feat: add pure mlkem_1024 definition (#5468)

Author: johubertj

crypto/s2n_ecc_evp.c

@@ -51,6 +51,7 @@ static EC_POINT *s2n_ecc_evp_blob_to_point(struct s2n_blob *blob, const EC_KEY *
 static int s2n_ecc_evp_generate_key_nist_curves(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey);
 static int s2n_ecc_evp_generate_own_key(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey);
 static int s2n_ecc_evp_compute_shared_secret(EVP_PKEY *own_key, EVP_PKEY *peer_public, uint16_t iana_id, struct s2n_blob *shared_secret);
+static int s2n_ecc_evp_generate_key_noop(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey);
 
 /* IANA values can be found here: https://tools.ietf.org/html/rfc8446#appendix-B.3.1.4 */
 
@@ -101,6 +102,14 @@ const struct s2n_ecc_named_curve s2n_unsupported_curve = {
     .generate_key = s2n_ecc_evp_generate_key_nist_curves,
 };
 
+const struct s2n_ecc_named_curve s2n_ecc_curve_none = {
+    .iana_id = 0,
+    .name = "none",
+    .libcrypto_nid = 0,
+    .share_size = 0,
+    .generate_key = s2n_ecc_evp_generate_key_noop,
+};
+
 /* All curves that s2n supports. New curves MUST be added here.
  * This list is a super set of all the curves present in s2n_ecc_preferences list.
  */
@@ -166,6 +175,11 @@ static int s2n_ecc_evp_generate_key_nist_curves(const struct s2n_ecc_named_curve
     return 0;
 }
 
+static int s2n_ecc_evp_generate_key_noop(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey)
+{
+    POSIX_BAIL(S2N_ERR_UNIMPLEMENTED);
+}
+
 static int s2n_ecc_evp_generate_own_key(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey)
 {
     POSIX_ENSURE_REF(named_curve);

crypto/s2n_ecc_evp.h

@@ -44,6 +44,7 @@ extern const struct s2n_ecc_named_curve s2n_ecc_curve_secp256r1;
 extern const struct s2n_ecc_named_curve s2n_ecc_curve_secp384r1;
 extern const struct s2n_ecc_named_curve s2n_ecc_curve_secp521r1;
 extern const struct s2n_ecc_named_curve s2n_ecc_curve_x25519;
+extern const struct s2n_ecc_named_curve s2n_ecc_curve_none;
 
 /* BoringSSL only supports using EVP_PKEY_X25519 with "modern" EC EVP APIs. BoringSSL has a note to possibly add this in
  * the future. See https://github.com/google/boringssl/blob/master/crypto/evp/p_x25519_asn1.c#L233

tests/unit/kats/generate_pq_hybrid_tls13_handshake_kats.py renamed to tests/unit/kats/generate_pq_hybrid_and_pure_tls13_handshake_kats.py

@@ -2,14 +2,16 @@
 import hmac
 
 # The PEM-encoded ECC private keys were used to generate the ECC shared secrets
-# are located in in s2n/tests/unit/s2n_tls13_hybrid_shared_secret_test.c with
+# are located in in s2n/tests/unit/s2n_tls13_hybrid_pq_shared_secret_test.c and
+# s2n/tests/unit/s2n_tls13_pure_pq_shared_secret_test.c with
 # names like "CLIENT_{CURVE}_PRIV_KEY" and "SERVER_{CURVE}_PRIV_KEY".
 
 # We aren't really concerned with the actual bytes of the transcript, only the hash.
 # The transcript_hash values were calculated as:
 # hashlib.sha256(b"client_hello || server_hello").hexdigest()
 # hashlib.sha384(b"client_hello || server_hello").hexdigest()
-# The string "client_hello || server_hello" is used in s2n/tests/unit/s2n_tls13_hybrid_shared_secret_test.c.
+# The string "client_hello || server_hello" is used in s2n/tests/unit/s2n_tls13_hybrid_pq_shared_secret_test.c and
+# s2n/tests/unit/s2n_tls13_pure_pq_shared_secret_test.c
 
 # The PQ shared secrets come from the first test vector in the corresponding NIST KAT.
 input_vectors = [
@@ -250,6 +252,20 @@
         "pq_shared_secret": "23f211b84a6ee20c8c29f6e5314c91b414e940513d380add17bd724ab3a13a52",
         "transcript_hash": "35412cebcf35cb8a7af8f78278a486fc798f8702eaebd067c97acb27bffe13524d8426a4ed57956b4fd0ffdc4c90be52",
     },
+    {
+        "group_name": "MLKEM1024",
+        "cipher_suite": "TLS_AES_128_GCM_SHA256",
+        "ec_shared_secret": "",
+        "pq_shared_secret": "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035",
+        "transcript_hash": "f5f7f7867668be4b792159d4d194a03ec5cfa238b6409b5ca2ddccfddcc92a2b",
+    },
+    {
+        "group_name": "MLKEM1024",
+        "cipher_suite": "TLS_AES_256_GCM_SHA384",
+        "ec_shared_secret": "",
+        "pq_shared_secret": "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035",
+        "transcript_hash": "35412cebcf35cb8a7af8f78278a486fc798f8702eaebd067c97acb27bffe13524d8426a4ed57956b4fd0ffdc4c90be52",
+    }
 ]
 
 
@@ -278,6 +294,9 @@ def compute_secrets(input_vector: dict):
     if (input_vector["group_name"] == "X25519MLKEM768"):
         shared_secret = bytes.fromhex(input_vector["pq_shared_secret"] + input_vector["ec_shared_secret"])
 
+    if input_vector["group_name"].startswith("MLKEM"):
+        shared_secret = bytes.fromhex(input_vector["pq_shared_secret"])
+
     hash_alg = input_vector["cipher_suite"].split("_")[-1].lower()
     zeros = bytearray([0] * hashlib.new(hash_alg).digest_size)
     transcript_hash = bytes.fromhex(input_vector["transcript_hash"])

tests/unit/s2n_ecc_preferences_test.c

@@ -45,5 +45,19 @@ int main(int argc, char **argv)
         EXPECT_FALSE(s2n_ecc_preferences_includes_curve(&s2n_ecc_preferences_20201021, TLS_EC_CURVE_ECDH_X25519));
     };
 
+    /* Test: validate all ecc preferences */
+    {
+        for (size_t policy_index = 0; security_policy_selection[policy_index].version != NULL; policy_index++) {
+            const struct s2n_security_policy *security_policy = security_policy_selection[policy_index].security_policy;
+            const struct s2n_ecc_preferences *ecc_preferences = security_policy->ecc_preferences;
+            EXPECT_NOT_NULL(ecc_preferences);
+
+            for (size_t curve_index = 0; curve_index < ecc_preferences->count; curve_index++) {
+                /* Ensure no placeholder curve "s2n_ecc_curve_none" is included in all security policies */
+                EXPECT_NOT_EQUAL(ecc_preferences->ecc_curves[curve_index], &s2n_ecc_curve_none);
+            }
+        }
+    };
+
     END_TEST();
 }

tests/unit/s2n_kem_preferences_test.c

@@ -70,6 +70,7 @@ int main(int argc, char **argv)
             if (s2n_libcrypto_supports_mlkem()) {
                 EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp256r1_mlkem_768));
                 EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp384r1_mlkem_1024));
+                EXPECT_TRUE(s2n_kem_group_is_available(&s2n_pure_mlkem_1024));
                 if (s2n_is_evp_apis_supported()) {
                     EXPECT_TRUE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768));
                 } else {
@@ -86,6 +87,7 @@ int main(int argc, char **argv)
             EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp256r1_mlkem_768));
             EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768));
             EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp384r1_mlkem_1024));
+            EXPECT_FALSE(s2n_kem_group_is_available(&s2n_pure_mlkem_1024));
         }
     };
 

tests/unit/s2n_tls13_hybrid_shared_secret_test.c renamed to tests/unit/s2n_tls13_hybrid_pq_shared_secret_test.c

@@ -607,46 +607,46 @@ int main(int argc, char **argv)
 
         for (size_t i = 0; i < s2n_array_len(modes); i++) {
             /* Failures because of NULL arguments */
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(NULL, NULL), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(NULL, NULL), S2N_ERR_NULL);
             struct s2n_connection *conn = NULL;
             EXPECT_NOT_NULL(conn = s2n_connection_new(modes[i]));
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, NULL), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, NULL), S2N_ERR_NULL);
             DEFER_CLEANUP(struct s2n_blob calculated_shared_secret = { 0 }, s2n_free);
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(NULL, &calculated_shared_secret), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(NULL, &calculated_shared_secret), S2N_ERR_NULL);
 
             /* Failures because classic (non-hybrid) parameters were configured */
             conn->kex_params.server_ecc_evp_params.negotiated_curve = &s2n_ecc_curve_secp256r1;
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret), S2N_ERR_SAFETY);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret), S2N_ERR_SAFETY);
             conn->kex_params.server_ecc_evp_params.negotiated_curve = NULL;
             EXPECT_SUCCESS(read_priv_ecc(&conn->kex_params.server_ecc_evp_params.evp_pkey, test_vector->client_ecc_key));
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret), S2N_ERR_SAFETY);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret), S2N_ERR_SAFETY);
             EXPECT_SUCCESS(s2n_ecc_evp_params_free(&conn->kex_params.server_ecc_evp_params));
 
             /* Failure because the chosen_client_kem_group_params is NULL */
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
 
             /* Failures because the kem_group_params aren't set */
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
             conn->kex_params.server_kem_group_params.ecc_params.negotiated_curve = test_vector->kem_group->curve;
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
             conn->kex_params.client_kem_group_params.ecc_params.negotiated_curve = test_vector->kem_group->curve;
 
             /* Failures because the ECC private keys are NULL */
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
             EXPECT_SUCCESS(read_priv_ecc(&conn->kex_params.client_kem_group_params.ecc_params.evp_pkey, test_vector->client_ecc_key));
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
             EXPECT_SUCCESS(read_priv_ecc(&conn->kex_params.server_kem_group_params.ecc_params.evp_pkey, test_vector->server_ecc_key));
 
             /* Failure because pq_shared_secret is NULL */
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
             EXPECT_SUCCESS(s2n_dup(test_vector->pq_secret, &conn->kex_params.client_kem_group_params.kem_params.shared_secret));
 
             /* Failure because the kem_group is NULL */
-            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
+            EXPECT_FAILURE_WITH_ERRNO(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret), S2N_ERR_NULL);
             conn->kex_params.server_kem_group_params.kem_group = test_vector->kem_group;
 
             /* Finally, success */
-            EXPECT_SUCCESS(s2n_tls13_compute_pq_hybrid_shared_secret(conn, &calculated_shared_secret));
+            EXPECT_SUCCESS(s2n_tls13_compute_pq_shared_secret(conn, &calculated_shared_secret));
 
             EXPECT_SUCCESS(s2n_connection_free(conn));
         }

tests/unit/s2n_tls13_pure_pq_shared_secret_test.c

@@ -0,0 +1,68 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+#include "api/s2n.h"
+#include "crypto/s2n_pq.h"
+#include "tests/s2n_test.h"
+#include "tests/testlib/s2n_testlib.h"
+#include "tls/s2n_connection.h"
+#include "tls/s2n_tls13_handshake.c"
+#include "utils/s2n_blob.h"
+#include "utils/s2n_mem.h"
+#include "utils/s2n_safety.h"
+
+#define MLKEM1024_SECRET "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035"
+
+int main(int argc, char **argv)
+{
+    BEGIN_TEST();
+
+    /* Test: TLS 1.3 pure ML-KEM-1024 shared secret computation */
+    {
+        S2N_BLOB_FROM_HEX(expected_secret, MLKEM1024_SECRET);
+
+        DEFER_CLEANUP(struct s2n_connection *client_conn = NULL, s2n_connection_ptr_free);
+        DEFER_CLEANUP(struct s2n_connection *server_conn = NULL, s2n_connection_ptr_free);
+        EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
+        EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
+
+        client_conn->kex_params.server_kem_group_params.kem_group = &s2n_pure_mlkem_1024;
+        client_conn->kex_params.client_kem_group_params.kem_group = &s2n_pure_mlkem_1024;
+        server_conn->kex_params.server_kem_group_params.kem_group = &s2n_pure_mlkem_1024;
+        server_conn->kex_params.client_kem_group_params.kem_group = &s2n_pure_mlkem_1024;
+
+        client_conn->kex_params.server_kem_group_params.kem_params.kem = s2n_pure_mlkem_1024.kem;
+        client_conn->kex_params.client_kem_group_params.kem_params.kem = s2n_pure_mlkem_1024.kem;
+        server_conn->kex_params.server_kem_group_params.kem_params.kem = s2n_pure_mlkem_1024.kem;
+        server_conn->kex_params.client_kem_group_params.kem_params.kem = s2n_pure_mlkem_1024.kem;
+
+        POSIX_GUARD(s2n_dup(&expected_secret,
+                &client_conn->kex_params.client_kem_group_params.kem_params.shared_secret));
+        POSIX_GUARD(s2n_dup(&expected_secret,
+                &server_conn->kex_params.client_kem_group_params.kem_params.shared_secret));
+
+        DEFER_CLEANUP(struct s2n_blob client_secret = { 0 }, s2n_free);
+        DEFER_CLEANUP(struct s2n_blob server_secret = { 0 }, s2n_free);
+
+        EXPECT_SUCCESS(s2n_tls13_compute_shared_secret(client_conn, &client_secret));
+        EXPECT_SUCCESS(s2n_tls13_compute_shared_secret(server_conn, &server_secret));
+
+        S2N_BLOB_EXPECT_EQUAL(client_secret, server_secret);
+
+        EXPECT_EQUAL(client_secret.size, expected_secret.size);
+        EXPECT_BYTEARRAY_EQUAL(client_secret.data, expected_secret.data, expected_secret.size);
+    };
+
+    END_TEST();
+}

tls/s2n_kem.c

@@ -110,6 +110,20 @@ const struct s2n_iana_to_kem kem_mapping[1] = {
  * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
  */
 
+/*
+ * ML-KEM based pure PQ KEMs as specified by IETF and registered in IANA.
+ *
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+ * https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/05/
+ */
+const struct s2n_kem_group s2n_pure_mlkem_1024 = {
+    .name = "MLKEM1024",
+    .iana_id = TLS_PQ_KEM_GROUP_ID_MLKEM_1024,
+    .curve = &s2n_ecc_curve_none,
+    .kem = &s2n_mlkem_1024,
+    .send_kem_first = 0,
+};
+
 /*
  * ML-KEM based hybrid KEMs as specified by IETF and registered in IANA.
  *

tls/s2n_kem.h

@@ -118,6 +118,9 @@ extern const struct s2n_kem_group s2n_x25519_mlkem_768;
 extern const struct s2n_kem_group s2n_x25519_kyber_512_r3;
 extern const struct s2n_kem_group s2n_x25519_kyber_768_r3;
 
+/* Pure ML-KEM Groups */
+extern const struct s2n_kem_group s2n_pure_mlkem_1024;
+
 S2N_RESULT s2n_kem_generate_keypair(struct s2n_kem_params *kem_params);
 S2N_RESULT s2n_kem_encapsulate(struct s2n_kem_params *kem_params, struct s2n_blob *ciphertext);
 S2N_RESULT s2n_kem_decapsulate(struct s2n_kem_params *kem_params, const struct s2n_blob *ciphertext);

tls/s2n_tls13_handshake.c

@@ -73,8 +73,10 @@ int s2n_tls13_compute_ecc_shared_secret(struct s2n_connection *conn, struct s2n_
 }
 
 /* Computes the ECDHE+PQKEM hybrid shared secret as defined in
- * https://tools.ietf.org/html/draft-stebila-tls-hybrid-design */
-int s2n_tls13_compute_pq_hybrid_shared_secret(struct s2n_connection *conn, struct s2n_blob *shared_secret)
+ * https://tools.ietf.org/html/draft-stebila-tls-hybrid-design
+ * Also supports "pure PQ" mode when kem_group->curve == &s2n_ecc_curve_none.
+ */
+int s2n_tls13_compute_pq_shared_secret(struct s2n_connection *conn, struct s2n_blob *shared_secret)
 {
     POSIX_ENSURE_REF(conn);
     POSIX_ENSURE_REF(shared_secret);
@@ -93,15 +95,6 @@ int s2n_tls13_compute_pq_hybrid_shared_secret(struct s2n_connection *conn, struc
     struct s2n_ecc_evp_params *client_ecc_params = &client_kem_group_params->ecc_params;
     POSIX_ENSURE_REF(client_ecc_params);
 
-    DEFER_CLEANUP(struct s2n_blob ecdhe_shared_secret = { 0 }, s2n_free_or_wipe);
-
-    /* Compute the ECDHE shared secret, and retrieve the PQ shared secret. */
-    if (conn->mode == S2N_CLIENT) {
-        POSIX_GUARD(s2n_ecc_evp_compute_shared_secret_from_params(client_ecc_params, server_ecc_params, &ecdhe_shared_secret));
-    } else {
-        POSIX_GUARD(s2n_ecc_evp_compute_shared_secret_from_params(server_ecc_params, client_ecc_params, &ecdhe_shared_secret));
-    }
-
     struct s2n_blob *pq_shared_secret = &client_kem_group_params->kem_params.shared_secret;
     POSIX_ENSURE_REF(pq_shared_secret);
     POSIX_ENSURE_REF(pq_shared_secret->data);
@@ -110,6 +103,16 @@ int s2n_tls13_compute_pq_hybrid_shared_secret(struct s2n_connection *conn, struc
     POSIX_ENSURE_REF(negotiated_kem_group);
     POSIX_ENSURE_REF(negotiated_kem_group->kem);
 
+    DEFER_CLEANUP(struct s2n_blob ecdhe_shared_secret = { 0 }, s2n_free_or_wipe);
+
+    if (negotiated_kem_group->curve == &s2n_ecc_curve_none) {
+        POSIX_ENSURE_EQ(ecdhe_shared_secret.size, 0);
+    } else if (conn->mode == S2N_CLIENT) {
+        POSIX_GUARD(s2n_ecc_evp_compute_shared_secret_from_params(client_ecc_params, server_ecc_params, &ecdhe_shared_secret));
+    } else {
+        POSIX_GUARD(s2n_ecc_evp_compute_shared_secret_from_params(server_ecc_params, client_ecc_params, &ecdhe_shared_secret));
+    }
+
     POSIX_ENSURE_EQ(pq_shared_secret->size, negotiated_kem_group->kem->shared_secret_key_length);
 
     /* Construct the concatenated/hybrid shared secret */
@@ -139,7 +142,7 @@ int s2n_tls13_compute_shared_secret(struct s2n_connection *conn, struct s2n_blob
     POSIX_ENSURE_REF(conn);
 
     if (s2n_tls13_pq_hybrid_supported(conn)) {
-        POSIX_GUARD(s2n_tls13_compute_pq_hybrid_shared_secret(conn, shared_secret));
+        POSIX_GUARD(s2n_tls13_compute_pq_shared_secret(conn, shared_secret));
     } else {
         POSIX_GUARD(s2n_tls13_compute_ecc_shared_secret(conn, shared_secret));
     }