Skip to content

OQS CI: Enable constant-time tests #1200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 7, 2025
Merged

OQS CI: Enable constant-time tests #1200

merged 4 commits into from
Oct 7, 2025

Conversation

mkannwischer
Copy link
Contributor

@mkannwischer mkannwischer commented Sep 26, 2025
edited
Loading

Currently our liboqs integration tests are skipping the oqs constant time tests. There is no reason to skip those.

This commit adds
-DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON which enables the constant-time tests.

@mkannwischer mkannwischer changed the title OQS CI: Enable constant-time tets OQS CI: Enable constant-time tests Sep 26, 2025
@mkannwischer mkannwischer marked this pull request as ready for review September 26, 2025 05:53
@mkannwischer mkannwischer requested a review from a team as a code owner September 26, 2025 05:53
@mkannwischer mkannwischer marked this pull request as draft September 27, 2025 04:02
@mkannwischer
Copy link
Contributor Author

https://github.com/pq-code-package/mlkem-native/actions/runs/18054655007 shows that this does not work as expected - removing a declassification causes tests/test_leaks.py to fail, but test_constant_time.py still happily passes.
I need to look into this in more detail.

@mkannwischer mkannwischer mentioned this pull request Sep 27, 2025
Merged
@mkannwischer
Copy link
Contributor Author

https://github.com/pq-code-package/mlkem-native/actions/runs/18054655007 shows that this does not work as expected - removing a declassification causes tests/test_leaks.py to fail, but test_constant_time.py still happily passes. I need to look into this in more detail.

I looked into it. It turns out that the whitelist in OQS still matches the functions that were tested here.
When the whitelist is removed from OQS, it fails as it should:
https://github.com/pq-code-package/mlkem-native/actions/runs/18152553215

I added that removal to the CI workflow.

@mkannwischer mkannwischer marked this pull request as ready for review October 1, 2025 05:39
@mkannwischer mkannwischer mentioned this pull request Oct 3, 2025
Closed
@hanno-becker
Copy link
Contributor

@mkannwischer Can you open an issue so we don't forget to remove the patch once the fix has been merged?

mkannwischer and others added 4 commits October 7, 2025 10:10
@mkannwischer @hanno-becker
OQS CI: Enable constant-time tets
47d2d9e 
Currently our liboqs integration tests are skipping the oqs constant time
tests. There is no reason to skip those.

This commit adds
-DCMAKE_BUILD_TYPE=Debug -DOQS_ENABLE_TEST_CONSTANT_TIME=ON
which enables the constant-time tests.

Resolves #1199

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer @hanno-becker
Enable constant-time declassifications in liboqs
afb7d17 
This commit enables declassifications when constant-time tests are performed
in liboqs.
It is essential that MLK_CONFIG_CT_TESTING_ENABLED is set BEFORE sys.h
is included.
With this changed, the constant-time tests pass again in liboqs.

The reason that the constant time tests are not failing upstream is that
liboqs maintains a whitelist of code locations that are expected to fail
constant time testing.
In the meantime, we have ranamed checks_sk in
a00cc0d which is causing constant-time
failures as the whitelist was not updated.
The whitelist approach is not robust and we should not rely on it.

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@mkannwischer @hanno-becker
OQS CI: Remove upstream constant-time suppressions
1dee990 
In OQS constant-time testing is done by documenting all known potential
constant-time violations that are known to be false positives as
"passes".
In mlkem-native we take a diffeernt approach and have explicit declassifications
in the code.
The previous commit enabled the declassifications in the OQS CI.
However, as the "passes" are still in OQS upstream, tests would pass even if
our declassications would be removed.
This commit patches OQS as a part of our CI to remove the constant-time
passes.

I have tested in CI that this removal will make the constant-time tests
fail in case declassifcations are removed.

Signed-off-by: Matthias J. Kannwischer <matthias@kannwischer.eu>
@willieyz @hanno-becker
CI: Fix typo in config-variation action
cf7ac13 
- We found this typo during mldsa-native PR#489, fixing it with  this commit,
see:
pq-code-package/mldsa-native#489 (comment)

Signed-off-by: willieyz <willie.zhao@chelpis.com>
@hanno-becker hanno-becker merged commit d5eea7c into main Oct 7, 2025
379 checks passed
@hanno-becker hanno-becker deleted the oqs-ct branch October 7, 2025 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hanno-becker hanno-becker hanno-becker approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OQS CI: Constant-time tests are being skipped

3 participants

@mkannwischer @hanno-becker @willieyz