[openssl/openssl] 15e275: ML-KEM768


openssl-machine

Jan 25, 2025, 7:20:39 AM
to openssl...@openssl.org
Branch: refs/heads/feature/ml-kem
Home: https://github.com/openssl/openssl
Commit: 15e275eb3081ad358af050eb8ae4b0f37ee00e40
https://github.com/openssl/openssl/commit/15e275eb3081ad358af050eb8ae4b0f37ee00e40
Author: Michael Baentsch <57787676...@users.noreply.github.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M Configure
M crypto/build.info
A crypto/mlkem/build.info
A crypto/mlkem/mlkem768.c
A include/crypto/mlkem.h
M include/internal/constant_time.h
M include/internal/tlsgroups.h
M providers/common/capabilities.c
M providers/defltprov.c
M providers/implementations/include/prov/implementations.h
A providers/implementations/include/prov/mlkem.h
M providers/implementations/include/prov/names.h
M providers/implementations/kem/build.info
A providers/implementations/kem/ml_kem.c
M providers/implementations/keymgmt/build.info
A providers/implementations/keymgmt/mlkem_kmgmt.c
M test/build.info
M test/evp_extra_test.c
A test/mlkem_internal_test.c

Log Message:
-----------
ML-KEM768

Based on code from BoringSSL covered under Google CCLA

Original code at https://boringssl.googlesource.com/boringssl/+/HEAD/crypto/mlkem

VSCode automatic formatting (and...@openssl.org)

Just do some basic formatting to make diffs easier to read later: convert from 2 to 4 spaces, add newlines after function declarations, and move function open curly brace to new line (and...@openssl.org)

Move variable init to beginning of each function (and...@openssl.org)

replace CBB API

fixing up constants and parameter lists

replace BORINGSSL_keccac calls with EVP calls

added library symbols and low-level test case

switch boringssl constant time routines for OpenSSL ones

data type assertion and negative test added

moved mlkem.h to include/crypto

changed function naming to be in line with ossl convention

remove Google license terms based on CCLA

add constant_time_lt_32

convert asserts to ossl_asserts where possible

add bssl keccak, pubK recreation, formatting

add provider interface to utilize mlkem768 code enabling TLS1.3 use

revert to OpenSSL DigestXOF

use EVP_MD_xof() to determine digest finalisation (pa...@openssl.org)

change APIs to return error codes; reference new IANA number; move static asserts to one place

remove boringssl keccak for good

fix coding style and return value checks

ANSI C compatibility changes

remove static cache objects

all internal retval functions used leading to some new retval functions

Reviewed-by: Tomas Mraz <to...@openssl.org>
Reviewed-by: Matt Caswell <ma...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25848)


Commit: 35eb0e5e25b1648351d0f2fc689fbc060657aed6
https://github.com/openssl/openssl/commit/35eb0e5e25b1648351d0f2fc689fbc060657aed6
Author: Andrew Dinh <and...@openssl.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M crypto/mlkem/mlkem768.c
M include/crypto/mlkem.h
M providers/implementations/include/prov/mlkem.h
M providers/implementations/kem/ml_kem.c
M providers/implementations/keymgmt/mlkem_kmgmt.c
M test/evp_extra_test.c
M test/evp_test.c
M test/mlkem_internal_test.c
A test/recipes/03-test_internal_mlkem.t
M test/recipes/30-test_evp.t
A test/recipes/30-test_evp_data/evppkey_mlkem768_decap.txt
A test/recipes/30-test_evp_data/evppkey_mlkem768_encap.txt
A test/recipes/30-test_evp_data/evppkey_mlkem768_keygen.txt
M test/recipes/30-test_evp_data/evppkey_rsa.txt
M test/testutil.h
M util/perl/OpenSSL/paramnames.pm

Log Message:
-----------
Add ML-KEM-768 KATs from BoringSSL

Add KATs for ML-KEM-768 under CCLA from https://boringssl.googlesource.com/boringssl/

These KATs test key generation, encapsulation, and decapsulation for the
ML-KEM-768 algorithm.

Relevant notes:
- Added functionality to the ML-KEM key management to export/import. These may not
be fully implemented yet (see openssl/openssl#25885)
- Exposed some more low-level ML-KEM API's to the provider implementation to
allow for deterministic encapsulation/key generation
- Actually run 'mlkem_internal_test' with `make test`

Reviewed-by: Neil Horman <nho...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25938)


Commit: 7503c916948ee00f73f481cacd4b3d624274966d
https://github.com/openssl/openssl/commit/7503c916948ee00f73f481cacd4b3d624274966d
Author: Michael Baentsch <57787676...@users.noreply.github.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M doc/build.info
A doc/designs/ML-KEM.md
M doc/man3/EVP_PKEY_decapsulate.pod
M doc/man3/EVP_PKEY_encapsulate.pod
A doc/man7/EVP_KEM-ML-KEM.pod
A doc/man7/EVP_PKEY-ML-KEM.pod
M doc/man7/OSSL_PROVIDER-default.pod
M doc/man7/provider-keymgmt.pod

Log Message:
-----------
Initial ML-KEM documentation

Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26037)


Commit: e0fec96271da0f8c6beb312db5d441d6e7a21793
https://github.com/openssl/openssl/commit/e0fec96271da0f8c6beb312db5d441d6e7a21793
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M .github/workflows/run-checker-ci.yml
M Configure
M INSTALL.md
M crypto/build.info
A crypto/ml_kem/build.info
A crypto/ml_kem/ml_kem.c
R crypto/mlkem/build.info
R crypto/mlkem/mlkem768.c
A include/crypto/ml_kem.h
R include/crypto/mlkem.h
M include/crypto/types.h
M include/internal/tlsgroups.h
M providers/common/capabilities.c
M providers/defltprov.c
M providers/implementations/include/prov/implementations.h
R providers/implementations/include/prov/mlkem.h
M providers/implementations/include/prov/names.h
M providers/implementations/kem/build.info
M providers/implementations/kem/ml_kem.c
M providers/implementations/keymgmt/build.info
A providers/implementations/keymgmt/ml_kem_kmgmt.c
R providers/implementations/keymgmt/mlkem_kmgmt.c
M test/build.info
M test/evp_extra_test.c
M test/evp_test.c
A test/ml_kem_evp_extra_test.c
A test/ml_kem_internal_test.c
R test/mlkem_internal_test.c
A test/recipes/03-test_evp_extra_ml_kem.t
A test/recipes/03-test_internal_ml_kem.t
R test/recipes/03-test_internal_mlkem.t
M test/recipes/30-test_evp.t
A test/recipes/30-test_evp_data/evppkey_ml_kem_1024_decap.txt
A test/recipes/30-test_evp_data/evppkey_ml_kem_1024_encap.txt
A test/recipes/30-test_evp_data/evppkey_ml_kem_1024_keygen.txt
A test/recipes/30-test_evp_data/evppkey_ml_kem_512_decap.txt
A test/recipes/30-test_evp_data/evppkey_ml_kem_512_encap.txt
A test/recipes/30-test_evp_data/evppkey_ml_kem_512_keygen.txt
A test/recipes/30-test_evp_data/evppkey_ml_kem_768_decap.txt
A test/recipes/30-test_evp_data/evppkey_ml_kem_768_encap.txt
A test/recipes/30-test_evp_data/evppkey_ml_kem_768_keygen.txt
R test/recipes/30-test_evp_data/evppkey_mlkem768_decap.txt
R test/recipes/30-test_evp_data/evppkey_mlkem768_encap.txt
R test/recipes/30-test_evp_data/evppkey_mlkem768_keygen.txt
M test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh
M test/sslapitest.c
M util/perl/OpenSSL/paramnames.pm

Log Message:
-----------
Multi-variant ML-KEM

This introduces support for ML-KEM-512 and ML-KEM-1024 using the same
underlying implementation parameterised by a few macros for the
associated types and constants.

KAT tests are added for ML-KEM 512 and 1024, to complement the previous
tests for ML-KEM-768.

MLKEM{512,768,1024} TLS "group" codepoints are updated to match the
final IANA assignments and to make the additional KEMs known to the TLS
layer.

The pure-QC MLKEMs are not in the default list of supported groups, and
need to be explicitly enabled by the application. Future work will
introduce support for hybrids, and for more fine-grained policy of
which keyshares a client should send by default, and when a server
should request (HRR) a new mutually-supported group that was not
sent.

Tests for ML-KEM key exchange added to sslapitest to make sure that our
TLS client MLKEM{512,768,1024} implementations interoperate with our TLS
server, and that MLKEM* are not negotiated in TLS 1.2.

Tests also added to exercise non-derandomised ML-KEM APIs, both
directly (bypassing the provider layer), and through the generic EVP KEM
API (exercising the provider). These make sure that RNG input is used
correctly (KAT tests bypass the RNG by specifying seeds).

The API interface to the provider takes a "const ML_KEM_VINFO" pointer,
(obtained from ossl_ml_kem_get_vinfo()). This checks input and output
buffer sizes before passing control to internal code that assumes
correctly sized (for each variant) buffers.

The original BoringSSL API was refactored to eliminate the opaque
public/private key structure wrappers, since these structures are an
internal detail between libcrypto and the provider, they are not part of
the public (EVP) API.

New "clangover" counter-measures added, refined with much appreciated
input from David Benjamin (Chromium).

The internal steps of "encrypt_cpa" were reordered to reduce the
working-set size of the algorithm, which now needs space for just two
temporary "vectors" rather than three. The "decap" function now processes
the decrypted message in one call, rather than three separate calls to
scalar_decode_1, scalar_decompress and scalar_add.

Some loops were unrolled, improving performance of en/decapsulate
(pre-expanded vectors and matrix) by around 5%.

To handle, however unlikely, the SHA3 primitives not behaving like
"pure" functions and failing, the implementation of `decap` was modified:

- To use the KDF to compute the Fujisaki-Okamoto (FO) failure secret
first thing, and if that fails, bail out returning an error, a shared
secret is still returned at random from the RNG, but it is OK for the
caller to not use it.

- If any of the subsequently used hash primitives fail, use the computed
FO failure secret (OK, despite no longer constant-time) and return
success (otherwise the RNG would replace the result).

- We quite reasonably assume that chosen-ciphertext attacks (of the
correct length) cannot cause hash functions to fail in a manner that
depends on the private key content.

Support for ML-KEM-512 required adding a centered binomial distribution
helper function to deal with η_1 == 3 in just that variant.

Some additional comments were added to highlight how the code relates to
the ML-KEM specification in FIPS 203.

Reviewed-by: Paul Dale <ppz...@gmail.com>
Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26172)
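The centered binomial distribution helper mentioned above for ML-KEM-512 (η_1 == 3), as an added example that is not OpenSSL's code: SamplePolyCBD from FIPS 203 Algorithm 8, written for both η = 2 and η = 3 so the same routine serves every variant. The helper cbd_coeff_of_filled and its constructed one-byte-fill input are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ML_KEM_Q 3329
#define ML_KEM_N 256

/* Bit j of the little-endian bit string of buf (FIPS 203 BytesToBits). */
static unsigned bit_at(const uint8_t *buf, size_t j)
{
    return (buf[j >> 3] >> (j & 7)) & 1u;
}

/*
 * SamplePolyCBD_eta (FIPS 203 Algorithm 8): each coefficient is the
 * difference of two sums of eta bits, reduced mod q. buf holds 64*eta
 * bytes of XOF output. Returns 1 on success, 0 if eta is not an ML-KEM
 * value (eta_1 is 3 for ML-KEM-512, 2 otherwise; eta_2 is always 2).
 */
int sample_poly_cbd(uint16_t f[ML_KEM_N], const uint8_t *buf, unsigned eta)
{
    size_t i;
    unsigned j;

    if (eta != 2 && eta != 3)
        return 0;
    for (i = 0; i < ML_KEM_N; i++) {
        unsigned x = 0, y = 0, v;

        for (j = 0; j < eta; j++) {
            x += bit_at(buf, 2 * i * eta + j);
            y += bit_at(buf, 2 * i * eta + eta + j);
        }
        /* v = x - y + q lies in [q-eta, q+eta]; fold q back in by mask, not by branch */
        v = x + ML_KEM_Q - y;
        v -= ML_KEM_Q & (0u - (unsigned)(v >= ML_KEM_Q));
        f[i] = (uint16_t)v;
    }
    return 1;
}

/*
 * Check helper (constructed input): sample from a 64*eta-byte buffer whose
 * every byte is `fill` and return coefficient idx, or -1 on a bad eta/idx.
 * With fill = 0x01 only bit 0 of each byte is set, so the value of each
 * coefficient follows directly from which 2*eta-bit window it lands in.
 */
int cbd_coeff_of_filled(unsigned eta, uint8_t fill, size_t idx)
{
    uint8_t buf[64 * 3];
    uint16_t f[ML_KEM_N];

    memset(buf, fill, sizeof(buf));
    if (idx >= ML_KEM_N || !sample_poly_cbd(f, buf, eta))
        return -1;
    return f[idx];
}
```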


Commit: b52a49663d3e476ef225fb564a920b20eda8b787
https://github.com/openssl/openssl/commit/b52a49663d3e476ef225fb564a920b20eda8b787
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M providers/implementations/kem/ml_kem.c

Log Message:
-----------
Polish ML-KEM kem provider.

Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Neil Horman <nho...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26236)


Commit: 9772b73776ef1b0b481511759496dbdb30f56026
https://github.com/openssl/openssl/commit/9772b73776ef1b0b481511759496dbdb30f56026
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M crypto/ml_kem/ml_kem.c
M include/crypto/ml_kem.h
M include/crypto/types.h
A include/openssl/ml_kem.h
M providers/common/capabilities.c
M providers/implementations/keymgmt/ml_kem_kmgmt.c
M test/ml_kem_evp_extra_test.c
M test/ml_kem_internal_test.c

Log Message:
-----------
ML-KEM libcrypto implementation polish

* Core ML_KEM constants in new <openssl/ml_kem.h>

* Renamed variant ordinals to ML_KEM_<bits>_VARIANT, freeing
up the unadorned ML_KEM_<bits> names.

* Fewer/cleaner macros in <crypto/ml_kem.h>

* Fewer/cleaner macros for setting up the ML_KEM_VINFO table.

* Made (d, z) be separate inputs to the now single key generation
function. Both or neither have to be NULL. This supports potential
future callers that store them in a different order, or in separate
buffers.

- Random values are chosen when both are NULL; we never return the
generated seeds. Rather we may, when/if (d, z) private key support
is added, store these in the expanded key, and make them available
for import/export.

* No need for a stand-by keygen encoded public key buffer when the
caller does not provide one (will ask for it later if needed).
New `hash_h_pubkey` function can compute the public hash from
the expanded form in constant space (384 bytes for 12-bit encoded
scalar).

* Simplified code in `scalar_mult`.

* New `scalar_mult_add` adds the product to an existing scalar.
Used in new `matrix_mult_transpose_add` replacing `matrix_mult_transpose`.

* Unrolled loop in `encode_12`.

* Folded decompression and inverse NTT into vecode_decode, the three
were always used together.

* Folded inverse NTT into former `matrix_mult` as `matrix_mult_intt`,
always used together.

* New gencbd_vector_ntt combines CBD vector generation with inverse NTT
in one pass.

* All this makes for more readable code in `decrypt_cpa` and especially
`genkey()`, which no longer requires caller-allocated variant-specific
temporary storage (just a single EVP_MD_CTX is still needed).

Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Neil Horman <nho...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26236)


Commit: af49ccf39f0a7ace4ede691186d9debaca498cbc
https://github.com/openssl/openssl/commit/af49ccf39f0a7ace4ede691186d9debaca498cbc
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M apps/pkeyutl.c
M doc/man1/openssl-pkeyutl.pod.in
M test/recipes/20-test_pkeyutl.t

Log Message:
-----------
Fix code and docs of pkeyutl en/decapsulation

Reviewed-by: Dmitry Belyavskiy <bel...@gmail.com>
Reviewed-by: Tim Hudson <t...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26281)


Commit: 9eea74758d2987c3b276d8574a0e064061fa707a
https://github.com/openssl/openssl/commit/9eea74758d2987c3b276d8574a0e064061fa707a
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M doc/designs/ML-KEM.md
M doc/man3/EVP_PKEY_decapsulate.pod
M doc/man3/EVP_PKEY_encapsulate.pod
M doc/man7/EVP_KEM-ML-KEM.pod
M doc/man7/EVP_PKEY-ML-KEM.pod
M doc/man7/OSSL_PROVIDER-default.pod
M doc/man7/provider-keymgmt.pod

Log Message:
-----------
Initial batch of ML-KEM doc updates.

With the soon-to-be-merged ML-KEM #26172 as the merge base.

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
Reviewed-by: Neil Horman <nho...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26217)


Commit: 9a19a8c69a261e436cfaa04d5798dc0ce4f54e53
https://github.com/openssl/openssl/commit/9a19a8c69a261e436cfaa04d5798dc0ce4f54e53
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M doc/HOWTO/keys.txt
M doc/designs/fips_indicator.md
M doc/internal/man7/EVP_PKEY.pod
M doc/man1/openssl-genpkey.pod.in
M doc/man1/openssl-pkeyutl.pod.in
M doc/man3/EVP_PKEY_CTX_ctrl.pod
M doc/man3/EVP_PKEY_CTX_set_params.pod
M doc/man3/EVP_PKEY_decapsulate.pod
M doc/man3/EVP_PKEY_encapsulate.pod
M doc/man3/EVP_PKEY_fromdata.pod
M doc/man3/EVP_PKEY_keygen.pod
M doc/man3/EVP_PKEY_new.pod
M doc/man3/EVP_PKEY_set1_encoded_public_key.pod
M doc/man3/EVP_PKEY_todata.pod
M doc/man3/SSL_CONF_cmd.pod
M doc/man3/SSL_CTX_set1_curves.pod
M doc/man7/OSSL_PROVIDER-FIPS.pod
M doc/man7/OSSL_PROVIDER-base.pod
M doc/man7/OSSL_PROVIDER-default.pod
M doc/man7/fips_module.pod
M doc/man7/ossl-guide-migration.pod
M doc/man7/provider-keymgmt.pod

Log Message:
-----------
Remaining batch of ML-KEM-related doc updates

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
Reviewed-by: Neil Horman <nho...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26217)


Commit: 898363ac6adef2ec82854ae063bf20aa644d5bee
https://github.com/openssl/openssl/commit/898363ac6adef2ec82854ae063bf20aa644d5bee
Author: Viktor Dukhovni <vik...@openssl.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M crypto/ml_kem/ml_kem.c

Log Message:
-----------
Prepare to detect side-channels in compiled ML-KEM code

Loosely based on similar code in BoringSSL.

Added the valgrind macros necessary to mark secret inputs as uninitialised on
entry to the ML-KEM keygen, encap and decap functions. The inputs and outputs
are then untagged before control returns to the caller, where, at least in the
case of tests and protocols that check whether the derived keys succeeded in
decoding a key-confirmation message, there will at some point be a branch based
on the *content* of the computed shared secret.

When a build is configured with `-DOPENSSL_CONSTANT_TIME_VALIDATION`, and
various tests that use ML-KEM are run under:

$ valgrind --tool=memcheck --error-exitcode=1 --exit-on-first-error=yes cmd [args]

any internal secret-data-dependent branches added by a mis-optimising
compiler, or inadvertently introduced into the source code would cause
the tests to fail, exposing the side channel.

Since the side-channels are liable to depend on the compiler and
selected optimisation flags, tests would need to cover a few combinations.

* clang vs. gcc
* debug builds
* default builds
* -O2
* -O3 -fno-vectorise (a problem with clang in "clangover")
* -Os (was a problem with clang in "clangover")
...

Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26270)
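The memcheck-based check this commit describes, as an added illustration that is not OpenSSL's code: a secret-derived buffer is tagged undefined on entry, a branch-free comparison and mask select pass memcheck, while a byte-wise early-exit comparison is reported as a conditional jump on uninitialised data. The macro names CONSTTIME_SECRET/CONSTTIME_DECLASSIFY, the decap-shaped wrapper and all sample buffers are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hook the tainting macros up to valgrind's client requests only when the
 * build opts in (the commit uses -DOPENSSL_CONSTANT_TIME_VALIDATION) and the
 * header is available; otherwise they compile to nothing. The macro names
 * are this example's, not OpenSSL's.
 */
#ifdef OPENSSL_CONSTANT_TIME_VALIDATION
# ifdef __has_include
#  if __has_include(<valgrind/memcheck.h>)
#   include <valgrind/memcheck.h>
#   define CONSTTIME_SECRET(p, n)     VALGRIND_MAKE_MEM_UNDEFINED((p), (n))
#   define CONSTTIME_DECLASSIFY(p, n) VALGRIND_MAKE_MEM_DEFINED((p), (n))
#  endif
# endif
#endif
#ifndef CONSTTIME_SECRET
# define CONSTTIME_SECRET(p, n)     ((void)0)
# define CONSTTIME_DECLASSIFY(p, n) ((void)0)
#endif

/* Constructed sample data standing in for ML-KEM decap inputs. */
static const uint8_t kReceived[8]   = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* ciphertext from peer */
static const uint8_t kRecomputed[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* re-encryption matches */
static const uint8_t kTampered[8]   = { 1, 2, 3, 4, 5, 6, 7, 9 }; /* re-encryption differs */
static const uint8_t kRealSecret[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
static const uint8_t kFailSecret[4] = { 0x11, 0x22, 0x33, 0x44 }; /* FO implicit-rejection key */

/* Branch-free equality: 1 if equal, 0 otherwise; no control flow depends on the bytes. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    unsigned diff = 0;
    size_t i;

    for (i = 0; i < n; i++)
        diff |= (unsigned)(a[i] ^ b[i]);
    /* diff == 0: (0 - 1) >> 8 has bit 0 set; 1 <= diff <= 255: (diff - 1) >> 8 == 0 */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Early-exit equality: the 'if' is a conditional jump on secret-derived data,
 * exactly what memcheck reports once the input has been tagged undefined. */
int branchy_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Select the real or the failure secret by mask, as ML-KEM implicit rejection does. */
static void ct_select(uint8_t *out, const uint8_t *real, const uint8_t *fail,
                      size_t n, int equal)
{
    uint8_t mask = (uint8_t)(0u - (unsigned)(equal & 1)); /* 0xFF when equal, else 0x00 */
    size_t i;

    for (i = 0; i < n; i++)
        out[i] = (uint8_t)((real[i] & mask) | (fail[i] & (uint8_t)~mask));
}

/*
 * Decap-shaped routine: compares the (secret-derived) recomputed ciphertext
 * with the received one and picks a shared secret. Returns 1 if the real
 * secret came out, 0 if the failure secret did. With the macros active and
 * use_branchy = 1, memcheck prints "Conditional jump or move depends on
 * uninitialised value(s)" and, with --error-exitcode=1, the run fails.
 */
int decap_select(const uint8_t *recomputed, int use_branchy)
{
    uint8_t secret_ct[8];
    uint8_t out[4];
    int equal;

    memcpy(secret_ct, recomputed, sizeof(secret_ct));
    CONSTTIME_SECRET(secret_ct, sizeof(secret_ct)); /* derived from the private key */
    equal = use_branchy ? branchy_memeq(secret_ct, kReceived, sizeof(secret_ct))
                        : ct_memeq(secret_ct, kReceived, sizeof(secret_ct));
    ct_select(out, kRealSecret, kFailSecret, sizeof(out), equal);
    CONSTTIME_DECLASSIFY(out, sizeof(out)); /* the caller may now branch on the result */
    return memcmp(out, kRealSecret, sizeof(out)) == 0;
}

int main(void)
{
    printf("constant-time: match=%d tampered=%d\n",
           decap_select(kRecomputed, 0), decap_select(kTampered, 0));
    printf("branchy:       match=%d tampered=%d\n",
           decap_select(kRecomputed, 1), decap_select(kTampered, 1));
    return 0;
}
```

Both paths return the same answers; the difference only shows when the binary is built with -DOPENSSL_CONSTANT_TIME_VALIDATION and run under the valgrind command quoted in the commit, which is why the commit notes the check must be repeated across compilers and optimisation levels.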


Commit: e8cb78e8173c650f59ed6ae350b7137ad348f2fa
https://github.com/openssl/openssl/commit/e8cb78e8173c650f59ed6ae350b7137ad348f2fa
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M AUTHORS.md
M apps/list.c
M crypto/err/openssl.txt
M crypto/ml_kem/ml_kem.c
M doc/man1/openssl-list.pod.in
M doc/man1/openssl-s_client.pod.in
M doc/man1/openssl-s_server.pod.in
M doc/man3/SSL_CONF_cmd.pod
M doc/man3/SSL_CTX_set1_curves.pod
M doc/man7/ossl-guide-migration.pod
M include/crypto/ml_kem.h
M include/internal/tlsgroups.h
M include/openssl/core_dispatch.h
M include/openssl/proverr.h
M include/openssl/ssl.h.in
M providers/common/capabilities.c
M providers/common/include/prov/proverr.h
M providers/common/provider_err.c
M providers/defltprov.c
M providers/implementations/include/prov/implementations.h
A providers/implementations/include/prov/mlx_kem.h
M providers/implementations/include/prov/names.h
M providers/implementations/kem/build.info
M providers/implementations/kem/ml_kem.c
A providers/implementations/kem/mlx_kem.c
M providers/implementations/keymgmt/build.info
M providers/implementations/keymgmt/ml_kem_kmgmt.c
A providers/implementations/keymgmt/mlx_kmgmt.c
M ssl/s3_lib.c
M ssl/ssl_local.h
M ssl/t1_lib.c
M test/sslapitest.c
M util/other.syms

Log Message:
-----------
ML-KEM hybrids for TLS

- When used as KEMs in TLS the ECDHE algorithms are NOT subjected to
HPKE Extract/Expand key derivation. Instead the TLS HKDF is used
as usual.

- Consequently these KEMs are just the usual ECDHE key exchange
operations, albeit with the encap ECDH private key unavoidably
ephemeral.

- A new "MLX" KEM provider is added that supports four hybrids of EC/ECX
DH with ML-KEM:

* ML-KEM-768 + X25519
* ML-KEM-1024 + X448
* P-256 + ML-KEM-768
* P-384 + ML-KEM-1024

- Support listing of implemented TLS groups.

The SSL_CTX_get0_implemented_groups() function and new
`openssl list -tls-groups` and `openssl list -all-tls-groups`
commands make it possible to determine which groups are
implemented by the SSL library for a particular TLS version
or range of versions matching an SSL_CTX.

Reviewed-by: Tomas Mraz <to...@openssl.org>
Reviewed-by: Tim Hudson <t...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26220)


Commit: 97a01d8de8c878eac762ea98d698c9e0e16f9937
https://github.com/openssl/openssl/commit/97a01d8de8c878eac762ea98d698c9e0e16f9937
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M test/evp_test.c

Log Message:
-----------
Clear param array to ensure it's initialised properly

Reviewed-by: Tomas Mraz <to...@openssl.org>
Reviewed-by: Todd Short <todd....@me.com>
Reviewed-by: Tom Cosgrove <tom.co...@arm.com>
Reviewed-by: Richard Levitte <lev...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26339)


Commit: 9aaa69c6e64749a77776f0cd0f7834cfd6b7a54d
https://github.com/openssl/openssl/commit/9aaa69c6e64749a77776f0cd0f7834cfd6b7a54d
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M crypto/ml_kem/build.info
M providers/implementations/kem/build.info
R providers/implementations/kem/ml_kem.c
A providers/implementations/kem/ml_kem_kem.c
M providers/implementations/keymgmt/build.info

Log Message:
-----------
update build infrastructure for ML-KEM in the FIPS provider

Also avoid a file name conflict when adding ML-KEM to the FIPS provider.

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: f6a21445d6444729c04082230d40220c8630cab4
https://github.com/openssl/openssl/commit/f6a21445d6444729c04082230d40220c8630cab4
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M include/openssl/self_test.h

Log Message:
-----------
fips: defined for ML-KEM CASTs

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: dbfe43c5376f97e59cc7b97a825e959219746e5f
https://github.com/openssl/openssl/commit/dbfe43c5376f97e59cc7b97a825e959219746e5f
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M providers/fips/fipsprov.c
M providers/fips/self_test_data.inc
M providers/fips/self_test_kats.c

Log Message:
-----------
fips: add ML-KEM to the FIPS provider

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: 516238f442ec429425ef2ca40b3661ca99224492
https://github.com/openssl/openssl/commit/516238f442ec429425ef2ca40b3661ca99224492
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M test/recipes/30-test_evp_data/evppkey_ml_kem_1024_decap.txt
M test/recipes/30-test_evp_data/evppkey_ml_kem_1024_encap.txt
M test/recipes/30-test_evp_data/evppkey_ml_kem_1024_keygen.txt
M test/recipes/30-test_evp_data/evppkey_ml_kem_512_decap.txt
M test/recipes/30-test_evp_data/evppkey_ml_kem_512_encap.txt
M test/recipes/30-test_evp_data/evppkey_ml_kem_512_keygen.txt
M test/recipes/30-test_evp_data/evppkey_ml_kem_768_decap.txt
M test/recipes/30-test_evp_data/evppkey_ml_kem_768_encap.txt
M test/recipes/30-test_evp_data/evppkey_ml_kem_768_keygen.txt

Log Message:
-----------
tests: run ML-KEM tests in FIPS builds too

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: 93905aa4ed9aaef4a7548e737fe0f4b95d686ed4
https://github.com/openssl/openssl/commit/93905aa4ed9aaef4a7548e737fe0f4b95d686ed4
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M test/recipes/30-test_evp.t

Log Message:
-----------
test: run ML-KEM tests for both default and FIPS providers

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: 67d5abb3e00a489574056b827572a36defab5454
https://github.com/openssl/openssl/commit/67d5abb3e00a489574056b827572a36defab5454
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M doc/man7/fips_module.pod

Log Message:
-----------
doc: remove ML-KEM line because it doesn't have an indicator associated with it

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: 886435c2e7e0fba90b43e86fb7a18f593004d930
https://github.com/openssl/openssl/commit/886435c2e7e0fba90b43e86fb7a18f593004d930
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M doc/man7/EVP_PKEY-ML-KEM.pod
M doc/man7/OSSL_PROVIDER-FIPS.pod

Log Message:
-----------
doc: update documentation now that ML-KEM is in the FIPS provider

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: 50d36f37f6458012b2f88c24bc8c9293d31e2698
https://github.com/openssl/openssl/commit/50d36f37f6458012b2f88c24bc8c9293d31e2698
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M include/openssl/self_test.h

Log Message:
-----------
self_test: add ML-KEM test description

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: fcfb0176bef776ab57006d46f5d7d769a0d65ba1
https://github.com/openssl/openssl/commit/fcfb0176bef776ab57006d46f5d7d769a0d65ba1
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M providers/implementations/keymgmt/ml_kem_kmgmt.c

Log Message:
-----------
fips: add pairwise consistency test for ML-KEM key generation

This is mandated by FIPS 140-3 IG 10.3.A resolution 14

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: 3ece63fa6d1d4dc43e54dcf2f03b41946adc6fb4
https://github.com/openssl/openssl/commit/3ece63fa6d1d4dc43e54dcf2f03b41946adc6fb4
Author: Pauli <ppz...@gmail.com>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M test/recipes/03-test_fipsinstall.t

Log Message:
-----------
test: add fipsinstall corruption tests for KEMs

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
Reviewed-by: Hugo Landau <hla...@devever.net>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26338)


Commit: ef391f2845dbccb99297b0753a8adad7ca4ae530
https://github.com/openssl/openssl/commit/ef391f2845dbccb99297b0753a8adad7ca4ae530
Author: Tomas Mraz <to...@openssl.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M providers/implementations/include/prov/names.h

Log Message:
-----------
Provide alias names for ML-KEM algorithms without dashes

Fixes #26326

Reviewed-by: Dmitry Belyavskiy <bel...@gmail.com>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26328)


Commit: ae646b6da2cae9091992dca988945d37ff49ef24
https://github.com/openssl/openssl/commit/ae646b6da2cae9091992dca988945d37ff49ef24
Author: Tomas Mraz <to...@openssl.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M oqs-provider

Log Message:
-----------
Update oqs-provider to the latest commit

The oqs-provider testing is fixed so it doesn't fetch OpenSSL
implementations during its testing inadvertently.

Reviewed-by: Dmitry Belyavskiy <bel...@gmail.com>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26328)


Commit: ee8f6dbd573a9ab1089cab2b7ac178ac6d7f72d7
https://github.com/openssl/openssl/commit/ee8f6dbd573a9ab1089cab2b7ac178ac6d7f72d7
Author: Tomas Mraz <to...@openssl.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M ssl/t1_lib.c

Log Message:
-----------
libssl: Accept any key management which implements the group

Reviewed-by: Dmitry Belyavskiy <bel...@gmail.com>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26328)


Commit: fa0940a60f1d1de2e4295addc1879ead49a066d3
https://github.com/openssl/openssl/commit/fa0940a60f1d1de2e4295addc1879ead49a066d3
Author: Tomas Mraz <to...@openssl.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M test/recipes/95-test_external_oqsprovider_data/oqsprovider.sh

Log Message:
-----------
Temporarily disable oqsprovider testing

Reviewed-by: Dmitry Belyavskiy <bel...@gmail.com>
Reviewed-by: Viktor Dukhovni <vik...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26328)


Commit: 557a680da5a6c280e074829dbd697fa7020747b2
https://github.com/openssl/openssl/commit/557a680da5a6c280e074829dbd697fa7020747b2
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M crypto/err/openssl.txt
M crypto/ml_kem/ml_kem.c
M doc/man7/EVP_PKEY-ML-KEM.pod
M include/crypto/ml_kem.h
M include/openssl/proverr.h
M providers/common/provider_err.c
M providers/decoders.inc
M providers/encoders.inc
M providers/fips/self_test_kats.c
M providers/implementations/encode_decode/decode_der2key.c
M providers/implementations/encode_decode/encode_key2any.c
M providers/implementations/encode_decode/encode_key2text.c
M providers/implementations/include/prov/implementations.h
M providers/implementations/include/prov/names.h
M providers/implementations/keymgmt/ml_kem_kmgmt.c
M providers/implementations/keymgmt/mlx_kmgmt.c
M test/endecode_test.c
M test/evp_extra_test.c
M test/evp_test.c
M test/ml_kem_evp_extra_test.c
M test/ml_kem_internal_test.c
M util/perl/OpenSSL/paramnames.pm

Log Message:
-----------
Encoders and Decoders for ML-KEM

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26341)


Commit: 78c7030c785f111d486d01294f96d6175ab6620f
https://github.com/openssl/openssl/commit/78c7030c785f111d486d01294f96d6175ab6620f
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M crypto/ml_kem/ml_kem.c
M providers/implementations/encode_decode/encode_key2any.c
M providers/implementations/keymgmt/ml_kem_kmgmt.c
M providers/implementations/keymgmt/mlx_kmgmt.c
M test/ml_kem_evp_extra_test.c
M test/ml_kem_internal_test.c

Log Message:
-----------
ML-KEM implementation cleanup/speedup

Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26341)


Commit: 289e7a9069a686e5aa965ab89f4399e46c0744ca
https://github.com/openssl/openssl/commit/289e7a9069a686e5aa965ab89f4399e46c0744ca
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2025-01-25 (Sat, 25 Jan 2025)

Changed paths:
M crypto/ml_kem/ml_kem.c

Log Message:
-----------
Zeroise temporary secrets while doing ML-KEM

Reviewed-by: Richard Levitte <lev...@openssl.org>
Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Tomas Mraz <to...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26456)


Compare: https://github.com/openssl/openssl/compare/0fb237fd40d3...289e7a9069a6
