public/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add ML-KEM-768 implementation

Browse source 
Based on code from BoringSSL covered under Google CCLA
Original code at https://boringssl.googlesource.com/boringssl/+/HEAD/crypto/mlkem

- VSCode automatic formatting (andrewd@openssl.org)
- Just do some basic formatting to make diffs easier to read later: convert
  from 2 to 4 spaces, add newlines after function declarations, and move
  function open curly brace to new line (andrewd@openssl.org)
- Move variable init to beginning of each function (andrewd@openssl.org)
- Replace CBB API
- Fixing up constants and parameter lists
- Replace BORINGSSL_keccak calls with EVP calls
- Added library symbols and low-level test case
- Switch boringssl constant time routines for OpenSSL ones
- Data type assertion and negative test added
- Moved mlkem.h to include/crypto
- Changed function naming to be in line with ossl convention
- Remove Google license terms based on CCLA
- Add constant_time_lt_32
- Convert asserts to ossl_asserts where possible
- Add bssl keccak, pubK recreation, formatting
- Add provider interface to utilize mlkem768 code enabling TLS1.3 use
- Revert to OpenSSL DigestXOF
- Use EVP_MD_xof() to determine digest finalisation (pauli@openssl.org)
- Change APIs to return error codes; reference new IANA number; move static asserts
  to one place
- Remove boringssl keccak for good
- Fix coding style and return value checks
- ANSI C compatibility changes
- Remove static cache objects
- All internal retval functions used leading to some new retval functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25848)
This commit is contained in:
Michael Baentsch 2024-11-11 09:08:06 +01:00 committed by Tomas Mraz
parent 605b82d7ee
commit 96a079a03f
19 changed files with 2483 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Configure
View file

@ -487,6 +487,7 @@ my @disablables = (
"md4",
"mdc2",
"ml-dsa",
"mlkem",
"module",
"msan",
"multiblock",

2
crypto/build.info
View file

@ -2,7 +2,7 @@
# there for further explanations.
SUBDIRS=objects buffer bio stack lhash hashtable rand evp asn1 pem x509 conf \
txt_db pkcs7 pkcs12 ui kdf store property \
md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 \
md2 md4 md5 sha mdc2 mlkem hmac ripemd whrlpool poly1305 \
siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \
seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \
err comp http ocsp cms ts srp cmac ct async ess crmf cmp encode_decode \

3
crypto/mlkem/build.info Normal file
View file

@ -0,0 +1,3 @@
LIBS = ../../libcrypto
SOURCE[../../libcrypto] = mlkem768.c

1197
crypto/mlkem/mlkem768.c Normal file
View file

File diff suppressed because it is too large Load diff

179
include/crypto/mlkem.h Normal file
View file

@ -0,0 +1,179 @@
/*
* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/* Copyright (c) 2024, Google Inc. */
#ifndef OPENSSL_HEADER_MLKEM_H
# define OPENSSL_HEADER_MLKEM_H
# include <stdint.h>
# include <openssl/e_os2.h>
# include <crypto/evp.h>
# if defined(__cplusplus)
extern "C" {
# endif
# ifndef OPENSSL_NO_MLKEM
typedef struct ossl_mlkem_ctx {
EVP_MD *shake128_cache;
EVP_MD *shake256_cache;
EVP_MD *sha3_256_cache;
EVP_MD *sha3_512_cache;
OSSL_LIB_CTX *libctx;
char *properties;
} ossl_mlkem_ctx;
/* General ctx functions */
ossl_mlkem_ctx *ossl_mlkem_newctx(OSSL_LIB_CTX *libctx, const char *properties);
void ossl_mlkem_ctx_free(ossl_mlkem_ctx *ctx);
/*
* ML-KEM-768.
*
* This implements the Module-Lattice-Based Key-Encapsulation Mechanism from
* https://csrc.nist.gov/pubs/fips/203/final
*/
/*
* ossl_mlkem768_public_key contains an ML-KEM-768 public key. The contents of this
* object should never leave the address space since the format is unstable.
*/
/* TODO: Review alignment as per https://github.com/openssl/private/issues/702 */
typedef struct ossl_mlkem768_public_key {
union {
uint8_t bytes[512 * (3 + 9) + 32 + 32];
uint16_t alignment;
} opaque;
} ossl_mlkem768_public_key;
/*
* ossl_mlkem768_private_key contains an ML-KEM-768 private key. The contents of this
* object should never leave the address space since the format is unstable.
*/
typedef struct ossl_mlkem768_private_key {
union {
uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];
uint16_t alignment;
} opaque;
} ossl_mlkem768_private_key;
/*
* Parameters from FIPS 203 Section 8: Parameter Sets
* Reference: https://csrc.nist.gov/pubs/fips/203/final
*/
# define OSSL_MLKEM768_SECURITY_BITS 192
/*
* OSSL_MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-1024
* public key.
*/
# define OSSL_MLKEM1024_PUBLIC_KEY_BYTES 1568
/*
* OSSL_MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-768
* public key.
*/
# define OSSL_MLKEM768_PUBLIC_KEY_BYTES 1184
/* MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed. */
# define MLKEM_SEED_BYTES 64
/*
* ossl_mlkem768_generate_key generates a random public/private key pair, writes the
* encoded public key to |out_encoded_public_key| and sets |out_private_key| to
* the private key. If |optional_out_seed| is not NULL then the seed used to
* generate the private key is written to it as well.
* out_encoded_public_key must be allocated to store ossl_mlkem768_PUBLIC_KEY_BYTES
* optional_out_seed if not NULL must be allocated to store MLKEM_SEED_BYTES
*/
int ossl_mlkem768_generate_key(uint8_t *out_encoded_public_key,
uint8_t *optional_out_seed,
struct ossl_mlkem768_private_key *out_private_key,
ossl_mlkem_ctx *mlkem_ctx);
/*
* ossl_mlkem768_private_key_from_seed derives a private key from a seed that was
* generated by |ossl_mlkem768_generate_key|. It fails and returns 0 if |seed_len| is
* incorrect, otherwise it writes |*out_private_key| and returns 1.
*/
int ossl_mlkem768_private_key_from_seed(ossl_mlkem768_private_key *out_private_key,
const uint8_t *seed,
size_t seed_len,
ossl_mlkem_ctx *mlkem_ctx);
/*
* ossl_mlkem768_public_from_private sets |*out_public_key| to the public key that
* corresponds to |private_key|. (This is faster than parsing the output of
* |ossl_mlkem768_generate_key| if, for some reason, you need to encapsulate to a key
* that was just generated.)
*/
int ossl_mlkem768_public_from_private(ossl_mlkem768_public_key *out_public_key,
const ossl_mlkem768_private_key *private_key);
/* ossl_mlkem1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 ciphertext. */
# define OSSL_MLKEM1024_CIPHERTEXT_BYTES 1568
/* ossl_mlkem768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-768 ciphertext. */
# define OSSL_MLKEM768_CIPHERTEXT_BYTES 1088
/* ossl_mlkem768_SHARED_SECRET_BYTES is the number of bytes in an ML-KEM shared secret. */
# define OSSL_MLKEM768_SHARED_SECRET_BYTES 32
/*
* ossl_mlkem768_encap encrypts a random shared secret for |public_key|, writes the
* ciphertext to |out_ciphertext|, and writes the random shared secret to
* |out_shared_secret|.
* it is assumed out_ciphertext has been allocated ossl_mlkem768_CIPHERTEXT_BYTES bytes
* and out_shared_secret has been allocated MLKEM_SHARED_SECRET_BYTES bytes
*/
int ossl_mlkem768_encap(uint8_t *out_ciphertext,
uint8_t *out_shared_secret,
const ossl_mlkem768_public_key *public_key,
ossl_mlkem_ctx *mlkem_ctx);
/*
* ossl_mlkem768_decap decrypts a shared secret from |ciphertext| using |private_key|
* and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it
* returns 0, otherwise it returns 1. If |ciphertext| is invalid (but of the
* correct length), |out_shared_secret| is filled with a key that will always be
* the same for the same |ciphertext| and |private_key|, but which appears to be
* random unless one has access to |private_key|. These alternatives occur in
* constant time. Any subsequent symmetric encryption using |out_shared_secret|
* must use an authenticated encryption scheme in order to discover the
* decapsulation failure.
* it is assumed out_shared_secret has been allocated MLKEM_SHARED_SECRET_BYTES bytes
*/
int ossl_mlkem768_decap(uint8_t *out_shared_secret,
const uint8_t *ciphertext, size_t ciphertext_len,
const ossl_mlkem768_private_key *private_key,
ossl_mlkem_ctx *mlkem_ctx);
/*
* ossl_mlkem768_recreate_public_key recreates a fully formed ossl_mlkem768_public_key
* from an input |encoded_public_key| of size ossl_mlkem768_PUBLIC_KEY_BYTES.
* |pub| is expected to point to an allocated memory area of
* sizeof(ossl_mlkem768_public_key)
*/
int ossl_mlkem768_recreate_public_key(const uint8_t *encoded_public_key,
ossl_mlkem768_public_key *pub,
ossl_mlkem_ctx *mlkem_ctx);
# endif /* OPENSSL_NO_MLKEM */
# if defined(__cplusplus)
} /* extern C */
# endif
#endif /* OPENSSL_HEADER_MLKEM_H */

1
include/internal/constant_time.h
View file

@ -42,7 +42,6 @@ static ossl_inline unsigned int constant_time_lt(unsigned int a,
/* Convenience method for getting an 8-bit mask. */
static ossl_inline unsigned char constant_time_lt_8(unsigned int a,
unsigned int b);
/* Convenience method for uint32_t. */
static ossl_inline uint32_t constant_time_lt_32(uint32_t a, uint32_t b);

7
include/internal/tlsgroups.h
View file

@ -56,5 +56,12 @@
# define OSSL_TLS_GROUP_ID_ffdhe4096 0x0102
# define OSSL_TLS_GROUP_ID_ffdhe6144 0x0103
# define OSSL_TLS_GROUP_ID_ffdhe8192 0x0104
/*
* TODO(ML-KEM): Update to 513 as per IANA
* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
* Not done yet to not break interop testing with OQS test server; change when that
* gets updated in line with whatever IANA eventually defines
*/
# define OSSL_TLS_GROUP_ID_mlkem768 0x0768
#endif

86
providers/common/capabilities.c
View file

@ -18,6 +18,7 @@
#include "internal/tlsgroups.h"
#include "prov/providercommon.h"
#include "internal/e_os.h"
#include "crypto/mlkem.h"
/* If neither ec or dh is available then we have no TLS-GROUP capabilities */
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
@ -28,73 +29,76 @@ typedef struct tls_group_constants_st {
int maxtls; /* Maximum TLS version (or 0 for undefined) */
int mindtls; /* Minimum DTLS version, -1 unsupported */
int maxdtls; /* Maximum DTLS version (or 0 for undefined) */
int is_kem; /* Indicates utility as KEM */
} TLS_GROUP_CONSTANTS;
static const TLS_GROUP_CONSTANTS group_list[] = {
{ OSSL_TLS_GROUP_ID_sect163k1, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect163r1, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect163r2, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect193r1, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect193r2, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect233k1, 112, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect233r1, 112, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect239k1, 112, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect283k1, 128, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect283r1, 128, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect409k1, 192, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect409r1, 192, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect571k1, 256, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_sect571r1, 256, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp160k1, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp160r1, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp160r2, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp192k1, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp192r1, 80, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp224k1, 112, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp224r1, 112, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp256k1, 128, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
{ OSSL_TLS_GROUP_ID_secp256r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp384r1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp521r1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_secp256r1, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0, 0 },
{ OSSL_TLS_GROUP_ID_secp384r1, 192, TLS1_VERSION, 0, DTLS1_VERSION, 0, 0 },
{ OSSL_TLS_GROUP_ID_secp521r1, 256, TLS1_VERSION, 0, DTLS1_VERSION, 0, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP256r1, 128, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP384r1, 192, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP512r1, 256, TLS1_VERSION, TLS1_2_VERSION,
DTLS1_VERSION, DTLS1_2_VERSION },
{ OSSL_TLS_GROUP_ID_x25519, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_x448, 224, TLS1_VERSION, 0, DTLS1_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13, 128, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13, 192, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13, 256, TLS1_3_VERSION, 0, -1, -1 },
DTLS1_VERSION, DTLS1_2_VERSION, 0 },
{ OSSL_TLS_GROUP_ID_x25519, 128, TLS1_VERSION, 0, DTLS1_VERSION, 0, 0 },
{ OSSL_TLS_GROUP_ID_x448, 224, TLS1_VERSION, 0, DTLS1_VERSION, 0, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13, 128, TLS1_3_VERSION, 0, -1, -1, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13, 192, TLS1_3_VERSION, 0, -1, -1, 0 },
{ OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13, 256, TLS1_3_VERSION, 0, -1, -1, 0 },
/* Security bit values as given by BN_security_bits() */
{ OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, -1, -1 },
{ OSSL_TLS_GROUP_ID_ffdhe2048, 112, TLS1_3_VERSION, 0, -1, -1, 0 },
{ OSSL_TLS_GROUP_ID_ffdhe3072, 128, TLS1_3_VERSION, 0, -1, -1, 0 },
{ OSSL_TLS_GROUP_ID_ffdhe4096, 128, TLS1_3_VERSION, 0, -1, -1, 0 },
{ OSSL_TLS_GROUP_ID_ffdhe6144, 128, TLS1_3_VERSION, 0, -1, -1, 0 },
{ OSSL_TLS_GROUP_ID_ffdhe8192, 192, TLS1_3_VERSION, 0, -1, -1, 0 },
{ OSSL_TLS_GROUP_ID_mlkem768, OSSL_MLKEM768_SECURITY_BITS,
TLS1_3_VERSION, 0, -1, -1, 1 },
};
#define TLS_GROUP_ENTRY(tlsname, realname, algorithm, idx) \
@ -120,10 +124,12 @@ static const TLS_GROUP_CONSTANTS group_list[] = {
(unsigned int *)&group_list[idx].mindtls), \
OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_MAX_DTLS, \
(unsigned int *)&group_list[idx].maxdtls), \
OSSL_PARAM_int(OSSL_CAPABILITY_TLS_GROUP_IS_KEM, \
(unsigned int *)&group_list[idx].is_kem), \
OSSL_PARAM_END \
}
static const OSSL_PARAM param_group_list[][10] = {
static const OSSL_PARAM param_group_list[][11] = {
# ifndef OPENSSL_NO_EC
# ifndef OPENSSL_NO_EC2M
TLS_GROUP_ENTRY("sect163k1", "sect163k1", "EC", 0),
@ -204,6 +210,8 @@ static const OSSL_PARAM param_group_list[][10] = {
TLS_GROUP_ENTRY("ffdhe6144", "ffdhe6144", "DH", 36),
TLS_GROUP_ENTRY("ffdhe8192", "ffdhe8192", "DH", 37),
# endif
/* TODO(ML-KEM): Decide final name, e.g., ML-KEM768 or MLKEM768 */
TLS_GROUP_ENTRY("MLKEM768", "MLKEM768", "ML-KEM-768", 38),
};
#endif /* !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH) */

3
providers/defltprov.c
View file

@ -482,6 +482,7 @@ static const OSSL_ALGORITHM deflt_asym_kem[] = {
# endif
{ PROV_NAMES_EC, "provider=default", ossl_ec_asym_kem_functions },
#endif
{ PROV_NAMES_MLKEM768, "provider=default", ossl_mlkem768_asym_kem_functions },
{ NULL, NULL, NULL }
};
@ -544,6 +545,8 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = {
{ PROV_NAMES_SM2, "provider=default", ossl_sm2_keymgmt_functions,
PROV_DESCS_SM2 },
#endif
{ PROV_NAMES_MLKEM768, "provider=default", ossl_mlkem768_keymgmt_functions,
PROV_DESCS_MLKEM768 },
{ NULL, NULL, NULL }
};

2
providers/implementations/include/prov/implementations.h
View file

@ -324,6 +324,7 @@ extern const OSSL_DISPATCH ossl_sm2_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_ml_dsa_44_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_ml_dsa_65_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_ml_dsa_87_keymgmt_functions[];
extern const OSSL_DISPATCH ossl_mlkem768_keymgmt_functions[];
/* Key Exchange */
extern const OSSL_DISPATCH ossl_dh_keyexch_functions[];
@ -400,6 +401,7 @@ extern const OSSL_DISPATCH ossl_sm2_asym_cipher_functions[];
extern const OSSL_DISPATCH ossl_rsa_asym_kem_functions[];
extern const OSSL_DISPATCH ossl_ecx_asym_kem_functions[];
extern const OSSL_DISPATCH ossl_ec_asym_kem_functions[];
extern const OSSL_DISPATCH ossl_mlkem768_asym_kem_functions[];
/* Encoders */
extern const OSSL_DISPATCH ossl_rsa_to_PKCS1_der_encoder_functions[];

36
providers/implementations/include/prov/mlkem.h Normal file
View file

@ -0,0 +1,36 @@
/*
* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef OSSL_INTERNAL_MLKEM_H
# define OSSL_INTERNAL_MLKEM_H
# pragma once
# ifndef OPENSSL_NO_MLKEM
# include <stdint.h>
# include <crypto/mlkem.h>
# define MLKEM_KEY_TYPE_512 0
# define MLKEM_KEY_TYPE_768 1
# define MLKEY_KEY_TYPE_1024 2
typedef struct mlkem768_key_st {
int keytype;
ossl_mlkem768_private_key seckey;
ossl_mlkem768_public_key pubkey;
uint8_t *encoded_pubkey;
int pubkey_initialized;
int seckey_initialized;
ossl_mlkem_ctx *mlkem_ctx;
void *provctx;
} MLKEM768_KEY;
# endif /* OPENSSL_NO_MLKEM */
#endif /* OSSL_INTERNAL_MLKEM_H */

2
providers/implementations/include/prov/names.h
View file

@ -390,3 +390,5 @@
#define PROV_DESCS_ML_DSA_65 "OpenSSL ML-DSA-65 implementation"
#define PROV_NAMES_ML_DSA_87 "ML-DSA-87:2.16.840.1.101.3.4.3.19:id-ml-dsa-87"
#define PROV_DESCS_ML_DSA_87 "OpenSSL ML-DSA-87 implementation"
#define PROV_NAMES_MLKEM768 "ML-KEM-768"
#define PROV_DESCS_MLKEM768 "OpenSSL ML-KEM-768 implementation"

2
providers/implementations/kem/build.info
View file

@ -4,6 +4,7 @@
$RSA_KEM_GOAL=../../libdefault.a ../../libfips.a
$EC_KEM_GOAL=../../libdefault.a
$TEMPLATE_KEM_GOAL=../../libtemplate.a
$ML_KEM_GOAL=../../libdefault.a
SOURCE[$RSA_KEM_GOAL]=rsa_kem.c
@ -15,3 +16,4 @@ IF[{- !$disabled{ec} -}]
ENDIF
SOURCE[$TEMPLATE_KEM_GOAL]=template_kem.c
SOURCE[$ML_KEM_GOAL]=ml_kem.c

210
providers/implementations/kem/ml_kem.c Normal file
View file

@ -0,0 +1,210 @@
/*
* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include "prov/provider_ctx.h"
#include "prov/implementations.h"
#include "prov/securitycheck.h"
#include "prov/providercommon.h"
#include "prov/mlkem.h"
#define BUFSIZE 1000
#if defined(NDEBUG) || defined(OPENSSL_NO_STDIO)
/* TODO(ML-KEM) to remove or replace with TRACE */
static void debug_print(char *fmt, ...)
{
}
#else
static void debug_print(char *fmt, ...)
{
char out[BUFSIZE];
va_list argptr;
va_start(argptr, fmt);
vsnprintf(out, BUFSIZE, fmt, argptr);
va_end(argptr);
if (getenv("TEMPLATEKM"))
fprintf(stderr, "TEMPLATE_KM: %s", out);
}
#endif
typedef struct {
OSSL_LIB_CTX *libctx;
MLKEM768_KEY *key;
int op;
} PROV_MLKEM_CTX;
static OSSL_FUNC_kem_newctx_fn mlkem_newctx;
static OSSL_FUNC_kem_encapsulate_init_fn mlkem_encapsulate_init;
static OSSL_FUNC_kem_encapsulate_fn mlkem_encapsulate;
static OSSL_FUNC_kem_decapsulate_init_fn mlkem_decapsulate_init;
static OSSL_FUNC_kem_decapsulate_fn mlkem_decapsulate;
static OSSL_FUNC_kem_freectx_fn mlkem_freectx;
static OSSL_FUNC_kem_set_ctx_params_fn mlkem_set_ctx_params;
static void *mlkem_newctx(void *provctx)
{
PROV_MLKEM_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
debug_print("MLKEMKEM newctx called\n");
if (ctx == NULL)
return NULL;
ctx->libctx = PROV_LIBCTX_OF(provctx);
debug_print("MLKEMKEM newctx returns %p\n", ctx);
return ctx;
}
static void mlkem_freectx(void *vctx)
{
PROV_MLKEM_CTX *ctx = (PROV_MLKEM_CTX *)vctx;
debug_print("MLKEMKEM freectx %p\n", ctx);
OPENSSL_free(ctx);
}
static int mlkem_init(void *vctx, int operation, void *vkey, void *vauth,
ossl_unused const OSSL_PARAM params[])
{
PROV_MLKEM_CTX *ctx = (PROV_MLKEM_CTX *)vctx;
MLKEM768_KEY *mlkemkey = vkey;
debug_print("MLKEMKEM init %p / %p\n", ctx, mlkemkey);
if (!ossl_prov_is_running())
return 0;
if (mlkemkey->keytype != MLKEM_KEY_TYPE_768)
return 0;
ctx->key = mlkemkey;
ctx->op = operation;
debug_print("MLKEMKEM init OK\n");
return 1;
}
static int mlkem_encapsulate_init(void *vctx, void *vkey,
const OSSL_PARAM params[])
{
return mlkem_init(vctx, EVP_PKEY_OP_ENCAPSULATE, vkey, NULL, params);
}
static int mlkem_decapsulate_init(void *vctx, void *vkey,
const OSSL_PARAM params[])
{
return mlkem_init(vctx, EVP_PKEY_OP_DECAPSULATE, vkey, NULL, params);
}
static int mlkem_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
PROV_MLKEM_CTX *ctx = (PROV_MLKEM_CTX *)vctx;
debug_print("MLKEMKEM set ctx params %p\n", ctx);
if (ctx == NULL)
return 0;
if (params == NULL)
return 1;
debug_print("MLKEMKEM set ctx params OK\n");
return 1;
}
static const OSSL_PARAM known_settable_mlkem_ctx_params[] = {
OSSL_PARAM_END
};
static const OSSL_PARAM *mlkem_settable_ctx_params(ossl_unused void *vctx,
ossl_unused void *provctx)
{
return known_settable_mlkem_ctx_params;
}
static int mlkem_encapsulate(void *vctx, unsigned char *out, size_t *outlen,
unsigned char *secret, size_t *secretlen)
{
PROV_MLKEM_CTX *ctx = (PROV_MLKEM_CTX *)vctx;
int ret;
debug_print("MLKEMKEM encaps %p to %p\n", ctx, out);
if (outlen != NULL)
*outlen = OSSL_MLKEM768_CIPHERTEXT_BYTES;
if (secretlen != NULL)
*secretlen = OSSL_MLKEM768_SHARED_SECRET_BYTES;
if (out == NULL) {
debug_print("MLKEMKEM encaps outlens set to %ld and %ld\n", *outlen, *secretlen);
return 1;
}
if (ctx->key == NULL
|| ctx->key->keytype != MLKEM_KEY_TYPE_768
|| ctx->key->pubkey_initialized == 0
|| secret == NULL)
return 0;
ret = ossl_mlkem768_encap(out, (uint8_t *)secret, &ctx->key->pubkey, ctx->key->mlkem_ctx);
debug_print("MLKEMKEM encaps returns %d\n", ret);
return ret;
}
static int mlkem_decapsulate(void *vctx, unsigned char *out, size_t *outlen,
const unsigned char *in, size_t inlen)
{
PROV_MLKEM_CTX *ctx = (PROV_MLKEM_CTX *)vctx;
int ret;
debug_print("MLKEMKEM decaps %p to %p\n", ctx, out);
debug_print("MLKEMKEM decaps inlen at %ld\n", inlen);
if (outlen != NULL)
*outlen = OSSL_MLKEM768_SHARED_SECRET_BYTES;
if (out == NULL) {
debug_print("MLKEMKEM decaps outlen set to %ld \n", *outlen);
return 1;
}
if (ctx->key == NULL
|| ctx->key->keytype != MLKEM_KEY_TYPE_768
|| ctx->key->seckey_initialized == 0
|| in == NULL)
return 0;
if (inlen != OSSL_MLKEM768_CIPHERTEXT_BYTES)
return 0;
ret = ossl_mlkem768_decap((uint8_t *)out, (uint8_t *)in, inlen, &ctx->key->seckey,
ctx->key->mlkem_ctx);
debug_print("MLKEMKEM decaps returns %d\n", ret);
return ret;
}
const OSSL_DISPATCH ossl_mlkem768_asym_kem_functions[] = {
{ OSSL_FUNC_KEM_NEWCTX, (void (*)(void))mlkem_newctx },
{ OSSL_FUNC_KEM_ENCAPSULATE_INIT,
(void (*)(void))mlkem_encapsulate_init },
{ OSSL_FUNC_KEM_ENCAPSULATE, (void (*)(void))mlkem_encapsulate },
{ OSSL_FUNC_KEM_DECAPSULATE_INIT,
(void (*)(void))mlkem_decapsulate_init },
{ OSSL_FUNC_KEM_DECAPSULATE, (void (*)(void))mlkem_decapsulate },
{ OSSL_FUNC_KEM_FREECTX, (void (*)(void))mlkem_freectx },
{ OSSL_FUNC_KEM_SET_CTX_PARAMS,
(void (*)(void))mlkem_set_ctx_params },
{ OSSL_FUNC_KEM_SETTABLE_CTX_PARAMS,
(void (*)(void))mlkem_settable_ctx_params },
OSSL_DISPATCH_END
};

2
providers/implementations/keymgmt/build.info
View file

@ -10,6 +10,7 @@ $MAC_GOAL=../../libdefault.a ../../libfips.a
$RSA_GOAL=../../libdefault.a ../../libfips.a
$TEMPLATE_GOAL=../../libtemplate.a
$ML_DSA_GOAL=../../libdefault.a ../../libfips.a
$MLKEM_GOAL=../../libdefault.a
IF[{- !$disabled{dh} -}]
SOURCE[$DH_GOAL]=dh_kmgmt.c
@ -49,3 +50,4 @@ SOURCE[$TEMPLATE_GOAL]=template_kmgmt.c
IF[{- !$disabled{'ml-dsa'} -}]
SOURCE[$ML_DSA_GOAL]=ml_dsa_kmgmt.c
ENDIF
SOURCE[$MLKEM_GOAL]=mlkem_kmgmt.c

590
providers/implementations/keymgmt/mlkem_kmgmt.c Normal file
View file

@ -0,0 +1,590 @@
/*
* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/core_dispatch.h>
#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/err.h>
#include <openssl/proverr.h>
#include <openssl/rand.h>
#include <openssl/self_test.h>
#include "internal/param_build_set.h"
#include <openssl/param_build.h>
#include "prov/mlkem.h"
#include "prov/implementations.h"
#include "prov/providercommon.h"
#include "prov/provider_ctx.h"
#include "prov/securitycheck.h"
#include <assert.h>
#define BUFSIZE 1000
#if defined(NDEBUG) || defined(OPENSSL_NO_STDIO)
/* TODO(ML-KEM) to remove or replace with TRACE */
static void debug_print(char *fmt, ...)
{
}
#else
static void debug_print(char *fmt, ...)
{
char out[BUFSIZE];
va_list argptr;
va_start(argptr, fmt);
vsnprintf(out, BUFSIZE, fmt, argptr);
va_end(argptr);
if (getenv("TEMPLATEKM"))
fprintf(stderr, "TEMPLATE_KM: %s", out);
}
#endif
static void print_hex(const uint8_t *data, int len, const char *msg)
{
#ifndef NDEBUG
if (msg)
printf("%s: \n", msg);
BIO_dump_fp(stdout, data, len);
printf("\n\n");
#endif
}
static OSSL_FUNC_keymgmt_new_fn mlkem_new;
static OSSL_FUNC_keymgmt_free_fn mlkem_free;
static OSSL_FUNC_keymgmt_gen_init_fn mlkem_gen_init;
static OSSL_FUNC_keymgmt_gen_fn mlkem_gen;
static OSSL_FUNC_keymgmt_gen_cleanup_fn mlkem_gen_cleanup;
static OSSL_FUNC_keymgmt_gen_set_params_fn mlkem_gen_set_params;
static OSSL_FUNC_keymgmt_gen_settable_params_fn mlkem_gen_settable_params;
static OSSL_FUNC_keymgmt_get_params_fn mlkem_get_params;
static OSSL_FUNC_keymgmt_gettable_params_fn mlkem_gettable_params;
static OSSL_FUNC_keymgmt_set_params_fn mlkem_set_params;
static OSSL_FUNC_keymgmt_settable_params_fn mlkem_settable_params;
static OSSL_FUNC_keymgmt_has_fn mlkem_has;
static OSSL_FUNC_keymgmt_match_fn mlkem_match;
/* implement only when encode/decode logic becomes required/standardized: */
#ifdef UNDEF
static OSSL_FUNC_keymgmt_import_fn mlkem_import;
static OSSL_FUNC_keymgmt_export_fn mlkem_export;
static OSSL_FUNC_keymgmt_import_types_fn mlkem_imexport_types;
static OSSL_FUNC_keymgmt_export_types_fn mlkem_imexport_types;
static OSSL_FUNC_keymgmt_dup_fn mlkem_dup;
#endif /* UNDEF */
struct mlkem_gen_ctx {
void *provctx;
int selection;
};
static void *mlkem_new(void *provctx)
{
MLKEM768_KEY *key = NULL;
debug_print("MLKEMKM new key req\n");
if (!ossl_prov_is_running())
return 0;
key = OPENSSL_zalloc(sizeof(MLKEM768_KEY));
if (key != NULL) {
key->keytype = MLKEM_KEY_TYPE_768; /* TODO(ML-KEM) any type */
key->provctx = provctx;
/*
* ideally, this is a one-time allocation and ctx that should be within the
* provider context: OK to move it there to improve performance?? It would be
* the first algorithmspecific context stored: Feels weird (TODO(ML-KEM)).
*/
key->mlkem_ctx = ossl_mlkem_newctx(provctx == NULL ? NULL : PROV_LIBCTX_OF(provctx), NULL);
if (key->mlkem_ctx == NULL) {
OPENSSL_free(key);
key = NULL;
}
}
debug_print("MLKEMKM new key = %p\n", key);
return key;
}
static void mlkem_free(void *vkey)
{
MLKEM768_KEY *mkey = (MLKEM768_KEY *)vkey;
debug_print("MLKEMKM free key %p\n", mkey);
if (mkey == NULL)
return;
ossl_mlkem_ctx_free(mkey->mlkem_ctx);
OPENSSL_free(mkey->encoded_pubkey);
OPENSSL_free(mkey);
}
static int mlkem_has(const void *keydata, int selection)
{
const MLKEM768_KEY *key = keydata;
int ok = 0;
debug_print("MLKEMKM has %p\n", key);
if (ossl_prov_is_running() && key != NULL) {
/*
* ML-KEM keys always have all the parameters they need (i.e. none).
* Therefore we always return with 1, if asked about parameters.
*/
ok = 1;
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
ok = ok && key->pubkey_initialized == 1;
if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0)
ok = ok && key->seckey_initialized == 1;
}
debug_print("MLKEMKM has result %d\n", ok);
return ok;
}
static int mlkem_match(const void *keydata1, const void *keydata2, int selection)
{
const MLKEM768_KEY *key1 = keydata1;
const MLKEM768_KEY *key2 = keydata2;
int ok = 1;
debug_print("MLKEMKM matching %p and %p\n", key1, key2);
if (!ossl_prov_is_running())
return 0;
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
ok = ok && key1->keytype == key2->keytype;
/* TODO(ML-KEM) */
debug_print("MLKEMKM matching for now NOT YET IMPLEMENTED\n");
/* TODO(ML-KEM) template code to be completed as and when needed: */
#ifdef UNDEF
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
int key_checked = 0;
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
const uint8_t *pa = key1->pubkey;
const uint8_t *pb = key2->pubkey;
if (pa != NULL && pb != NULL) {
ok = ok
&& key1->keytype == key2->keytype
&& CRYPTO_memcmp(pa, pb, MLKEM768_PUBLICKEYBYTES) == 0;
key_checked = 1;
}
}
if (!key_checked
&& (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
const uint8_t *pa = key1->seckey;
const uint8_t *pb = key2->seckey;
if (pa != NULL && pb != NULL) {
ok = ok
&& key1->keytype == key2->keytype
&& CRYPTO_memcmp(pa, pb, MLKEM768_SECRETKEYBYTES) == 0;
key_checked = 1;
}
}
ok = ok && key_checked;
}
#endif /* UNDEF */
debug_print("MLKEMKM match result %d\n", ok);
return ok;
}
/* TODO(ML-KEM) as and when encode/decode becomes needed/standardized */
#ifdef UNDEF
static int key_to_params(MLKEM768_KEY *key, OSSL_PARAM_BLD *tmpl,
OSSL_PARAM params[], int include_private)
{
if (key == NULL)
return 0;
if (key->keytype != MLKEM_KEY_TYPE_768)
return 0;
if (!ossl_param_build_set_octet_string(tmpl, params,
OSSL_PKEY_PARAM_PUB_KEY,
key->pubkey, MLKEM768_PUBLICKEYBYTES))
return 0;
if (include_private
&& key->seckey != NULL
&& !ossl_param_build_set_octet_string(tmpl, params,
OSSL_PKEY_PARAM_PRIV_KEY,
key->seckey, MLKEM768_SECRETKEYBYTES))
return 0;
return 1;
}
static int mlkem_export(void *key, int selection, OSSL_CALLBACK *param_cb,
void *cbarg)
{
MLKEM768_KEY *mkey = key;
OSSL_PARAM_BLD *tmpl;
OSSL_PARAM *params = NULL;
int ret = 0;
debug_print("MLKEMKM export %p\n", key);
if (!ossl_prov_is_running() || key == NULL)
return 0;
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
return 0;
tmpl = OSSL_PARAM_BLD_new();
if (tmpl == NULL)
return 0;
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
int include_private = ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0);
if (!key_to_params(mkey, tmpl, NULL, include_private))
goto err;
}
params = OSSL_PARAM_BLD_to_param(tmpl);
if (params == NULL)
goto err;
ret = param_cb(params, cbarg);
OSSL_PARAM_free(params);
err:
OSSL_PARAM_BLD_free(tmpl);
debug_print("MLKEMKM export result %d\n", ret);
return ret;
}
static int ossl_mlkem_key_fromdata(MLKEM768_KEY *key,
const OSSL_PARAM params[],
int include_private)
{
size_t privkeylen = 0, pubkeylen = 0;
const OSSL_PARAM *param_priv_key = NULL, *param_pub_key;
unsigned char *pubkey;
if (key == NULL)
return 0;
if (key->keytype != MLKEM_KEY_TYPE_768)
return 0;
param_pub_key = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PUB_KEY);
if (include_private)
param_priv_key =
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY);
if (param_pub_key == NULL && param_priv_key == NULL)
return 0;
if (param_priv_key != NULL) {
if (!OSSL_PARAM_get_octet_string(param_priv_key,
(void **)&key->seckey,
MLKEM768_SECRETKEYBYTES,
&privkeylen))
return 0;
if (privkeylen != MLKEM768_SECRETKEYBYTES) {
debug_print("sec key len mismatch in import: %ld vs %d: HOWCAN?\n",
privkeylen, MLKEM768_SECRETKEYBYTES);
OPENSSL_secure_clear_free(key->seckey, privkeylen);
key->seckey = NULL;
return 0;
}
}
pubkey = key->pubkey;
if (param_pub_key != NULL
&& !OSSL_PARAM_get_octet_string(param_pub_key,
(void **)&pubkey,
ossl_mlkem768_PUBLIC_KEY_BYTES,
&pubkeylen))
return 0;
if ((param_pub_key != NULL && pubkeylen != ossl_mlkem768_PUBLIC_KEY_BYTES)) {
debug_print("sec key len mismatch in import: %ld vs %d: HOWCAN?\n",
pubkeylen, ossl_mlkem768_PUBLIC_KEY_BYTES);
return 0;
}
/*
* TBD if hybrid logic is not getting cleanly implemented in separate logic:
* reconstitute (only) classic part here
*/
return 1;
}
static int mlkem_import(void *key, int selection, const OSSL_PARAM params[])
{
MLKEM768_KEY *mkey = key;
int ok = 1;
int include_private;
debug_print("MLKEMKM import %p\n", mkey);
if (!ossl_prov_is_running() || key == NULL)
return 0;
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0)
return 0;
include_private = selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
ok = ok && ossl_mlkem_key_fromdata(mkey, params, include_private);
debug_print("MLKEMKM import result %d\n", ok);
return ok;
}
# define MLKEM768_KEY_TYPES() \
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0), \
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
static const OSSL_PARAM mlkem_key_types[] = {
MLKEM768_KEY_TYPES(),
OSSL_PARAM_END
};
static const OSSL_PARAM *mlkem_imexport_types(int selection)
{
debug_print("MLKEMKM getting imexport types\n");
if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0)
return mlkem_key_types;
return NULL;
}
#endif /* UNDEF */
static int mlkem_get_params(void *key, OSSL_PARAM params[])
{
MLKEM768_KEY *mkey = key;
OSSL_PARAM *p;
debug_print("MLKEMKM get params %p\n", mkey);
if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_BITS)) != NULL
&& !OSSL_PARAM_set_int(p, sizeof(ossl_mlkem768_private_key) * 8))
return 0;
if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_SECURITY_BITS)) != NULL
&& !OSSL_PARAM_set_int(p, OSSL_MLKEM768_SECURITY_BITS))
return 0;
if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_MAX_SIZE)) != NULL
&& !OSSL_PARAM_set_int(p, OSSL_MLKEM768_CIPHERTEXT_BYTES))
return 0;
if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY)) != NULL
&& mkey->pubkey_initialized == 1) {
if (!OSSL_PARAM_set_octet_string(p, mkey->encoded_pubkey, OSSL_MLKEM768_PUBLIC_KEY_BYTES))
return 0;
debug_print("MLKEMKM got encoded public key of len %d\n", OSSL_MLKEM768_PUBLIC_KEY_BYTES);
print_hex(mkey->encoded_pubkey, OSSL_MLKEM768_PUBLIC_KEY_BYTES, "enc PK");
}
debug_print("MLKEMKM get params OK\n");
return 1;
}
static const OSSL_PARAM mlkem_gettable_params_arr[] = {
OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL),
OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL),
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
OSSL_PARAM_END
};
static const OSSL_PARAM *mlkem_gettable_params(void *provctx)
{
debug_print("MLKEMKM gettable params called\n");
return mlkem_gettable_params_arr;
}
static int mlkem_set_params(void *key, const OSSL_PARAM params[])
{
MLKEM768_KEY *mkey = key;
const OSSL_PARAM *p;
debug_print("MLKEMKM set params called for %p\n", mkey);
if (params == NULL)
return 1;
p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
if (p != NULL) {
size_t len_stored;
if (p->data_size != OSSL_MLKEM768_PUBLIC_KEY_BYTES
|| !OSSL_PARAM_get_octet_string(p, (void **)&mkey->encoded_pubkey,
OSSL_MLKEM768_PUBLIC_KEY_BYTES,
&len_stored))
return 0;
debug_print("encoded pub key successfully stored with %ld bytes\n", len_stored);
if (!ossl_mlkem768_recreate_public_key(mkey->encoded_pubkey, &mkey->pubkey,
mkey->mlkem_ctx))
return 0;
mkey->pubkey_initialized = 1;
}
debug_print("MLKEMKM set params OK\n");
return 1;
}
static const OSSL_PARAM mlkem_settable_params_arr[] = {
OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
OSSL_PARAM_END
};
static const OSSL_PARAM *mlkem_settable_params(void *provctx)
{
debug_print("MLKEMKM settable params called\n");
return mlkem_settable_params_arr;
}
static void *mlkem_gen_init(void *provctx, int selection,
const OSSL_PARAM params[])
{
struct mlkem_gen_ctx *gctx = NULL;
debug_print("MLKEMKM gen init called for %p\n", provctx);
if (!ossl_prov_is_running())
return NULL;
if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) {
gctx->provctx = provctx;
gctx->selection = selection;
}
if (!mlkem_gen_set_params(gctx, params)) {
OPENSSL_free(gctx);
gctx = NULL;
}
debug_print("MLKEMKM gen init returns %p\n", gctx);
return gctx;
}
static int mlkem_gen_set_params(void *genctx, const OSSL_PARAM params[])
{
struct mlkem_gen_ctx *gctx = genctx;
if (gctx == NULL)
return 0;
debug_print("MLKEMKM empty gen_set params called for %p\n", gctx);
return 1;
}
static const OSSL_PARAM *mlkem_gen_settable_params(ossl_unused void *genctx,
ossl_unused void *provctx)
{
static OSSL_PARAM settable[] = {
OSSL_PARAM_END
};
return settable;
}
static void *mlkem_gen(void *vctx, OSSL_CALLBACK *osslcb, void *cbarg)
{
struct mlkem_gen_ctx *gctx = (struct mlkem_gen_ctx *)vctx;
MLKEM768_KEY *mkey;
debug_print("MLKEMKM gen called for %p\n", gctx);
if (gctx == NULL)
return NULL;
if ((mkey = mlkem_new(gctx->provctx)) == NULL) {
ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
return NULL;
}
/* If we're doing parameter generation then we just return a blank key */
if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) == 0) {
debug_print("MLKEMKM gen returns blank %p\n", mkey);
return mkey;
}
mkey->keytype = MLKEM_KEY_TYPE_768;
if (mkey->encoded_pubkey == NULL) {
mkey->encoded_pubkey = OPENSSL_malloc(OSSL_MLKEM768_PUBLIC_KEY_BYTES);
if (mkey->encoded_pubkey == NULL)
goto err;
}
if (!ossl_mlkem768_generate_key(mkey->encoded_pubkey, NULL, &mkey->seckey,
mkey->mlkem_ctx)
|| !ossl_mlkem768_public_from_private(&mkey->pubkey, &mkey->seckey))
goto err;
mkey->seckey_initialized = 1;
mkey->pubkey_initialized = 1;
debug_print("MLKEMKM gen returns set %p\n", mkey);
return mkey;
err:
OPENSSL_free(mkey);
return NULL;
}
static void mlkem_gen_cleanup(void *genctx)
{
struct mlkem_gen_ctx *gctx = genctx;
debug_print("MLKEMKM gen cleanup for %p\n", gctx);
OPENSSL_free(gctx);
}
static void *mlkem_dup(const void *vsrckey, int selection)
{
const MLKEM768_KEY *srckey = (const MLKEM768_KEY *)vsrckey;
MLKEM768_KEY *dstkey;
debug_print("MLKEMKM dup called for %p\n", srckey);
if (!ossl_prov_is_running())
return NULL;
dstkey = mlkem_new(srckey->provctx);
if (dstkey == NULL)
return NULL;
dstkey->keytype = srckey->keytype;
if (srckey->pubkey_initialized == 1
&& (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
memcpy((void *)&dstkey->pubkey, (void *)&srckey->pubkey, sizeof(srckey->pubkey));
dstkey->encoded_pubkey = OPENSSL_malloc(OSSL_MLKEM768_PUBLIC_KEY_BYTES);
if (srckey->encoded_pubkey != NULL)
memcpy(dstkey->encoded_pubkey, srckey->encoded_pubkey, OSSL_MLKEM768_PUBLIC_KEY_BYTES);
dstkey->pubkey_initialized = 1;
}
if (srckey->seckey_initialized == 1
&& (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
memcpy((void *)&dstkey->seckey, (void *)&srckey->seckey, sizeof(srckey->seckey));
dstkey->seckey_initialized = 1;
}
debug_print("MLKEMKM dup returns %p\n", dstkey);
return dstkey;
}
const OSSL_DISPATCH ossl_mlkem768_keymgmt_functions[] = {
{ OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))mlkem_new },
{ OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))mlkem_free },
{ OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))mlkem_get_params },
{ OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))mlkem_gettable_params },
{ OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void))mlkem_set_params },
{ OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void))mlkem_settable_params },
{ OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))mlkem_has },
{ OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))mlkem_match },
{ OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))mlkem_gen_init },
{ OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, (void (*)(void))mlkem_gen_set_params },
{ OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS,
(void (*)(void))mlkem_gen_settable_params },
{ OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))mlkem_gen },
{ OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))mlkem_gen_cleanup },
{ OSSL_FUNC_KEYMGMT_DUP, (void (*)(void))mlkem_dup },
/*
* TODO(ML-KEM) don't do for now, see https://github.com/openssl/private/issues/698
* { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))mlkem_imexport_types },
* { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))mlkem_imexport_types },
* { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))mlkem_export },
* { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))mlkem_import },
*/
OSSL_DISPATCH_END
};

7
test/build.info
View file

@ -1011,6 +1011,13 @@ IF[{- !$disabled{tests} -}]
INCLUDE[asn1_dsa_internal_test]=.. ../include ../apps/include
DEPEND[asn1_dsa_internal_test]=../libcrypto.a libtestutil.a
IF[{- !$disabled{'mlkem'} -}]
PROGRAMS{noinst}=mlkem_internal_test
SOURCE[mlkem_internal_test]=mlkem_internal_test.c
INCLUDE[mlkem_internal_test]=../include ../apps/include
DEPEND[mlkem_internal_test]=../libcrypto.a libtestutil.a
ENDIF
SOURCE[keymgmt_internal_test]=keymgmt_internal_test.c
INCLUDE[keymgmt_internal_test]=.. ../include ../apps/include
DEPEND[keymgmt_internal_test]=../libcrypto.a libtestutil.a

104
test/evp_extra_test.c
View file

@ -5912,6 +5912,109 @@ static int test_invalid_ctx_for_digest(void)
return ret;
}
static int test_ml_kem(void)
{
EVP_PKEY *akey, *bkey = NULL;
int res = 0;
size_t publen;
unsigned char *rawpub = NULL;
EVP_PKEY_CTX *ctx = NULL;
unsigned char *wrpkey = NULL, *agenkey = NULL, *bgenkey = NULL;
size_t wrpkeylen, agenkeylen, bgenkeylen, i;
/* Generate Alice's key */
akey = EVP_PKEY_Q_keygen(testctx, NULL, "ML-KEM-768");
if (!TEST_ptr(akey))
goto err;
/* Get the raw public key */
publen = EVP_PKEY_get1_encoded_public_key(akey, &rawpub);
if (!TEST_size_t_gt(publen, 0))
goto err;
/* Create Bob's key and populate it with Alice's public key data */
bkey = EVP_PKEY_new();
if (!TEST_ptr(bkey))
goto err;
if (!TEST_int_gt(EVP_PKEY_copy_parameters(bkey, akey), 0))
goto err;
if (!TEST_true(EVP_PKEY_set1_encoded_public_key(bkey, rawpub, publen)))
goto err;
/* Encapsulate Bob's key */
ctx = EVP_PKEY_CTX_new_from_pkey(testctx, bkey, NULL);
if (!TEST_ptr(ctx))
goto err;
if (!TEST_int_gt(EVP_PKEY_encapsulate_init(ctx, NULL), 0))
goto err;
if (!TEST_int_gt(EVP_PKEY_encapsulate(ctx, NULL, &wrpkeylen, NULL,
&bgenkeylen), 0))
goto err;
if (!TEST_size_t_gt(wrpkeylen, 0) || !TEST_size_t_gt(bgenkeylen, 0))
goto err;
wrpkey = OPENSSL_zalloc(wrpkeylen);
bgenkey = OPENSSL_zalloc(bgenkeylen);
if (!TEST_ptr(wrpkey) || !TEST_ptr(bgenkey))
goto err;
if (!TEST_int_gt(EVP_PKEY_encapsulate(ctx, wrpkey, &wrpkeylen, bgenkey,
&bgenkeylen), 0))
goto err;
EVP_PKEY_CTX_free(ctx);
/* Alice now decapsulates Bob's key */
ctx = EVP_PKEY_CTX_new_from_pkey(testctx, akey, NULL);
if (!TEST_ptr(ctx))
goto err;
if (!TEST_int_gt(EVP_PKEY_decapsulate_init(ctx, NULL), 0))
goto err;
if (!TEST_int_gt(EVP_PKEY_decapsulate(ctx, NULL, &agenkeylen, wrpkey,
wrpkeylen), 0))
goto err;
if (!TEST_size_t_gt(agenkeylen, 0))
goto err;
agenkey = OPENSSL_zalloc(agenkeylen);
if (!TEST_ptr(agenkey))
goto err;
if (!TEST_int_gt(EVP_PKEY_decapsulate(ctx, agenkey, &agenkeylen, wrpkey,
wrpkeylen), 0))
goto err;
/* Hopefully we ended up with a shared key */
if (!TEST_mem_eq(agenkey, agenkeylen, bgenkey, bgenkeylen))
goto err;
/* Verify we generated a non-zero shared key */
for (i = 0; i < agenkeylen; i++)
if (agenkey[i] != 0)
break;
if (!TEST_size_t_ne(i, agenkeylen))
return 0;
res = 1;
err:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(akey);
EVP_PKEY_free(bkey);
OPENSSL_free(rawpub);
OPENSSL_free(wrpkey);
OPENSSL_free(agenkey);
OPENSSL_free(bgenkey);
return res;
}
static int test_evp_cipher_pipeline(void)
{
OSSL_PROVIDER *fake_pipeline = NULL;
@ -6310,6 +6413,7 @@ int setup_tests(void)
#endif
ADD_TEST(test_invalid_ctx_for_digest);
ADD_TEST(test_ml_kem);
ADD_TEST(test_evp_cipher_pipeline);

90
test/mlkem_internal_test.c Normal file
View file

@ -0,0 +1,90 @@
/*
* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_STDIO
# include <stdio.h>
#endif
#include <crypto/mlkem.h>
#include <string.h>
#include "testutil.h"
#include "testutil/output.h"
int main(void)
{
uint8_t out_encoded_public_key[OSSL_MLKEM768_PUBLIC_KEY_BYTES];
uint8_t out_ciphertext[OSSL_MLKEM768_CIPHERTEXT_BYTES];
uint8_t out_shared_secret[OSSL_MLKEM768_SHARED_SECRET_BYTES];
uint8_t out_shared_secret2[OSSL_MLKEM768_SHARED_SECRET_BYTES];
ossl_mlkem768_private_key private_key;
ossl_mlkem768_public_key public_key;
ossl_mlkem768_public_key recreated_public_key;
uint8_t *p1, *p2;
ossl_mlkem_ctx *mlkem_ctx = ossl_mlkem_newctx(NULL, NULL);
int ret = 1;
/* enable TEST_* API */
test_open_streams();
/* first, generate a key pair */
if (!ossl_mlkem768_generate_key(out_encoded_public_key, NULL,
&private_key, mlkem_ctx)) {
ret = -1;
goto end;
}
/* public key component to be created from private key */
if (!ossl_mlkem768_public_from_private(&public_key, &private_key)) {
ret = -2;
goto end;
}
/* try to re-create public key structure from encoded public key */
if (!ossl_mlkem768_recreate_public_key(out_encoded_public_key,
&recreated_public_key, mlkem_ctx)) {
ret = -3;
goto end;
}
/* validate identity of both public key structures */
p1 = (uint8_t *)&public_key;
p2 = (uint8_t *)&recreated_public_key;
if (!TEST_int_eq(memcmp(p1, p2, sizeof(public_key)), 0)) {
ret = -4;
goto end;
}
/* encaps - decaps test: validate shared secret identity */
if (!ossl_mlkem768_encap(out_ciphertext, out_shared_secret,
&recreated_public_key, mlkem_ctx)) {
ret = -5;
goto end;
}
if (!ossl_mlkem768_decap(out_shared_secret2, out_ciphertext,
OSSL_MLKEM768_CIPHERTEXT_BYTES, &private_key, mlkem_ctx)) {
ret = -6;
goto end;
}
if (!TEST_int_eq(memcmp(out_shared_secret, out_shared_secret2,
OSSL_MLKEM768_SHARED_SECRET_BYTES), 0)) {
ret = -7;
goto end;
}
/* so far so good, now a quick negative test by breaking the ciphertext */
out_ciphertext[0]++;
if (!ossl_mlkem768_decap(out_shared_secret2, out_ciphertext,
OSSL_MLKEM768_CIPHERTEXT_BYTES, &private_key, mlkem_ctx))
goto end;
/* If decap passed, ensure we at least have a mismatch */
if (!TEST_int_ne(memcmp(out_shared_secret, out_shared_secret2,
OSSL_MLKEM768_SHARED_SECRET_BYTES), 0))
ret = -8;
end:
ossl_mlkem_ctx_free(mlkem_ctx);
return ret;
}