-
Notifications
You must be signed in to change notification settings - Fork 704
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add initial support for MLKEM768 (without any new Security Policies) #4816
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It looks like our CI might be using an older version of AWS-LC:
We may want to update that before merging so all of the tests can run. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
/* | ||
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"). | ||
* You may not use this file except in compliance with the License. | ||
* A copy of the License is located at | ||
* | ||
* http://aws.amazon.com/apache2.0 | ||
* | ||
* or in the "license" file accompanying this file. This file is distributed | ||
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either | ||
* express or implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
#include <openssl/evp.h> | ||
#include <openssl/nid.h> | ||
|
||
int main() | ||
{ | ||
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_KEM, NULL); | ||
if (ctx == NULL) { | ||
return 1; | ||
} | ||
if (!EVP_PKEY_CTX_kem_set_params(ctx, NID_MLKEM768)) { | ||
EVP_PKEY_CTX_free(ctx); | ||
return 1; | ||
} | ||
EVP_PKEY_CTX_free(ctx); | ||
return 0; | ||
} |
Large diffs are not rendered by default.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -25,6 +25,8 @@ int main(int argc, char **argv) | |
BEGIN_TEST(); | ||
EXPECT_SUCCESS(s2n_disable_tls13_in_test()); | ||
|
||
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_SECP256R1_MLKEM_768)); | ||
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_X25519_MLKEM_768)); | ||
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R3)); | ||
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_768_R3)); | ||
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3)); | ||
|
@@ -34,6 +36,8 @@ int main(int argc, char **argv) | |
|
||
{ | ||
const struct s2n_kem_group *test_kem_groups[] = { | ||
&s2n_secp256r1_mlkem_768, | ||
&s2n_x25519_mlkem_768, | ||
Comment on lines
38
to
+40
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Any reason this needs to be another separate list and can't be ALL_SUPPORTED_KEM_GROUPS? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Fixed There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Was this missed? |
||
&s2n_secp256r1_kyber_512_r3, | ||
&s2n_x25519_kyber_512_r3, | ||
&s2n_secp384r1_kyber_768_r3, | ||
|
@@ -49,6 +53,8 @@ int main(int argc, char **argv) | |
.tls13_kem_groups = test_kem_groups, | ||
}; | ||
|
||
EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_SECP256R1_MLKEM_768)); | ||
EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_X25519_MLKEM_768)); | ||
EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R3)); | ||
EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_768_R3)); | ||
EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3)); | ||
|
@@ -69,13 +75,24 @@ int main(int argc, char **argv) | |
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_512_r3)); | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_768_r3)); | ||
} | ||
|
||
if (s2n_libcrypto_supports_mlkem()) { | ||
EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp256r1_mlkem_768)); | ||
if (s2n_is_evp_apis_supported()) { | ||
EXPECT_TRUE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768)); | ||
} else { | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768)); | ||
} | ||
} | ||
} else { | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp256r1_kyber_512_r3)); | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_512_r3)); | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_768_r3)); | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp256r1_kyber_768_r3)); | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp384r1_kyber_768_r3)); | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp521r1_kyber_1024_r3)); | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp256r1_mlkem_768)); | ||
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768)); | ||
} | ||
}; | ||
|
||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
/* | ||
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"). | ||
* You may not use this file except in compliance with the License. | ||
* A copy of the License is located at | ||
* | ||
* http://aws.amazon.com/apache2.0 | ||
* | ||
* or in the "license" file accompanying this file. This file is distributed | ||
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either | ||
* express or implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
#include "api/s2n.h" | ||
#include "crypto/s2n_libcrypto.h" | ||
#include "crypto/s2n_pq.h" | ||
#include "s2n_test.h" | ||
#include "testlib/s2n_testlib.h" | ||
|
||
int main() | ||
{ | ||
BEGIN_TEST(); | ||
/* MLKEM Support was added to AWSLC when AWSLC_API_VERSION == 29 */ | ||
if (s2n_libcrypto_is_awslc() && s2n_libcrypto_awslc_api_version() >= 30) { | ||
EXPECT_TRUE(s2n_libcrypto_supports_mlkem()); | ||
Comment on lines
+25
to
+27
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this correct? It looks like the |
||
} else if (s2n_libcrypto_is_awslc() && s2n_libcrypto_awslc_api_version() < 29) { | ||
EXPECT_FALSE(s2n_libcrypto_supports_mlkem()); | ||
} | ||
|
||
END_TEST(); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s2n_libcrypto_is_awslc()
is already defined in s2n_openssl.h:s2n-tls/crypto/s2n_openssl.h
Line 59 in 7324a33
This header does seem like a more reasonable place to define the
libcrypto_is
functions, but moving them may be out of scope for this PR.