[openssh-commits] [openssh] branch master updated (5af8f3f29 -> 5a474d1bf)
git+noreply at mindrot.org
Sun Jun 14 14:33:47 AEST 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a change to branch master
in repository openssh.
from 5af8f3f29 upstream: Make crypto_sign_ed25519_keypair_from_seed()
new b7e552138 upstream: when replying to a "query" SSH_AGENTC_EXTENSION request,
new 81ca1451b upstream: Add experimental support for a composite post-quantum
new db1bad146 upstream: make crypto_sign_ed25519_keypair_from_seed non-static.
new 5a474d1bf upstream: unit and regression tests for composite PQ ML-DSA44/Ed25519
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Detailed log of new commits:
commit 5a474d1bf338a895ce5973883c2f79d766f7dd42
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Jun 14 04:08:05 2026 +0000
upstream: unit and regression tests for composite PQ ML-DSA44/Ed25519
keys.
Includes a new unittests/crypto test that tests basic functionality
of the underlying crypto primitives against public test vectors
OpenBSD-Regress-ID: 4463b2e8adec391efa24a953f3c911b72892ca80
commit db1bad146ff3e9aa8e2e8eac926b185870417b2f
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Jun 14 04:16:19 2026 +0000
upstream: make crypto_sign_ed25519_keypair_from_seed non-static.
The new ML-DSA/ed25519 code needs it
OpenBSD-Commit-ID: 48d00a2094bca8e422494aaa76105c708837436e
commit 81ca1451bf94edd9533c4f6787130f2396219049
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sun Jun 14 03:59:34 2026 +0000
upstream: Add experimental support for a composite post-quantum
signature scheme that combines ML-DSA 44 and Ed25519 using the construction
specified in draft-ietf-lamps-pq-composite-sigs. There's also an early draft
documenting use of the integration of this scheme into SSH as
draft-miller-sshm-mldsa44-ed25519-composite-sigs
This scheme is not enabled by default. To use it, you'll need
to add it to HostKeyAlgorithms, PubkeyAcceptedAlgorithms, etc.
Keys may be generated using "ssh-keygen -t mldsa44-ed25519".
The ML-DSA implementation comes from libcrux. Thanks to
Jonas Schneider-Bensch and Jonathan Protzenko for their work to
make this available.
Consensus is that it's time to get this in to allow people to
experiment with it.
feedback markus@ tb@ logan@ deraadt@
OpenBSD-Commit-ID: 85f2d41e3d3374b4e8c28a45a7c92f153c4489e2
commit b7e552138b8861469295e33e1457040e3f747d06
Author: djm at openbsd.org <djm at openbsd.org>
Date: Sat Jun 13 00:37:13 2026 +0000
upstream: when replying to a "query" SSH_AGENTC_EXTENSION request,
don't append an SSH_AGENT_SUCCESS to the reply to the query. bz3967 ok
dtucker@
OpenBSD-Commit-ID: b51418708096e26dbf73a0c1d3cb49b7352bc899
Summary of changes:
Makefile.in | 1 +
authfd.c | 4 +-
authfile.c | 3 +-
crypto_api.h | 127 +-
ed25519-openssl.c | 34 +-
ed25519.c | 4 +-
ed25519.sh | 4 +-
kexmlkem768x25519.c | 123 +-
libcrux-mlkem-mldsa.c | 426 +
libcrux_internal.h | 27332 +++++++++++++++++++
libcrux_mlkem768_sha3.h | 11752 --------
mlkem768.sh | 219 -
mlkem_mldsa.sh | 341 +
pathnames.h | 4 +-
regress/agent.sh | 17 +-
regress/cert-hostkey.sh | 15 +-
regress/cert-userkey.sh | 16 +-
regress/keytype.sh | 8 +-
regress/knownhosts-command.sh | 5 +-
regress/unittests/Makefile | 4 +-
regress/unittests/authopt/Makefile | 4 +-
regress/unittests/{authopt => crypto}/Makefile | 15 +-
regress/unittests/crypto/test_ed25519.c | 104 +
regress/unittests/crypto/test_mldsa.c | 143 +
regress/unittests/crypto/test_mldsa_eddsa.c | 192 +
regress/unittests/crypto/test_mlkem.c | 167 +
.../draft-ietf-lamps-pq-composite-sigs.json | 8 +
regress/unittests/crypto/testdata/nistkats-44.json | 802 +
regress/unittests/crypto/tests.c | 114 +
regress/unittests/hostkeys/Makefile | 4 +-
regress/unittests/kex/Makefile | 3 +-
regress/unittests/servconf/Makefile | 3 +-
regress/unittests/sshkey/Makefile | 4 +-
regress/unittests/sshkey/mktestdata.sh | 22 +-
regress/unittests/sshkey/test_file.c | 67 +-
regress/unittests/sshkey/test_fuzz.c | 58 +-
regress/unittests/sshkey/test_sshkey.c | 111 +-
.../unittests/sshkey/testdata/mldsa44_ed25519_1 | 58 +
.../sshkey/testdata/mldsa44_ed25519_1-cert.fp | 1 +
.../sshkey/testdata/mldsa44_ed25519_1-cert.pub | 1 +
.../unittests/sshkey/testdata/mldsa44_ed25519_1.fp | 1 +
.../sshkey/testdata/mldsa44_ed25519_1.fp.bb | 1 +
.../sshkey/testdata/mldsa44_ed25519_1.pub | 1 +
.../unittests/sshkey/testdata/mldsa44_ed25519_1_pw | 59 +
.../unittests/sshkey/testdata/mldsa44_ed25519_2 | 58 +
.../unittests/sshkey/testdata/mldsa44_ed25519_2.fp | 1 +
.../sshkey/testdata/mldsa44_ed25519_2.fp.bb | 1 +
.../sshkey/testdata/mldsa44_ed25519_2.pub | 1 +
regress/unittests/sshsig/Makefile | 4 +-
regress/unittests/sshsig/mktestdata.sh | 9 +-
regress/unittests/sshsig/testdata/mldsa44-ed25519 | 58 +
.../unittests/sshsig/testdata/mldsa44-ed25519.pub | 1 +
.../unittests/sshsig/testdata/mldsa44-ed25519.sig | 78 +
regress/unittests/sshsig/tests.c | 6 +-
servconf.c | 4 +-
ssh-agent.c | 12 +-
ssh-keygen.c | 8 +-
ssh-keyscan.c | 15 +-
ssh-keysign.c | 3 +-
ssh-mldsa-eddsa.c | 501 +
ssh.c | 4 +-
sshconnect.c | 3 +-
sshd-auth.c | 5 +-
sshd-session.c | 3 +-
sshd.c | 3 +-
ssherr.c | 4 +-
ssherr.h | 4 +-
sshkey.c | 11 +-
sshkey.h | 7 +-
69 files changed, 31064 insertions(+), 12122 deletions(-)
create mode 100644 libcrux-mlkem-mldsa.c
create mode 100644 libcrux_internal.h
delete mode 100644 libcrux_mlkem768_sha3.h
delete mode 100644 mlkem768.sh
create mode 100644 mlkem_mldsa.sh
copy regress/unittests/{authopt => crypto}/Makefile (74%)
create mode 100644 regress/unittests/crypto/test_ed25519.c
create mode 100644 regress/unittests/crypto/test_mldsa.c
create mode 100644 regress/unittests/crypto/test_mldsa_eddsa.c
create mode 100644 regress/unittests/crypto/test_mlkem.c
create mode 100644 regress/unittests/crypto/testdata/draft-ietf-lamps-pq-composite-sigs.json
create mode 100644 regress/unittests/crypto/testdata/nistkats-44.json
create mode 100644 regress/unittests/crypto/tests.c
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_1
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_1-cert.fp
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_1-cert.pub
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_1.fp
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_1.fp.bb
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_1.pub
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_1_pw
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_2
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_2.fp
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_2.fp.bb
create mode 100644 regress/unittests/sshkey/testdata/mldsa44_ed25519_2.pub
create mode 100644 regress/unittests/sshsig/testdata/mldsa44-ed25519
create mode 100644 regress/unittests/sshsig/testdata/mldsa44-ed25519.pub
create mode 100644 regress/unittests/sshsig/testdata/mldsa44-ed25519.sig
create mode 100644 ssh-mldsa-eddsa.c
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.