pq_crypto 0.5.0 → 0.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f34f4ae9f34414fbbc1f6ffc63de9c24306a6a432138e36442c1e43661fa59e
-  data.tar.gz: 6b2a754c55b9a1be4706cf5d835ee08844b54d75d96d43611f22c8c4f68cb10f
+  metadata.gz: 2274795113da1599b664af11b1393a86d68f1886f3536e0a65385b04b8ce03fe
+  data.tar.gz: 386fe1093ba0b28a910195a40d7698e0cef91f9f57fc90b3a1aaac3eec4451a5
 SHA512:
-  metadata.gz: 0b72822b4b645f891e8f87693004f736070b9bba37432a48ffc840ec1a114865ba691db7c1ffc12aab7643369c3883892d9fbcf3c4f7cf895b5938d2ee650b1c
-  data.tar.gz: 13c0263600408685f5d484528032305c48e3e3d551799abad990167c9a9d14d0287aabb70fd88dc00f72d6236f15e70c3d9f6e9572ad02276e11674aafd87774
+  metadata.gz: f9f73a9d575d9931020e1674f96adafe08816a1f7183b0b948194fcd2fb4da106afb854525ef544409b47bde34c987ac0eae6ce54440b7562f70faf5807446c3
+  data.tar.gz: c5e54b45ab8461bd1edd2b3e4e14f0092267232bc3bf1436841488fa7a604fdf66056dfd160767ec2d47b0a4afe37cb660a46a54466677994a3c1d73269959d1

data/.github/workflows/ci.yml

@@ -1,12 +1,30 @@
 name: CI
 
 on:
-  push:
-    branches: ["**"]
   pull_request:
+  push:
+    branches: [main]
 
 jobs:
+  vendor-verify:
+    name: vendor-verify
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+
+      - name: Verify vendored sources against pinned tree_sha256
+        run: bundle exec rake vendor:verify
+
   test:
+    needs: vendor-verify
     runs-on: ${{ matrix.os }}
 
     strategy:
@@ -30,6 +48,9 @@ jobs:
         with:
           go-version: "1.26.0"
 
+      - name: Verify vendored sources
+        run: bundle exec rake vendor:verify
+
       - name: Compile extension
         run: bundle exec rake compile
 
@@ -37,6 +58,7 @@ jobs:
         run: bundle exec rake test
 
   interop-openssl-3-5-required:
+    needs: vendor-verify
     name: interop-openssl-3.5-required
     runs-on: ubuntu-24.04
 
@@ -77,6 +99,9 @@ jobs:
         with:
           go-version: "1.26.0"
 
+      - name: Verify vendored sources
+        run: bundle exec rake vendor:verify
+
       - name: Compile extension
         run: bundle exec rake compile
 
@@ -91,3 +116,50 @@ jobs:
             echo "OpenSSL 3.5 interop tests must NOT skip on this matrix entry."
             exit 1
           fi
+
+  linux-native-backend:
+    needs: test
+    name: linux-native-backend
+    runs-on: ubuntu-latest
+    env:
+      PQCRYPTO_NATIVE_ASM: "1"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+
+      - name: Verify vendored sources
+        run: bundle exec rake vendor:verify
+
+      - name: Compile extension with native x86_64 backend
+        run: |
+          rm -rf tmp lib/pqcrypto/pqcrypto_secure.so
+          bundle exec rake compile
+
+      - name: Smoke native backend
+        run: |
+          bundle exec ruby -Ilib -e '
+            require "pq_crypto"
+
+            kem = PQCrypto::KEM.generate(:ml_kem_768)
+            enc = kem.public_key.encapsulate
+            raise "ML-KEM mismatch" unless kem.secret_key.decapsulate(enc.ciphertext) == enc.shared_secret
+
+            sig = PQCrypto::Signature.generate(:ml_dsa_65)
+            msg = "linux-native-backend".b
+            signature = sig.secret_key.sign(msg)
+            raise "ML-DSA verify failed" unless sig.public_key.verify(msg, signature)
+          '
+
+      - name: Verify AVX2 native symbols
+        run: |
+          set -euxo pipefail
+          so="lib/pqcrypto/pqcrypto_secure.so"
+          test -f "$so"
+          nm "$so" | grep -E "pqcr_(mlkem|mldsa).*avx2|keccak.*avx2"

data/CHANGELOG.md

@@ -1,5 +1,54 @@
 # Changelog
 
+## [0.5.2] - 2026-05-06
+
+### Build
+
+- Added Linux/OpenSSL discovery via `OPENSSL_ROOT_DIR`, `OPENSSL_DIR`, and `pkg-config`.
+- Preserved `$(CFLAGS)`/`$(CCDLFLAGS)` for vendored native objects so Linux shared-object builds keep `-fPIC`.
+- Added opt-in Linux x86_64 native-backend support through `PQCRYPTO_NATIVE_ASM=1`.
+- Added x86_64 AVX2 vendor flags for mlkem-native/mldsa-native when native backends are explicitly enabled.
+- Added separate `PQCRYPTO_NATIVE_ARITH` and `PQCRYPTO_NATIVE_FIPS202` switches for native arithmetic and Keccak/FIPS202 backends.
+- Kept AArch64 native asm enabled by default; verified macOS arm64 still builds ML-KEM/ML-DSA native asm paths.
+
+### CI
+
+- Added a Linux native-backend job that compiles with `PQCRYPTO_NATIVE_ASM=1`, runs ML-KEM/ML-DSA smoke checks, and verifies AVX2 symbols in the extension.
+
+## [0.5.1] - 2026-05-04
+
+### Performance
+
+- Enabled native asm/SIMD paths for ML-DSA/ML-KEM where available.
+- Reduced Hybrid KEM X25519 overhead by reusing expanded/native key state and avoiding repeated private/public key reconstruction.
+- Moved hot crypto calls under `rb_nogvl` where applicable.
+- Optimized PEM export path by replacing BIO/streaming base64 with direct encode.
+- Reduced small-buffer streaming overhead by avoiding unnecessary `malloc`/`nogvl` work for tiny chunks.
+
+### Vendoring
+
+- Committed `mlkem-native` and `mldsa-native` sources to the repository. Builds no longer require git or network.
+- Pinned upstream by `commit` + `tree_sha256` in `script/vendor_libs.rb`; manifest signed with `manifest_sha256`.
+- Deterministic vendor tree (no symlinks, dotfiles, normalized mtime/permissions).
+- `script/vendor_libs.rb` now supports `--verify`, `--sync`, `--bump`.
+
+### Build
+
+- `extconf.rb` no longer auto-fetches upstream. Missing vendor aborts the build; opt in with `PQCRYPTO_AUTO_VENDOR=1`.
+
+### Rakefile
+
+- Added `vendor:verify`, `vendor:sync`, `vendor:bump`. Default task runs `vendor:verify` before `compile` and `test`.
+
+### CI
+
+- Added `vendor-verify` gating job; `vendor:verify` also runs in each test job before compile.
+
+### Repository
+
+- `.gitattributes` enforces `eol=lf` and marks vendor as binary (CRLF protection).
+- `.gitignore` no longer hides `sempls/`.
+
 ## [0.5.0] - 2026-05-04
 
 ### Changed — native backend migration

data/ext/pqcrypto/extconf.rb

@@ -39,14 +39,85 @@ if SANITIZE && !SANITIZE.strip.empty?
   $LDFLAGS << " -fsanitize=#{sanitize}"
 end
 
-NATIVE_ASM = (ENV["PQCRYPTO_NATIVE_ASM"] || "0") == "1"
+def host_cpu
+  RbConfig::CONFIG.fetch("host_cpu", "")
+end
+
+def host_os
+  RbConfig::CONFIG.fetch("host_os", "")
+end
+
+def aarch64_host?
+  host_cpu =~ /\A(?:arm64|aarch64)\z/i
+end
+
+def x86_64_host?
+  host_cpu =~ /\A(?:x86_64|amd64|x64)\z/i
+end
+
+def native_asm_supported_by_default?
+  return false if host_os =~ /mswin|mingw|cygwin/i
+
+  aarch64_host?
+end
+
+def env_bool(name, default)
+  value = ENV[name]
+  return default if value.nil? || value.strip.empty? || value.strip.downcase == "auto"
+
+  case value.strip.downcase
+  when "1", "true", "yes", "on"
+    true
+  when "0", "false", "no", "off"
+    false
+  else
+    abort "Invalid #{name}=#{value.inspect}; use 1, 0, true, false, or auto"
+  end
+end
+
+NATIVE_ASM = env_bool("PQCRYPTO_NATIVE_ASM", native_asm_supported_by_default?)
+NATIVE_ARITH = env_bool("PQCRYPTO_NATIVE_ARITH", NATIVE_ASM)
+NATIVE_FIPS202 = env_bool("PQCRYPTO_NATIVE_FIPS202", NATIVE_ASM)
+
+X86_VENDOR_ARCH_FLAGS = "-mavx2 -mbmi -mbmi2 -mpopcnt -maes -mssse3 -msse4.1 -msse4.2"
+
+VENDOR_C_ARCH_FLAGS = +""
+VENDOR_ASM_ARCH_FLAGS = +""
+
+if x86_64_host? && (NATIVE_ARITH || NATIVE_FIPS202)
+  VENDOR_C_ARCH_FLAGS << "#{X86_VENDOR_ARCH_FLAGS} -fno-tree-vectorize"
+  VENDOR_ASM_ARCH_FLAGS << X86_VENDOR_ARCH_FLAGS
+end
+
+if ENV["PQCRYPTO_NATIVE_TUNE"] == "1"
+  VENDOR_C_ARCH_FLAGS << " -march=native -mtune=native"
+  VENDOR_ASM_ARCH_FLAGS << " -march=native -mtune=native"
+end
 
 def configure_compiler_environment
-  return unless RUBY_PLATFORM.include?("darwin")
+  if RUBY_PLATFORM.include?("darwin")
+    dir_config("homebrew", "/opt/homebrew")
+    $CPPFLAGS << " -I/opt/homebrew/include"
+    $LDFLAGS << " -L/opt/homebrew/lib"
+    return
+  end
 
-  dir_config("homebrew", "/opt/homebrew")
-  $CPPFLAGS << " -I/opt/homebrew/include"
-  $LDFLAGS << " -L/opt/homebrew/lib"
+  openssl_root = ENV["OPENSSL_ROOT_DIR"] || ENV["OPENSSL_DIR"]
+  if openssl_root && !openssl_root.strip.empty? && File.directory?(openssl_root)
+    $CPPFLAGS << " -I#{openssl_root}/include"
+    %w[lib64 lib].each do |suffix|
+      libdir = File.join(openssl_root, suffix)
+      next unless File.directory?(libdir)
+
+      $LDFLAGS << " -L#{libdir} -Wl,-rpath,#{libdir}"
+      break
+    end
+  elsif find_executable("pkg-config")
+    cflags = `pkg-config --cflags openssl 2>/dev/null`.strip
+    libs = `pkg-config --libs-only-L openssl 2>/dev/null`.strip
+    $CPPFLAGS << " #{cflags}" unless cflags.empty?
+    $LDFLAGS << " #{libs}" unless libs.empty?
+  end
 end
 
 def native_vendor_sources_for(vendor_dir)
@@ -66,28 +137,25 @@ def vendor_script_path
 end
 
 def run_vendor_script!(vendor_dir)
-  script = vendor_script_path
-  abort <<~MSG unless File.exist?(script)
-    PQ Code Package vendored sources are missing and script/vendor_libs.rb was not packaged.
+  abort <<~MSG if ENV["PQCRYPTO_AUTO_VENDOR"] != "1"
+    PQ Code Package vendored sources are missing.
 
     Expected:
       #{native_vendor_sources_for(vendor_dir).join("\n  ")}
 
-    Rebuild the gem from a repository that includes script/vendor_libs.rb, or run
-    script/vendor_libs.rb before building the gem package.
-  MSG
-
-  abort <<~MSG if ENV["PQCRYPTO_AUTO_VENDOR"] == "0"
-    PQ Code Package vendored sources are missing and PQCRYPTO_AUTO_VENDOR=0 was set.
+    The vendor tree is committed to the repository and shipped with the gem.
+    If it is missing, the source tree is incomplete or corrupted.
 
-    Expected:
-      #{native_vendor_sources_for(vendor_dir).join("\n  ")}
-
-    Run:
+    To fetch upstream sources at the pinned commits run:
       ruby script/vendor_libs.rb
+
+    Or to allow extconf.rb to do this for you set PQCRYPTO_AUTO_VENDOR=1.
   MSG
 
-  puts "PQ Code Package native sources are missing; vendoring now..."
+  script = vendor_script_path
+  abort "PQ Code Package vendored sources are missing and script/vendor_libs.rb was not packaged." unless File.exist?(script)
+
+  puts "PQ Code Package native sources are missing; vendoring now (PQCRYPTO_AUTO_VENDOR=1)..."
   ok = system(RbConfig.ruby, script)
   abort <<~MSG unless ok
     Failed to vendor PQ Code Package native sources.
@@ -210,10 +278,8 @@ def native_flags(kind, level, shared:)
   flags << "-D#{prefix}_CONFIG_NAMESPACE_PREFIX=#{ns}"
   flags << "-D#{prefix}_CONFIG_NO_SUPERCOP"
   flags << (shared ? "-D#{prefix}_CONFIG_MULTILEVEL_WITH_SHARED" : "-D#{prefix}_CONFIG_MULTILEVEL_NO_SHARED")
-  if NATIVE_ASM
-    flags << "-D#{prefix}_CONFIG_USE_NATIVE_BACKEND_ARITH"
-    flags << "-D#{prefix}_CONFIG_USE_NATIVE_BACKEND_FIPS202"
-  end
+  flags << "-D#{prefix}_CONFIG_USE_NATIVE_BACKEND_ARITH" if NATIVE_ARITH
+  flags << "-D#{prefix}_CONFIG_USE_NATIVE_BACKEND_FIPS202" if NATIVE_FIPS202
   flags.join(" ")
 end
 
@@ -237,11 +303,11 @@ def inject_native_sources!(config)
     build_rules << <<~RULE
       #{object}: #{source}
       	$(ECHO) compiling #{source} [#{kind}-#{level}]
-      	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) #{VENDOR_ONLY_CFLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
+      	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) $(CCDLFLAGS) #{VENDOR_ONLY_CFLAGS} #{VENDOR_C_ARCH_FLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
     RULE
   end
 
-  if NATIVE_ASM
+  if NATIVE_ARITH || NATIVE_FIPS202
     [
       [:mlkem, "512", config[:mlkem_asm], true],
       [:mlkem, "768", config[:mlkem_asm], false],
@@ -258,7 +324,7 @@ def inject_native_sources!(config)
       build_rules << <<~RULE
         #{object}: #{source}
         	$(ECHO) assembling #{source} [#{kind}-#{level}]
-        	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) #{VENDOR_ONLY_CFLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
+        	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) $(CCDLFLAGS) #{VENDOR_ONLY_CFLAGS} #{VENDOR_ASM_ARCH_FLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
       RULE
     end
   end
@@ -288,7 +354,15 @@ native_config = native_vendor_config(vendor_dir)
 puts "OpenSSL: system"
 puts "ML-KEM: mlkem-native vendored"
 puts "ML-DSA: mldsa-native vendored"
-puts "Native asm backends: #{NATIVE_ASM ? 'enabled' : 'disabled'}"
+puts "Host CPU: #{host_cpu} (#{host_os})"
+puts "Native asm auto/forced: #{NATIVE_ASM ? 'enabled' : 'disabled'}"
+puts "Native arithmetic backend: #{NATIVE_ARITH ? 'enabled' : 'disabled'}"
+puts "Native FIPS202 backend: #{NATIVE_FIPS202 ? 'enabled' : 'disabled'}"
+puts "Vendor C arch flags: #{VENDOR_C_ARCH_FLAGS.empty? ? '(none)' : VENDOR_C_ARCH_FLAGS}"
+puts "Vendor ASM arch flags: #{VENDOR_ASM_ARCH_FLAGS.empty? ? '(none)' : VENDOR_ASM_ARCH_FLAGS}"
+if x86_64_host? && (NATIVE_ARITH || NATIVE_FIPS202)
+  puts "x86_64 native backend: AVX2 build flags enabled"
+end
 puts "PQClean fallback: removed"
 puts "Output: pqcrypto/pqcrypto_secure"
 puts "===================================="

data/ext/pqcrypto/pqcrypto_native_api.h

@@ -78,6 +78,9 @@ int pqcr_mlkem1024_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 int pqcr_mlkem1024_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
 int pqcr_mlkem1024_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
 
+void pqcr_mlkem_shake256(uint8_t *output, size_t outlen, const uint8_t *input, size_t inlen);
+void pqcr_mlkem_sha3_256(uint8_t *output, const uint8_t *input, size_t inlen);
+
 /* mldsa-native symbols: namespace prefix pqcr_mldsa + level suffix. */
 int pqcr_mldsa44_keypair(uint8_t *pk, uint8_t *sk);
 int pqcr_mldsa44_keypair_internal(uint8_t *pk, uint8_t *sk, const uint8_t seed[MLDSA_SEEDBYTES]);