pq handshake

Author: johubertj

crypto/s2n_ecc_evp.c

@@ -253,6 +253,11 @@ static int s2n_ecc_evp_compute_shared_secret(EVP_PKEY *own_key, EVP_PKEY *peer_p
 int s2n_ecc_evp_generate_ephemeral_key(struct s2n_ecc_evp_params *ecc_evp_params)
 {
     POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
+
+    /* Skip ECDHE key generation for MLKEM placeholder curve */
+    if (ecc_evp_params->negotiated_curve == &s2n_ecc_curve_mlkem_placeholder) {
+        return S2N_SUCCESS;
+    }
     S2N_ERROR_IF(ecc_evp_params->evp_pkey != NULL, S2N_ERR_ECDHE_GEN_KEY);
     S2N_ERROR_IF(s2n_ecc_evp_generate_own_key(ecc_evp_params->negotiated_curve, &ecc_evp_params->evp_pkey) != 0,
             S2N_ERR_ECDHE_GEN_KEY);
@@ -423,6 +428,12 @@ int s2n_ecc_evp_write_params_point(struct s2n_ecc_evp_params *ecc_evp_params, st
 {
     POSIX_ENSURE_REF(ecc_evp_params);
     POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
+
+    /* Skip EC point write for MLKEM placeholder curve */
+    if (ecc_evp_params->negotiated_curve == &s2n_ecc_curve_mlkem_placeholder) {
+        return S2N_SUCCESS;
+    }
+
     POSIX_ENSURE_REF(ecc_evp_params->evp_pkey);
     POSIX_ENSURE_REF(out);
 

tests/unit/s2n_tls13_pq_handshake_test.c

@@ -112,8 +112,11 @@ int s2n_test_tls13_pq_handshake(const struct s2n_security_policy *client_sec_pol
         const struct s2n_security_policy *server_sec_policy, const struct s2n_kem_group *expected_kem_group,
         const struct s2n_ecc_named_curve *expected_curve, bool hrr_expected, bool len_prefix_expected)
 {
+    /* Skip XOR check for pure MLKEM placeholder, otherwise enforce XOR */
     /* XOR check: can expect to negotiate either a KEM group, or a classic EC curve, but not both/neither */
-    POSIX_ENSURE((expected_kem_group == NULL) != (expected_curve == NULL), S2N_ERR_SAFETY);
+    if (!(expected_kem_group && expected_kem_group->curve == &s2n_ecc_curve_mlkem_placeholder)) {
+        POSIX_ENSURE((expected_kem_group != NULL) != (expected_curve != NULL), S2N_ERR_SAFETY);
+    }
 
     /* Set up connections */
     struct s2n_connection *client_conn = NULL, *server_conn = NULL;
@@ -458,18 +461,6 @@ int main()
         .tls13_pq_hybrid_draft_revision = 5
     };
 
-// const struct s2n_kem_group *mlkem1024_pure_test_groups[] = {
-//     &s2n_pure_mlkem_1024,
-// };
-
-// const struct s2n_kem_preferences mlkem1024_pure_test_prefs = {
-//     .kem_count = 0,
-//     .kems = NULL,
-//     .tls13_kem_group_count = s2n_array_len(mlkem1024_pure_test_groups),
-//     .tls13_kem_groups = mlkem1024_pure_test_groups,
-//     .tls13_pq_hybrid_draft_revision = 5
-// };
-
     const struct s2n_security_policy mlkem1024_test_policy = {
         .minimum_protocol_version = S2N_TLS13,
         .cipher_preferences = &cipher_preferences_20190801,
@@ -478,13 +469,25 @@ int main()
         .ecc_preferences = &s2n_ecc_preferences_20240603,
     };
 
-    // const struct s2n_security_policy mlkem1024_pure_test_policy = {
-    //     .minimum_protocol_version = S2N_TLS13,
-    //     .cipher_preferences = &cipher_preferences_20190801,
-    //     .kem_preferences = &mlkem1024_pure_test_prefs,
-    //     .signature_preferences = &s2n_signature_preferences_20200207,
-    //     .ecc_preferences = &s2n_ecc_preferences_null,
-    // };
+    const struct s2n_kem_group *mlkem1024_pure_test_groups[] = {
+        &s2n_pure_mlkem_1024,
+    };
+
+    const struct s2n_kem_preferences mlkem1024_pure_test_prefs = {
+        .kem_count = 0,
+        .kems = NULL,
+        .tls13_kem_group_count = s2n_array_len(mlkem1024_pure_test_groups),
+        .tls13_kem_groups = mlkem1024_pure_test_groups,
+        .tls13_pq_hybrid_draft_revision = 5
+    };
+
+    const struct s2n_security_policy mlkem1024_pure_test_policy = {
+        .minimum_protocol_version = S2N_TLS13,
+        .cipher_preferences = &cipher_preferences_20190801,
+        .kem_preferences = &mlkem1024_pure_test_prefs,
+        .signature_preferences = &s2n_signature_preferences_20200207,
+        .ecc_preferences = &s2n_ecc_preferences_pure_mlkem,
+    };
 
     const struct s2n_security_policy ecc_retry_policy = {
         .minimum_protocol_version = security_policy_pq_tls_1_0_2020_12.minimum_protocol_version,
@@ -550,13 +553,16 @@ int main()
      * unavailable, we must downgrade the assertions to Kyber or EC. */
     const struct s2n_kem_group *null_if_no_mlkem_768 = &s2n_x25519_mlkem_768;
     const struct s2n_kem_group *null_if_no_mlkem_1024 = &s2n_secp384r1_mlkem_1024;
-    // const struct s2n_kem_group *null_if_no_pure_mlkem_1024 = &s2n_pure_mlkem_1024;
+    const struct s2n_kem_group *null_if_no_pure_mlkem_1024 = &s2n_pure_mlkem_1024;
     const struct s2n_ecc_named_curve *ec_if_no_mlkem = NULL;
+    const struct s2n_ecc_named_curve *ec_if_no_pure_mlkem = &s2n_ecc_curve_mlkem_placeholder;
+
     if (!s2n_libcrypto_supports_mlkem()) {
         null_if_no_mlkem_768 = NULL;
         null_if_no_mlkem_1024 = NULL;
-        // null_if_no_pure_mlkem_1024 = NULL;
+        null_if_no_pure_mlkem_1024 = NULL;
         ec_if_no_mlkem = default_curve;
+        ec_if_no_pure_mlkem = default_curve;
     }
 
     /* Test vectors that expect to negotiate PQ assume that PQ is enabled in s2n.
@@ -793,15 +799,15 @@ int main()
                 .len_prefix_expected = false,
         },
 
-        // /* Confirm that pure MLKEM1024 is negotiable */
-        // {
-        //         .client_policy = &mlkem1024_pure_test_policy,
-        //         .server_policy = &mlkem1024_pure_test_policy,
-        //         .expected_kem_group = null_if_no_pure_mlkem_1024,
-        //         .expected_curve = NULL,
-        //         .hrr_expected = false,
-        //         .len_prefix_expected = false,
-        // },
+        /* Confirm that pure MLKEM1024 is negotiable */
+        {
+                .client_policy = &mlkem1024_pure_test_policy,
+                .server_policy = &mlkem1024_pure_test_policy,
+                .expected_kem_group = null_if_no_pure_mlkem_1024,
+                .expected_curve = NULL,
+                .hrr_expected = false,
+                .len_prefix_expected = false,
+        },
     };
 
     for (size_t i = 0; i < s2n_array_len(test_vectors); i++) {

tls/extensions/s2n_client_key_share.c

@@ -67,6 +67,12 @@ static int s2n_generate_default_ecc_key_share(struct s2n_connection *conn, struc
     POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
     POSIX_ENSURE_REF(ecc_pref);
 
+    /* Skip if the highest-priority curve is the mlkem_placeholder */
+    if (ecc_pref->count > 0 && ecc_pref->ecc_curves[0] == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("    DEBUG: Skipping standalone ECC key share for MLKEM placeholder\n");
+        return S2N_SUCCESS;
+    }
+
     /* We only ever send a single EC key share: either the share requested by the server
      * during a retry, or the most preferred share according to local preferences.
      */
@@ -135,6 +141,32 @@ static int s2n_generate_pq_hybrid_key_share(struct s2n_stuffer *out, struct s2n_
     return S2N_SUCCESS;
 }
 
+static int s2n_generate_pure_pq_key_share(struct s2n_stuffer *out,
+                                          struct s2n_kem_group_params *kem_group_params)
+{
+    POSIX_ENSURE_REF(out);
+    POSIX_ENSURE_REF(kem_group_params);
+    POSIX_ENSURE_REF(kem_group_params->kem_group);
+    POSIX_ENSURE_REF(kem_group_params->kem_group->kem);
+
+    /* Write group ID */
+    POSIX_GUARD(s2n_stuffer_write_uint16(out, kem_group_params->kem_group->iana_id));
+
+    /* Reserve space for total share size */
+    struct s2n_stuffer_reservation total_share_size = { 0 };
+    POSIX_GUARD(s2n_stuffer_reserve_uint16(out, &total_share_size));
+
+    /* Write KEM public key */
+    struct s2n_kem_params *kem_params = &kem_group_params->kem_params;
+    kem_params->kem = kem_group_params->kem_group->kem;
+    POSIX_GUARD(s2n_kem_send_public_key(out, kem_params));
+
+    /* Fill in the reserved size field */
+    POSIX_GUARD(s2n_stuffer_write_vector_size(&total_share_size));
+
+    return S2N_SUCCESS;
+}
+
 static int s2n_generate_default_pq_hybrid_key_share(struct s2n_connection *conn, struct s2n_stuffer *out)
 {
     POSIX_ENSURE_REF(conn);
@@ -187,7 +219,14 @@ static int s2n_generate_default_pq_hybrid_key_share(struct s2n_connection *conn,
         client_params->kem_params.len_prefixed = s2n_tls13_client_must_use_hybrid_kem_length_prefix(kem_pref);
     }
 
-    POSIX_GUARD(s2n_generate_pq_hybrid_key_share(out, client_params));
+    /* Special case: Pure MLKEM (no ECC portion) */
+    if (client_params->kem_group == &s2n_pure_mlkem_1024 ||
+        client_params->kem_group->curve == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("    DEBUG: Skipping ECC portion for Pure MLKEM\n");
+        POSIX_GUARD(s2n_generate_pure_pq_key_share(out, client_params));
+    } else {
+        POSIX_GUARD(s2n_generate_pq_hybrid_key_share(out, client_params));
+    }
 
     return S2N_SUCCESS;
 }
@@ -223,6 +262,12 @@ static int s2n_client_key_share_parse_ecc(struct s2n_stuffer *key_share, const s
     POSIX_ENSURE_REF(curve);
     POSIX_ENSURE_REF(ecc_params);
 
+    if (curve == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("DEBUG: Skipping KeyShare parse for MLKEM placeholder\n");
+        ecc_params->negotiated_curve = curve;
+        return S2N_SUCCESS;
+    }
+
     struct s2n_blob point_blob = { 0 };
     POSIX_GUARD(s2n_ecc_evp_read_params_point(key_share, curve->share_size, &point_blob));
 
@@ -236,6 +281,56 @@ static int s2n_client_key_share_parse_ecc(struct s2n_stuffer *key_share, const s
     return S2N_SUCCESS;
 }
 
+static int s2n_client_key_share_recv_pure_kem(
+        struct s2n_connection *conn,
+        struct s2n_stuffer *key_share,
+        uint16_t kem_group_iana_id)
+{
+    POSIX_ENSURE_REF(conn);
+    POSIX_ENSURE_REF(key_share);
+
+    if (kem_group_iana_id != s2n_pure_mlkem_1024.iana_id) {
+        return S2N_SUCCESS; /* not a pure KEM share */
+    }
+
+    printf("    DEBUG: Entering pure MLKEM recv: named_group=%u, expected_iana=%u\n",
+           kem_group_iana_id, s2n_pure_mlkem_1024.iana_id);
+
+    struct s2n_kem_group_params *client_params = &conn->kex_params.client_kem_group_params;
+    client_params->kem_group = &s2n_pure_mlkem_1024;
+    client_params->ecc_params.negotiated_curve = &s2n_ecc_curve_mlkem_placeholder;
+    client_params->kem_params.kem = s2n_pure_mlkem_1024.kem;
+
+    uint16_t actual_share_size = key_share->blob.size;
+    uint16_t unprefixed_size = client_params->kem_params.kem->public_key_length;
+    uint16_t prefixed_size = S2N_SIZE_OF_KEY_SHARE_SIZE + unprefixed_size;
+
+    printf("    DEBUG: actual_share_size=%u, unprefixed_size=%u, prefixed_size=%u\n",
+           actual_share_size, unprefixed_size, prefixed_size);
+
+    if (actual_share_size != unprefixed_size && actual_share_size != prefixed_size) {
+        printf("    DEBUG: Share size mismatch — ignoring key share\n");
+        return S2N_SUCCESS;
+    }
+
+    client_params->kem_params.len_prefixed = (actual_share_size == prefixed_size);
+    printf("    DEBUG: len_prefixed=%d\n", client_params->kem_params.len_prefixed);
+
+    POSIX_GUARD(s2n_kem_recv_public_key(key_share, &client_params->kem_params));
+    printf("    DEBUG: KEM public key parsed, size=%u\n",
+           client_params->kem_params.public_key.size);
+
+    printf("    DEBUG: key_share.read_cursor=%u, key_share.write_cursor=%u\n",
+           key_share->read_cursor, key_share->write_cursor);
+
+    printf("    DEBUG: remaining bytes in key_share=%u\n",
+           s2n_stuffer_data_available(key_share));
+    POSIX_ENSURE(s2n_stuffer_data_available(key_share) == 0, S2N_ERR_BAD_MESSAGE);
+
+    printf("    DEBUG: Finished pure MLKEM recv successfully\n");
+    return S2N_SUCCESS;
+}
+
 static int s2n_client_key_share_recv_ecc(struct s2n_connection *conn, struct s2n_stuffer *key_share, uint16_t curve_iana_id)
 {
     POSIX_ENSURE_REF(conn);
@@ -286,6 +381,11 @@ static int s2n_client_key_share_recv_ecc(struct s2n_connection *conn, struct s2n
 
     DEFER_CLEANUP(struct s2n_ecc_evp_params new_client_params = { 0 }, s2n_ecc_evp_params_free);
 
+    if (curve == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("DEBUG: Skipping ECC recv for MLKEM placeholder\n");
+        return S2N_SUCCESS;
+    }
+
     POSIX_GUARD(s2n_client_key_share_parse_ecc(key_share, curve, &new_client_params));
     /* negotiated_curve will be NULL if the key share was not parsed successfully */
     if (!new_client_params.negotiated_curve) {
@@ -312,6 +412,11 @@ static int s2n_client_key_share_recv_hybrid_partial_ecc(struct s2n_stuffer *key_
         POSIX_ENSURE(ec_share_size == kem_group->curve->share_size, S2N_ERR_SIZE_MISMATCH);
     }
 
+    if (kem_group->curve == &s2n_ecc_curve_mlkem_placeholder) {
+        printf("DEBUG: Skipping Hybrid ECC recv for MLKEM placeholder\n");
+        return S2N_SUCCESS;
+    }
+
     POSIX_GUARD(s2n_client_key_share_parse_ecc(key_share, kem_group->curve, &new_client_params->ecc_params));
 
     /* If we were unable to parse the EC portion of the share, negotiated_curve
@@ -453,8 +558,26 @@ static int s2n_client_key_share_recv(struct s2n_connection *conn, struct s2n_stu
         POSIX_GUARD(s2n_stuffer_skip_write(&key_share, share_size));
         keyshare_count++;
 
-        /* Try to parse the share as ECC, then as PQ/hybrid; will ignore
-         * shares for unrecognized groups. */
+        if (named_group == s2n_pure_mlkem_1024.iana_id) {
+            printf("DEBUG[key_share_recv]: Detected pure MLKEM group, calling pure_kem recv\n");
+            POSIX_GUARD(s2n_client_key_share_recv_pure_kem(conn, &key_share, named_group));
+
+            printf("DEBUG[key_share_recv]: After pure_kem -> extension_read=%u extension_write=%u extension_available=%u\n",
+                extension->read_cursor, extension->write_cursor, s2n_stuffer_data_available(extension));
+
+            if (s2n_stuffer_data_available(extension) > 0) {
+                printf("DEBUG[key_share_recv]: Leftover bytes in extension: ");
+                for (uint32_t i = 0; i < s2n_stuffer_data_available(extension); i++) {
+                    uint8_t b = extension->blob.data[extension->read_cursor + i];
+                    printf("%02x ", b);
+                }
+                printf("\n");
+            }
+
+            printf("DEBUG[key_share_recv]: pure_kem recv success\n");
+            continue; /* skip ECC/hybrid parsing */
+        }
+
         POSIX_GUARD(s2n_client_key_share_recv_ecc(conn, &key_share, named_group));
         POSIX_GUARD(s2n_client_key_share_recv_pq_hybrid(conn, &key_share, named_group));
     }

tls/extensions/s2n_client_supported_groups.c

@@ -73,7 +73,7 @@ static int s2n_client_supported_groups_send(struct s2n_connection *conn, struct
 
     /* Then send curve list */
     for (size_t i = 0; i < ecc_pref->count; i++) {
-        POSIX_GUARD(s2n_stuffer_write_uint16(out, ecc_pref->ecc_curves[i]->iana_id));
+                POSIX_GUARD(s2n_stuffer_write_uint16(out, ecc_pref->ecc_curves[i]->iana_id));
     }
 
     POSIX_GUARD(s2n_stuffer_write_vector_size(&group_list_len));