From 8835f07bb5edc815161663c87917cb560eed169c Mon Sep 17 00:00:00 2001 From: Andrew Hopkins Date: Mon, 9 Sep 2024 15:22:23 -0700 Subject: [PATCH 1/3] Update benchmark documentation in tool/readme.md (#1812) ### Description of changes: Update the documentation to use the more flexible `BENCHMARK_LIBS` option that supports more libraries than the previous options. ### Testing: Ran all the commands locally to ensure they work as expected. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --- tool/README.md | 75 ++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 60 insertions(+), 15 deletions(-) diff --git a/tool/README.md b/tool/README.md index af04cef42e..d03e847910 100644 --- a/tool/README.md +++ b/tool/README.md @@ -15,10 +15,9 @@ The speed subtool of `bssl` runs a performance test for a number of cryptographi ## Benchmarking Tools When compiled, AWS-LC will generate separate benchmarking tools when provided with corresponding compiler flags. These tools take the same arguments as `bssl speed` tool. -The `awslc_bm` tool is expected to be used when benchmarking an installation of AWS-LC with a different speed tool: e.g. +This tool also supports building a newer benchmark with an older version of AWS-LC's code: e.g. build and install AWS-LC FIPS from 2021 but run the latest benchmark tool from main. To benchmark the AWS-LC libcrypto -from the current folder it is recomended to run `bssl speed` which executes the same code as other benchmarks: e.g. -`ossl_1_1_bm`. +from the current folder it is recommended to run `bssl speed` which executes the same code as other benchmarks. Additionally, the speed tool now prints a message when it is benchmarking a non-release build of AWS-LC instead of a release build of the project. @@ -28,24 +27,70 @@ Running each tool without any options (e.g. `./awslc_bm`) will run all available Additionally, there are a number of arguments that enable different functionality: * `-filter` provides a filter on the benchmarking tests to be run. * `-timeout` sets the number of seconds each test is run for (default 1). +* `-threads` is a comma-separated list of thread counts to run multithreaded benchmarks (default is "1,2,4,8,16,32,64") * `-chunks` is a comma-separated list of input sizes to run tests at (default is " "16,256,1350,8192,16384) * `-json` has the tool print the output of each benchmark in JSON format. For example, `./awslc_bm -filter AES -timeout 10 -chunks 16, 256, -json` will run all AES-related tests with input sizes of 16 and 256 for 10 seconds, and output the results in JSON format. -## Setup -In order to build the above-mentioned benchmarking tools, absolute paths to each libaries' install location must be provided via compiler flags. - -### Compiler Flags -| Tool Name | Compiler Flag | -| ------------- | ------------- | - | bssl speed | (none) | -| awslc_bm | -DAWSLC_INSTALL_DIR | -| bssl_bm | -DBORINGSSL_INSTALL_DIR | -| ossl_1_0_bm | -DOPENSSL_1_0_INSTALL_DIR | -| ossl_1_1_bm | -DOPENSSL_1_1_INSTALL_DIR | -| ossl_3_0_bm | -DOPENSSL_3_0_INSTALL_DIR | +## Comparison Setup +The AWS-LC benchmark supports building and running with other common libcryptos. +Build and install the other libcryptos you would like to test with locally, for +example building AWS-LC 2022 FIPS branch and OpenSSL 3.3 to compare with AWS-LC +main branch: + +```bash +mkdir ~/aws-lc-benchmark && pushd ~/aws-lc-benchmark + +git clone -b openssl-3.3 --depth 1 https://github.com/openssl/openssl.git openssl-3.3-src +pushd openssl-3.3-src +./config --prefix="${HOME}/aws-lc-benchmark/openssl-3.3-install" --openssldir="${HOME}/aws-lc-benchmark/openssl-3.3-install" +make -j +make install_sw +popd + + +git clone -b fips-2022-11-02 --depth 1 https://github.com/aws/aws-lc.git aws-lc-fips-src +pushd aws-lc-fips-src +cmake -DCMAKE_INSTALL_PREFIX="${HOME}/aws-lc-benchmark/aws-lc-fips-install" -DCMAKE_BUILD_TYPE=Release -DFIPS=1 -DBUILD_SHARED_LIBS=1 +make -j install +popd && popd +``` + +To build the main branch speed.cc against other libraries pass in the +BENCHMARK_LIBS option when running CMake. BENCHMARK_LIBS is a list of tuples, +the format is `executable_name:install_path`. `executable_name` is the name for +the benchmark that AWS-LC will build with whatever library is in `install_path`. +Multiple libraries can be specified with a semicolon between them: +`executable1_name:executable1_install_path;executable1_name:executable1_install_path;` + +To build AWS-LC main speed.cc against the two previously built libcrypto libraries +(AWS-LC FIPS 2022 and OpenSSL 3.3): +```bash +pushd ~/aws-lc-benchmark +git clone -b main --depth 1 https://github.com/aws/aws-lc.git aws-lc-main-src +pushd aws-lc-main-src +cmake -DCMAKE_BUILD_TYPE=Release -DBENCHMARK_LIBS="\ +aws-lc-fips-2022:${HOME}/aws-lc-benchmark/aws-lc-fips-install;\ +openssl-3-3:${HOME}/aws-lc-benchmark/openssl-3.3-install;" +make -j +popd && popd +``` + +This will build 3 relevant binaries: +* `~/aws-lc-benchmark/aws-lc-main-src/tool/bssl` is the complete tool build with the main branch of code, `speed` is required to run the benchmark +* `~/aws-lc-benchmark/aws-lc-main-src/tool/aws-lc-fips-2022` is the main branch of speed.cc built with the AWS-LC FIPS 2022 install +* `~/aws-lc-benchmark/aws-lc-main-src/tool/openssl-3-3` is the main branch of speed.cc built with the OpenSSL 3.3 install + +Not all benchmarks will be available with all libraries, for example OpenSSL 3.3 +does not support ML-KEM. + +``` +~/aws-lc-benchmark/aws-lc-main-src/tool/bssl speed -filter P-256 +~/aws-lc-benchmark/aws-lc-main-src/tool/aws-lc-fips-2022 -filter P-256 +~/aws-lc-benchmark/aws-lc-main-src/tool/openssl-3-3 -filter P-256 +``` ### Expected Directory Structure Additionally, the benchmarking tools expects specific directory structures for the provided install locations for each From 89683991d1e664b6b0ed93feb9c25a0a30015954 Mon Sep 17 00:00:00 2001 From: torben-hansen <50673096+torben-hansen@users.noreply.github.com> Date: Mon, 9 Sep 2024 15:25:50 -0700 Subject: [PATCH 2/3] Pre jail unit test (#1835) #1825 improved the sandbox mode. This PR adds a unit test to catch obvious sandbox configuration oversights. It works by creating a small application that installs a seccomp filter. Any syscalls, except a small subset, invoked by AWS-LC will trigger the filter. We both check that the filter will trip on AWS-LC without configuration sandbox mode and that the filter doesn't trip when sandbox mode is configured. --- .github/workflows/misc-tests.yaml | 28 +++++++++++++ SANDBOXING.md | 5 +++ tests/ci/run_presandbox_tests.sh | 70 +++++++++++++++++++++++++++++++ tests/ci/test_apps/seccomp_app.c | 60 ++++++++++++++++++++++++++ 4 files changed, 163 insertions(+) create mode 100644 .github/workflows/misc-tests.yaml create mode 100755 tests/ci/run_presandbox_tests.sh create mode 100644 tests/ci/test_apps/seccomp_app.c diff --git a/.github/workflows/misc-tests.yaml b/.github/workflows/misc-tests.yaml new file mode 100644 index 0000000000..126111a88c --- /dev/null +++ b/.github/workflows/misc-tests.yaml @@ -0,0 +1,28 @@ +name: Misc tests +on: + push: + branches: [ '*' ] + pull_request: + branches: [ '*' ] +concurrency: + group: ${{ github.workflow }}-${{ github.ref_name }} + cancel-in-progress: true +jobs: + pre-sandbox: + if: github.repository_owner == 'aws' + runs-on: ubuntu-latest + steps: + - name: Install OS Dependencies + run: | + sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none + sudo apt-get -y --no-install-recommends install \ + cmake clang ninja-build golang + echo "CC=clang" >> $GITHUB_ENV + echo "CXX=clang++" >> $GITHUB_ENV + - name: Install seccomp dependencies + run: | + sudo apt-get -y --no-install-recommends install libseccomp-dev + - uses: actions/checkout@v3 + - name: Test sandbox configuration + run: | + ./tests/ci/run_presandbox_tests.sh diff --git a/SANDBOXING.md b/SANDBOXING.md index 0f3eb70051..f2d5b97ae1 100644 --- a/SANDBOXING.md +++ b/SANDBOXING.md @@ -120,6 +120,11 @@ Once initialized, this mechanism does not require system calls in the steady state, though note the configured page will be inherited across privilege transitions. +### Snapsafe protection + +Similar considerations to fork protection. The Snapsafe protection +implementation maps a page that can trip sandboxes. + ## C and C++ standard library BoringSSL depends on the C and C++ standard libraries which, themselves, do not diff --git a/tests/ci/run_presandbox_tests.sh b/tests/ci/run_presandbox_tests.sh new file mode 100755 index 0000000000..839f3b0170 --- /dev/null +++ b/tests/ci/run_presandbox_tests.sh @@ -0,0 +1,70 @@ +#!/usr/bin/env bash +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# SPDX-License-Identifier: Apache-2.0 OR ISC + +# We expect an executable failure in this test. Hence, don't use -e. +set -xo pipefail + +source tests/ci/common_posix_setup.sh + +# libseccomp is required to run this tests. Typically this package is named +# either libseccomp-dev or libseccomp-devel. + +# Set up environment. + +# SYS_ROOT +# | +# - SRC_ROOT(aws-lc) +# | +# - SCRATCH_FOLDER +# | +# - seccomp app binary +# - AWS_LC_BUILD_FOLDER +# - AWS_LC_INSTALL_FOLDER + +# Assumes script is executed from the root of aws-lc directory +SCRATCH_FOLDER=${SYS_ROOT}/"SCRATCH_AWSLC_PRESANDBOX_TEST" +AWS_LC_BUILD_FOLDER="${SCRATCH_FOLDER}/aws-lc-build" +AWS_LC_INSTALL_FOLDER="${SCRATCH_FOLDER}/aws-lc-install" +: "${CC:=gcc}" + +# Make script execution idempotent. +mkdir -p ${SCRATCH_FOLDER} +rm -rf "${SCRATCH_FOLDER:?}"/* +cd ${SCRATCH_FOLDER} + +aws_lc_build "$SRC_ROOT" "$AWS_LC_BUILD_FOLDER" "$AWS_LC_INSTALL_FOLDER" \ + -DBUILD_TESTING=OFF -DBUILD_TOOL=OFF -DCMAKE_BUILD_TYPE=RelWithDebInfo \ + -DBUILD_SHARED_LIBS=OFF + +# Check which AWS-LC library folder name we must use. +if [ -d ${AWS_LC_INSTALL_FOLDER}/lib64 ]; then + AWS_LC_LIBRARY_FOLDER="lib64" +else + AWS_LC_LIBRARY_FOLDER="lib" +fi + +function seccomp_build() { + __CFLAGS=${1} + ${CC} -I${SRC_ROOT}/include ${__CFLAGS} \ + ${SRC_ROOT}/tests/ci/test_apps/seccomp_app.c -o seccomp_app \ + -lseccomp -L${AWS_LC_INSTALL_FOLDER}/${AWS_LC_LIBRARY_FOLDER} -lcrypto -pthread +} + +echo "Test that AWS-LC performs syscalls that will trip the seccomp filter." +seccomp_build "" +./seccomp_app +if [ $? -eq 0 ]; then + echo "Failure: expected AWS-LC syscalls to trip the seccomp filter." + exit 1 +fi + +echo "Test that when AWS-LC is sandbox configured, the seccomp filter does not trip." +seccomp_build "-DUSE_AWS_LC_PRE_SANDBOX" +./seccomp_app +if [ $? -ne 0 ]; then + echo "Failure: AWS-LC is sandbox configured but something tripped the seccomp filter." + exit 1 +fi + +echo "Pre-sandbox test succeeded." diff --git a/tests/ci/test_apps/seccomp_app.c b/tests/ci/test_apps/seccomp_app.c new file mode 100644 index 0000000000..a58fa0302e --- /dev/null +++ b/tests/ci/test_apps/seccomp_app.c @@ -0,0 +1,60 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 OR ISC + +#include +#include +#include +#include + +#include +#include + +static void enable_seccomp(void) { + + // Kill on all system calls by default. + scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) { + exit(EXIT_FAILURE); + } + + // Allow write and exit system calls. In addition, on success we exit with + // exit_group. Hence, allow that as well. + seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); + seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0); + seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); + + if (seccomp_load(ctx) < 0) { + seccomp_release(ctx); + exit(EXIT_FAILURE); + } + + seccomp_release(ctx); +} + +int main() { + + const char notice[] = "\nTesting AWS-LC pre-sandbox.\n"; +#if defined(USE_AWS_LC_PRE_SANDBOX) + const char status[] = "Pre-sandbox configuration is ENABLED, expect success.\n\n"; +#else + const char status[] = "Pre-sandbox configuration is DISABLED, expect failure.\n\n"; +#endif + + write(STDOUT_FILENO, notice, sizeof(notice)); + write(STDOUT_FILENO, status, sizeof(status)); + +#if defined(USE_AWS_LC_PRE_SANDBOX) + // Must be invoked before enabling seccomp filter. + CRYPTO_pre_sandbox_init(); +#endif + + // Enable seccomp filter. + enable_seccomp(); + + uint8_t buffer[10]; + if (RAND_bytes(buffer, 10) != 1) { + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; +} From e4092fb224a2336b8e0d908f311924794d739042 Mon Sep 17 00:00:00 2001 From: torben-hansen <50673096+torben-hansen@users.noreply.github.com> Date: Mon, 9 Sep 2024 16:05:44 -0700 Subject: [PATCH 3/3] Move EVP KEM implementation to in-module and correct OID (#1838) Moves EVP KEM virtual method tables to in-module. Also adds the OIDs for ML-KEM. --- crypto/CMakeLists.txt | 1 - crypto/evp_extra/internal.h | 1 - crypto/evp_extra/p_methods.c | 1 - crypto/fipsmodule/bcm.c | 1 + crypto/fipsmodule/evp/evp_ctx.c | 12 +--- crypto/fipsmodule/evp/internal.h | 7 ++- crypto/{evp_extra => fipsmodule/evp}/p_kem.c | 56 ++++++++--------- crypto/fipsmodule/kem/kem.c | 10 +++- crypto/obj/obj_dat.h | 63 ++++++++++++++++---- crypto/obj/objects.txt | 9 +-- include/openssl/nid.h | 4 ++ 11 files changed, 105 insertions(+), 60 deletions(-) rename crypto/{evp_extra => fipsmodule/evp}/p_kem.c (93%) diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index f59503faa5..8887df791e 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt @@ -426,7 +426,6 @@ add_library( evp_extra/p_ec_asn1.c evp_extra/p_ed25519_asn1.c evp_extra/p_hmac_asn1.c - evp_extra/p_kem.c evp_extra/p_kem_asn1.c evp_extra/p_rsa_asn1.c evp_extra/p_x25519.c diff --git a/crypto/evp_extra/internal.h b/crypto/evp_extra/internal.h index 2b21f574f4..85b4f123df 100644 --- a/crypto/evp_extra/internal.h +++ b/crypto/evp_extra/internal.h @@ -46,7 +46,6 @@ extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; extern const EVP_PKEY_METHOD x25519_pkey_meth; extern const EVP_PKEY_METHOD hkdf_pkey_meth; extern const EVP_PKEY_METHOD dilithium3_pkey_meth; -extern const EVP_PKEY_METHOD kem_pkey_meth; extern const EVP_PKEY_METHOD hmac_pkey_meth; extern const EVP_PKEY_METHOD dh_pkey_meth; diff --git a/crypto/evp_extra/p_methods.c b/crypto/evp_extra/p_methods.c index 3f8428aa20..70f0573458 100644 --- a/crypto/evp_extra/p_methods.c +++ b/crypto/evp_extra/p_methods.c @@ -12,7 +12,6 @@ static const EVP_PKEY_METHOD *const non_fips_pkey_evp_methods[] = { #ifdef ENABLE_DILITHIUM &dilithium3_pkey_meth, #endif - &kem_pkey_meth, &dh_pkey_meth, }; diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c index 083247b89e..e83bc81076 100644 --- a/crypto/fipsmodule/bcm.c +++ b/crypto/fipsmodule/bcm.c @@ -115,6 +115,7 @@ #include "evp/p_ed25519.c" #include "evp/p_hkdf.c" #include "evp/p_hmac.c" +#include "evp/p_kem.c" #include "evp/p_rsa.c" #include "hkdf/hkdf.c" #include "hmac/hmac.c" diff --git a/crypto/fipsmodule/evp/evp_ctx.c b/crypto/fipsmodule/evp/evp_ctx.c index c7b391689d..e659e317dc 100644 --- a/crypto/fipsmodule/evp/evp_ctx.c +++ b/crypto/fipsmodule/evp/evp_ctx.c @@ -74,19 +74,13 @@ DEFINE_LOCAL_DATA(struct fips_evp_pkey_methods, AWSLC_fips_evp_pkey_methods) { out->methods[3] = EVP_PKEY_hkdf_pkey_meth(); out->methods[4] = EVP_PKEY_hmac_pkey_meth(); out->methods[5] = EVP_PKEY_ed25519_pkey_meth(); + out->methods[6] = EVP_PKEY_kem_pkey_meth(); } static const EVP_PKEY_METHOD *evp_pkey_meth_find(int type) { - // First try the fips public key methods. At a later stage, we might want to - // reorder these such that we go through the list with the most used public - // key method first. - // Currently, ED25519 and x25519 in the non-fips list are likely not more popular - // than RSA and ECC in the fips list. They may make their way in the fips list when - // https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf - // and - // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf - // are finalised. + // First we search through the FIPS public key methods. We assume these are + // the most popular. const struct fips_evp_pkey_methods *const fips_methods = AWSLC_fips_evp_pkey_methods(); for (size_t i = 0; i < FIPS_EVP_PKEY_METHODS; i++) { if (fips_methods->methods[i]->pkey_id == type) { diff --git a/crypto/fipsmodule/evp/internal.h b/crypto/fipsmodule/evp/internal.h index be3eeaa29f..0a278a7959 100644 --- a/crypto/fipsmodule/evp/internal.h +++ b/crypto/fipsmodule/evp/internal.h @@ -335,13 +335,13 @@ typedef struct { #define ED25519_PUBLIC_KEY_OFFSET 32 -#define FIPS_EVP_PKEY_METHODS 6 +#define FIPS_EVP_PKEY_METHODS 7 #ifdef ENABLE_DILITHIUM -#define NON_FIPS_EVP_PKEY_METHODS 4 +#define NON_FIPS_EVP_PKEY_METHODS 3 #define ASN1_EVP_PKEY_METHODS 9 #else -#define NON_FIPS_EVP_PKEY_METHODS 3 +#define NON_FIPS_EVP_PKEY_METHODS 2 #define ASN1_EVP_PKEY_METHODS 8 #endif @@ -355,6 +355,7 @@ const EVP_PKEY_METHOD *EVP_PKEY_ec_pkey_meth(void); const EVP_PKEY_METHOD *EVP_PKEY_hkdf_pkey_meth(void); const EVP_PKEY_METHOD *EVP_PKEY_hmac_pkey_meth(void); const EVP_PKEY_METHOD *EVP_PKEY_ed25519_pkey_meth(void); +const EVP_PKEY_METHOD *EVP_PKEY_kem_pkey_meth(void); #if defined(__cplusplus) } // extern C diff --git a/crypto/evp_extra/p_kem.c b/crypto/fipsmodule/evp/p_kem.c similarity index 93% rename from crypto/evp_extra/p_kem.c rename to crypto/fipsmodule/evp/p_kem.c index 11395ad01b..c5c310e122 100644 --- a/crypto/evp_extra/p_kem.c +++ b/crypto/fipsmodule/evp/p_kem.c @@ -6,10 +6,10 @@ #include #include -#include "../fipsmodule/evp/internal.h" -#include "../fipsmodule/delocate.h" -#include "../fipsmodule/kem/internal.h" -#include "../internal.h" +#include "internal.h" +#include "../delocate.h" +#include "../kem/internal.h" +#include "../../internal.h" #include "internal.h" typedef struct { @@ -293,35 +293,35 @@ static int pkey_kem_decapsulate(EVP_PKEY_CTX *ctx, return 0; } - // The size of the shared secret that has been writen to the output buffer. + // The size of the shared secret that has been written to the output buffer. *shared_secret_len = kem->shared_secret_len; return 1; } -const EVP_PKEY_METHOD kem_pkey_meth = { - EVP_PKEY_KEM, - pkey_kem_init, - NULL, - pkey_kem_cleanup, - pkey_kem_keygen, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, - pkey_kem_keygen_deterministic, - pkey_kem_encapsulate_deterministic, - pkey_kem_encapsulate, - pkey_kem_decapsulate, -}; +DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_kem_pkey_meth) { + out->pkey_id = EVP_PKEY_KEM; + out->init = pkey_kem_init; + out->copy = NULL; + out->cleanup = pkey_kem_cleanup; + out->keygen = pkey_kem_keygen; + out->sign_init = NULL; + out->sign = NULL; + out->sign_message = NULL; + out->verify_init = NULL; + out->verify = NULL; + out->verify_message = NULL; + out->verify_recover = NULL; + out->encrypt = NULL; + out->decrypt = NULL; + out->derive = pkey_hkdf_derive; + out->paramgen = NULL; + out->ctrl = NULL; + out->keygen_deterministic = pkey_kem_keygen_deterministic; + out->encapsulate_deterministic = pkey_kem_encapsulate_deterministic; + out->encapsulate = pkey_kem_encapsulate; + out->decapsulate = pkey_kem_decapsulate; +} // Additional KEM specific EVP functions. diff --git a/crypto/fipsmodule/kem/kem.c b/crypto/fipsmodule/kem/kem.c index 2b81935b1e..5f8947cf33 100644 --- a/crypto/fipsmodule/kem/kem.c +++ b/crypto/fipsmodule/kem/kem.c @@ -8,9 +8,13 @@ #include "../ml_kem/ml_kem.h" #include "internal.h" -static const uint8_t kOIDMLKEM512[] = {0xff, 0xff, 0xff, 0xff}; -static const uint8_t kOIDMLKEM768[] = {0xff, 0xff, 0xff, 0xff}; -static const uint8_t kOIDMLKEM1024[] = {0xff, 0xff, 0xff, 0xff}; +// https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration +// 2.16.840.1.101.3.4.4.1 +static const uint8_t kOIDMLKEM512[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x01}; +// 2.16.840.1.101.3.4.4.2 +static const uint8_t kOIDMLKEM768[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x02}; +// 2.16.840.1.101.3.4.4.3 +static const uint8_t kOIDMLKEM1024[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x03}; static int ml_kem_1024_keygen_deterministic(uint8_t *public_key, uint8_t *secret_key, diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h index 8f53d2ee83..f29f031bf2 100644 --- a/crypto/obj/obj_dat.h +++ b/crypto/obj/obj_dat.h @@ -7176,6 +7176,15 @@ static const uint8_t kObjectData[] = { 0x04, 0x02, 0x0a, + /* NID_kem */ + 0x60, + 0x86, + 0x48, + 0x01, + 0x65, + 0x03, + 0x04, + 0x04, /* NID_DILITHIUM3_R3 */ 0x2b, 0x06, @@ -7230,6 +7239,36 @@ static const uint8_t kObjectData[] = { 0x0f, 0x63, 0x33, + /* NID_MLKEM512 */ + 0x60, + 0x86, + 0x48, + 0x01, + 0x65, + 0x03, + 0x04, + 0x04, + 0x01, + /* NID_MLKEM768 */ + 0x60, + 0x86, + 0x48, + 0x01, + 0x65, + 0x03, + 0x04, + 0x04, + 0x02, + /* NID_MLKEM1024 */ + 0x60, + 0x86, + 0x48, + 0x01, + 0x65, + 0x03, + 0x04, + 0x04, + 0x03, }; static const ASN1_OBJECT kObjects[NUM_NID] = { @@ -8882,30 +8921,30 @@ static const ASN1_OBJECT kObjects[NUM_NID] = { {"SHA3-384", "sha3-384", NID_sha3_384, 9, &kObjectData[6214], 0}, {"SHA3-512", "sha3-512", NID_sha3_512, 9, &kObjectData[6223], 0}, {"HKDF", "hkdf", NID_hkdf, 0, NULL, 0}, - {"KEM", "kem", NID_kem, 0, NULL, 0}, + {"KEM", "kem", NID_kem, 8, &kObjectData[6232], 0}, {"KYBER512", "KYBER512", NID_KYBER512, 0, NULL, 0}, {"KYBER512_R3", "KYBER512_R3", NID_KYBER512_R3, 0, NULL, 0}, {"KYBER768_R3", "KYBER768_R3", NID_KYBER768_R3, 0, NULL, 0}, {"KYBER1024_R3", "KYBER1024_R3", NID_KYBER1024_R3, 0, NULL, 0}, {"DILITHIUM3_R3", "DILITHIUM3_R3", NID_DILITHIUM3_R3, 11, - &kObjectData[6232], 0}, + &kObjectData[6240], 0}, {"ffdhe2048", "ffdhe2048", NID_ffdhe2048, 0, NULL, 0}, {"ffdhe4096", "ffdhe4096", NID_ffdhe4096, 0, NULL, 0}, - {"SHA512-224", "sha512-224", NID_sha512_224, 9, &kObjectData[6243], 0}, - {"SHAKE128", "shake128", NID_shake128, 9, &kObjectData[6252], 0}, - {"SHAKE256", "shake256", NID_shake256, 9, &kObjectData[6261], 0}, + {"SHA512-224", "sha512-224", NID_sha512_224, 9, &kObjectData[6251], 0}, + {"SHAKE128", "shake128", NID_shake128, 9, &kObjectData[6260], 0}, + {"SHAKE256", "shake256", NID_shake256, 9, &kObjectData[6269], 0}, {"SecP256r1Kyber768Draft00", "SecP256r1Kyber768Draft00", - NID_SecP256r1Kyber768Draft00, 5, &kObjectData[6270], 0}, + NID_SecP256r1Kyber768Draft00, 5, &kObjectData[6278], 0}, {"X25519Kyber768Draft00", "X25519Kyber768Draft00", - NID_X25519Kyber768Draft00, 5, &kObjectData[6275], 0}, + NID_X25519Kyber768Draft00, 5, &kObjectData[6283], 0}, {"ffdhe3072", "ffdhe3072", NID_ffdhe3072, 0, NULL, 0}, {"ffdhe8192", "ffdhe8192", NID_ffdhe8192, 0, NULL, 0}, {"MLKEM512IPD", "MLKEM512IPD", NID_MLKEM512IPD, 0, NULL, 0}, {"MLKEM768IPD", "MLKEM768IPD", NID_MLKEM768IPD, 0, NULL, 0}, {"MLKEM1024IPD", "MLKEM1024IPD", NID_MLKEM1024IPD, 0, NULL, 0}, - {"MLKEM512", "MLKEM512", NID_MLKEM512, 0, NULL, 0}, - {"MLKEM768", "MLKEM768", NID_MLKEM768, 0, NULL, 0}, - {"MLKEM1024", "MLKEM1024", NID_MLKEM1024, 0, NULL, 0}, + {"MLKEM512", "MLKEM512", NID_MLKEM512, 9, &kObjectData[6288], 0}, + {"MLKEM768", "MLKEM768", NID_MLKEM768, 9, &kObjectData[6297], 0}, + {"MLKEM1024", "MLKEM1024", NID_MLKEM1024, 9, &kObjectData[6306], 0}, }; static const uint16_t kNIDsInShortNameOrder[] = { @@ -11458,6 +11497,7 @@ static const uint16_t kNIDsInOIDOrder[] = { 785 /* 1.3.6.1.5.5.7.48.5 (OBJ_caRepository) */, 780 /* 1.3.6.1.5.5.8.1.1 (OBJ_hmac_md5) */, 781 /* 1.3.6.1.5.5.8.1.2 (OBJ_hmac_sha1) */, + 970 /* 2.16.840.1.101.3.4.4 (OBJ_kem) */, 58 /* 2.16.840.1.113730.1 (OBJ_netscape_cert_extension) */, 59 /* 2.16.840.1.113730.2 (OBJ_netscape_data_type) */, 438 /* 0.9.2342.19200300.100.1 (OBJ_pilotAttributeType) */, @@ -11593,6 +11633,9 @@ static const uint16_t kNIDsInOIDOrder[] = { 980 /* 2.16.840.1.101.3.4.2.12 (OBJ_shake256) */, 802 /* 2.16.840.1.101.3.4.3.1 (OBJ_dsa_with_SHA224) */, 803 /* 2.16.840.1.101.3.4.3.2 (OBJ_dsa_with_SHA256) */, + 988 /* 2.16.840.1.101.3.4.4.1 (OBJ_MLKEM512) */, + 989 /* 2.16.840.1.101.3.4.4.2 (OBJ_MLKEM768) */, + 990 /* 2.16.840.1.101.3.4.4.3 (OBJ_MLKEM1024) */, 71 /* 2.16.840.1.113730.1.1 (OBJ_netscape_cert_type) */, 72 /* 2.16.840.1.113730.1.2 (OBJ_netscape_base_url) */, 73 /* 2.16.840.1.113730.1.3 (OBJ_netscape_revocation_url) */, diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt index e928f13cf7..b11f231a16 100644 --- a/crypto/obj/objects.txt +++ b/crypto/obj/objects.txt @@ -1381,7 +1381,8 @@ nist_sha3hashalgs 12 : SHAKE256 : shake256 : HKDF : hkdf # NIDs for KEM type and specific KEMs (no corresponding OID). - : KEM : kem +!Alias nist_kem nistAlgorithms 4 +nist_kem : KEM : kem : KYBER512 : KYBER512_R3 : KYBER768_R3 @@ -1389,9 +1390,9 @@ nist_sha3hashalgs 12 : SHAKE256 : shake256 : MLKEM512IPD : MLKEM768IPD : MLKEM1024IPD - : MLKEM512 - : MLKEM768 - : MLKEM1024 +nist_kem 1 : MLKEM512 +nist_kem 2 : MLKEM768 +nist_kem 3 : MLKEM1024 # OID for DILITHIUM3 SIG Round-3. These are temp values from # https://github.com/IETF-Hackathon/pqc-certificates/blob/master/docs/oid_mapping.md diff --git a/include/openssl/nid.h b/include/openssl/nid.h index b39324b080..a88301fdf2 100644 --- a/include/openssl/nid.h +++ b/include/openssl/nid.h @@ -4281,6 +4281,7 @@ extern "C" { #define SN_kem "KEM" #define LN_kem "kem" #define NID_kem 970 +#define OBJ_kem 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L #define SN_KYBER512 "KYBER512" #define NID_KYBER512 971 @@ -4344,12 +4345,15 @@ extern "C" { #define SN_MLKEM512 "MLKEM512" #define NID_MLKEM512 988 +#define OBJ_MLKEM512 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L, 1L #define SN_MLKEM768 "MLKEM768" #define NID_MLKEM768 989 +#define OBJ_MLKEM768 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L, 2L #define SN_MLKEM1024 "MLKEM1024" #define NID_MLKEM1024 990 +#define OBJ_MLKEM1024 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L, 3L #if defined(__cplusplus) } /* extern C */