feat: add secp384r1_mlkem_1024 kem group (#5395)

Author: johubertj

tests/policy_snapshot/snapshots/test_all

@@ -71,6 +71,7 @@ pq:
 - kem groups:
 -- X25519MLKEM768
 -- SecP256r1MLKEM768
+-- SecP384r1MLKEM1024
 -- SecP256r1Kyber768Draft00
 -- X25519Kyber768Draft00
 -- secp384r1_kyber-768-r3

tests/unit/kats/generate_pq_hybrid_tls13_handshake_kats.py

@@ -236,6 +236,20 @@
         "pq_shared_secret": "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035",
         "transcript_hash": "35412cebcf35cb8a7af8f78278a486fc798f8702eaebd067c97acb27bffe13524d8426a4ed57956b4fd0ffdc4c90be52",
     },
+    {
+        "group_name": "SecP384r1MLKEM1024",
+        "cipher_suite": "TLS_AES_128_GCM_SHA256",
+        "ec_shared_secret": "b72536062cd8e8eced91046e33413b027cabde0576747aa47863b8dcb914100585c600fafc8ff4927a34abb0aa6b3b68",
+        "pq_shared_secret": "23f211b84a6ee20c8c29f6e5314c91b414e940513d380add17bd724ab3a13a52",
+        "transcript_hash": "f5f7f7867668be4b792159d4d194a03ec5cfa238b6409b5ca2ddccfddcc92a2b",
+    },
+    {
+        "group_name": "SecP384r1MLKEM1024",
+        "cipher_suite": "TLS_AES_256_GCM_SHA384",
+        "ec_shared_secret": "b72536062cd8e8eced91046e33413b027cabde0576747aa47863b8dcb914100585c600fafc8ff4927a34abb0aa6b3b68",
+        "pq_shared_secret": "23f211b84a6ee20c8c29f6e5314c91b414e940513d380add17bd724ab3a13a52",
+        "transcript_hash": "35412cebcf35cb8a7af8f78278a486fc798f8702eaebd067c97acb27bffe13524d8426a4ed57956b4fd0ffdc4c90be52",
+    },
 ]
 
 

tests/unit/s2n_kem_preferences_test.c

@@ -27,6 +27,7 @@ int main(int argc, char **argv)
 
     EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_SECP256R1_MLKEM_768));
     EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_X25519_MLKEM_768));
+    EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_SECP384R1_MLKEM_1024));
     EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R3));
     EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_768_R3));
     EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3));
@@ -44,6 +45,7 @@ int main(int argc, char **argv)
 
         EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_SECP256R1_MLKEM_768));
         EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_X25519_MLKEM_768));
+        EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_SECP384R1_MLKEM_1024));
         EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R3));
         EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_768_R3));
         EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3));
@@ -67,6 +69,7 @@ int main(int argc, char **argv)
 
             if (s2n_libcrypto_supports_mlkem()) {
                 EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp256r1_mlkem_768));
+                EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp384r1_mlkem_1024));
                 if (s2n_is_evp_apis_supported()) {
                     EXPECT_TRUE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768));
                 } else {
@@ -82,6 +85,7 @@ int main(int argc, char **argv)
             EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp521r1_kyber_1024_r3));
             EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp256r1_mlkem_768));
             EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768));
+            EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp384r1_mlkem_1024));
         }
     };
 

tests/unit/s2n_tls13_hybrid_shared_secret_test.c

@@ -138,6 +138,7 @@ struct hybrid_test_vector {
 #define KYBER768R3_SECRET  "914CB67FE5C38E73BF74181C0AC50428DEDF7750A98058F7D536708774535B29"
 #define KYBER1024R3_SECRET "B10F7394926AD3B49C5D62D5AEB531D5757538BCC0DA9E550D438F1B61BD7419"
 #define MLKEM768_SECRET    "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035"
+#define MLKEM1024_SECRET   "23f211b84a6ee20c8c29f6e5314c91b414e940513d380add17bd724ab3a13a52"
 
 #define X25519_KYBER512R3_HYBRID_SECRET     (X25519_SHARED_SECRET KYBER512R3_SECRET)
 #define X25519_KYBER768R3_HYBRID_SECRET     (X25519_SHARED_SECRET KYBER768R3_SECRET)
@@ -147,6 +148,7 @@ struct hybrid_test_vector {
 #define SECP521R1_KYBER1024R3_HYBRID_SECRET (SECP521R1_SHARED_SECRET KYBER1024R3_SECRET)
 #define X25519_MLKEM768_HYBRID_SECRET       (MLKEM768_SECRET X25519_SHARED_SECRET)
 #define SECP256R1_MLKEM768_HYBRID_SECRET    (SECP256R1_SHARED_SECRET MLKEM768_SECRET)
+#define SECP384R1_MLKEM1024_HYBRID_SECRET   (SECP384R1_SHARED_SECRET MLKEM1024_SECRET)
 
 /* The expected traffic secrets were calculated from an independent Python implementation located in the KAT directory,
  * using the ECDHE & PQ secrets defined above. */
@@ -190,6 +192,11 @@ struct hybrid_test_vector {
 #define AES_256_X25519_MLKEM768_CLIENT_TRAFFIC_SECRET "44eb9e15ef082936fe7a2c169be644ff16b47fb2a91f7223069cbd8d9b063a034f0936234e60a733a30db6d7226d984d"
 #define AES_256_X25519_MLKEM768_SERVER_TRAFFIC_SECRET "852b46f0e3cdc222badc0b85f4cfb4f332c2d8ea8c9695d6024e129b5056d2c534191ee76bff50148f19a88f81897112"
 
+#define AES_128_SECP384R1_MLKEM1024_CLIENT_TRAFFIC_SECRET "367b160926dc977e255fa5fdd15c51a3942f98a492db05d74777ed4498882179"
+#define AES_128_SECP384R1_MLKEM1024_SERVER_TRAFFIC_SECRET "93c1dcb54fa694957f8decde496944533d64a6e11884bfb8c928cd3b9e954836"
+#define AES_256_SECP384R1_MLKEM1024_CLIENT_TRAFFIC_SECRET "900c6409a1f1d748006759b8276a2ae7b74dca44d9c4e52083952e7cf1c868cba34c270b802dea59a7a8a00b919ff061"
+#define AES_256_SECP384R1_MLKEM1024_SERVER_TRAFFIC_SECRET "ccabea1600385fdd3587429d701aae0efcf6acac0bab0f194d571d78fa8755a0d0a58364c07c14fbe288a67843b68530"
+
 /* A fake transcript string to hash when deriving handshake secrets */
 #define FAKE_TRANSCRIPT "client_hello || server_hello"
 
@@ -431,6 +438,39 @@ int main(int argc, char **argv)
         .expected_server_traffic_secret = &aes_256_secp256r1_mlkem768_server_secret,
     };
 
+    S2N_BLOB_FROM_HEX(mlkem1024_secret, MLKEM1024_SECRET);
+    S2N_BLOB_FROM_HEX(secp384r1_mlkem1024_hybrid_secret, SECP384R1_MLKEM1024_HYBRID_SECRET);
+
+    S2N_BLOB_FROM_HEX(aes_128_secp384r1_mlkem1024_client_secret, AES_128_SECP384R1_MLKEM1024_CLIENT_TRAFFIC_SECRET);
+    S2N_BLOB_FROM_HEX(aes_128_secp384r1_mlkem1024_server_secret, AES_128_SECP384R1_MLKEM1024_SERVER_TRAFFIC_SECRET);
+
+    const struct hybrid_test_vector aes_128_sha_256_secp384r1_mlkem1024_vector = {
+        .cipher_suite = &s2n_tls13_aes_128_gcm_sha256,
+        .transcript = FAKE_TRANSCRIPT,
+        .kem_group = &s2n_secp384r1_mlkem_1024,
+        .client_ecc_key = CLIENT_SECP384R1_PRIV_KEY,
+        .server_ecc_key = SERVER_SECP384R1_PRIV_KEY,
+        .pq_secret = &mlkem1024_secret,
+        .expected_hybrid_secret = &secp384r1_mlkem1024_hybrid_secret,
+        .expected_client_traffic_secret = &aes_128_secp384r1_mlkem1024_client_secret,
+        .expected_server_traffic_secret = &aes_128_secp384r1_mlkem1024_server_secret,
+    };
+
+    S2N_BLOB_FROM_HEX(aes_256_secp384r1_mlkem1024_client_secret, AES_256_SECP384R1_MLKEM1024_CLIENT_TRAFFIC_SECRET);
+    S2N_BLOB_FROM_HEX(aes_256_secp384r1_mlkem1024_server_secret, AES_256_SECP384R1_MLKEM1024_SERVER_TRAFFIC_SECRET);
+
+    const struct hybrid_test_vector aes_256_sha_384_secp384r1_mlkem1024_vector = {
+        .cipher_suite = &s2n_tls13_aes_256_gcm_sha384,
+        .transcript = FAKE_TRANSCRIPT,
+        .kem_group = &s2n_secp384r1_mlkem_1024,
+        .client_ecc_key = CLIENT_SECP384R1_PRIV_KEY,
+        .server_ecc_key = SERVER_SECP384R1_PRIV_KEY,
+        .pq_secret = &mlkem1024_secret,
+        .expected_hybrid_secret = &secp384r1_mlkem1024_hybrid_secret,
+        .expected_client_traffic_secret = &aes_256_secp384r1_mlkem1024_client_secret,
+        .expected_server_traffic_secret = &aes_256_secp384r1_mlkem1024_server_secret,
+    };
+
     S2N_BLOB_FROM_HEX(aes_128_x25519_mlkem768_client_secret, AES_128_X25519_MLKEM768_CLIENT_TRAFFIC_SECRET);
     S2N_BLOB_FROM_HEX(aes_128_x25519_mlkem768_server_secret, AES_128_X25519_MLKEM768_SERVER_TRAFFIC_SECRET);
 
@@ -476,6 +516,8 @@ int main(int argc, char **argv)
         &aes_256_sha_384_x25519_kyber768r3_vector,
         &aes_128_sha_256_secp256r1_mlkem768_vector,
         &aes_256_sha_384_secp256r1_mlkem768_vector,
+        &aes_128_sha_256_secp384r1_mlkem1024_vector,
+        &aes_256_sha_384_secp384r1_mlkem1024_vector,
         &aes_128_sha_256_x25519_mlkem768_vector,
         &aes_256_sha_384_x25519_mlkem768_vector,
     };

tests/unit/s2n_tls13_pq_handshake_test.c

@@ -446,6 +446,26 @@ int main()
         .ecc_preferences = &s2n_ecc_preferences_20240603,
     };
 
+    const struct s2n_kem_group *mlkem1024_test_groups[] = {
+        &s2n_secp384r1_mlkem_1024,
+    };
+
+    const struct s2n_kem_preferences mlkem1024_test_prefs = {
+        .kem_count = 0,
+        .kems = NULL,
+        .tls13_kem_group_count = s2n_array_len(mlkem1024_test_groups),
+        .tls13_kem_groups = mlkem1024_test_groups,
+        .tls13_pq_hybrid_draft_revision = 5
+    };
+
+    const struct s2n_security_policy mlkem1024_test_policy = {
+        .minimum_protocol_version = S2N_TLS13,
+        .cipher_preferences = &cipher_preferences_20190801,
+        .kem_preferences = &mlkem1024_test_prefs,
+        .signature_preferences = &s2n_signature_preferences_20200207,
+        .ecc_preferences = &s2n_ecc_preferences_20240603,
+    };
+
     const struct s2n_security_policy ecc_retry_policy = {
         .minimum_protocol_version = security_policy_pq_tls_1_0_2020_12.minimum_protocol_version,
         .cipher_preferences = security_policy_pq_tls_1_0_2020_12.cipher_preferences,
@@ -508,10 +528,12 @@ int main()
 
     /* ML-KEM is only available on newer versions of AWS-LC. If it's
      * unavailable, we must downgrade the assertions to Kyber or EC. */
-    const struct s2n_kem_group *null_if_no_mlkem = &s2n_x25519_mlkem_768;
+    const struct s2n_kem_group *null_if_no_mlkem_768 = &s2n_x25519_mlkem_768;
+    const struct s2n_kem_group *null_if_no_mlkem_1024 = &s2n_secp384r1_mlkem_1024;
     const struct s2n_ecc_named_curve *ec_if_no_mlkem = NULL;
     if (!s2n_libcrypto_supports_mlkem()) {
-        null_if_no_mlkem = NULL;
+        null_if_no_mlkem_768 = NULL;
+        null_if_no_mlkem_1024 = NULL;
         ec_if_no_mlkem = default_curve;
     }
 
@@ -733,7 +755,17 @@ int main()
         {
                 .client_policy = &mlkem768_test_policy,
                 .server_policy = &mlkem768_test_policy,
-                .expected_kem_group = null_if_no_mlkem,
+                .expected_kem_group = null_if_no_mlkem_768,
+                .expected_curve = ec_if_no_mlkem,
+                .hrr_expected = false,
+                .len_prefix_expected = false,
+        },
+
+        /* Confirm that MLKEM1024 is negotiable */
+        {
+                .client_policy = &mlkem1024_test_policy,
+                .server_policy = &mlkem1024_test_policy,
+                .expected_kem_group = null_if_no_mlkem_1024,
                 .expected_curve = ec_if_no_mlkem,
                 .hrr_expected = false,
                 .len_prefix_expected = false,

tls/s2n_kem.c

@@ -134,6 +134,14 @@ const struct s2n_kem_group s2n_x25519_mlkem_768 = {
     .send_kem_first = 1,
 };
 
+const struct s2n_kem_group s2n_secp384r1_mlkem_1024 = {
+    .name = "SecP384r1MLKEM1024",
+    .iana_id = TLS_PQ_KEM_GROUP_ID_SECP384R1_MLKEM_1024,
+    .curve = &s2n_ecc_curve_secp384r1,
+    .kem = &s2n_mlkem_1024,
+    .send_kem_first = 0,
+};
+
 const struct s2n_kem_group s2n_secp256r1_kyber_512_r3 = {
     .name = "secp256r1_kyber-512-r3",
     .iana_id = TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3,
@@ -185,6 +193,7 @@ const struct s2n_kem_group s2n_x25519_kyber_768_r3 = {
 const struct s2n_kem_group *ALL_SUPPORTED_KEM_GROUPS[] = {
     &s2n_x25519_mlkem_768,
     &s2n_secp256r1_mlkem_768,
+    &s2n_secp384r1_mlkem_1024,
     &s2n_secp256r1_kyber_768_r3,
     &s2n_x25519_kyber_768_r3,
     &s2n_secp384r1_kyber_768_r3,

tls/s2n_kem.h

@@ -102,11 +102,12 @@ extern const struct s2n_kem s2n_kyber_512_r3;
 extern const struct s2n_kem s2n_kyber_768_r3;
 extern const struct s2n_kem s2n_kyber_1024_r3;
 
-#define S2N_KEM_GROUPS_COUNT 8
+#define S2N_KEM_GROUPS_COUNT 9
 extern const struct s2n_kem_group *ALL_SUPPORTED_KEM_GROUPS[S2N_KEM_GROUPS_COUNT];
 
 /* NIST curve KEM Groups */
 extern const struct s2n_kem_group s2n_secp256r1_mlkem_768;
+extern const struct s2n_kem_group s2n_secp384r1_mlkem_1024;
 extern const struct s2n_kem_group s2n_secp256r1_kyber_512_r3;
 extern const struct s2n_kem_group s2n_secp256r1_kyber_768_r3;
 extern const struct s2n_kem_group s2n_secp384r1_kyber_768_r3;

tls/s2n_tls_parameters.h

@@ -70,6 +70,7 @@
  */
 #define TLS_PQ_KEM_GROUP_ID_SECP256R1_MLKEM_768     0x11EB
 #define TLS_PQ_KEM_GROUP_ID_X25519_MLKEM_768        0x11EC
+#define TLS_PQ_KEM_GROUP_ID_SECP384R1_MLKEM_1024    0x11ED
 #define TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R3     0x2F39
 #define TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3  0x2F3A
 #define TLS_PQ_KEM_GROUP_ID_SECP384R1_KYBER_768_R3  0x2F3C