passing pq handshake

Author: johubertj

crypto/s2n_ecc_evp.c

@@ -253,6 +253,11 @@ static int s2n_ecc_evp_compute_shared_secret(EVP_PKEY *own_key, EVP_PKEY *peer_p
 int s2n_ecc_evp_generate_ephemeral_key(struct s2n_ecc_evp_params *ecc_evp_params)
 {
     POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
+    /* Skip ECDHE key generation for MLKEM placeholder curve */
+    if (ecc_evp_params->negotiated_curve == &s2n_ecc_curve_mlkem_placeholder) {
+        return S2N_SUCCESS;
+    }
+
     S2N_ERROR_IF(ecc_evp_params->evp_pkey != NULL, S2N_ERR_ECDHE_GEN_KEY);
     S2N_ERROR_IF(s2n_ecc_evp_generate_own_key(ecc_evp_params->negotiated_curve, &ecc_evp_params->evp_pkey) != 0,
             S2N_ERR_ECDHE_GEN_KEY);
@@ -423,6 +428,12 @@ int s2n_ecc_evp_write_params_point(struct s2n_ecc_evp_params *ecc_evp_params, st
 {
     POSIX_ENSURE_REF(ecc_evp_params);
     POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
+
+    /* Skip EC point write for MLKEM placeholder curve */
+    if (ecc_evp_params->negotiated_curve == &s2n_ecc_curve_mlkem_placeholder) {
+        return S2N_SUCCESS;
+    }
+
     POSIX_ENSURE_REF(ecc_evp_params->evp_pkey);
     POSIX_ENSURE_REF(out);
 

tests/unit/s2n_tls13_pq_handshake_test.c

@@ -67,6 +67,13 @@ static int s2n_generate_default_ecc_key_share(struct s2n_connection *conn, struc
     POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
     POSIX_ENSURE_REF(ecc_pref);
 
+    printf("    DEBUG: s2n_generate_default_ecc_key_share\n");
+    /* Skip if the highest-priority curve is the mlkem_placeholder */
+    if (ecc_pref->count > 0 && ecc_pref->ecc_curves[0] == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("    DEBUG: Skipping standalone ECC key share for MLKEM placeholder\n");
+        return S2N_SUCCESS;
+    }
+
     /* We only ever send a single EC key share: either the share requested by the server
      * during a retry, or the most preferred share according to local preferences.
      */
@@ -135,6 +142,32 @@ static int s2n_generate_pq_hybrid_key_share(struct s2n_stuffer *out, struct s2n_
     return S2N_SUCCESS;
 }
 
+static int s2n_generate_pure_pq_key_share(struct s2n_stuffer *out,
+                                          struct s2n_kem_group_params *kem_group_params)
+{
+    POSIX_ENSURE_REF(out);
+    POSIX_ENSURE_REF(kem_group_params);
+    POSIX_ENSURE_REF(kem_group_params->kem_group);
+    POSIX_ENSURE_REF(kem_group_params->kem_group->kem);
+
+    /* Write group ID */
+    POSIX_GUARD(s2n_stuffer_write_uint16(out, kem_group_params->kem_group->iana_id));
+
+    /* Reserve space for total share size */
+    struct s2n_stuffer_reservation total_share_size = { 0 };
+    POSIX_GUARD(s2n_stuffer_reserve_uint16(out, &total_share_size));
+
+    /* Write KEM public key */
+    struct s2n_kem_params *kem_params = &kem_group_params->kem_params;
+    kem_params->kem = kem_group_params->kem_group->kem;
+    POSIX_GUARD(s2n_kem_send_public_key(out, kem_params));
+
+    /* Fill in the reserved size field */
+    POSIX_GUARD(s2n_stuffer_write_vector_size(&total_share_size));
+
+    return S2N_SUCCESS;
+}
+
 static int s2n_generate_default_pq_hybrid_key_share(struct s2n_connection *conn, struct s2n_stuffer *out)
 {
     POSIX_ENSURE_REF(conn);
@@ -187,7 +220,14 @@ static int s2n_generate_default_pq_hybrid_key_share(struct s2n_connection *conn,
         client_params->kem_params.len_prefixed = s2n_tls13_client_must_use_hybrid_kem_length_prefix(kem_pref);
     }
 
-    POSIX_GUARD(s2n_generate_pq_hybrid_key_share(out, client_params));
+    /* Special case: Pure MLKEM (no ECC portion) */
+    if (client_params->kem_group == &s2n_pure_mlkem_1024 ||
+        client_params->kem_group->curve == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("    DEBUG: Skipping ECC portion for Pure MLKEM\n");
+        POSIX_GUARD(s2n_generate_pure_pq_key_share(out, client_params));
+    } else {
+        POSIX_GUARD(s2n_generate_pq_hybrid_key_share(out, client_params));
+    }
 
     return S2N_SUCCESS;
 }
@@ -223,6 +263,12 @@ static int s2n_client_key_share_parse_ecc(struct s2n_stuffer *key_share, const s
     POSIX_ENSURE_REF(curve);
     POSIX_ENSURE_REF(ecc_params);
 
+    if (curve == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("DEBUG: Skipping KeyShare parse for MLKEM placeholder\n");
+        ecc_params->negotiated_curve = curve;
+        return S2N_SUCCESS;
+    }
+
     struct s2n_blob point_blob = { 0 };
     POSIX_GUARD(s2n_ecc_evp_read_params_point(key_share, curve->share_size, &point_blob));
 
@@ -236,6 +282,56 @@ static int s2n_client_key_share_parse_ecc(struct s2n_stuffer *key_share, const s
     return S2N_SUCCESS;
 }
 
+static int s2n_client_key_share_recv_pure_kem(
+        struct s2n_connection *conn,
+        struct s2n_stuffer *key_share,
+        uint16_t kem_group_iana_id)
+{
+    POSIX_ENSURE_REF(conn);
+    POSIX_ENSURE_REF(key_share);
+
+    if (kem_group_iana_id != s2n_pure_mlkem_1024.iana_id) {
+        return S2N_SUCCESS; /* not a pure KEM share */
+    }
+
+    printf("    DEBUG: Entering pure MLKEM recv: named_group=%u, expected_iana=%u\n",
+           kem_group_iana_id, s2n_pure_mlkem_1024.iana_id);
+
+    struct s2n_kem_group_params *client_params = &conn->kex_params.client_kem_group_params;
+    client_params->kem_group = &s2n_pure_mlkem_1024;
+    client_params->ecc_params.negotiated_curve = &s2n_ecc_curve_mlkem_placeholder;
+    client_params->kem_params.kem = s2n_pure_mlkem_1024.kem;
+
+    uint16_t actual_share_size = key_share->blob.size;
+    uint16_t unprefixed_size = client_params->kem_params.kem->public_key_length;
+    uint16_t prefixed_size = S2N_SIZE_OF_KEY_SHARE_SIZE + unprefixed_size;
+
+    printf("    DEBUG: actual_share_size=%u, unprefixed_size=%u, prefixed_size=%u\n",
+           actual_share_size, unprefixed_size, prefixed_size);
+
+    if (actual_share_size != unprefixed_size && actual_share_size != prefixed_size) {
+        printf("    DEBUG: Share size mismatch — ignoring key share\n");
+        return S2N_SUCCESS;
+    }
+
+    client_params->kem_params.len_prefixed = (actual_share_size == prefixed_size);
+    printf("    DEBUG: len_prefixed=%d\n", client_params->kem_params.len_prefixed);
+
+    POSIX_GUARD(s2n_kem_recv_public_key(key_share, &client_params->kem_params));
+    printf("    DEBUG: KEM public key parsed, size=%u\n",
+           client_params->kem_params.public_key.size);
+
+    printf("    DEBUG: key_share.read_cursor=%u, key_share.write_cursor=%u\n",
+           key_share->read_cursor, key_share->write_cursor);
+
+    printf("    DEBUG: remaining bytes in key_share=%u\n",
+           s2n_stuffer_data_available(key_share));
+    POSIX_ENSURE(s2n_stuffer_data_available(key_share) == 0, S2N_ERR_BAD_MESSAGE);
+
+    printf("    DEBUG: Finished pure MLKEM recv successfully\n");
+    return S2N_SUCCESS;
+}
+
 static int s2n_client_key_share_recv_ecc(struct s2n_connection *conn, struct s2n_stuffer *key_share, uint16_t curve_iana_id)
 {
     POSIX_ENSURE_REF(conn);
@@ -286,6 +382,11 @@ static int s2n_client_key_share_recv_ecc(struct s2n_connection *conn, struct s2n
 
     DEFER_CLEANUP(struct s2n_ecc_evp_params new_client_params = { 0 }, s2n_ecc_evp_params_free);
 
+    if (curve == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("DEBUG: Skipping ECC recv for MLKEM placeholder\n");
+        return S2N_SUCCESS;
+    }
+
     POSIX_GUARD(s2n_client_key_share_parse_ecc(key_share, curve, &new_client_params));
     /* negotiated_curve will be NULL if the key share was not parsed successfully */
     if (!new_client_params.negotiated_curve) {
@@ -312,6 +413,11 @@ static int s2n_client_key_share_recv_hybrid_partial_ecc(struct s2n_stuffer *key_
         POSIX_ENSURE(ec_share_size == kem_group->curve->share_size, S2N_ERR_SIZE_MISMATCH);
     }
 
+    if (kem_group->curve == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("DEBUG: Skipping Hybrid ECC recv for MLKEM placeholder\n");
+        return S2N_SUCCESS;
+    }
+
     POSIX_GUARD(s2n_client_key_share_parse_ecc(key_share, kem_group->curve, &new_client_params->ecc_params));
 
     /* If we were unable to parse the EC portion of the share, negotiated_curve
@@ -430,11 +536,15 @@ static int s2n_client_key_share_recv_pq_hybrid(struct s2n_connection *conn, stru
  */
 static int s2n_client_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
 {
+    printf("DEBUG[key_share_recv]: ENTER\n");
     POSIX_ENSURE_REF(conn);
     POSIX_ENSURE_REF(extension);
 
     uint16_t key_shares_size = 0;
+    printf("DEBUG[key_share_recv]: Reading key_shares_size...\n");
     POSIX_GUARD(s2n_stuffer_read_uint16(extension, &key_shares_size));
+    printf("DEBUG[key_share_recv]: key_shares_size=%u, available=%u\n",
+        key_shares_size, s2n_stuffer_data_available(extension));
     POSIX_ENSURE(s2n_stuffer_data_available(extension) == key_shares_size, S2N_ERR_BAD_MESSAGE);
 
     uint16_t named_group = 0, share_size = 0;
@@ -443,8 +553,13 @@ static int s2n_client_key_share_recv(struct s2n_connection *conn, struct s2n_stu
 
     uint16_t keyshare_count = 0;
     while (s2n_stuffer_data_available(extension) > 0) {
+        printf("DEBUG[key_share_recv]: Loop start, available=%u\n",
+            s2n_stuffer_data_available(extension));
+
         POSIX_GUARD(s2n_stuffer_read_uint16(extension, &named_group));
         POSIX_GUARD(s2n_stuffer_read_uint16(extension, &share_size));
+        printf("DEBUG[key_share_recv]: named_group=%u share_size=%u\n", named_group, share_size);
+
         POSIX_ENSURE(s2n_stuffer_data_available(extension) >= share_size, S2N_ERR_BAD_MESSAGE);
 
         POSIX_GUARD(s2n_blob_init(&key_share_blob,
@@ -453,30 +568,53 @@ static int s2n_client_key_share_recv(struct s2n_connection *conn, struct s2n_stu
         POSIX_GUARD(s2n_stuffer_skip_write(&key_share, share_size));
         keyshare_count++;
 
-        /* Try to parse the share as ECC, then as PQ/hybrid; will ignore
-         * shares for unrecognized groups. */
+        printf("DEBUG[key_share_recv]: kem_group=%s curve=%s\n",
+            conn->kex_params.server_kem_group_params.kem_group ?
+            conn->kex_params.server_kem_group_params.kem_group->name : "NULL",
+            conn->kex_params.server_kem_group_params.kem_group &&
+            conn->kex_params.server_kem_group_params.kem_group->curve ?
+            conn->kex_params.server_kem_group_params.kem_group->curve->name : "NULL");
+
+        if (named_group == s2n_pure_mlkem_1024.iana_id) {
+            printf("DEBUG[key_share_recv]: Detected pure MLKEM group, calling pure_kem recv\n");
+            POSIX_GUARD(s2n_client_key_share_recv_pure_kem(conn, &key_share, named_group));
+
+            printf("DEBUG[key_share_recv]: After pure_kem -> extension_read=%u extension_write=%u extension_available=%u\n",
+                extension->read_cursor, extension->write_cursor, s2n_stuffer_data_available(extension));
+
+            if (s2n_stuffer_data_available(extension) > 0) {
+                printf("DEBUG[key_share_recv]: Leftover bytes in extension: ");
+                for (uint32_t i = 0; i < s2n_stuffer_data_available(extension); i++) {
+                    uint8_t b = extension->blob.data[extension->read_cursor + i];
+                    printf("%02x ", b);
+                }
+                printf("\n");
+            }
+
+            printf("DEBUG[key_share_recv]: pure_kem recv success\n");
+            continue; /* skip ECC/hybrid parsing */
+        }
+
+        printf("DEBUG[key_share_recv]: Calling ECC recv...\n");
         POSIX_GUARD(s2n_client_key_share_recv_ecc(conn, &key_share, named_group));
+        printf("DEBUG[key_share_recv]: ECC recv done\n");
+
+        printf("DEBUG[key_share_recv]: Calling PQ/hybrid recv...\n");
         POSIX_GUARD(s2n_client_key_share_recv_pq_hybrid(conn, &key_share, named_group));
+        printf("DEBUG[key_share_recv]: PQ/hybrid recv done\n");
     }
 
-    /* During a retry, the client should only have sent one keyshare */
+    printf("DEBUG[key_share_recv]: Loop done, keyshare_count=%u\n", keyshare_count);
     POSIX_ENSURE(!s2n_is_hello_retry_handshake(conn) || keyshare_count == 1, S2N_ERR_BAD_MESSAGE);
 
-    /**
-     * If there were no matching key shares, then we received an empty key share extension
-     * or we didn't match a key share with a supported group. We should send a retry.
-     *
-     *= https://www.rfc-editor.org/rfc/rfc8446#4.1.1
-     *# If the server selects an (EC)DHE group and the client did not offer a
-     *# compatible "key_share" extension in the initial ClientHello, the
-     *# server MUST respond with a HelloRetryRequest (Section 4.1.4) message.
-     **/
     struct s2n_ecc_evp_params *client_ecc_params = &conn->kex_params.client_ecc_evp_params;
     struct s2n_kem_group_params *client_pq_params = &conn->kex_params.client_kem_group_params;
     if (!client_pq_params->kem_group && !client_ecc_params->negotiated_curve) {
+        printf("DEBUG[key_share_recv]: No matching key shares, setting HRR required\n");
         POSIX_GUARD(s2n_set_hello_retry_required(conn));
     }
 
+    printf("DEBUG[key_share_recv]: EXIT SUCCESS\n");
     return S2N_SUCCESS;
 }
 

tls/extensions/s2n_client_key_share.c

@@ -61,19 +61,36 @@ static int s2n_client_supported_groups_send(struct s2n_connection *conn, struct
     struct s2n_stuffer_reservation group_list_len = { 0 };
     POSIX_GUARD(s2n_stuffer_reserve_uint16(out, &group_list_len));
 
+    printf("    DEBUG: Client sending supported_groups:\n");
+
     /* Send KEM groups list first */
     if (s2n_connection_get_protocol_version(conn) >= S2N_TLS13 && s2n_pq_is_enabled()) {
         for (size_t i = 0; i < kem_pref->tls13_kem_group_count; i++) {
             if (!s2n_kem_group_is_available(kem_pref->tls13_kem_groups[i])) {
                 continue;
             }
+
+            printf("    KEM group[%zu]: %s (iana=%d)\n", 
+            i, 
+            kem_pref->tls13_kem_groups[i]->name, 
+            kem_pref->tls13_kem_groups[i]->iana_id);
+
             POSIX_GUARD(s2n_stuffer_write_uint16(out, kem_pref->tls13_kem_groups[i]->iana_id));
         }
     }
 
     /* Then send curve list */
     for (size_t i = 0; i < ecc_pref->count; i++) {
-        POSIX_GUARD(s2n_stuffer_write_uint16(out, ecc_pref->ecc_curves[i]->iana_id));
+        const struct s2n_ecc_named_curve *curve = ecc_pref->ecc_curves[i];
+
+        if (curve == &s2n_ecc_curve_mlkem_placeholder) {
+            printf("    Skipping ECC placeholder curve: %s\n", curve->name);
+            continue;
+        }
+
+        printf("    ECC curve[%zu]: %s (iana=%d)\n", 
+            i, curve->name, curve->iana_id);
+        POSIX_GUARD(s2n_stuffer_write_uint16(out, curve->iana_id));
     }
 
     POSIX_GUARD(s2n_stuffer_write_vector_size(&group_list_len));

tls/extensions/s2n_client_supported_groups.c

@@ -26,6 +26,11 @@ S2N_RESULT s2n_ecdhe_send_public_key(struct s2n_ecc_evp_params *ecc_evp_params,
     RESULT_ENSURE_REF(ecc_evp_params);
     RESULT_ENSURE_REF(ecc_evp_params->negotiated_curve);
 
+    /* Skip ECDHE KeyShare for pure ML-KEM placeholder curve */
+    if (ecc_evp_params->negotiated_curve == &s2n_ecc_curve_mlkem_placeholder) {
+        return S2N_RESULT_OK;
+    }
+
     if (len_prefixed) {
         RESULT_GUARD_POSIX(s2n_stuffer_write_uint16(out, ecc_evp_params->negotiated_curve->share_size));
     }