Add runtime options to break the pairwise consistency test for Ed, ML-KEM, and ML-DSA

[andrewhop]

Description of changes:

To easily demonstrate the pairwise consistency tests function this change adds support to the existing BORINGSSL_FIPS_BREAK_TEST environment variable.

Testing:

This adds a new test file for all the runtime tests and runs them from the run_fips_test.sh script on the break-able build.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.05%. Comparing base (154f998) to head (762bc9d).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2192   +/-   ##
=======================================
  Coverage   79.05%   79.05%           
=======================================
  Files         612      612           
  Lines      106159   106159           
  Branches    15002    15002           
=======================================
+ Hits        83923    83927    +4     
+ Misses      21582    21579    -3     
+ Partials      654      653    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jakemas]

LGTM!

[torben-hansen]

Suggested change

	echo "BoringSSL checkout and ensure that ./build-fips-break-test-binaries.sh"
	echo "AWS-LC checkout and ensure that ./build-fips-break-test-binaries.sh"

?

[skmcgrail]

Broader question, what is the purpose of test_fips.c. My recollection is that it is an abomination of a file with a very large main function, and I'm pretty sure doesn't include support for everything that is FIPS approved. Honestly it feels a bit duplicative to what should be in crypto_test?

[skmcgrail]

For example I'm pretty sure this doesn't have ed25519ph tested :)

[andrewhop]

You are correct, test_fips is a big file that turns into an executable with some of the algorithms. I think this file was used by BoringSSL to demonstrate certain things to their lab. We now use it in our CI to run/verify the break tests work as expected. In this case I needed to add algorithms to it to trigger the lazy self tests.

The break-tests could use crypto_test, but it's a little hard to write tests for the FIPS failure abort cases.

[andrewhop]

This doesn't need ed25519ph because this change is only adding support to break the pairwise consistency tests and all the Ed stuff uses the same keygen function. However I did need to add the the pre-hash changes to test breaking the self test and that's already checked in https://github.com/aws/aws-lc/blob/main/util/fipstools/test_fips.c#L416-L430.

[hanno-becker]

@andrewhop Could BORINGSSL_FIPS_BREAK_TEST be changed from a string to a numeric value? This would remove the need for the runtime getenv + strcmp check, and would instead allow to know statically whether a PCT breakage should be introduced. In mlkem-native, I could then similarly add a MLK_BREAK_PCT, and set that statically in the compatibility layer between BoringSSL<->mlkem-native.

[hanno-becker]

For the time being, I opened we merged pq-code-package/mlkem-native#788 to basically mirror AWS-LC's runtime behaviour; #2176 is updated accordingly. I'd still prefer not having to do this, though, and understand if/why the runtime logic is needed here.