEM_N, 0, MLKEM_Q);
+  mlk_assert_bound(r, MLKEM_N, 0, MLKEM_Q);
 
   for (i = 0; i < MLKEM_N / 8; i++)
-  __loop__(invariant(i <= MLKEM_N / 8))
+  __loop__(invariant(i <= MLKEM_N / 8)
+           decreases(MLKEM_N / 8 - i))
   {
     unsigned j;
     msg[i] = 0;
     for (j = 0; j < 8; j++)
     __loop__(
-      invariant(i <= MLKEM_N / 8 && j <= 8))
+      invariant(i <= MLKEM_N / 8 && j <= 8)
+      decreases(8 - j))
     {
-      uint32_t t = mlk_scalar_compress_d1(a->coeffs[8 * i + j]);
+      uint32_t t = mlk_scalar_compress_d1(r->coeffs[8 * i + j]);
       msg[i] |= (uint8_t)(t << j);
     }
   }