softhsm
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎CMAKE-NOTES.md‎
Lines changed: 1 addition & 0 deletions b/‎CMAKE-NOTES.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CMAKE-WIN-NOTES.md‎
Lines changed: 1 addition & 0 deletions b/‎CMAKE-WIN-NOTES.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎CMakeLists.txt‎
Lines changed: 1 addition & 0 deletions b/‎CMakeLists.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 0 deletions b/‎README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎config.h.in.cmake‎
Lines changed: 3 additions & 0 deletions b/‎config.h.in.cmake‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎m4/acx_botan_mldsa.m4‎
Lines changed: 38 additions & 0 deletions b/‎m4/acx_botan_mldsa.m4‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎m4/acx_crypto_backend.m4‎
Lines changed: 40 additions & 0 deletions b/‎m4/acx_crypto_backend.m4‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎m4/acx_openssl_mldsa.m4‎
Lines changed: 43 additions & 0 deletions b/‎m4/acx_openssl_mldsa.m4‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎src/bin/dump/tables.h‎
Lines changed: 5 additions & 0 deletions b/‎src/bin/dump/tables.h‎
Lines changed: 5 additions & 0 deletions
@@ -76,6 +76,42 @@ jobs:
         run: |
           make check || (find . -name test-suite.log -exec cat {} \; && false)
 
+  linux_ossl_35:
+    name: Linux with OpenSSL 3.5.2
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Prepare
+        env:
+          OPENSSL_VERSION: 3.5.2
+          OPENSSL_INSTALL_DIR: /usr/local/openssl-3.5
+          LDFLAGS: "-Wl,-R/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y libcppunit-dev p11-kit build-essential checkinstall zlib1g-dev sudo autoconf libtool git
+          # Install OpenSSL 3.5
+          curl -L -O https://github.com/openssl/openssl/releases/download/openssl-${{ env.OPENSSL_VERSION }}/openssl-${{ env.OPENSSL_VERSION }}.tar.gz
+          tar -xf openssl-${{ env.OPENSSL_VERSION }}.tar.gz
+          cd openssl-${{ env.OPENSSL_VERSION }}
+          ./config shared zlib no-ssl3 no-weak-ssl-ciphers --prefix=${{ env.OPENSSL_INSTALL_DIR }} --openssldir=${{ env.OPENSSL_INSTALL_DIR }}
+          make -j$(nproc) > build.log
+          sudo make install > install.log
+          cd ${{ env.OPENSSL_INSTALL_DIR }}
+          sudo ln -s lib64 lib
+      - name: Build
+        env:
+          # Once all OpenSSL deprecations fixed, uncomment this
+          #   CXXFLAGS: -Werror
+          OPENSSL_INSTALL_DIR: /usr/local/openssl-3.5
+          LDFLAGS: "-Wl,-R/usr/local/openssl-3.5/lib64 -L/usr/local/openssl-3.5/lib64"
+        run: |
+          ./autogen.sh
+          ./configure --with-crypto-backend=openssl --with-openssl=${{ env.OPENSSL_INSTALL_DIR }}
+          make -j$(nproc)
+      - name: Test
+        run: |
+          make check || (find . -name test-suite.log -exec cat {} \; && false)
+
   macos:
     name: macOS (${{ matrix.backend }})
     runs-on: macos-14
 
@@ -11,6 +11,7 @@ Some options (more can be found in CMakeLists.txt):
 	-DBUILD_TESTS=ON		Compile tests along with libraries
 	-DDISABLE_NON_PAGED_MEMORY=ON	Disable non-paged memory for secure storage
 	-DENABLE_EDDSA=ON		Enable support for EDDSA
+	-DENABLE_MLDSA=ON		Enable support for ML-DSA
 	-DWITH_MIGRATE=ON		Build migration tool
 	-DWITH_CRYPTO_BACKEND=openssl	Select crypto backend (openssl|botan)
 
 
@@ -52,6 +52,7 @@ Some options (more can be found in CMakeLists.txt):
 
 	-DBUILD_TESTS=ON                Compile tests along with libraries
 	-DENABLE_EDDSA=ON               Enable support for EDDSA
+	-DENABLE_MLDSA=ON               Enable support for ML-DSA
 	-DWITH_MIGRATE=ON               Build migration tool
 	-DWITH_CRYPTO_BACKEND=          Select crypto backend (openssl|botan)
 	-DDISABLE_NON_PAGED_MEMORY=ON   Disable non-paged memory for secure storage
 
@@ -8,6 +8,7 @@ option(DISABLE_VISIBILITY "Disables and unsets -fvisibility=hidden" OFF)
 option(ENABLE_64bit "Enable 64-bit compiling" OFF)
 option(ENABLE_ECC "Enable support for ECC" ON)
 option(ENABLE_EDDSA "Enable support for EDDSA" ON)
+option(ENABLE_MLDSA "Enable support for ML-DSA" ON)
 option(ENABLE_GOST "Enable support for GOST" OFF)
 option(ENABLE_FIPS "Enable support for FIPS 140-2 mode" OFF)
 option(ENABLE_P11_KIT "Enable p11-kit integration" ON)
 
@@ -82,6 +82,7 @@ Options:
 	--enable-ecc		Enable support for ECC (default detect)
 	--enable-gost		Enable support for GOST (default detect)
 	--enable-eddsa		Enable support for EDDSA (default detect)
+	--enable-mldsa		Enable support for ML-DSA (default detect)
 	--disable-visibility	Disable hidden visibilty link mode [enabled]
 	--with-crypto-backend	Select crypto backend (openssl|botan)
 	--with-openssl=PATH	Specify prefix of path of OpenSSL
 
@@ -151,6 +151,9 @@
 /* Compile with EDDSA support */
 #cmakedefine WITH_EDDSA @WITH_EDDSA@
 
+/* Compile with ML-DSA support */
+#cmakedefine WITH_ML_DSA @WITH_ML_DSA@
+
 /* Compile with FIPS 140-2 mode */
 #cmakedefine WITH_FIPS @WITH_FIPS@
 
 
@@ -0,0 +1,38 @@
+AC_DEFUN([ACX_BOTAN_MLDSA],[
+	AC_MSG_CHECKING(for Botan ML-DSA support)
+
+	tmp_CPPFLAGS=$CPPFLAGS
+	tmp_LIBS=$LIBS
+
+	CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES"
+	LIBS="$CRYPTO_LIBS $LIBS"
+
+	AC_LANG_PUSH([C++])
+	AC_CACHE_VAL([acx_cv_lib_botan_mldsa_support],[
+		acx_cv_lib_botan_mldsa_support=no
+		AC_RUN_IFELSE([
+			AC_LANG_SOURCE([[
+				#include <botan/version.h>
+				int main()
+				{
+					// TODO
+					return 1;
+				}
+			]])
+		],[
+			AC_MSG_RESULT([yes])
+			acx_cv_lib_botan_mldsa_support=yes
+		],[
+			AC_MSG_RESULT([no])
+			acx_cv_lib_botan_mldsa_support=no
+		],[
+			AC_MSG_WARN([Cannot test, assuming no ML-DSA])
+			acx_cv_lib_botan_mldsa_support=no
+		])
+	])
+	AC_LANG_POP([C++])
+
+	CPPFLAGS=$tmp_CPPFLAGS
+	LIBS=$tmp_LIBS
+	have_lib_botan_mldsa_support="${acx_cv_lib_botan_mldsa_support}"
+])
@@ -28,6 +28,16 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 		[enable_eddsa="detect"]
 	)
 
+	# Add ML-DSA check
+
+	AC_ARG_ENABLE(mldsa,
+		AS_HELP_STRING([--enable-mldsa],
+			[Enable support for ML-DSA (default detect)]
+		),
+		[enable_mldsa="${enableval}"],
+		[enable_mldsa="detect"]
+	)
+
 	# Second check for the FIPS 140-2 mode
 
 	AC_ARG_ENABLE(fips,
@@ -100,6 +110,15 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 			detect*-no*) enable_eddsa="no";;
 		esac
 
+		case "${enable_mldsa}" in
+			yes|detect) ACX_OPENSSL_MLDSA;;
+		esac
+		case "${enable_mldsa}-${have_lib_openssl_mldsa_support}" in
+			yes-no) AC_MSG_ERROR([OpenSSL library has no ML-DSA support]);;
+			detect-yes) enable_mldsa="yes";;
+			detect-no) enable_mldsa="no";;
+		esac
+
 		case "${enable_gost}-${enable_fips}" in
 			yes-yes) AC_MSG_ERROR([GOST is not FIPS approved]);;
 			yes-no|detect-no) ACX_OPENSSL_GOST;;
@@ -166,6 +185,14 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 			detect-*) enable_eddsa="${have_lib_botan_eddsa_support}";;
 		esac
 
+		case "${enable_mldsa}" in
+			yes|detect) ACX_BOTAN_MLDSA;;
+		esac
+		case "${enable_mldsa}-${have_lib_botan_mldsa_support}" in
+			yes-no) AC_MSG_ERROR([Botan library has no ML-DSA support]);;
+			detect-*) enable_mldsa="${have_lib_botan_mldsa_support}";;
+		esac
+
 		case "${enable_gost}" in
 			yes|detect) ACX_BOTAN_GOST;;
 		esac
@@ -231,6 +258,19 @@ AC_DEFUN([ACX_CRYPTO_BACKEND],[
 	fi
 	AM_CONDITIONAL([WITH_EDDSA], [test "x${enable_eddsa}" = "xyes"])
 
+	AC_MSG_CHECKING(for ML-DSA support)
+	if test "x${enable_mldsa}" = "xyes"; then
+		AC_MSG_RESULT(yes)
+		AC_DEFINE_UNQUOTED(
+			[WITH_ML_DSA],
+			[],
+			[Compile with ML-DSA support]
+		)
+	else
+		AC_MSG_RESULT(no)
+	fi
+	AM_CONDITIONAL([WITH_ML_DSA], [test "x${enable_mldsa}" = "xyes"])
+
 
 	AC_SUBST(CRYPTO_INCLUDES)
 	AC_SUBST(CRYPTO_LIBS)
 
@@ -0,0 +1,43 @@
+AC_DEFUN([ACX_OPENSSL_MLDSA],[
+	AC_MSG_CHECKING(for OpenSSL ML-DSA support)
+
+	tmp_CPPFLAGS=$CPPFLAGS
+	tmp_LIBS=$LIBS
+
+	CPPFLAGS="$CPPFLAGS $CRYPTO_INCLUDES"
+	LIBS="$CRYPTO_LIBS $LIBS"
+
+	AC_LANG_PUSH([C])
+	AC_CACHE_VAL([acx_cv_lib_openssl_mldsa_support],[
+		acx_cv_lib_openssl_mldsa_support=no
+		AC_RUN_IFELSE([
+			AC_LANG_SOURCE([[
+				#include <openssl/evp.h>
+				#include <openssl/objects.h>
+				int main()
+				{
+					EVP_PKEY_CTX *pctx =
+    					EVP_PKEY_CTX_new_from_name(NULL, "ML-DSA-44", NULL);
+						if (pctx == NULL)
+							return 1;
+						return 0;
+				}
+			]])
+		],[
+			AC_MSG_RESULT([yes])
+			acx_cv_lib_openssl_mldsa_support=yes
+		],[
+			AC_MSG_RESULT([no])
+			acx_cv_lib_openssl_mldsa_support=no
+		],[
+			AC_MSG_WARN([Cannot test, ML-DSA])
+			acx_cv_lib_openssl_mldsa_support=no
+		])
+	])
+
+	AC_LANG_POP([C])
+
+	CPPFLAGS=$tmp_CPPFLAGS
+	LIBS=$tmp_LIBS
+	have_lib_openssl_mldsa_support="${acx_cv_lib_openssl_mldsa_support}"
+])
@@ -150,6 +150,8 @@ void fill_CKA_table(std::map<unsigned long, std::string> &t)
 	t[CKA_OS_TOKENFLAGS] = "CKA_OS_TOKENFLAGS";
 	t[CKA_OS_SOPIN] = "CKA_OS_SOPIN";
 	t[CKA_OS_USERPIN] = "CKA_OS_USERPIN";
+	t[CKA_PARAMETER_SET] = "CKA_PARAMETER_SET";
+	t[CKA_SEED] = "CKA_SEED";
 }
 
 void fill_CKM_table(std::map<unsigned long, std::string> &t)
@@ -478,6 +480,8 @@ void fill_CKM_table(std::map<unsigned long, std::string> &t)
 	t[CKM_RSA_PKCS_OAEP_TPM_1_1] = "CKM_RSA_PKCS_OAEP_TPM_1_1";
 	t[CKM_EC_EDWARDS_KEY_PAIR_GEN] = "CKM_EC_EDWARDS_KEY_PAIR_GEN";
 	t[CKM_EDDSA] = "CKM_EDDSA";
+	t[CKM_ML_DSA_KEY_PAIR_GEN] = "CKM_ML_DSA_KEY_PAIR_GEN";
+	t[CKM_ML_DSA] = "CKM_ML_DSA";
 }
 
 void fill_CKO_table(std::map<unsigned long, std::string> &t)
@@ -544,6 +548,7 @@ void fill_CKK_table(std::map<unsigned long, std::string> &t)
 	t[CKK_GOSTR3411] = "CKK_GOSTR3411";
 	t[CKK_GOST28147] = "CKK_GOST28147";
 	t[CKK_EC_EDWARDS] = "CKK_EC_EDWARDS";
+	t[CKK_ML_DSA] = "CKK_ML_DSA";
 }
 
 void fill_CKC_table(std::map<unsigned long, std::string> &t)