Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove enable_dilithium flag #2081

Closed
wants to merge 1 commit into from
Closed

Remove enable_dilithium flag #2081

wants to merge 1 commit into from

Conversation

jakemas
Copy link
Contributor

@jakemas jakemas commented Dec 26, 2024
edited
Loading

Need to merge #2072 first

Issues:

It's time. (also we need to do this to add ML-DSA to the FIPS module)

Description of changes:

  • Removed the enable_dilithium flag
  • Added a description to APIs to indicate the external APIs may still be subject to change as the standards space develops. (We don't envision them changing, but they are extremely new).

Call-outs:

Removing the flag has little consequence -- other than it makes the APIs we expose in include/openssl/evp.h that much more "final". We should consider how much we like them before we commit to them. We made a point to refer to asymmetric keypairs as public and private keys, rather than public and secret keys. However, we haven't always been consistant with this, so there is a mix of both in the library. Users will find the consistency between EVP_PKEY_pqdsa_new_raw_secret_key and EVP_PKEY_kem_new_raw_secret_key more satisfying.

However, after internal discussions, we'd also like to change the name of EVP_PKEY_kem_new_raw_public_key and EVP_PKEY_kem_new_raw_secret_key to EVP_PKEY_kem_new_raw_encapsulation_key and EVP_PKEY_kem_new_raw_decapsulation_key to match the names within FIPS 203. Thus, we should stick with secret.

We did consider the use of an experimental flag (by using the OPENSSL_DEPRECATED alias), but, this seems a little over the top. If there are any discrepancy with the API down the line, we will make a change as we are proposing with the kem APIs above. Alternatively, we could place the EVP APIs in include/openssl/experimental/.

Testing:

To celebrate the removal of this flag, enjoy this haiku:

feature flag removed,
post-quantum strength stands alone,
simpler code prevails.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@jakemas jakemas requested a review from a team as a code owner December 26, 2024 19:53
@jakemas jakemas mentioned this pull request Dec 26, 2024
Closed
@jakemas jakemas closed this Dec 26, 2024
@codecov-commenter
Copy link

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.93%. Comparing base (2329adb) to head (c1ad06d).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2081      +/-   ##
==========================================
+ Coverage   78.75%   78.93%   +0.18%     
==========================================
  Files         598      610      +12     
  Lines      103650   105175    +1525     
  Branches    14719    14907     +188     
==========================================
+ Hits        81625    83023    +1398     
- Misses      21371    21500     +129     
+ Partials      654      652       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jakemas @codecov-commenter