Move EVP KEM implementation to in-module and correct OID

crypto/CMakeLists.txt

@@ -426,7 +426,6 @@ add_library(
   evp_extra/p_ec_asn1.c
   evp_extra/p_ed25519_asn1.c
   evp_extra/p_hmac_asn1.c
-  evp_extra/p_kem.c
   evp_extra/p_kem_asn1.c
   evp_extra/p_rsa_asn1.c
   evp_extra/p_x25519.c

crypto/evp_extra/internal.h

@@ -46,7 +46,6 @@ extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth;
 extern const EVP_PKEY_METHOD x25519_pkey_meth;
 extern const EVP_PKEY_METHOD hkdf_pkey_meth;
 extern const EVP_PKEY_METHOD dilithium3_pkey_meth;
-extern const EVP_PKEY_METHOD kem_pkey_meth;
 extern const EVP_PKEY_METHOD hmac_pkey_meth;
 extern const EVP_PKEY_METHOD dh_pkey_meth;
 

crypto/evp_extra/p_methods.c

@@ -12,7 +12,6 @@ static const EVP_PKEY_METHOD *const non_fips_pkey_evp_methods[] = {
 #ifdef ENABLE_DILITHIUM
   &dilithium3_pkey_meth,
 #endif
-  &kem_pkey_meth,
   &dh_pkey_meth,
 };
 

crypto/fipsmodule/bcm.c

@@ -115,6 +115,7 @@
 #include "evp/p_ed25519.c"
 #include "evp/p_hkdf.c"
 #include "evp/p_hmac.c"
+#include "evp/p_kem.c"
 #include "evp/p_rsa.c"
 #include "hkdf/hkdf.c"
 #include "hmac/hmac.c"

crypto/fipsmodule/evp/evp_ctx.c

@@ -74,19 +74,13 @@ DEFINE_LOCAL_DATA(struct fips_evp_pkey_methods, AWSLC_fips_evp_pkey_methods) {
   out->methods[3] = EVP_PKEY_hkdf_pkey_meth();
   out->methods[4] = EVP_PKEY_hmac_pkey_meth();
   out->methods[5] = EVP_PKEY_ed25519_pkey_meth();
+  out->methods[6] = EVP_PKEY_kem_pkey_meth();
 }
 
 static const EVP_PKEY_METHOD *evp_pkey_meth_find(int type) {
 
-  // First try the fips public key methods. At a later stage, we might want to
-  // reorder these such that we go through the list with the most used public
-  // key method first.
-  // Currently, ED25519 and x25519 in the non-fips list are likely not more popular
-  // than RSA and ECC in the fips list. They may make their way in the fips list when
-  // https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf
-  // and
-  // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft.pdf
-  // are finalised.
+  // First we search through the FIPS public key methods. We assume these are
+  // the most popular.
   const struct fips_evp_pkey_methods *const fips_methods = AWSLC_fips_evp_pkey_methods();
   for (size_t i = 0; i < FIPS_EVP_PKEY_METHODS; i++) {
     if (fips_methods->methods[i]->pkey_id == type) {

crypto/fipsmodule/evp/internal.h

@@ -335,13 +335,13 @@ typedef struct {
 
 #define ED25519_PUBLIC_KEY_OFFSET 32
 
-#define FIPS_EVP_PKEY_METHODS 6
+#define FIPS_EVP_PKEY_METHODS 7
 
 #ifdef ENABLE_DILITHIUM
-#define NON_FIPS_EVP_PKEY_METHODS 4
+#define NON_FIPS_EVP_PKEY_METHODS 3
 #define ASN1_EVP_PKEY_METHODS 9
 #else
-#define NON_FIPS_EVP_PKEY_METHODS 3
+#define NON_FIPS_EVP_PKEY_METHODS 2
 #define ASN1_EVP_PKEY_METHODS 8
 #endif
 
@@ -355,6 +355,7 @@ const EVP_PKEY_METHOD *EVP_PKEY_ec_pkey_meth(void);
 const EVP_PKEY_METHOD *EVP_PKEY_hkdf_pkey_meth(void);
 const EVP_PKEY_METHOD *EVP_PKEY_hmac_pkey_meth(void);
 const EVP_PKEY_METHOD *EVP_PKEY_ed25519_pkey_meth(void);
+const EVP_PKEY_METHOD *EVP_PKEY_kem_pkey_meth(void);
 
 #if defined(__cplusplus)
 }  // extern C

crypto/evp_extra/p_kem.c → crypto/fipsmodule/evp/p_kem.c

@@ -6,10 +6,10 @@
 #include <openssl/err.h>
 #include <openssl/mem.h>
 
-#include "../fipsmodule/evp/internal.h"
-#include "../fipsmodule/delocate.h"
-#include "../fipsmodule/kem/internal.h"
-#include "../internal.h"
+#include "internal.h"
+#include "../delocate.h"
+#include "../kem/internal.h"
+#include "../../internal.h"
 #include "internal.h"
 
 typedef struct {
@@ -293,35 +293,35 @@ static int pkey_kem_decapsulate(EVP_PKEY_CTX *ctx,
     return 0;
   }
 
-  // The size of the shared secret that has been writen to the output buffer.
+  // The size of the shared secret that has been written to the output buffer.
   *shared_secret_len = kem->shared_secret_len;
 
   return 1;
 }
 
-const EVP_PKEY_METHOD kem_pkey_meth = {
-    EVP_PKEY_KEM,
-    pkey_kem_init,
-    NULL,
-    pkey_kem_cleanup,
-    pkey_kem_keygen,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    NULL,
-    pkey_kem_keygen_deterministic,
-    pkey_kem_encapsulate_deterministic,
-    pkey_kem_encapsulate,
-    pkey_kem_decapsulate,
-};
+DEFINE_METHOD_FUNCTION(EVP_PKEY_METHOD, EVP_PKEY_kem_pkey_meth) {
+  out->pkey_id = EVP_PKEY_KEM;
+  out->init = pkey_kem_init;
+  out->copy = NULL;
+  out->cleanup = pkey_kem_cleanup;
+  out->keygen = pkey_kem_keygen;
+  out->sign_init = NULL;
+  out->sign = NULL;
+  out->sign_message = NULL;
+  out->verify_init = NULL;
+  out->verify = NULL;
+  out->verify_message = NULL;
+  out->verify_recover = NULL;
+  out->encrypt = NULL;
+  out->decrypt = NULL;
+  out->derive = pkey_hkdf_derive;
+  out->paramgen = NULL;
+  out->ctrl = NULL;
+  out->keygen_deterministic = pkey_kem_keygen_deterministic;
+  out->encapsulate_deterministic = pkey_kem_encapsulate_deterministic;
+  out->encapsulate = pkey_kem_encapsulate;
+  out->decapsulate = pkey_kem_decapsulate;
+}
 
 // Additional KEM specific EVP functions.
 

crypto/fipsmodule/kem/kem.c

@@ -8,9 +8,13 @@
 #include "../ml_kem/ml_kem.h"
 #include "internal.h"
 
-static const uint8_t kOIDMLKEM512[]  = {0xff, 0xff, 0xff, 0xff};
-static const uint8_t kOIDMLKEM768[]  = {0xff, 0xff, 0xff, 0xff};
-static const uint8_t kOIDMLKEM1024[] = {0xff, 0xff, 0xff, 0xff};
+// https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration
+// 2.16.840.1.101.3.4.4.1
+static const uint8_t kOIDMLKEM512[]  = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x01};
+// 2.16.840.1.101.3.4.4.2
+static const uint8_t kOIDMLKEM768[]  = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x02};
+// 2.16.840.1.101.3.4.4.3
+static const uint8_t kOIDMLKEM1024[] = {0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x04, 0x03};
 
 static int ml_kem_1024_keygen_deterministic(uint8_t *public_key,
                                                 uint8_t *secret_key,

crypto/obj/obj_dat.h

@@ -7176,6 +7176,15 @@ static const uint8_t kObjectData[] = {
     0x04,
     0x02,
     0x0a,
+    /* NID_kem */
+    0x60,
+    0x86,
+    0x48,
+    0x01,
+    0x65,
+    0x03,
+    0x04,
+    0x04,
     /* NID_DILITHIUM3_R3 */
     0x2b,
     0x06,
@@ -7230,6 +7239,36 @@ static const uint8_t kObjectData[] = {
     0x0f,
     0x63,
     0x33,
+    /* NID_MLKEM512 */
+    0x60,
+    0x86,
+    0x48,
+    0x01,
+    0x65,
+    0x03,
+    0x04,
+    0x04,
+    0x01,
+    /* NID_MLKEM768 */
+    0x60,
+    0x86,
+    0x48,
+    0x01,
+    0x65,
+    0x03,
+    0x04,
+    0x04,
+    0x02,
+    /* NID_MLKEM1024 */
+    0x60,
+    0x86,
+    0x48,
+    0x01,
+    0x65,
+    0x03,
+    0x04,
+    0x04,
+    0x03,
 };
 
 static const ASN1_OBJECT kObjects[NUM_NID] = {
@@ -8882,30 +8921,30 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
     {"SHA3-384", "sha3-384", NID_sha3_384, 9, &kObjectData[6214], 0},
     {"SHA3-512", "sha3-512", NID_sha3_512, 9, &kObjectData[6223], 0},
     {"HKDF", "hkdf", NID_hkdf, 0, NULL, 0},
-    {"KEM", "kem", NID_kem, 0, NULL, 0},
+    {"KEM", "kem", NID_kem, 8, &kObjectData[6232], 0},
     {"KYBER512", "KYBER512", NID_KYBER512, 0, NULL, 0},
     {"KYBER512_R3", "KYBER512_R3", NID_KYBER512_R3, 0, NULL, 0},
     {"KYBER768_R3", "KYBER768_R3", NID_KYBER768_R3, 0, NULL, 0},
     {"KYBER1024_R3", "KYBER1024_R3", NID_KYBER1024_R3, 0, NULL, 0},
     {"DILITHIUM3_R3", "DILITHIUM3_R3", NID_DILITHIUM3_R3, 11,
-     &kObjectData[6232], 0},
+     &kObjectData[6240], 0},
     {"ffdhe2048", "ffdhe2048", NID_ffdhe2048, 0, NULL, 0},
     {"ffdhe4096", "ffdhe4096", NID_ffdhe4096, 0, NULL, 0},
-    {"SHA512-224", "sha512-224", NID_sha512_224, 9, &kObjectData[6243], 0},
-    {"SHAKE128", "shake128", NID_shake128, 9, &kObjectData[6252], 0},
-    {"SHAKE256", "shake256", NID_shake256, 9, &kObjectData[6261], 0},
+    {"SHA512-224", "sha512-224", NID_sha512_224, 9, &kObjectData[6251], 0},
+    {"SHAKE128", "shake128", NID_shake128, 9, &kObjectData[6260], 0},
+    {"SHAKE256", "shake256", NID_shake256, 9, &kObjectData[6269], 0},
     {"SecP256r1Kyber768Draft00", "SecP256r1Kyber768Draft00",
-     NID_SecP256r1Kyber768Draft00, 5, &kObjectData[6270], 0},
+     NID_SecP256r1Kyber768Draft00, 5, &kObjectData[6278], 0},
     {"X25519Kyber768Draft00", "X25519Kyber768Draft00",
-     NID_X25519Kyber768Draft00, 5, &kObjectData[6275], 0},
+     NID_X25519Kyber768Draft00, 5, &kObjectData[6283], 0},
     {"ffdhe3072", "ffdhe3072", NID_ffdhe3072, 0, NULL, 0},
     {"ffdhe8192", "ffdhe8192", NID_ffdhe8192, 0, NULL, 0},
     {"MLKEM512IPD", "MLKEM512IPD", NID_MLKEM512IPD, 0, NULL, 0},
     {"MLKEM768IPD", "MLKEM768IPD", NID_MLKEM768IPD, 0, NULL, 0},
     {"MLKEM1024IPD", "MLKEM1024IPD", NID_MLKEM1024IPD, 0, NULL, 0},
-    {"MLKEM512", "MLKEM512", NID_MLKEM512, 0, NULL, 0},
-    {"MLKEM768", "MLKEM768", NID_MLKEM768, 0, NULL, 0},
-    {"MLKEM1024", "MLKEM1024", NID_MLKEM1024, 0, NULL, 0},
+    {"MLKEM512", "MLKEM512", NID_MLKEM512, 9, &kObjectData[6288], 0},
+    {"MLKEM768", "MLKEM768", NID_MLKEM768, 9, &kObjectData[6297], 0},
+    {"MLKEM1024", "MLKEM1024", NID_MLKEM1024, 9, &kObjectData[6306], 0},
 };
 
 static const uint16_t kNIDsInShortNameOrder[] = {
@@ -11458,6 +11497,7 @@ static const uint16_t kNIDsInOIDOrder[] = {
     785 /* 1.3.6.1.5.5.7.48.5 (OBJ_caRepository) */,
     780 /* 1.3.6.1.5.5.8.1.1 (OBJ_hmac_md5) */,
     781 /* 1.3.6.1.5.5.8.1.2 (OBJ_hmac_sha1) */,
+    970 /* 2.16.840.1.101.3.4.4 (OBJ_kem) */,
     58 /* 2.16.840.1.113730.1 (OBJ_netscape_cert_extension) */,
     59 /* 2.16.840.1.113730.2 (OBJ_netscape_data_type) */,
     438 /* 0.9.2342.19200300.100.1 (OBJ_pilotAttributeType) */,
@@ -11593,6 +11633,9 @@ static const uint16_t kNIDsInOIDOrder[] = {
     980 /* 2.16.840.1.101.3.4.2.12 (OBJ_shake256) */,
     802 /* 2.16.840.1.101.3.4.3.1 (OBJ_dsa_with_SHA224) */,
     803 /* 2.16.840.1.101.3.4.3.2 (OBJ_dsa_with_SHA256) */,
+    988 /* 2.16.840.1.101.3.4.4.1 (OBJ_MLKEM512) */,
+    989 /* 2.16.840.1.101.3.4.4.2 (OBJ_MLKEM768) */,
+    990 /* 2.16.840.1.101.3.4.4.3 (OBJ_MLKEM1024) */,
     71 /* 2.16.840.1.113730.1.1 (OBJ_netscape_cert_type) */,
     72 /* 2.16.840.1.113730.1.2 (OBJ_netscape_base_url) */,
     73 /* 2.16.840.1.113730.1.3 (OBJ_netscape_revocation_url) */,

crypto/obj/objects.txt

@@ -1381,17 +1381,18 @@ nist_sha3hashalgs 12		: SHAKE256		: shake256
  : HKDF : hkdf
 
 # NIDs for KEM type and specific KEMs (no corresponding OID).
- : KEM : kem
+!Alias nist_kem nistAlgorithms 4
+nist_kem : KEM : kem
  : KYBER512
  : KYBER512_R3
  : KYBER768_R3
  : KYBER1024_R3
  : MLKEM512IPD
  : MLKEM768IPD
  : MLKEM1024IPD
- : MLKEM512
- : MLKEM768
- : MLKEM1024
+nist_kem 1 : MLKEM512
+nist_kem 2 : MLKEM768
+nist_kem 3 : MLKEM1024
 
 # OID for DILITHIUM3 SIG Round-3. These are temp values from
 # https://github.com/IETF-Hackathon/pqc-certificates/blob/master/docs/oid_mapping.md

include/openssl/nid.h

@@ -4281,6 +4281,7 @@ extern "C" {
 #define SN_kem "KEM"
 #define LN_kem "kem"
 #define NID_kem 970
+#define OBJ_kem 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L
 
 #define SN_KYBER512 "KYBER512"
 #define NID_KYBER512 971
@@ -4344,12 +4345,15 @@ extern "C" {
 
 #define SN_MLKEM512 "MLKEM512"
 #define NID_MLKEM512 988
+#define OBJ_MLKEM512 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L, 1L
 
 #define SN_MLKEM768 "MLKEM768"
 #define NID_MLKEM768 989
+#define OBJ_MLKEM768 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L, 2L
 
 #define SN_MLKEM1024 "MLKEM1024"
 #define NID_MLKEM1024 990
+#define OBJ_MLKEM1024 2L, 16L, 840L, 1L, 101L, 3L, 4L, 4L, 3L
 
 #if defined(__cplusplus)
 } /* extern C */