Added support for ML-KEM #874

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

antoinelochet wants to merge 1 commit into softhsm:main from antoinelochet:feature/ml-kem-pr

.github/workflows/ci.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -88,6 +88,7 @@ jobs: @@
               LDFLAGS: "-Wl,-rpath,/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
               PKG_CONFIG_PATH: "/usr/local/openssl-3.5/lib64/pkgconfig"
             run: |
+              set -x
               sudo apt-get update -qq
               sudo apt-get install -y libcppunit-dev p11-kit build-essential checkinstall zlib1g-dev sudo autoconf libtool git
               # Install OpenSSL 3.5
@@ Expand All / @@ -108,6 +109,7 @@ jobs: @@
               LDFLAGS: "-Wl,-rpath,/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
               PKG_CONFIG_PATH: "/usr/local/openssl-3.5/lib64/pkgconfig"
             run: |
+              set -x
               ./autogen.sh
               ./configure --with-crypto-backend=openssl --with-openssl=${{ env.OPENSSL_INSTALL_DIR }}
               make -j$(nproc)
@@ Expand Down Expand Up / @@ -187,8 +189,9 @@ jobs: @@
                 target-platform: x64
                 ossl-version: "3.5.4"
                 botan-version: ""
-                build-options: "-DENABLE_MLDSA=ON"
+                build-options: "-DENABLE_MLDSA=ON -DENABLE_MLKEM=ON"
                 mldsa-test: "true"
+                mlkem-test: "true"
         steps:
           - uses: actions/checkout@v4
           - uses: ilammy/msvc-dev-cmd@v1
@@ Expand Down Expand Up / @@ -223,5 +226,6 @@ jobs: @@
             env:
               CTEST_OUTPUT_ON_FAILURE: 1
               MLDSA_TEST: ${{ matrix.mldsa-test || '' }}
+              MLKEM_TEST: ${{ matrix.mlkem-test || '' }}
             run: |
               cmake --build build --target RUN_TESTS

.gitignore

-Original file line number
+Diff line change
@@ Expand Up / @@ -57,6 +57,8 @@ Botan-* @@
     ROOT
     *.cmake
     CMakeFiles
+    .idea/
+    .vscode/
     # Specifics
     softhsm2.module
@@ Expand Down @@

CMAKE-NOTES.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -12,6 +12,7 @@ Some options (more can be found in CMakeLists.txt): @@
     	-DDISABLE_NON_PAGED_MEMORY=ON	Disable non-paged memory for secure storage
     	-DENABLE_EDDSA=ON		Enable support for EDDSA
     	-DENABLE_MLDSA=ON		Enable support for ML-DSA
+    	-DENABLE_MLKEM=ON		Enable support for ML-KEM
     	-DWITH_MIGRATE=ON		Build migration tool
     	-DWITH_CRYPTO_BACKEND=openssl	Select crypto backend (openssl|botan)
@@ Expand Down @@

CMAKE-WIN-NOTES.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -52,7 +52,8 @@ Some options (more can be found in CMakeLists.txt): @@
     	-DBUILD_TESTS=ON                Compile tests along with libraries
     	-DENABLE_EDDSA=ON               Enable support for EDDSA
-        -DENABLE_MLDSA=ON               Enable support for ML-DSA
+    	-DENABLE_MLDSA=ON               Enable support for ML-DSA
+    	-DENABLE_MLKEM=ON               Enable support for ML-KEM
     	-DWITH_MIGRATE=ON               Build migration tool
     	-DWITH_CRYPTO_BACKEND=          Select crypto backend (openssl|botan)
     	-DDISABLE_NON_PAGED_MEMORY=ON   Disable non-paged memory for secure storage
@@ Expand Down @@

CMakeLists.txt

-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,7 @@ option(ENABLE_64bit "Enable 64-bit compiling" OFF) @@
     option(ENABLE_ECC "Enable support for ECC" ON)
     option(ENABLE_EDDSA "Enable support for EDDSA" ON)
     option(ENABLE_MLDSA "Enable support for ML-DSA" OFF)
+    option(ENABLE_MLKEM "Enable support for ML-KEM" OFF)
     option(ENABLE_GOST "Enable support for GOST" OFF)
     option(ENABLE_FIPS "Enable support for FIPS 140-2 mode" OFF)
     option(ENABLE_P11_KIT "Enable p11-kit integration" ON)
@@ Expand Down @@

README.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -82,7 +82,8 @@ Options: @@
     	--enable-ecc		Enable support for ECC (default detect)
     	--enable-gost		Enable support for GOST (default detect)
     	--enable-eddsa		Enable support for EDDSA (default detect)
-        --enable-mldsa		Enable support for ML-DSA (default detect)
+    	--enable-mldsa		Enable support for ML-DSA (default detect)
+    	--enable-mlkem		Enable support for ML-KEM (default detect)
     	--disable-visibility	Disable hidden visibilty link mode [enabled]
     	--with-crypto-backend	Select crypto backend (openssl|botan)
     	--with-openssl=PATH	Specify prefix of path of OpenSSL
@@ Expand Down @@

cmake/modules/CompilerOptions.cmake

-Original file line number
+Diff line change
@@ Expand Up / @@ -391,6 +391,27 @@ elseif(WITH_CRYPTO_BACKEND STREQUAL "openssl") @@
             message(STATUS "OpenSSL: Support for ML-DSA is disabled")
         endif(ENABLE_MLDSA)
+        # acx_openssl_mlkem.m4
+        if(ENABLE_MLKEM)
+            # ML-DSA
+            set(testfile ${CMAKE_SOURCE_DIR}/cmake/modules/tests/test_openssl_mlkem.c)
+            try_run(RUN_MLKEM COMPILE_RESULT
+                    "${CMAKE_BINARY_DIR}/prebuild_santity_tests" ${testfile}
+                    LINK_LIBRARIES ${CRYPTO_LIBS}
+                    CMAKE_FLAGS
+                    "-DINCLUDE_DIRECTORIES=${CRYPTO_INCLUDES}"
+            )
+            if(COMPILE_RESULT AND RUN_MLKEM EQUAL 0)
+                set(WITH_ML_KEM 1)
+                message(STATUS "OpenSSL: Found ML-KEM")
+            else()
+                set(error_msg "OpenSSL: Cannot find ML-KEM! OpenSSL library has no ML-KEM support!")
+                message(FATAL_ERROR ${error_msg})
+            endif()
+        else(ENABLE_MLKEM)
+            message(STATUS "OpenSSL: Support for ML-KEM is disabled")
+        endif(ENABLE_MLKEM)
         # acx_openssl_gost.m4
         if(ENABLE_GOST)
             set(testfile ${CMAKE_SOURCE_DIR}/cmake/modules/tests/test_openssl_gost.c)
@@ Expand Down @@

cmake/modules/tests/test_openssl_mlkem.c

-Original file line number
+Diff line change
@@ -0,0 +1,12 @@
+    #include <openssl/evp.h>
+    #include <openssl/objects.h>
+    int main()
+    {
+        EVP_PKEY_CTX *ctx;
+        ctx = EVP_PKEY_CTX_new_from_name(NULL, "ML-KEM-512", NULL);
+        if (ctx == NULL)
+            return 1;
+        EVP_PKEY_CTX_free(ctx);
+        return 0;
+    }

config.h.in.cmake

-Original file line number
+Diff line change
@@ Expand Up / @@ -154,6 +154,9 @@ @@
     /* Compile with ML-DSA support */
     #cmakedefine WITH_ML_DSA @WITH_ML_DSA@
+    /* Compile with ML-KEM support */
+    #cmakedefine WITH_ML_KEM @WITH_ML_KEM@
     /* Compile with FIPS 140-2 mode */
     #cmakedefine WITH_FIPS @WITH_FIPS@
@@ Expand Down @@

m4/acx_crypto_backend.m4

-Original file line number
+Diff line change
@@ Expand Up / @@ -38,6 +38,16 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ @@
     		[enable_mldsa="detect"]
     	)
+    	# Add ML-KEM check
+    	AC_ARG_ENABLE(mlkem,
+    		AS_HELP_STRING([--enable-mlkem],
+    			[Enable support for ML-KEM (default detect)]
+    		),
+    		[enable_mlkem="${enableval}"],
+    		[enable_mlkem="detect"]
+    	)
     	# Second check for the FIPS 140-2 mode
     	AC_ARG_ENABLE(fips,
@@ Expand Down Expand Up / @@ -119,6 +129,15 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ @@
     			detect-no) enable_mldsa="no";;
     		esac
+    		case "${enable_mlkem}" in
+    			yes|detect) ACX_OPENSSL_MLKEM;;
+    		esac
+    		case "${enable_mlkem}-${have_lib_openssl_mlkem_support}" in
+    			yes-no) AC_MSG_ERROR([OpenSSL library has no ML-KEM support]);;
+    			detect-yes) enable_mlkem="yes";;
+    			detect-no) enable_mlkem="no";;
+    		esac
     		case "${enable_gost}-${enable_fips}" in
     			yes-yes) AC_MSG_ERROR([GOST is not FIPS approved]);;
     			yes-no|detect-no) ACX_OPENSSL_GOST;;
@@ Expand Down Expand Up / @@ -189,6 +208,10 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ @@
                 AC_MSG_ERROR([Botan does not support ML-DSA])
             fi
+            if test "x${enable_mlkem}" = "xyes"; then
+                AC_MSG_ERROR([Botan does not support ML-KEM])
+            fi
     		case "${enable_gost}" in
     			yes|detect) ACX_BOTAN_GOST;;
     		esac
@@ Expand Down Expand Up / @@ -267,6 +290,19 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[ @@
     	fi
     	AM_CONDITIONAL([WITH_ML_DSA], [test "x${enable_mldsa}" = "xyes"])
+    	AC_MSG_CHECKING(for ML-KEM support)
+    	if test "x${enable_mlkem}" = "xyes"; then
+    		AC_MSG_RESULT(yes)
+    		AC_DEFINE_UNQUOTED(
+    			[WITH_ML_KEM],
+    			[],
+    			[Compile with ML-KEM support]
+    		)
+    	else
+    		AC_MSG_RESULT(no)
+    	fi
+    	AM_CONDITIONAL([WITH_ML_KEM], [test "x${enable_mlkem}" = "xyes"])
     	AC_SUBST(CRYPTO_INCLUDES)
     	AC_SUBST(CRYPTO_LIBS)
@@ Expand Down @@

m4/acx_openssl_mlkem.m4

-Original file line number
+Diff line change
@@ -0,0 +1,43 @@
+    AC_DEFUN([ACX_OPENSSL_MLKEM],[
+    	AC_MSG_CHECKING(for OpenSSL ML-KEM support)
+    	tmp_CPPFLAGS=$CPPFLAGS
+    	tmp_LIBS=$LIBS
+    	CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES"
+    	LIBS="$CRYPTO_LIBS $LIBS"
+    	AC_LANG_PUSH([C])
+    	AC_CACHE_VAL([acx_cv_lib_openssl_mlkem_support],[
+    		acx_cv_lib_openssl_mlkem_support=no
+    		AC_RUN_IFELSE([
+    			AC_LANG_SOURCE([[
+    				#include <openssl/evp.h>
+    				#include <openssl/objects.h>
+    				int main()
+    				{
+    					EVP_PKEY_CTX *pctx =
+        					EVP_PKEY_CTX_new_from_name(NULL, "ML-KEM-512", NULL);
+    						if (pctx == NULL)
+    							return 1;
+    						return 0;
+    				}
+    			]])
+    		],[
+    			AC_MSG_RESULT([yes])
+    			acx_cv_lib_openssl_mlkem_support=yes
+    		],[
+    			AC_MSG_RESULT([no])
+    			acx_cv_lib_openssl_mlkem_support=no
+    		],[
+    			AC_MSG_WARN([Cannot test, ML-KEM])
+    			acx_cv_lib_openssl_mlkem_support=no
+    		])
+    	])
+    	AC_LANG_POP([C])
+    	CPPFLAGS=$tmp_CPPFLAGS
+    	LIBS=$tmp_LIBS
+    	have_lib_openssl_mlkem_support="${acx_cv_lib_openssl_mlkem_support}"
+    ])

src/bin/dump/tables.h

-Original file line number
+Diff line change
@@ Expand Up @@
     	t[CKM_EDDSA] = "CKM_EDDSA";
     	t[CKM_ML_DSA_KEY_PAIR_GEN] = "CKM_ML_DSA_KEY_PAIR_GEN";
     	t[CKM_ML_DSA] = "CKM_ML_DSA";
+    	t[CKM_ML_KEM_KEY_PAIR_GEN] = "CKM_ML_KEM_KEY_PAIR_GEN";
+    	t[CKM_ML_KEM] = "CKM_ML_KEM";
     }
     void fill_CKO_table(std::map<unsigned long, std::string> &t)
@@ Expand Down Expand Up @@
     	t[CKK_GOST28147] = "CKK_GOST28147";
     	t[CKK_EC_EDWARDS] = "CKK_EC_EDWARDS";
     	t[CKK_ML_DSA] = "CKK_ML_DSA";
+    	t[CKK_ML_KEM] = "CKK_ML_KEM";
     }
     void fill_CKC_table(std::map<unsigned long, std::string> &t)
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added support for ML-KEM #874

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!

Added support for ML-KEM #874

Are you sure you want to change the base?

Uh oh!

Added support for ML-KEM #874

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!

Uh oh!