Update liboqs and oqs-provider submodules - Add X25519MLKEM768 NIST f… #2091
…inalized PQ Key exchange
I don't have access to coverity, so I can't tell for sure if updating like this fixes the problems. Would you be able to check? |
coverity runs daily, let's see tomorrow |
Has the coverity scan reported no errors with the submodules? I can see the overview but not the details. |
https://github.com/SoftEtherVPN/SoftEtherVPN/actions/workflows/coverity.yml scan was 20 hours ago, 1 hour before merge. |
Oh I didn't realize that was before merge! |
What's the result? As far as I can tell, the action just shows that Coverity ran, not the results. |
Does Coverity have the potential for false positives? We should create issue reports in the oqs-provider repository if these are true positives. |
I thought it would be "update submodule and forget", seems we'll dig deeper
…On Thu, Jan 16, 2025, 07:42 siddharth-narayan ***@***.***> wrote:
Does Coverity have the potential for false positives?
We should create issue reports in the oqs-provider repository if these are
true positives.
|
@siddharth-narayan, I've approved your account, feel free to review findings. Here's an example of an automated workflow: https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/.github/workflows/coverity.yml |
I thought it would be very simple too :( I saw the approval, so I'll check out the code, but I'm not at all familiar with it. I'm not associated with oqs at all, so we might have to make an issue on their repo. |
I'd say that Coverity has the lowest false positive rate compared to other analyzers. Of course, false positives are possible. |
I've already covered a few issues but most issues seem to be false positives. Look at this code for example. All the errors are the same as the one I posted previously, and additionally the offset There's also this much more reasonable example where Coverity can't reasonably be expected to follow the flow properly, but The problem is this type of code is duplicated quite a bit everywhere, considering that they support the same algorithms with different sizes, so it results in many false positives. |
Fixes #2090
This PR updates submodules:
The NIST has finalized Crystals Kyber into what is now ML-KEM. ML-KEM has been added in this liboqs version, so it has also been added into the list of TLS groups that we attempt to connect with.
This version of liboqs is the last with support for the previous x25519_kyber768 exchange, so in the future, if these submodules are updated, those keys will have to be removed.