Add ML-KEM support when using BoringSSL #14673
Merged: reaperhulk merged 4 commits into main on Apr 16, 2026
Conversation
BoringSSL supports ML-KEM-768 and ML-KEM-1024 via its EVP_PKEY API. This mirrors the existing ML-DSA BoringSSL support pattern, using `EVP_pkey_ml_kem_768/1024` and `EVP_PKEY_from_private_seed` for key creation, and `EVP_PKEY_encapsulate`/`decapsulate` with the required `_init` calls for encapsulation/decapsulation.

Key changes:
- cryptography-openssl mlkem module: cfg-gated for both BoringSSL and AWS-LC with variant-specific code paths via `cfg_if`
- Added `is_mlkem_pkey_type()` function (like mldsa) to replace single `PKEY_ID` matching, since BoringSSL uses per-variant NIDs
- Key parsing (pkcs8/spki) enabled for BoringSSL
- Python backend: `mlkem_supported()` now returns True for BoringSSL

https://claude.ai/code/session_01CQzkjEGQfv1xVZ4UXy6Jqj
alex commented on Apr 16, 2026:
```rust
cvt(ffi::EVP_PKEY_encapsulate_init(
    ctx.as_ptr(),
    std::ptr::null(),
))?;
```
this code needs to be reformatted for coverage reasons. something like `let res = ffi::EVP_PKEY_encapsulate_init(...); cvt(res)?;` probably
```rust
cvt(ffi::EVP_PKEY_decapsulate_init(
    ctx.as_ptr(),
    std::ptr::null(),
))?;
```
Split the unsafe FFI call from the `cvt()` error check so that coverage tools can distinguish the call site from the error path. https://claude.ai/code/session_01CQzkjEGQfv1xVZ4UXy6Jqj
The `undocumented_unsafe_blocks` lint requires SAFETY comments directly above the unsafe block, not separated by `#[cfg]` attrs. https://claude.ai/code/session_01CQzkjEGQfv1xVZ4UXy6Jqj
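The coverage-friendly shape alex asks for, with the SAFETY comment sitting directly above the unsafe block, as an added Rust example that is not the PR's own code. The `ffi` module, `cvt`, `PkeyCtx` and `OpenSSLError` below are constructed stand-ins for the crate's bindings that only mimic BoringSSL's 1-on-success / 0-on-failure return convention, so both the call site and the error path can be exercised offline.

```rust
use std::os::raw::c_int;
use std::ptr;

/// Constructed stand-in for the real `ffi` bindings (not BoringSSL itself):
/// returns 1 on success and 0 on failure, like the C function it imitates.
#[allow(non_snake_case, non_camel_case_types)]
mod ffi {
    use std::os::raw::{c_int, c_void};
    pub type EVP_PKEY_CTX = c_void;
    pub unsafe fn EVP_PKEY_encapsulate_init(
        ctx: *mut EVP_PKEY_CTX,
        _opts: *const c_void,
    ) -> c_int {
        if ctx.is_null() { 0 } else { 1 }
    }
}

#[derive(Debug, PartialEq)]
pub struct OpenSSLError;

/// Stand-in for the crate's `cvt`: map a C-style status code into a Result,
/// treating anything <= 0 as failure.
pub fn cvt(r: c_int) -> Result<c_int, OpenSSLError> {
    if r <= 0 { Err(OpenSSLError) } else { Ok(r) }
}

/// Minimal owner of an EVP_PKEY_CTX pointer (constructed for this example).
pub struct PkeyCtx(pub *mut ffi::EVP_PKEY_CTX);
impl PkeyCtx {
    pub fn as_ptr(&self) -> *mut ffi::EVP_PKEY_CTX { self.0 }
}

/// The unsafe FFI call is its own statement, so a coverage tool sees the call
/// line and the `?` early-return line as distinct regions; nesting the call
/// inside `cvt(...)?` collapses both into one.
pub fn encapsulate_init(ctx: &PkeyCtx) -> Result<(), OpenSSLError> {
    // SAFETY: `ctx` wraps a pointer the caller obtained for this context and
    // keeps alive for the call; a null options pointer is accepted. This comment
    // must immediately precede the `unsafe` block: a `#[cfg]` attribute placed
    // between them would trip the `undocumented_unsafe_blocks` lint.
    let res = unsafe { ffi::EVP_PKEY_encapsulate_init(ctx.as_ptr(), ptr::null()) };
    cvt(res)?;
    Ok(())
}
```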
reaperhulk approved these changes on Apr 16, 2026
Summary
- `EVP_pkey_ml_kem_768/1024` + `EVP_PKEY_from_private_seed` for key creation, and `EVP_PKEY_encapsulate`/`decapsulate` with `_init` calls
- `is_mlkem_pkey_type()` function (like `is_mldsa_pkey_type()`) to replace single `PKEY_ID` matching, since BoringSSL uses per-variant NIDs
- `mlkem_supported()` now enabled for BoringSSL

Test plan
- `OPENSSL_DIR=path-to-boringssl nox -e local` passes (3209 passed, 938 skipped)
- `cargo check --all --tests` compiles cleanly

https://claude.ai/code/session_01CQzkjEGQfv1xVZ4UXy6Jqj