Added ML-KEM support

Author: antoinelochet

.github/workflows/ci.yml

@@ -88,6 +88,7 @@ jobs:
           LDFLAGS: "-Wl,-rpath,/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
           PKG_CONFIG_PATH: "/usr/local/openssl-3.5/lib64/pkgconfig"
         run: |
+          set -x
           sudo apt-get update -qq
           sudo apt-get install -y libcppunit-dev p11-kit build-essential checkinstall zlib1g-dev sudo autoconf libtool git
           # Install OpenSSL 3.5
@@ -108,6 +109,7 @@ jobs:
           LDFLAGS: "-Wl,-rpath,/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
           PKG_CONFIG_PATH: "/usr/local/openssl-3.5/lib64/pkgconfig"
         run: |
+          set -x
           ./autogen.sh
           ./configure --with-crypto-backend=openssl --with-openssl=${{ env.OPENSSL_INSTALL_DIR }}
           make -j$(nproc)
@@ -187,8 +189,9 @@ jobs:
             target-platform: x64
             ossl-version: "3.5.4"
             botan-version: ""
-            build-options: "-DENABLE_MLDSA=ON"
+            build-options: "-DENABLE_MLDSA=ON -DENABLE_MLKEM=ON"
             mldsa-test: "true"
+            mlkem-test: "true"
     steps:
       - uses: actions/checkout@v4
       - uses: ilammy/msvc-dev-cmd@v1
@@ -223,5 +226,6 @@ jobs:
         env:
           CTEST_OUTPUT_ON_FAILURE: 1
           MLDSA_TEST: ${{ matrix.mldsa-test || '' }}
+          MLKEM_TEST: ${{ matrix.mlkem-test || '' }}
         run: |
           cmake --build build --target RUN_TESTS

.gitignore

@@ -57,6 +57,8 @@ Botan-*
 ROOT
 *.cmake
 CMakeFiles
+.idea/
+.vscode/
 
 # Specifics
 softhsm2.module

CMAKE-NOTES.md

@@ -12,6 +12,7 @@ Some options (more can be found in CMakeLists.txt):
 	-DDISABLE_NON_PAGED_MEMORY=ON	Disable non-paged memory for secure storage
 	-DENABLE_EDDSA=ON		Enable support for EDDSA
 	-DENABLE_MLDSA=ON		Enable support for ML-DSA
+	-DENABLE_MLKEM=ON		Enable support for ML-KEM
 	-DWITH_MIGRATE=ON		Build migration tool
 	-DWITH_CRYPTO_BACKEND=openssl	Select crypto backend (openssl|botan)
 

CMAKE-WIN-NOTES.md

@@ -52,7 +52,8 @@ Some options (more can be found in CMakeLists.txt):
 
 	-DBUILD_TESTS=ON                Compile tests along with libraries
 	-DENABLE_EDDSA=ON               Enable support for EDDSA
-    -DENABLE_MLDSA=ON               Enable support for ML-DSA
+	-DENABLE_MLDSA=ON               Enable support for ML-DSA
+	-DENABLE_MLKEM=ON               Enable support for ML-KEM
 	-DWITH_MIGRATE=ON               Build migration tool
 	-DWITH_CRYPTO_BACKEND=          Select crypto backend (openssl|botan)
 	-DDISABLE_NON_PAGED_MEMORY=ON   Disable non-paged memory for secure storage

CMakeLists.txt

@@ -9,6 +9,7 @@ option(ENABLE_64bit "Enable 64-bit compiling" OFF)
 option(ENABLE_ECC "Enable support for ECC" ON)
 option(ENABLE_EDDSA "Enable support for EDDSA" ON)
 option(ENABLE_MLDSA "Enable support for ML-DSA" OFF)
+option(ENABLE_MLKEM "Enable support for ML-KEM" OFF)
 option(ENABLE_GOST "Enable support for GOST" OFF)
 option(ENABLE_FIPS "Enable support for FIPS 140-2 mode" OFF)
 option(ENABLE_P11_KIT "Enable p11-kit integration" ON)

README.md

@@ -82,7 +82,8 @@ Options:
 	--enable-ecc		Enable support for ECC (default detect)
 	--enable-gost		Enable support for GOST (default detect)
 	--enable-eddsa		Enable support for EDDSA (default detect)
-    --enable-mldsa		Enable support for ML-DSA (default detect)
+	--enable-mldsa		Enable support for ML-DSA (default detect)
+	--enable-mlkem		Enable support for ML-KEM (default detect)
 	--disable-visibility	Disable hidden visibilty link mode [enabled]
 	--with-crypto-backend	Select crypto backend (openssl|botan)
 	--with-openssl=PATH	Specify prefix of path of OpenSSL

cmake/modules/CompilerOptions.cmake

@@ -391,6 +391,27 @@ elseif(WITH_CRYPTO_BACKEND STREQUAL "openssl")
         message(STATUS "OpenSSL: Support for ML-DSA is disabled")
     endif(ENABLE_MLDSA)
 
+    # acx_openssl_mlkem.m4
+    if(ENABLE_MLKEM)
+        # ML-DSA
+        set(testfile ${CMAKE_SOURCE_DIR}/cmake/modules/tests/test_openssl_mlkem.c)
+        try_run(RUN_MLKEM COMPILE_RESULT
+                "${CMAKE_BINARY_DIR}/prebuild_santity_tests" ${testfile}
+                LINK_LIBRARIES ${CRYPTO_LIBS}
+                CMAKE_FLAGS
+                "-DINCLUDE_DIRECTORIES=${CRYPTO_INCLUDES}"
+        )
+        if(COMPILE_RESULT AND RUN_MLKEM EQUAL 0)
+            set(WITH_ML_KEM 1)
+            message(STATUS "OpenSSL: Found ML-KEM")
+        else()
+            set(error_msg "OpenSSL: Cannot find ML-KEM! OpenSSL library has no ML-KEM support!")
+            message(FATAL_ERROR ${error_msg})
+        endif()
+    else(ENABLE_MLKEM)
+        message(STATUS "OpenSSL: Support for ML-KEM is disabled")
+    endif(ENABLE_MLKEM)
+
     # acx_openssl_gost.m4
     if(ENABLE_GOST)
         set(testfile ${CMAKE_SOURCE_DIR}/cmake/modules/tests/test_openssl_gost.c)

cmake/modules/tests/test_openssl_mlkem.c

@@ -0,0 +1,12 @@
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+int main()
+{
+    EVP_PKEY_CTX *ctx;
+    ctx = EVP_PKEY_CTX_new_from_name(NULL, "ML-KEM-512", NULL);
+    
+    if (ctx == NULL)
+        return 1;
+    EVP_PKEY_CTX_free(ctx);
+    return 0;
+}

config.h.in.cmake

@@ -154,6 +154,9 @@
 /* Compile with ML-DSA support */
 #cmakedefine WITH_ML_DSA @WITH_ML_DSA@
 
+/* Compile with ML-KEM support */
+#cmakedefine WITH_ML_KEM @WITH_ML_KEM@
+
 /* Compile with FIPS 140-2 mode */
 #cmakedefine WITH_FIPS @WITH_FIPS@
 

m4/acx_crypto_backend.m4

@@ -38,6 +38,16 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 		[enable_mldsa="detect"]
 	)
 
+	# Add ML-KEM check
+
+	AC_ARG_ENABLE(mlkem,
+		AS_HELP_STRING([--enable-mlkem],
+			[Enable support for ML-KEM (default detect)]
+		),
+		[enable_mlkem="${enableval}"],
+		[enable_mlkem="detect"]
+	)
+
 	# Second check for the FIPS 140-2 mode
 
 	AC_ARG_ENABLE(fips,
@@ -119,6 +129,15 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 			detect-no) enable_mldsa="no";;
 		esac
 
+		case "${enable_mlkem}" in
+			yes|detect) ACX_OPENSSL_MLKEM;;
+		esac
+		case "${enable_mlkem}-${have_lib_openssl_mlkem_support}" in
+			yes-no) AC_MSG_ERROR([OpenSSL library has no ML-KEM support]);;
+			detect-yes) enable_mlkem="yes";;
+			detect-no) enable_mlkem="no";;
+		esac
+
 		case "${enable_gost}-${enable_fips}" in
 			yes-yes) AC_MSG_ERROR([GOST is not FIPS approved]);;
 			yes-no|detect-no) ACX_OPENSSL_GOST;;
@@ -189,6 +208,10 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
             AC_MSG_ERROR([Botan does not support ML-DSA])
         fi
 
+        if test "x${enable_mlkem}" = "xyes"; then
+            AC_MSG_ERROR([Botan does not support ML-KEM])
+        fi
+
 		case "${enable_gost}" in
 			yes|detect) ACX_BOTAN_GOST;;
 		esac
@@ -267,6 +290,19 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 	fi
 	AM_CONDITIONAL([WITH_ML_DSA], [test "x${enable_mldsa}" = "xyes"])
 
+	AC_MSG_CHECKING(for ML-KEM support)
+	if test "x${enable_mlkem}" = "xyes"; then
+		AC_MSG_RESULT(yes)
+		AC_DEFINE_UNQUOTED(
+			[WITH_ML_KEM],
+			[],
+			[Compile with ML-KEM support]
+		)
+	else
+		AC_MSG_RESULT(no)
+	fi
+	AM_CONDITIONAL([WITH_ML_KEM], [test "x${enable_mlkem}" = "xyes"])
+
 
 	AC_SUBST(CRYPTO_INCLUDES)
 	AC_SUBST(CRYPTO_LIBS)