cryptography icon indicating copy to clipboard operation
cryptography copied to clipboard
verified publisher icon pyca

OpenSSL 3.3, 3.4, 3.5 features to expose

Open h-vetinari opened this issue 9 months ago • 5 comments

This is a continuation of #9795 for newer versions. The points here are simply harvested from the feature list in openssl's NEWS.md, not all of them are necessarily applicable to cryptography (but I don't know how to make that determination, so I opted to err on the side of completeness). Please feel free to prune/edit/expand the list as you see fit.

  • OpenSSL v3.3

    • [x] Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes.
    • [x] New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded.

  • OpenSSL v3.4

  • OpenSSL v3.5

    • [ ] Support for PQC algorithms
      • [ ] ML-KEM (#12824)
      • [ ] ML-DSA
      • [ ] SLH-DSA
    • [ ] Support added for opaque symmetric key objects (EVP_SKEY).

h-vetinari avatar Mar 12 '25 23:03 h-vetinari

In this context I'd like to revive the discussion: https://github.com/pyca/cryptography/issues/11473

OpenSSL 3.5 extends the default provider with support for NIST finalists of the post-quantum algorithm competition, so I hope this brings the possibility of using PQ algorithms via cryptography closer to reality.

ralienpp avatar Mar 14 '25 20:03 ralienpp

Once 3.5 is out, I'd like to add PQ algorithms.

This is somewhat tempered by the fact that they're all behind atrocious new OpenSSL APIs.

(I don't think the current list of everything from the OpenSSL changelogs is especially useful, as the vast majority of these ideas have no implications for our APIs.)

alex avatar Mar 14 '25 20:03 alex

I don't think the current list of everything from the OpenSSL changelogs is especially useful, as the vast majority of these ideas have no implications for our APIs.

Please just wantonly delete what has no place here. I find it hard to tell which pieces may affect cryptography, so I didn't prune the list.

h-vetinari avatar Mar 14 '25 20:03 h-vetinari

@alex could you provide some estimate on when we could expect addition of support for PQC algorithms?

alittwin avatar Jun 27 '25 07:06 alittwin

We have no estimates.

On Fri, Jun 27, 2025 at 12:03 AM Adrian Littwin @.***> wrote:

alittwin left a comment (pyca/cryptography#12610) https://github.com/pyca/cryptography/issues/12610#issuecomment-3011932007

@alex https://github.com/alex could you provide some estimate on when we could expect addition of support for PQC algorithms?

— Reply to this email directly, view it on GitHub https://github.com/pyca/cryptography/issues/12610#issuecomment-3011932007, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAAGBAQJMY7Z5ZY56IP2TD3FTUCXAVCNFSM6AAAAABY43GI5CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTAMJRHEZTEMBQG4 . You are receiving this because you were mentioned.Message ID: @.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

alex avatar Jun 27 '25 14:06 alex