Add initial support for MLKEM768 (without any new Security Policies) #4816

Merged
merged 6 commits into from
Oct 11, 2024
31 changes: 31 additions & 0 deletions tests/unit/kats/generate_pq_hybrid_tls13_handshake_kats.py
Expand Up @@ -208,6 +208,34 @@
"pq_shared_secret": "B10F7394926AD3B49C5D62D5AEB531D5757538BCC0DA9E550D438F1B61BD7419",
"transcript_hash": "35412cebcf35cb8a7af8f78278a486fc798f8702eaebd067c97acb27bffe13524d8426a4ed57956b4fd0ffdc4c90be52",
},
{
"group_name": "X25519MLKEM768",
"cipher_suite": "TLS_AES_128_GCM_SHA256",
"ec_shared_secret": "519be87fa0599077e5673d6f2d910aa150d7fef783c5e1491961fdf63b255910",
"pq_shared_secret": "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035",
"transcript_hash": "f5f7f7867668be4b792159d4d194a03ec5cfa238b6409b5ca2ddccfddcc92a2b",
},
{
"group_name": "X25519MLKEM768",
"cipher_suite": "TLS_AES_256_GCM_SHA384",
"ec_shared_secret": "519be87fa0599077e5673d6f2d910aa150d7fef783c5e1491961fdf63b255910",
"pq_shared_secret": "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035",
"transcript_hash": "35412cebcf35cb8a7af8f78278a486fc798f8702eaebd067c97acb27bffe13524d8426a4ed57956b4fd0ffdc4c90be52",
},
{
"group_name": "SecP256r1MLKEM768",
"cipher_suite": "TLS_AES_128_GCM_SHA256",
"ec_shared_secret": "9348e27655539e08fffe46b35f863dd634e7437cc6bc11c7d329ef5484ec3b60",
"pq_shared_secret": "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035",
"transcript_hash": "f5f7f7867668be4b792159d4d194a03ec5cfa238b6409b5ca2ddccfddcc92a2b",
},
{
"group_name": "SecP256r1MLKEM768",
"cipher_suite": "TLS_AES_256_GCM_SHA384",
"ec_shared_secret": "9348e27655539e08fffe46b35f863dd634e7437cc6bc11c7d329ef5484ec3b60",
"pq_shared_secret": "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035",
"transcript_hash": "35412cebcf35cb8a7af8f78278a486fc798f8702eaebd067c97acb27bffe13524d8426a4ed57956b4fd0ffdc4c90be52",
},
]


Expand All @@ -233,6 +261,9 @@ def hkdf_expand_label(key: bytes, label: str, context: bytes, hash_alg: str):

def compute_secrets(input_vector: dict):
shared_secret = bytes.fromhex(input_vector["ec_shared_secret"] + input_vector["pq_shared_secret"])
if (input_vector["group_name"] == "X25519MLKEM768"):
shared_secret = bytes.fromhex(input_vector["pq_shared_secret"] + input_vector["ec_shared_secret"])

hash_alg = input_vector["cipher_suite"].split("_")[-1].lower()
zeros = bytearray([0] * hashlib.new(hash_alg).digest_size)
transcript_hash = bytes.fromhex(input_vector["transcript_hash"])
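Review bot: In compute_secrets the PQ-first concatenation is selected by comparing `group_name` with the literal `"X25519MLKEM768"`, with no comment, after the ECDHE-first value has already been computed and is then overwritten. This script appears to be the independent reference for the expected traffic secrets in the C test, so the ordering rule should be readable here: put `# X25519MLKEM768 concatenates PQ || ECDHE; the other groups in this file use ECDHE || PQ` above the `if` and make the two assignments an `if`/`else`. A per-vector key for the order would also keep a later KEM-first group from silently falling into the default branch. The body of compute_secrets continues past the end of the hunk.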
221 changes: 147 additions & 74 deletions tests/unit/s2n_client_key_share_extension_pq_test.c

Large diffs are not rendered by default.

28 changes: 17 additions & 11 deletions tests/unit/s2n_kem_preferences_test.c
Expand Up @@ -25,6 +25,8 @@ int main(int argc, char **argv)
BEGIN_TEST();
EXPECT_SUCCESS(s2n_disable_tls13_in_test());

EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_SECP256R1_MLKEM_768));
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_X25519_MLKEM_768));
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R3));
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_768_R3));
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3));
Expand All @@ -33,22 +35,15 @@ int main(int argc, char **argv)
EXPECT_FALSE(s2n_kem_preferences_includes_tls13_kem_group(&kem_preferences_null, TLS_PQ_KEM_GROUP_ID_SECP521R1_KYBER_1024_R3));

{
const struct s2n_kem_group *test_kem_groups[] = {
&s2n_secp256r1_kyber_512_r3,
&s2n_x25519_kyber_512_r3,
&s2n_secp384r1_kyber_768_r3,
&s2n_secp256r1_kyber_768_r3,
&s2n_x25519_kyber_768_r3,
&s2n_secp521r1_kyber_1024_r3,
};

const struct s2n_kem_preferences test_prefs = {
.kem_count = 0,
.kems = NULL,
.tls13_kem_group_count = s2n_array_len(test_kem_groups),
.tls13_kem_groups = test_kem_groups,
.tls13_kem_group_count = S2N_KEM_GROUPS_COUNT,
.tls13_kem_groups = ALL_SUPPORTED_KEM_GROUPS,
};

EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_SECP256R1_MLKEM_768));
EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_X25519_MLKEM_768));
EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_512_R3));
EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_X25519_KYBER_768_R3));
EXPECT_TRUE(s2n_kem_preferences_includes_tls13_kem_group(&test_prefs, TLS_PQ_KEM_GROUP_ID_SECP256R1_KYBER_512_R3));
Expand All @@ -69,13 +64,24 @@ int main(int argc, char **argv)
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_512_r3));
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_768_r3));
}

if (s2n_libcrypto_supports_mlkem()) {
EXPECT_TRUE(s2n_kem_group_is_available(&s2n_secp256r1_mlkem_768));
if (s2n_is_evp_apis_supported()) {
EXPECT_TRUE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768));
} else {
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768));
}
}
} else {
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp256r1_kyber_512_r3));
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_512_r3));
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_kyber_768_r3));
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp256r1_kyber_768_r3));
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp384r1_kyber_768_r3));
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp521r1_kyber_1024_r3));
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp256r1_mlkem_768));
EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768));
}
};
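Review bot: The new `if (s2n_libcrypto_supports_mlkem())` block has no `else`, so on a build that takes the enclosing branch but lacks ML-KEM support, nothing asserts that the two ML-KEM groups are reported unavailable. The negative case is only checked in the outer `else`. Adding `} else { EXPECT_FALSE(s2n_kem_group_is_available(&s2n_secp256r1_mlkem_768)); EXPECT_FALSE(s2n_kem_group_is_available(&s2n_x25519_mlkem_768)); }` would catch a group being reported as available without libcrypto backing. The condition of the enclosing `if` is outside the hunk, so which builds reach this block is inferred.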

32 changes: 17 additions & 15 deletions tests/unit/s2n_pq_kem_test.c
Expand Up @@ -24,6 +24,7 @@
#include "utils/s2n_safety.h"

static const struct s2n_kem *test_vectors[] = {
&s2n_mlkem_768,
&s2n_kyber_512_r3,
&s2n_kyber_768_r3,
&s2n_kyber_1024_r3,
Expand Down Expand Up @@ -63,25 +64,26 @@ int main()
DEFER_CLEANUP(struct s2n_blob ciphertext = { 0 }, s2n_free);
EXPECT_SUCCESS(s2n_alloc(&ciphertext, kem->ciphertext_length));

if (s2n_pq_is_enabled()) {
/* Test a successful round-trip: keygen->enc->dec */
EXPECT_PQ_KEM_SUCCESS(kem->generate_keypair(kem, public_key.data, private_key.data));
EXPECT_PQ_KEM_SUCCESS(kem->encapsulate(kem, ciphertext.data, client_shared_secret.data, public_key.data));
EXPECT_PQ_KEM_SUCCESS(kem->decapsulate(kem, server_shared_secret.data, ciphertext.data, private_key.data));
EXPECT_BYTEARRAY_EQUAL(server_shared_secret.data, client_shared_secret.data, kem->shared_secret_key_length);

/* By design, if an invalid private key + ciphertext pair is provided to decapsulate(),
* the function should still succeed (return S2N_SUCCESS); however, the shared secret
* that was "decapsulated" will be a garbage random value. */
ciphertext.data[0] ^= 1; /* Flip a bit to invalidate the ciphertext */

EXPECT_PQ_KEM_SUCCESS(kem->decapsulate(kem, server_shared_secret.data, ciphertext.data, private_key.data));
EXPECT_BYTEARRAY_NOT_EQUAL(server_shared_secret.data, client_shared_secret.data, kem->shared_secret_key_length);
} else {
if (!s2n_kem_is_available(kem)) {
EXPECT_FAILURE_WITH_ERRNO(kem->generate_keypair(kem, public_key.data, private_key.data), S2N_ERR_UNIMPLEMENTED);
EXPECT_FAILURE_WITH_ERRNO(kem->encapsulate(kem, ciphertext.data, client_shared_secret.data, public_key.data), S2N_ERR_UNIMPLEMENTED);
EXPECT_FAILURE_WITH_ERRNO(kem->decapsulate(kem, server_shared_secret.data, ciphertext.data, private_key.data), S2N_ERR_UNIMPLEMENTED);
continue;
}

/* Test a successful round-trip: keygen->enc->dec */
EXPECT_PQ_KEM_SUCCESS(kem->generate_keypair(kem, public_key.data, private_key.data));
EXPECT_PQ_KEM_SUCCESS(kem->encapsulate(kem, ciphertext.data, client_shared_secret.data, public_key.data));
EXPECT_PQ_KEM_SUCCESS(kem->decapsulate(kem, server_shared_secret.data, ciphertext.data, private_key.data));
EXPECT_BYTEARRAY_EQUAL(server_shared_secret.data, client_shared_secret.data, kem->shared_secret_key_length);

/* By design, if an invalid private key + ciphertext pair is provided to decapsulate(),
* the function should still succeed (return S2N_SUCCESS); however, the shared secret
* that was "decapsulated" will be a garbage random value. */
ciphertext.data[0] ^= 1; /* Flip a bit to invalidate the ciphertext */

EXPECT_PQ_KEM_SUCCESS(kem->decapsulate(kem, server_shared_secret.data, ciphertext.data, private_key.data));
EXPECT_BYTEARRAY_NOT_EQUAL(server_shared_secret.data, client_shared_secret.data, kem->shared_secret_key_length);
}

END_TEST();
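Review bot: The early-exit branch on `!s2n_kem_is_available(kem)` would read better with a comment stating the contract it pins, for example `/* Unavailable KEM: keygen, encapsulate and decapsulate must each fail with S2N_ERR_UNIMPLEMENTED */`. Availability is now decided per KEM rather than by `s2n_pq_is_enabled()`, so one run can mix skipped and exercised entries of `test_vectors`, and the `continue` makes that easy to miss. The loop header is outside the hunk.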
16 changes: 12 additions & 4 deletions tests/unit/s2n_security_policies_test.c
Expand Up @@ -198,15 +198,23 @@ int main(int argc, char **argv)
EXPECT_EQUAL(1, security_policy->kem_preferences->kem_count);
EXPECT_NOT_NULL(security_policy->kem_preferences->kems);
EXPECT_EQUAL(&s2n_kyber_512_r3, security_policy->kem_preferences->kems[0]);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, pq_kem_groups_r3_2023_06);
EXPECT_EQUAL(security_policy->kem_preferences->tls13_kem_groups, ALL_SUPPORTED_KEM_GROUPS);
/* All supported kem groups should be in the preference list, but not all of them may be available. */
EXPECT_EQUAL(6, security_policy->kem_preferences->tls13_kem_group_count);
EXPECT_EQUAL(S2N_KEM_GROUPS_COUNT, security_policy->kem_preferences->tls13_kem_group_count);
uint32_t available_groups = 0;
EXPECT_OK(s2n_kem_preferences_groups_available(security_policy->kem_preferences, &available_groups));
if (s2n_libcrypto_supports_evp_kem() && s2n_is_evp_apis_supported()) {
EXPECT_EQUAL(6, available_groups);
if (s2n_libcrypto_supports_mlkem()) {
EXPECT_EQUAL(S2N_KEM_GROUPS_COUNT, available_groups);
} else {
EXPECT_EQUAL(6, available_groups);
}
} else if (s2n_libcrypto_supports_evp_kem() && !s2n_is_evp_apis_supported()) {
EXPECT_EQUAL(4, available_groups);
if (s2n_libcrypto_supports_mlkem()) {
EXPECT_EQUAL(5, available_groups);
} else {
EXPECT_EQUAL(4, available_groups);
}
} else {
EXPECT_EQUAL(0, available_groups);
}
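Review bot: The expected values `6`, `5` and `4` for `available_groups` sit next to `S2N_KEM_GROUPS_COUNT` as bare literals, so each branch has to be re-derived by hand whenever a group is added. A comment per branch would make the arithmetic checkable, e.g. `/* 6 = the Kyber groups; neither ML-KEM group is available */` and `/* 5 = 4 non-x25519 Kyber groups + secp256r1_mlkem_768 */`. Those derivations are inferred from the availability checks in s2n_kem_preferences_test.c, so confirm them against the group table before committing the wording. The surrounding block starts and ends outside the hunk.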
16 changes: 12 additions & 4 deletions tests/unit/s2n_server_key_share_extension_test.c
Expand Up @@ -885,15 +885,23 @@ int main(int argc, char **argv)
S2N_STUFFER_READ_EXPECT_EQUAL(&stuffer, kem_group->iana_id, uint16);
S2N_STUFFER_READ_EXPECT_EQUAL(&stuffer, expected_hybrid_share_size, uint16);

uint16_t expected_first_share_size = kem_group->curve->share_size;
uint16_t expected_second_share_size = kem_group->kem->ciphertext_length;

if (kem_group->send_kem_first) {
expected_first_share_size = kem_group->kem->ciphertext_length;
expected_second_share_size = kem_group->curve->share_size;
}

if (len_prefixed) {
S2N_STUFFER_READ_EXPECT_EQUAL(&stuffer, kem_group->curve->share_size, uint16);
S2N_STUFFER_READ_EXPECT_EQUAL(&stuffer, expected_first_share_size, uint16);
}
EXPECT_SUCCESS(s2n_stuffer_skip_read(&stuffer, kem_group->curve->share_size));
EXPECT_SUCCESS(s2n_stuffer_skip_read(&stuffer, expected_first_share_size));

if (len_prefixed) {
S2N_STUFFER_READ_EXPECT_EQUAL(&stuffer, kem_group->kem->ciphertext_length, uint16);
S2N_STUFFER_READ_EXPECT_EQUAL(&stuffer, expected_second_share_size, uint16);
}
S2N_STUFFER_LENGTH_WRITTEN_EXPECT_EQUAL(&stuffer, kem_group->kem->ciphertext_length);
S2N_STUFFER_LENGTH_WRITTEN_EXPECT_EQUAL(&stuffer, expected_second_share_size);

EXPECT_NULL(conn->kex_params.server_ecc_evp_params.negotiated_curve);
EXPECT_EQUAL(server_params->kem_group, kem_group);
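Review bot: The `send_kem_first` swap only changes the expected lengths, and when `len_prefixed` is false the test skips `expected_first_share_size` bytes and then appears to check only that `expected_second_share_size` bytes remain, which holds for either order. For groups sent without length prefixes, a server writing the two shares in the wrong order would therefore still pass here. Either compare one share's bytes against a known value, or record the limit with a comment such as `/* Lengths only: without length prefixes this cannot distinguish KEM-first from ECC-first */`. The enclosing block starts before and continues after the hunk.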
82 changes: 81 additions & 1 deletion tests/unit/s2n_tls13_hybrid_shared_secret_test.c
Expand Up @@ -137,14 +137,16 @@ struct hybrid_test_vector {
#define KYBER512R3_SECRET "0A6925676F24B22C286F4C81A4224CEC506C9B257D480E02E3B49F44CAA3237F"
#define KYBER768R3_SECRET "914CB67FE5C38E73BF74181C0AC50428DEDF7750A98058F7D536708774535B29"
#define KYBER1024R3_SECRET "B10F7394926AD3B49C5D62D5AEB531D5757538BCC0DA9E550D438F1B61BD7419"
#define MLKEM768_SECRET "B408D5D115713F0A93047DBBEA832E4340787686D59A9A2D106BD662BA0AA035"

/* Hybrid shared secrets are the concatenation: ECDHE || PQ */
#define X25519_KYBER512R3_HYBRID_SECRET (X25519_SHARED_SECRET KYBER512R3_SECRET)
#define X25519_KYBER768R3_HYBRID_SECRET (X25519_SHARED_SECRET KYBER768R3_SECRET)
#define SECP256R1_KYBER512R3_HYBRID_SECRET (SECP256R1_SHARED_SECRET KYBER512R3_SECRET)
#define SECP256R1_KYBER768R3_HYBRID_SECRET (SECP256R1_SHARED_SECRET KYBER768R3_SECRET)
#define SECP384R1_KYBER768R3_HYBRID_SECRET (SECP384R1_SHARED_SECRET KYBER768R3_SECRET)
#define SECP521R1_KYBER1024R3_HYBRID_SECRET (SECP521R1_SHARED_SECRET KYBER1024R3_SECRET)
#define X25519_MLKEM768_HYBRID_SECRET (MLKEM768_SECRET X25519_SHARED_SECRET)
#define SECP256R1_MLKEM768_HYBRID_SECRET (SECP256R1_SHARED_SECRET MLKEM768_SECRET)

/* The expected traffic secrets were calculated from an independent Python implementation located in the KAT directory,
* using the ECDHE & PQ secrets defined above. */
Expand Down Expand Up @@ -178,6 +180,16 @@ struct hybrid_test_vector {
#define AES_256_SECP521R1_KYBER1024R3_CLIENT_TRAFFIC_SECRET "660838cb79c4852258346112f481b75463b39aec83b961cd999741d720b18c95df0c3eabc1ec6b1505703ce1925bf396"
#define AES_256_SECP521R1_KYBER1024R3_SERVER_TRAFFIC_SECRET "19cb80a0d66c0e616891370273b92cf700d1cf32146be6402eb3de62eab6d1ce2d259b404ff29249e8c2af6df416d503"

#define AES_128_SECP256R1_MLKEM768_CLIENT_TRAFFIC_SECRET "e3b086562f8dc237a9dc8710f345821c871417bd57a64a1966860f1f06bcd5dc"
#define AES_128_SECP256R1_MLKEM768_SERVER_TRAFFIC_SECRET "eb3f47d5cc09234957543e1160dde10cc86b817f31c43d5e8af8cdd6167b0336"
#define AES_256_SECP256R1_MLKEM768_CLIENT_TRAFFIC_SECRET "9e65803eeb8324eb5faea82be52c266e0bf8ac398f091db73a48e68ee2ff0a91915b3f1f4e9907e33543a9ebb1f7a748"
#define AES_256_SECP256R1_MLKEM768_SERVER_TRAFFIC_SECRET "cb8fc8707f294e3ab9b98f0d873b1e1c5d740ecd254c67fcca44b5444742bf958102be17beb5c89ae08b8b31191d9137"

#define AES_128_X25519_MLKEM768_CLIENT_TRAFFIC_SECRET "8bf7f5f36cdece4ca1439e14e9b585cd5c2c11753ce53733da771c89ba7d8162"
#define AES_128_X25519_MLKEM768_SERVER_TRAFFIC_SECRET "c9221c9f9fad66ac7ae568e46695229eaf95196819c2bb997469f010075b953e"
#define AES_256_X25519_MLKEM768_CLIENT_TRAFFIC_SECRET "44eb9e15ef082936fe7a2c169be644ff16b47fb2a91f7223069cbd8d9b063a034f0936234e60a733a30db6d7226d984d"
#define AES_256_X25519_MLKEM768_SERVER_TRAFFIC_SECRET "852b46f0e3cdc222badc0b85f4cfb4f332c2d8ea8c9695d6024e129b5056d2c534191ee76bff50148f19a88f81897112"

/* A fake transcript string to hash when deriving handshake secrets */
#define FAKE_TRANSCRIPT "client_hello || server_hello"

Expand Down Expand Up @@ -385,6 +397,70 @@ int main(int argc, char **argv)
.expected_server_traffic_secret = &aes_256_x25519_kyber768r3_server_secret,
};

S2N_BLOB_FROM_HEX(mlkem768_secret, MLKEM768_SECRET);
S2N_BLOB_FROM_HEX(secp256r1_mlkem768_hybrid_secret, SECP256R1_MLKEM768_HYBRID_SECRET);
S2N_BLOB_FROM_HEX(x25519_mlkem768_hybrid_secret, X25519_MLKEM768_HYBRID_SECRET);

S2N_BLOB_FROM_HEX(aes_128_secp256r1_mlkem768_client_secret, AES_128_SECP256R1_MLKEM768_CLIENT_TRAFFIC_SECRET);
S2N_BLOB_FROM_HEX(aes_128_secp256r1_mlkem768_server_secret, AES_128_SECP256R1_MLKEM768_SERVER_TRAFFIC_SECRET);

const struct hybrid_test_vector aes_128_sha_256_secp256r1_mlkem768_vector = {
.cipher_suite = &s2n_tls13_aes_128_gcm_sha256,
.transcript = FAKE_TRANSCRIPT,
.kem_group = &s2n_secp256r1_mlkem_768,
.client_ecc_key = CLIENT_SECP256R1_PRIV_KEY,
.server_ecc_key = SERVER_SECP256R1_PRIV_KEY,
.pq_secret = &mlkem768_secret,
.expected_hybrid_secret = &secp256r1_mlkem768_hybrid_secret,
.expected_client_traffic_secret = &aes_128_secp256r1_mlkem768_client_secret,
.expected_server_traffic_secret = &aes_128_secp256r1_mlkem768_server_secret,
};

S2N_BLOB_FROM_HEX(aes_256_secp256r1_mlkem768_client_secret, AES_256_SECP256R1_MLKEM768_CLIENT_TRAFFIC_SECRET);
S2N_BLOB_FROM_HEX(aes_256_secp256r1_mlkem768_server_secret, AES_256_SECP256R1_MLKEM768_SERVER_TRAFFIC_SECRET);

const struct hybrid_test_vector aes_256_sha_384_secp256r1_mlkem768_vector = {
.cipher_suite = &s2n_tls13_aes_256_gcm_sha384,
.transcript = FAKE_TRANSCRIPT,
.kem_group = &s2n_secp256r1_mlkem_768,
.client_ecc_key = CLIENT_SECP256R1_PRIV_KEY,
.server_ecc_key = SERVER_SECP256R1_PRIV_KEY,
.pq_secret = &mlkem768_secret,
.expected_hybrid_secret = &secp256r1_mlkem768_hybrid_secret,
.expected_client_traffic_secret = &aes_256_secp256r1_mlkem768_client_secret,
.expected_server_traffic_secret = &aes_256_secp256r1_mlkem768_server_secret,
};

S2N_BLOB_FROM_HEX(aes_128_x25519_mlkem768_client_secret, AES_128_X25519_MLKEM768_CLIENT_TRAFFIC_SECRET);
S2N_BLOB_FROM_HEX(aes_128_x25519_mlkem768_server_secret, AES_128_X25519_MLKEM768_SERVER_TRAFFIC_SECRET);

const struct hybrid_test_vector aes_128_sha_256_x25519_mlkem768_vector = {
.cipher_suite = &s2n_tls13_aes_128_gcm_sha256,
.transcript = FAKE_TRANSCRIPT,
.kem_group = &s2n_x25519_mlkem_768,
.client_ecc_key = CLIENT_X25519_PRIV_KEY,
.server_ecc_key = SERVER_X25519_PRIV_KEY,
.pq_secret = &mlkem768_secret,
.expected_hybrid_secret = &x25519_mlkem768_hybrid_secret,
.expected_client_traffic_secret = &aes_128_x25519_mlkem768_client_secret,
.expected_server_traffic_secret = &aes_128_x25519_mlkem768_server_secret,
};

S2N_BLOB_FROM_HEX(aes_256_x25519_mlkem768_client_secret, AES_256_X25519_MLKEM768_CLIENT_TRAFFIC_SECRET);
S2N_BLOB_FROM_HEX(aes_256_x25519_mlkem768_server_secret, AES_256_X25519_MLKEM768_SERVER_TRAFFIC_SECRET);

const struct hybrid_test_vector aes_256_sha_384_x25519_mlkem768_vector = {
.cipher_suite = &s2n_tls13_aes_256_gcm_sha384,
.transcript = FAKE_TRANSCRIPT,
.kem_group = &s2n_x25519_mlkem_768,
.client_ecc_key = CLIENT_X25519_PRIV_KEY,
.server_ecc_key = SERVER_X25519_PRIV_KEY,
.pq_secret = &mlkem768_secret,
.expected_hybrid_secret = &x25519_mlkem768_hybrid_secret,
.expected_client_traffic_secret = &aes_256_x25519_mlkem768_client_secret,
.expected_server_traffic_secret = &aes_256_x25519_mlkem768_server_secret,
};

const struct hybrid_test_vector *all_test_vectors[] = {
&aes_128_sha_256_secp256r1_kyber512r3_vector,
&aes_256_sha_384_secp256r1_kyber512r3_vector,
Expand All @@ -398,6 +474,10 @@ int main(int argc, char **argv)
&aes_256_sha_384_secp521r1_kyber1024r3_vector,
&aes_128_sha_256_x25519_kyber768r3_vector,
&aes_256_sha_384_x25519_kyber768r3_vector,
&aes_128_sha_256_secp256r1_mlkem768_vector,
&aes_256_sha_384_secp256r1_mlkem768_vector,
&aes_128_sha_256_x25519_mlkem768_vector,
&aes_256_sha_384_x25519_mlkem768_vector,
};

EXPECT_EQUAL(s2n_array_len(all_test_vectors), (2 * S2N_KEM_GROUPS_COUNT));
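Review bot: The comment `/* Hybrid shared secrets are the concatenation: ECDHE || PQ */` above the `*_HYBRID_SECRET` macros is no longer true for the new `X25519_MLKEM768_HYBRID_SECRET`, which is defined as `(MLKEM768_SECRET X25519_SHARED_SECRET)`. Someone adding the next vector by copying the documented pattern would have no hint why the expected secret does not match. Suggested wording: `/* Hybrid shared secrets are ECDHE || PQ, except X25519MLKEM768, which is PQ || ECDHE */`. The same ordering exception is coded in compute_secrets in the KAT generator, so the two should be kept in step.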