diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index f59503faa5..8887df791e 100644
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -426,7 +426,6 @@ add_library(
evp_extra/p_ec_asn1.c
evp_extra/p_ed25519_asn1.c
evp_extra/p_hmac_asn1.c
- evp_extra/p_kem.c
evp_extra/p_kem_asn1.c
evp_extra/p_rsa_asn1.c
evp_extra/p_x25519.c
diff --git a/crypto/evp_extra/internal.h b/crypto/evp_extra/internal.h
index 2b21f574f4..85b4f123df 100644
--- a/crypto/evp_extra/internal.h
+++ b/crypto/evp_extra/internal.h
@@ -46,7 +46,6 @@ extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth;
extern const EVP_PKEY_METHOD x25519_pkey_meth;
extern const EVP_PKEY_METHOD hkdf_pkey_meth;
extern const EVP_PKEY_METHOD dilithium3_pkey_meth;
-extern const EVP_PKEY_METHOD kem_pkey_meth;
extern const EVP_PKEY_METHOD hmac_pkey_meth;
extern const EVP_PKEY_METHOD dh_pkey_meth;
diff --git a/crypto/evp_extra/p_methods.c b/crypto/evp_extra/p_methods.c
index 3f8428aa20..70f0573458 100644
--- a/crypto/evp_extra/p_methods.c
+++ b/crypto/evp_extra/p_methods.c
@@ -12,7 +12,6 @@ static const EVP_PKEY_METHOD *const non_fips_pkey_evp_methods[] = {
#ifdef ENABLE_DILITHIUM
&dilithium3_pkey_meth,
#endif
- &kem_pkey_meth,
&dh_pkey_meth,
};
diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index 083247b89e..e83bc81076 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@@ -115,6 +115,7 @@
#include "evp/p_ed25519.c"
#include "evp/p_hkdf.c"
#include "evp/p_hmac.c"
+#include "evp/p_kem.c"
#include "evp/p_rsa.c"
#include "hkdf/hkdf.c"
#include "hmac/hmac.c"
diff --git a/crypto/fipsmodule/evp/evp_ctx.c b/crypto/fipsmodule/evp/evp_ctx.c
index c7b391689d..e659e317dc 100644
--- a/crypto/fipsmodule/evp/evp_ctx.c
+++ b/crypto/fipsmodule/evp/evp_ctx.c
@@ -74,19 +74,13 @@ DEFINE_LOCAL_DATA(struct fips_evp_pkey_methods, AWSLC_fips_evp_pkey_methods) {
out->methods[3] = EVP_PKEY_hkdf_pkey_meth();
out->methods[4] = EVP_PKEY_hmac_pkey_meth();
out->methods[5] = EVP_PKEY_ed25519_pkey_meth();
+ out->methods[6] = EVP_PKEY_kem_pkey_meth();
}
static const EVP_PKEY_METHOD *evp_pkey_meth_find(int type) {
- // First try the fips public key methods. At a later stage, we might want to
- // reorder these such that we go through the list with the most used public
- // key method first.
- // Currently, ED25519 and x25519 in the non-fips list are likely not more popular
- // than RSA and ECC in the fips list. They may make their way in the fips list when
- // https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf
- // and
- // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
- // are finalised.
+ // First we search through the FIPS public key methods. We assume these are
+ // the most popular.
const struct fips_evp_pkey_methods *const fips_methods = AWSLC_fips_evp_pkey_methods();
for (size_t i = 0; i < FIPS_EVP_PKEY_METHODS; i++) {
if (fips_methods->methods[i]->pkey_id == type) {
diff --git a/crypto/fipsmodule/evp/internal.h b/crypto/fipsmodule/evp/internal.h
index be3eeaa29f..0a278a7959 100644
--- a/crypto/fipsmodule/evp/internal.h
+++ b/crypto/fipsmodule/evp/internal.h
@@ -335,13 +335,13 @@ typedef struct {
#define ED25519_PUBLIC_KEY_OFFSET 32
-#define FIPS_EVP_PKEY_METHODS 6
+#define FIPS_EVP_PKEY_METHODS 7
#ifdef ENABLE_DILITHIUM
-#define NON_FIPS_EVP_PKEY_METHODS 4
+#define NON_FIPS_EVP_PKEY_METHODS 3
#define ASN1_EVP_PKEY_METHODS 9
#else
-#define NON_FIPS_EVP_PKEY_METHODS 3
+#define NON_FIPS_EVP_PKEY_METHODS 2
#define ASN1_EVP_PKEY_METHODS 8
#endif
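Review bot: `out->methods[6] = EVP_PKEY_kem_pkey_meth();` in `crypto/fipsmodule/evp/evp_ctx.c` is tied to `FIPS_EVP_PKEY_METHODS` only by hand, and that macro is bumped in a different file (the `crypto/fipsmodule/evp/internal.h` hunk that follows). The loop in `evp_pkey_meth_find` reads `fips_methods->methods[i]->pkey_id` for every index below the count, so a count that runs ahead of the assignments leaves an unassigned slot that the loop dereferences; a count that lags would, if the array is sized by the same macro (its declaration is not in the hunk), turn `methods[6]` into an out-of-bounds write. I would record the invariant next to the assignments, `// Every index below FIPS_EVP_PKEY_METHODS must be assigned here; evp_pkey_meth_find dereferences each entry.` Both function bodies continue outside the hunk.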
@@ -355,6 +355,7 @@ const EVP_PKEY_METHOD *EVP_PKEY_ec_pkey_meth(void);
const EVP_PKEY_METHOD *EVP_PKEY_hkdf_pkey_meth(void);
const EVP_PKEY_METHOD *EVP_PKEY_hmac_pkey_meth(void);
const EVP_PKEY_METHOD *EVP_PKEY_ed25519_pkey_meth(void);
+const EVP_PKEY_METHOD *EVP_PKEY_kem_pkey_meth(void);
#if defined(__cplusplus)
} // extern C
diff --git a/crypto/evp_extra/p_kem.c b/crypto/fipsmodule/evp/p_kem.c
similarity index 93%
rename from crypto/evp_extra/p_kem.c
rename to crypto/fipsmodule/evp/p_kem.c
index 11395ad01b..c5c310e122 100644
--- a/crypto/evp_extra/p_kem.c
+++ b/crypto/fipsmodule/evp/p_kem.c
@@ -6,10 +6,10 @@
#include
#include
-#include "../fipsmodule/evp/internal.h"
-#include "../fipsmodule/delocate.h"
-#include "../fipsmodule/kem/internal.h"
-#include "../internal.h"
+#include "internal.h"
+#include "../delocate.h"
+#include "../kem/internal.h"
+#include "../../internal.h"
#include "internal.h"
typedef struct {
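Review bot: After the rename, the include hunk of `crypto/fipsmodule/evp/p_kem.c` has `#include "internal.h"` twice: the added first line and the unchanged last one, which used to resolve to `crypto/evp_extra/internal.h` and now resolves to the same FIPS-module header. The repeat is presumably harmless behind an include guard, but it reads as if two different headers were intended. Drop the trailing `#include "internal.h"`, or, if a declaration from the old header is still needed (not visible here), name it explicitly as `#include "../../evp_extra/internal.h"`.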
@@ -293,35 +293,35 @@ static int pkey_kem_decapsulate(EVP_PKEY_CTX *ctx,
return 0;
}
- // The size of the shared secret that has been writen to the output buffer.
+ // The size of the shared secret that has been written to the output buffer.
*shared_secret_len = kem->shared_secret_len;
return 1;
}
-const EVP_PKEY_METHOD kem_pkey_meth = {
- EVP_PKEY_KEM,
- pkey_kem_init,
- NULL,
- pkey_kem_cleanup,
- pkey_kem_keygen,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- pkey_kem_keygen_deterministic,
- pkey_kem_encapsulate_deterministic,
- pkey_kem_encapsulate,
- pkey_kem_decapsulate,
-};
+DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_kem_pkey_meth) {
+ out->pkey_id = EVP_PKEY_KEM;
+ out->init = pkey_kem_init;
+ out->copy = NULL;
+ out->cleanup = pkey_kem_cleanup;
+ out->keygen = pkey_kem_keygen;
+ out->sign_init = NULL;
+ out->sign = NULL;
+ out->sign_message = NULL;
+ out->verify_init = NULL;
+ out->verify = NULL;
+ out->verify_message = NULL;
+ out->verify_recover = NULL;
+ out->encrypt = NULL;
+ out->decrypt = NULL;
+ out->derive = pkey_hkdf_derive;
+ out->paramgen = NULL;
+ out->ctrl = NULL;
+ out->keygen_deterministic = pkey_kem_keygen_deterministic;
+ out->encapsulate_deterministic = pkey_kem_encapsulate_deterministic;
+ out->encapsulate = pkey_kem_encapsulate;
+ out->decapsulate = pkey_kem_decapsulate;
+}
// Additional KEM specific EVP functions.
diff --git a/crypto/fipsmodule/kem/kem.c b/crypto/fipsmodule/kem/kem.c
index 2b81935b1e..5f8947cf33 100644
--- a/crypto/fipsmodule/kem/kem.c
+++ b/crypto/fipsmodule/kem/kem.c
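Review bot: `out->derive = pkey_hkdf_derive;` in the new `EVP_PKEY_kem_pkey_meth` table changes behaviour inside what is otherwise a mechanical conversion: the removed positional initializer has twelve `NULL` entries between `pkey_kem_keygen` and `pkey_kem_keygen_deterministic`, so the `derive` slot was `NULL` before. The name presumably resolves only because `bcm.c` includes `evp/p_hkdf.c` ahead of `evp/p_kem.c` in one translation unit, which suggests a copy-paste from the HKDF method table. If a derive call on an `EVP_PKEY_KEM` context can reach this pointer (the dispatch code is outside the hunk), the HKDF routine would interpret the KEM context data as its own state, a type confusion inside the FIPS module. Restore `out->derive = NULL;` and add a test asserting that derive on a KEM context is rejected.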
@@ -8,9 +8,13 @@
#include "../ml_kem/ml_kem.h"
#include "internal.h"
-static const uint8_t kOIDMLKEM512[] = {0xff, 0xff, 0xff, 0xff};
-static const uint8_t kOIDMLKEM768[] = {0xff, 0xff, 0xff, 0xff};
-static const uint8_t kOIDMLKEM1024[] = {0xff, 0xff, 0xff, 0xff};
+// https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
+// 2.16.840.1.101.3.4.4.1
+static const uint8_t kOIDMLKEM512[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x01};
+// 2.16.840.1.101.3.4.4.2
+static const uint8_t kOIDMLKEM768[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x02};
+// 2.16.840.1.101.3.4.4.3
+static const uint8_t kOIDMLKEM1024[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x03};
static int ml_kem_1024_keygen_deterministic(uint8_t *public_key, uint8_t *secret_key,
diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h
index 8f53d2ee83..f29f031bf2 100644
--- a/crypto/obj/obj_dat.h
+++ b/crypto/obj/obj_dat.h
@@ -7176,6 +7176,15 @@ static const uint8_t kObjectData[] = { 0x04, 0x02, 0x0a, + /* NID_kem */ + 0x60, + 0x86, + 0x48, + 0x01, + 0x65, + 0x03, + 0x04, + 0x04, /* NID_DILITHIUM3_R3 */ 0x2b, 0x06,
@@ -7230,6 +7239,36 @@ static const uint8_t kObjectData[] = { 0x0f, 0x63, 0x33, + /* NID_MLKEM512 */ + 0x60, + 0x86, + 0x48, + 0x01, + 0x65, + 0x03, + 0x04, + 0x04, + 0x01, + /* NID_MLKEM768 */ + 0x60, + 0x86, + 0x48, + 0x01, + 0x65, + 0x03, + 0x04, + 0x04, + 0x02, + /* NID_MLKEM1024 */ + 0x60, + 0x86, + 0x48, + 0x01, + 0x65, + 0x03, + 0x04, + 0x04, + 0x03, }; static const ASN1_OBJECT kObjects[NUM_NID] = {
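Review bot: The three `kOIDMLKEM*` arrays in `crypto/fipsmodule/kem/kem.c` hand-encode the same DER bytes that this commit also registers for `NID_MLKEM512/768/1024` in `objects.txt` and the generated `obj_dat.h`, and nothing visible keeps the two copies in step. A later edit to one side would leave KEM lookup by OID and lookup by NID disagreeing without any build error. I would extend the comment on the first array to `// Must match the nist_kem entries in crypto/obj/objects.txt.` and add a unit test that compares each array with the encoding registered for the matching NID.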
@@ -8882,30 +8921,30 @@ static const ASN1_OBJECT kObjects[NUM_NID] = { {"SHA3-384", "sha3-384", NID_sha3_384, 9, &kObjectData[6214], 0}, {"SHA3-512", "sha3-512", NID_sha3_512, 9, &kObjectData[6223], 0}, {"HKDF", "hkdf", NID_hkdf, 0, NULL, 0}, - {"KEM", "kem", NID_kem, 0, NULL, 0}, + {"KEM", "kem", NID_kem, 8, &kObjectData[6232], 0}, {"KYBER512", "KYBER512", NID_KYBER512, 0, NULL, 0}, {"KYBER512_R3", "KYBER512_R3", NID_KYBER512_R3, 0, NULL, 0}, {"KYBER768_R3", "KYBER768_R3", NID_KYBER768_R3, 0, NULL, 0}, {"KYBER1024_R3", "KYBER1024_R3", NID_KYBER1024_R3, 0, NULL, 0}, {"DILITHIUM3_R3", "DILITHIUM3_R3", NID_DILITHIUM3_R3, 11, - &kObjectData[6232], 0}, + &kObjectData[6240], 0}, {"ffdhe2048", "ffdhe2048", NID_ffdhe2048, 0, NULL, 0}, {"ffdhe4096", "ffdhe4096", NID_ffdhe4096, 0, NULL, 0}, - {"SHA512-224", "sha512-224", NID_sha512_224, 9, &kObjectData[6243], 0}, - {"SHAKE128", "shake128", NID_shake128, 9, &kObjectData[6252], 0}, - {"SHAKE256", "shake256", NID_shake256, 9, &kObjectData[6261], 0}, + {"SHA512-224", "sha512-224", NID_sha512_224, 9, &kObjectData[6251], 0}, + {"SHAKE128", "shake128", NID_shake128, 9, &kObjectData[6260], 0}, + {"SHAKE256", "shake256", NID_shake256, 9, &kObjectData[6269], 0}, {"SecP256r1Kyber768Draft00", "SecP256r1Kyber768Draft00", - NID_SecP256r1Kyber768Draft00, 5, &kObjectData[6270], 0}, + NID_SecP256r1Kyber768Draft00, 5, &kObjectData[6278], 0}, {"X25519Kyber768Draft00", "X25519Kyber768Draft00", - NID_X25519Kyber768Draft00, 5, &kObjectData[6275], 0}, + NID_X25519Kyber768Draft00, 5, &kObjectData[6283], 0}, {"ffdhe3072", "ffdhe3072", NID_ffdhe3072, 0, NULL, 0}, {"ffdhe8192", "ffdhe8192", NID_ffdhe8192, 0, NULL, 0}, {"MLKEM512IPD", "MLKEM512IPD", NID_MLKEM512IPD, 0, NULL, 0}, {"MLKEM768IPD", "MLKEM768IPD", NID_MLKEM768IPD, 0, NULL, 0}, {"MLKEM1024IPD", "MLKEM1024IPD", NID_MLKEM1024IPD, 0, NULL, 0}, - {"MLKEM512", "MLKEM512", NID_MLKEM512, 0, NULL, 0}, - {"MLKEM768", "MLKEM768", NID_MLKEM768, 0, NULL, 0}, - {"MLKEM1024", "MLKEM1024", NID_MLKEM1024, 
0, NULL, 0}, + {"MLKEM512", "MLKEM512", NID_MLKEM512, 9, &kObjectData[6288], 0}, + {"MLKEM768", "MLKEM768", NID_MLKEM768, 9, &kObjectData[6297], 0}, + {"MLKEM1024", "MLKEM1024", NID_MLKEM1024, 9, &kObjectData[6306], 0}, }; static const uint16_t kNIDsInShortNameOrder[] = { @@ -11458,6 +11497,7 @@ static const uint16_t kNIDsInOIDOrder[] = { 785 /* 1.3.6.1.5.5.7.48.5 (OBJ_caRepository) */, 780 /* 1.3.6.1.5.5.8.1.1 (OBJ_hmac_md5) */, 781 /* 1.3.6.1.5.5.8.1.2 (OBJ_hmac_sha1) */, + 970 /* 2.16.840.1.101.3.4.4 (OBJ_kem) */, 58 /* 2.16.840.1.113730.1 (OBJ_netscape_cert_extension) */, 59 /* 2.16.840.1.113730.2 (OBJ_netscape_data_type) */, 438 /* 0.9.2342.19200300.100.1 (OBJ_pilotAttributeType) */, @@ -11593,6 +11633,9 @@ static const uint16_t kNIDsInOIDOrder[] = { 980 /* 2.16.840.1.101.3.4.2.12 (OBJ_shake256) */, 802 /* 2.16.840.1.101.3.4.3.1 (OBJ_dsa_with_SHA224) */, 803 /* 2.16.840.1.101.3.4.3.2 (OBJ_dsa_with_SHA256) */, + 988 /* 2.16.840.1.101.3.4.4.1 (OBJ_MLKEM512) */, + 989 /* 2.16.840.1.101.3.4.4.2 (OBJ_MLKEM768) */, + 990 /* 2.16.840.1.101.3.4.4.3 (OBJ_MLKEM1024) */, 71 /* 2.16.840.1.113730.1.1 (OBJ_netscape_cert_type) */, 72 /* 2.16.840.1.113730.1.2 (OBJ_netscape_base_url) */, 73 /* 2.16.840.1.113730.1.3 (OBJ_netscape_revocation_url) */, diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt index e928f13cf7..b11f231a16 100644 --- a/crypto/obj/objects.txt +++ b/crypto/obj/objects.txt @@ -1381,7 +1381,8 @@ nist_sha3hashalgs 12 : SHAKE256 : shake256 : HKDF : hkdf # NIDs for KEM type and specific KEMs (no corresponding OID). - : KEM : kem +!Alias nist_kem nistAlgorithms 4 +nist_kem : KEM : kem : KYBER512 : KYBER512_R3 : KYBER768_R3 
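Review bot: The context comment `# NIDs for KEM type and specific KEMs (no corresponding OID).` in the `crypto/obj/objects.txt` hunk is no longer true for the entries this hunk and the next one change: `KEM` is now placed on the new `nist_kem` alias and `MLKEM512/768/1024` become `nist_kem 1` to `nist_kem 3`. Reword it along the lines of `# NIDs for KEM type and specific KEMs. KEM and MLKEM512/768/1024 carry NIST OIDs; the Kyber and MLKEM*IPD entries have no corresponding OID.` A second comment line saying that `KEM` is bound to the arc itself (`nistAlgorithms 4`) rather than to one algorithm would spare the next reader from wondering whether that is intentional.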
@@ -1389,9 +1390,9 @@ nist_sha3hashalgs 12 : SHAKE256 : shake256 : MLKEM512IPD : MLKEM768IPD : MLKEM1024IPD
- : MLKEM512
- : MLKEM768
- : MLKEM1024
+nist_kem 1 : MLKEM512
+nist_kem 2 : MLKEM768
+nist_kem 3 : MLKEM1024
# OID for DILITHIUM3 SIG Round-3. These are temp values from
# https://github.com/IETF-Hackathon/pqc-certificates/blob/master/docs/oid_mapping.md
diff --git a/include/openssl/nid.h b/include/openssl/nid.h
index b39324b080..a88301fdf2 100644
--- a/include/openssl/nid.h
+++ b/include/openssl/nid.h
@@ -4281,6 +4281,7 @@ extern "C" { #define SN_kem "KEM" #define LN_kem "kem" #define NID_kem 970 +#define OBJ_kem 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L #define SN_KYBER512 "KYBER512" #define NID_KYBER512 971
@@ -4344,12 +4345,15 @@ extern "C" { #define SN_MLKEM512 "MLKEM512" #define NID_MLKEM512 988 +#define OBJ_MLKEM512 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L, 1L #define SN_MLKEM768 "MLKEM768" #define NID_MLKEM768 989 +#define OBJ_MLKEM768 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L, 2L #define SN_MLKEM1024 "MLKEM1024" #define NID_MLKEM1024 990 +#define OBJ_MLKEM1024 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L, 3L #if defined(__cplusplus) } /* extern C */