Skip to content

Update ML-KEM for compatibility with OpenSSL 3.5 implementation #153

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mamckee wants to merge 12 commits into
base: main
Choose a base branch
from
Open

Update ML-KEM for compatibility with OpenSSL 3.5 implementation #153

mamckee wants to merge 12 commits into from
+7,748 −1,009

Conversation

@mamckee
Copy link
Collaborator

@mamckee mamckee commented Nov 25, 2025

This PR updates the SymCrypt provider ML-KEM and ML-KEM hybrid to match the behavior of the OpenSSL default provider implementation, added in OpenSSL 3.5. This PR also fixes minor bugs and behavior differences found when testing the SymCrypt provider with OpenSSL 3.5's new ML-KEM tests.

  • Different ML-KEM parameter sets, and hybrid algorithms are now registered as their own algorithm for key management, KEM, encode, and decode.
  • Split ML-KEM hybrid into its own key management and KEM interfaces to better match OpenSSL's behavior and for maintainability.
  • Removed ML-KEM hybrid encoder and decoders since they don't exist in OpenSSL 3.5 and are based on test OIDS.

samuel-lee-msft
samuel-lee-msft reviewed Nov 25, 2025
View reviewed changes
@qmuntal
Copy link
Member

qmuntal commented Nov 25, 2025
edited by mamckee
Loading

FYI We recently added support for MLKEM to https://github.com/golang-fips/openssl, so you can use it to test that you will be at least compatible with the Microsoft build of Go. #Resolved

samuel-lee-msft
samuel-lee-msft reviewed Jan 9, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft reviewed Jan 9, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft reviewed Jan 9, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft reviewed Jan 9, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft reviewed Jan 9, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft reviewed Jan 10, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft reviewed Jan 10, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft reviewed Jan 10, 2026
View reviewed changes
@samuel-lee-msft
Copy link
Contributor

samuel-lee-msft commented Jan 10, 2026
edited by mamckee
Loading 

return SCOSSL_SUCCESS;

Also should be return ret? #Resolved

Refers to: SymCryptProvider/src/keymgmt/p_scossl_mlkem_keymgmt.c:899 in 66b665e. [](commit_id = 66b665e, deletion_comment = False)

samuel-lee-msft
samuel-lee-msft reviewed Jan 10, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft reviewed Jan 10, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft reviewed Jan 10, 2026
View reviewed changes
samuel-lee-msft
samuel-lee-msft previously approved these changes Jan 10, 2026
View reviewed changes
Copy link
Contributor

@samuel-lee-msft samuel-lee-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM modulo feedback!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MS-megliu MS-megliu Awaiting requested review from MS-megliu

@samuel-lee-msft samuel-lee-msft Awaiting requested review from samuel-lee-msft

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mamckee @qmuntal @samuel-lee-msft