
Commit 6a0b31e

authored
Add support for ML-KEM (#453)
* Add support for ML-KEM * clang-format * Add testing of ML-KEM * Speculatively enable OQS for OpenSSL 3 and BoringSSL * Update build configuration to work for OpenSSL 3 and BoringSSL * Add implementations using OpenSSL3 and BoringSSL * Remove BoringSSL support because of missing SHAKE256 * clang-format * CI fixes * Test against the HPKE PQ test vectors * Pass test vectors * clang-format * Change config order to avoid imposing flags on libOQS * Use liboqs from environment instead of vendored version * Use vcpkg for libOQS * Revert hack changes * Build interop tests with OpenSSL 3
1 parent c13d725 commit 6a0b31e


23 files changed

+4677
-66
lines changed


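--- a/.github/workflows/main_ci.yml
+++ b/.github/workflows/main_ci.yml
@@ -35,7 +35,7 @@ jobs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 steps:
 - uses: dorny/paths-filter@v3
-id: filterV
+id: filter_version
 with:
 filters: |
 hpke:
@@ -45,7 +45,7 @@ jobs:
 
 - id: set-matrix
 run: |
-if [ ${{ steps.filter.outputs.hpke }} = "true" ];
+if [ ${{ steps.filter_version.outputs.hpke }} = "true" ];
 then
 echo "matrix=[\"openssl_1.1\",\"openssl_3\",\"boringssl\"]" >> $GITHUB_OUTPUT;
 else
@@ -63,7 +63,7 @@ jobs:
 uses: jidicula/[email protected]
 with:
 clang-format-version: 16
-include-regex: '^\./(src|include|test|cmd)/.*\.(cpp|h)$'
+include-regex: '^\./(src|include|test|cmd|lib)/.*\.(cpp|h)$'
 fallback-style: 'Mozilla'
 
 build-and-unit-test:
@@ -81,7 +81,7 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 with:
-submodules: recursive
+submodules: true
 fetch-depth: 0
 
 - uses: ./.github/actions/prepare-build
@@ -106,7 +106,7 @@ jobs:
 runs-on: ubuntu-latest
 
 env:
-CRYPTO_DIR: "./alternatives/openssl_1.1"
+CRYPTO_DIR: "./alternatives/openssl_3"
 
 steps:
 - uses: actions/checkout@v4
@@ -117,13 +117,13 @@ jobs:
 - uses: ./.github/actions/prepare-build
 with:
 os: ubuntu-latest
-crypto-dir: openssl_1.1
+crypto-dir: openssl_3
 cache-dir: ${{ github.workspace }}/vcpkg_cache
 
 - name: Build
 run: |
-cmake -B "${{ runner.temp }}/build_openssl_1.1" -DVCPKG_MANIFEST_DIR="${{ env.CRYPTO_DIR }}"
-cmake --build "${{ runner.temp }}/build_openssl_1.1"
+cmake -B "${{ runner.temp }}/build_openssl_3" -DVCPKG_MANIFEST_DIR="${{ env.CRYPTO_DIR }}"
+cmake --build "${{ runner.temp }}/build_openssl_3"
 
 - name: Build (Interop Harness)
 run: |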
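Review bot: In the `set-matrix` step the step output is still expanded unquoted inside the test, `if [ ${{ steps.filter_version.outputs.hpke }} = "true" ];`, so an empty output becomes `[ = "true" ]`, a shell error that drops into the `else` branch, which is presumably how the old mismatched `filterV`/`filter` ids went unnoticed. Quoting the expansion, `if [ "${{ steps.filter_version.outputs.hpke }}" = "true" ];`, makes a missing output an ordinary false comparison. Passing the value through an `env:` entry and testing the shell variable would also keep the expression out of the script text. The `else` branch continues outside the hunk.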

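--- a/alternatives/openssl_1.1/vcpkg.json
+++ b/alternatives/openssl_1.1/vcpkg.json
@@ -8,9 +8,10 @@
 "version>=": "1.1.1n"
 },
 "catch2",
+"liboqs",
 "nlohmann-json"
 ],
-"builtin-baseline": "eb33d2f7583405fca184bcdf7fdd5828ec88ac05",
+"builtin-baseline": "3bbc2809d3625cb83a0d7cbd413bd6ad769d46d4",
 "overrides": [
 {
 "name": "openssl",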

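--- a/alternatives/openssl_3/vcpkg.json
+++ b/alternatives/openssl_3/vcpkg.json
@@ -5,7 +5,7 @@
 "dependencies": [
 {
 "name": "openssl",
-"version>=": "3.0.7"
+"version>=": "3.5.0"
 },
 "catch2",
 "nlohmann-json"
@@ -14,7 +14,7 @@
 "overrides": [
 {
 "name": "openssl",
-"version": "3.0.7"
+"version": "3.5.0"
 },
 {
 "name": "catch2",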

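--- a/cmd/interop/CMakeLists.txt
+++ b/cmd/interop/CMakeLists.txt
@@ -14,7 +14,7 @@ set(CMAKE_CXX_STANDARD_REQUIRED ON)
 
 if (CMAKE_CXX_COMPILER_ID MATCHES "Clang" OR CMAKE_CXX_COMPILER_ID MATCHES "GNU")
 # XXX(RLB) -Wmissing-declarations causes gRPC generated code not to build
-add_compile_options(-Wall -pedantic -Wextra -Werror)
+add_compile_options(-Wall -pedantic -Wextra -Werror -Wno-nullability-extension)
 elseif(MSVC)
 # XXX(RLB) Protobuf and gRPC cannot build with these additional errors enabled
 # add_compile_options(/W4 /WX)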
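Review bot: `-Wno-nullability-extension` is added to the `-Werror` set without saying which header needs it, and the comment directly above only explains `-Wmissing-declarations`, so a later reader cannot tell when the suppression can be dropped. I would add a comment on that line such as `# -Wno-nullability-extension: <dependency> headers use nullability qualifiers; remove once fixed upstream`, filling in the dependency. The flag is a Clang diagnostic but the branch also matches GNU; GCC normally stays quiet about unknown `-Wno-` options, yet putting it under a Clang-only condition would make the intent explicit. The `if` block ends outside the hunk.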

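--- a/cmd/interop/Makefile
+++ b/cmd/interop/Makefile
@@ -1,13 +1,15 @@
 BUILD_DIR=build
 TEST_VECTOR_DIR=${BUILD_DIR}/third_party/src/mls-interop-extern/test-vectors
 APP_NAME=mlspp_client
+TOOLCHAIN_FILE=../../vcpkg/scripts/buildsystems/vcpkg.cmake
 
 .PHONY: all run format clean cclean
 
 all: ${BUILD_DIR}/${APP_NAME}
 
 ${BUILD_DIR}:
-cmake -B${BUILD_DIR} -DCMAKE_BUILD_TYPE=Debug .
+cmake -B${BUILD_DIR} -DCMAKE_BUILD_TYPE=Debug . \
+-DCMAKE_TOOLCHAIN_FILE=${TOOLCHAIN_FILE}
 
 ${BUILD_DIR}/${APP_NAME}: ${BUILD_DIR} src/*.cpp
 cmake --build ${BUILD_DIR} --target ${APP_NAME}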

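--- a/cmd/interop/vcpkg.json
+++ b/cmd/interop/vcpkg.json
@@ -5,18 +5,18 @@
 "dependencies": [
 {
 "name": "openssl",
-"version>=": "1.1.1n"
+"version>=": "3.5.0"
 },
 "protobuf",
 "grpc",
 "gflags",
 "nlohmann-json"
 ],
-"builtin-baseline": "0d5cae153065957df7f382de7c1549ccc88027e5",
+"builtin-baseline": "3bbc2809d3625cb83a0d7cbd413bd6ad769d46d4",
 "overrides": [
 {
 "name": "openssl",
-"version-string": "1.1.1n"
+"version-string": "3.5.0"
 }
 ]
 }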

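--- a/lib/hpke/CMakeLists.txt
+++ b/lib/hpke/CMakeLists.txt
@@ -42,11 +42,11 @@ if ( OPENSSL_FOUND )
 
 elseif (REQUIRE_BORINGSSL)
 message(FATAL_ERROR "BoringSSL required but not found")
-endif ()
-
-if (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3)
+elseif (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3)
 target_compile_definitions(${CURRENT_LIB_NAME} PUBLIC WITH_OPENSSL3)
-elseif(${OPENSSL_VERSION} VERSION_LESS 1.1.1)
+elseif (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 1.1.1)
+set(USING_LIBOQS ON)
+else()
 message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required")
 endif()
 message(STATUS "OpenSSL Found: ${OPENSSL_VERSION}")
@@ -63,6 +63,12 @@ target_link_libraries(${CURRENT_LIB_NAME}
 OpenSSL::Crypto
 )
 
+# LibOQS as needed.
+if(USING_LIBOQS)
+find_package(liboqs)
+target_link_libraries(${CURRENT_LIB_NAME} PRIVATE OQS::oqs)
+endif()
+
 target_include_directories(${CURRENT_LIB_NAME}
 PUBLIC
 $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>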
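Review bot: `find_package(liboqs)` in the second hunk has no `REQUIRED`, so on an OpenSSL 1.1.1 build without liboqs the miss is at most a warning and the hard failure comes later as an unresolved `OQS::oqs` target. This branch is what supplies ML-KEM for OpenSSL 1.1.1, so I would fail at the find with `find_package(liboqs REQUIRED)`. In the first hunk the version checks are now `elseif` arms of a chain whose opening `if` is outside the hunk, so the "OpenSSL 1.1.1 or greater is required" check no longer runs when an earlier arm is taken. If that is intended, a comment such as `# version checks apply only when the earlier branches are not taken` would record it.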

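--- a/lib/hpke/include/hpke/hpke.h
+++ b/lib/hpke/include/hpke/hpke.h
@@ -19,6 +19,9 @@ struct KEM
 DHKEM_X25519_SHA256 = 0x0020,
 #if !defined(WITH_BORINGSSL)
 DHKEM_X448_SHA512 = 0x0021,
+MLKEM512 = 0x0040,
+MLKEM768 = 0x0041,
+MLKEM1024 = 0x0042,
 #endif
 };
 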
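Review bot: The three ML-KEM identifiers are added inside the `#if !defined(WITH_BORINGSSL)` guard with no comment, so a reader has to find the commit message to learn why BoringSSL builds lack them. A comment above `MLKEM512`, for example `// ML-KEM KEM IDs; not available with BoringSSL (no SHAKE256)`, would record that next to the values. Because the set of enumerators now differs by backend, any code that maps a KEM ID received from a peer onto this enum should reject 0x0040–0x0042 explicitly on BoringSSL builds; that mapping is not visible here, so it is worth checking. The enum and `struct KEM` start outside the hunk.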

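--- a/lib/hpke/scripts/format-test-vectors.go
+++ b/lib/hpke/scripts/format-test-vectors.go
@@ -63,10 +63,10 @@ func (b ByteString) MarhsalTLS() ([]byte, error) {
 }
 
 type EncryptionTestVector struct {
-Plaintext ByteString `json:"plaintext"`
+Plaintext ByteString `json:"pt"`
 AAD ByteString `json:"aad"`
 Nonce ByteString `json:"nonce"`
-Ciphertext ByteString `json:"ciphertext"`
+Ciphertext ByteString `json:"ct"`
 }
 
 type EncryptionTestVectors []EncryptionTestVector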
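Review bot: With the JSON tags renamed to `pt` and `ct`, an input file that still uses `plaintext`/`ciphertext` will decode without error and leave both fields empty, assuming these structs are filled by `encoding/json`. For a script that produces the vectors the HPKE tests run against, an empty plaintext/ciphertext pair is easy to miss and weakens what the tests prove. I would decode with `DisallowUnknownFields()` or check after decoding that `Ciphertext` is non-empty. The decoding code is outside this hunk, so where that check belongs is a guess.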

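--- a/lib/hpke/scripts/go.mod
+++ b/lib/hpke/scripts/go.mod
@@ -1,6 +1,8 @@
 module main
 
-go 1.16
+go 1.23.0
+
+toolchain go1.24.10
 
 require (
 github.com/cisco/go-tls-syntax v0.0.0-20200617162716-46b0cfb76b9b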
