Add initial support for MLKEM768 (without any new Security Policies) #4816
Conversation
alexw91
changed the title
alexw91
force-pushed
the
mlkem-part-2
branch
2 times, most recently
from
316df93
to
19fcae8
Compare
alexw91
changed the title
alexw91
force-pushed
the
mlkem-part-2
branch
3 times, most recently
from
a4cf925
to
d07f333
Compare
| const struct s2n_kem_group *test_kem_groups[] = { | ||
| &s2n_secp256r1_mlkem_768, | ||
| &s2n_x25519_mlkem_768, |
There was a problem hiding this comment.
Any reason this needs to be another separate list and can't be ALL_SUPPORTED_KEM_GROUPS?
alexw91
force-pushed
the
mlkem-part-2
branch
3 times, most recently
from
eb04c73
to
a592e1e
Compare
| /* MLKEM Support was added to AWSLC when AWSLC_API_VERSION == 29 */ | ||
| if (s2n_libcrypto_is_awslc() && s2n_libcrypto_awslc_api_version() >= 30) { | ||
| EXPECT_TRUE(s2n_libcrypto_supports_mlkem()); |
There was a problem hiding this comment.
Is this correct? It looks like the NID_MLKEM768 field used in the feature probe was defined in aws/aws-lc#1797, which was API version 30. Or was NID_MLKEM768 somehow exposed earlier?
| @@ -17,6 +17,8 @@ | |||
|
|
|||
| #include "utils/s2n_result.h" | |||
|
|
|||
| uint64_t s2n_libcrypto_awslc_api_version(void); | |||
| bool s2n_libcrypto_is_awslc(); | |||
There was a problem hiding this comment.
s2n_libcrypto_is_awslc() is already defined in s2n_openssl.h:
Line 59 in 7324a33
This header does seem like a more reasonable place to define the libcrypto_is functions, but moving them may be out of scope for this PR.
| @@ -34,6 +34,22 @@ const s2n_extension_type s2n_server_key_share_extension = { | |||
| .if_missing = s2n_extension_noop_if_missing, | |||
| }; | |||
|
|
|||
| static int s2n_server_key_share_send_hybrid_partial_ecc(struct s2n_connection *conn, struct s2n_stuffer *out) | |||
| { | |||
| struct s2n_kem_group_params *server_kem_group_params = &conn->kex_params.server_kem_group_params; | |||
There was a problem hiding this comment.
nit
| struct s2n_kem_group_params *server_kem_group_params = &conn->kex_params.server_kem_group_params; | |
| POSIX_ENSURE_REF(conn); | |
| struct s2n_kem_group_params *server_kem_group_params = &conn->kex_params.server_kem_group_params; |
| @@ -157,6 +171,27 @@ static int s2n_server_key_share_send(struct s2n_connection *conn, struct s2n_stu | |||
| return S2N_SUCCESS; | |||
| } | |||
|
|
|||
| static int s2n_server_key_share_recv_hybrid_partial_ecc(struct s2n_connection *conn, struct s2n_stuffer *extension) | |||
| { | |||
| struct s2n_kem_params *client_kem_params = &conn->kex_params.client_kem_group_params.kem_params; | |||
There was a problem hiding this comment.
nit
| struct s2n_kem_params *client_kem_params = &conn->kex_params.client_kem_group_params.kem_params; | |
| POSIX_ENSURE_REF(conn); | |
| struct s2n_kem_params *client_kem_params = &conn->kex_params.client_kem_group_params.kem_params; |
| { | ||
| struct s2n_kem_params *client_kem_params = &conn->kex_params.client_kem_group_params.kem_params; | ||
| struct s2n_kem_group_params *server_kem_group_params = &conn->kex_params.server_kem_group_params; | ||
| uint16_t expected_ecc_share_size = server_kem_group_params->kem_group->curve->share_size; |
There was a problem hiding this comment.
nit - I think kem_group can be null:
| uint16_t expected_ecc_share_size = server_kem_group_params->kem_group->curve->share_size; | |
| const struct s2n_kem_group *server_kem_group = server_kem_group_params->kem_group; | |
| POSIX_ENSURE_REF(server_kem_group); | |
| uint16_t expected_ecc_share_size = server_kem_group->curve->share_size; |
| const struct s2n_kem_group *test_kem_groups[] = { | ||
| &s2n_secp256r1_mlkem_768, | ||
| &s2n_x25519_mlkem_768, |
| @@ -406,6 +406,27 @@ int main() | |||
| .ecc_preferences = &s2n_ecc_preferences_20201021, | |||
| }; | |||
|
|
|||
| const struct s2n_kem_group *mlkem768_test_groups[] = { | |||
| &s2n_x25519_mlkem_768, | |||
There was a problem hiding this comment.
If I'm understanding this test correctly, I think this will only try to handshake with s2n_x25519_mlkem_768? Would it be worth adding a self-talk test here or somewhere else that negotiates both of these?
There was a problem hiding this comment.
It looks like our CI might be using an older version of AWS-LC:
-- feature S2N_LIBCRYPTO_SUPPORTS_MLKEM: FALSE
We may want to update that before merging so all of the tests can run.
Resolved issues:
None
Description of changes:
Part 2 in a multi-part series to add
X25519MLKEM768support to s2n. (Previous PR is: #4810)This PR includes the following changes:
send_kem_firstboolean parameter for Hybrid PQ KeyShares (needed forX25519MLKEM768).MLKEM768X25519MLKEM768andSecP256r1MLKEM768X25519MLKEM768and confirm shared secret calculation is correct.Call-outs:
No new s2n-tls security policies with
X25519MLKEM768have been added (other thantest_allPolicy). These new MLKEM-768 security policies will be coming in a later PR.Testing:
X25519MLKEM768Is this a refactor change? If so, how have you proved that the intended behavior hasn't changed?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.