/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

/*
 * Declarations for the key-encapsulation mechanisms (KEMs) and hybrid KEM groups:
 * algorithm descriptors, per-connection parameter holders, negotiation helpers and
 * the fixed byte sizes of each supported parameter set.
 */

#pragma once

/* NOTE(review): `bool`, `S2N_RESULT` and the `NID_*` constants are used below but no
 * header that declares them is included directly; presumably they arrive through the
 * project headers listed here. Confirm before including this file on its own. */
#include <stdint.h>

#include "crypto/s2n_ecc_evp.h"
#include "stuffer/s2n_stuffer.h"
#include "tls/s2n_crypto_constants.h"
#include "utils/s2n_blob.h"

/* Every KEM size and the extension id is a 16-bit quantity. The largest byte count
 * defined at the end of this file (3168) fits in that range. */
typedef uint16_t kem_extension_size;
typedef uint16_t kem_public_key_size;
typedef uint16_t kem_private_key_size;
typedef uint16_t kem_shared_secret_size;
typedef uint16_t kem_ciphertext_key_size;

/* Annotation-only markers: both expand to nothing and only document the direction
 * of a pointer parameter in the callback signatures below. */
#define IN  /* Indicates a necessary function input */
#define OUT /* Indicates a function output */

/* Map the s2n Kyber identifiers to the libcrypto NIDs when the build reports EVP KEM
 * support, and to NID_undef otherwise. */
#if defined(S2N_LIBCRYPTO_SUPPORTS_EVP_KEM)
    #define S2N_NID_KYBER512  NID_KYBER512_R3
    #define S2N_NID_KYBER768  NID_KYBER768_R3
    #define S2N_NID_KYBER1024 NID_KYBER1024_R3
#else
    #define S2N_NID_KYBER512  NID_undef
    #define S2N_NID_KYBER768  NID_undef
    #define S2N_NID_KYBER1024 NID_undef
#endif

/* Same mapping for ML-KEM, gated on a separate build flag. */
#if defined(S2N_LIBCRYPTO_SUPPORTS_MLKEM)
    #define S2N_NID_MLKEM768  NID_MLKEM768
    #define S2N_NID_MLKEM1024 NID_MLKEM1024
#else
    #define S2N_NID_MLKEM768  NID_undef
    #define S2N_NID_MLKEM1024 NID_undef
#endif

/*
 * Descriptor of one KEM parameter set: its name, libcrypto NID, extension id,
 * the fixed lengths of its keys, ciphertext and shared secret, and the three
 * operations that implement it.
 */
struct s2n_kem {
    const char *name;
    /* One of the S2N_NID_* values above; NID_undef when libcrypto lacks the algorithm.
     * NOTE(review): presumably s2n_kem_is_available() keys off this value - confirm. */
    int kem_nid;
    const kem_extension_size kem_extension_id;
    const kem_public_key_size public_key_length;
    const kem_private_key_size private_key_length;
    const kem_shared_secret_size shared_secret_key_length;
    const kem_ciphertext_key_size ciphertext_length;
    /* NIST Post Quantum KEM submissions require the following API for compatibility */
    /* None of the callbacks takes a buffer length. NOTE(review): the callee presumably
     * relies on the *_length fields of `kem`, so every OUT buffer must be at least that
     * large and every IN buffer must hold exactly that many valid bytes - confirm
     * against the callers that allocate these buffers. */
    int (*generate_keypair)(IN const struct s2n_kem *kem, OUT uint8_t *public_key, OUT uint8_t *private_key);
    int (*encapsulate)(IN const struct s2n_kem *kem, OUT uint8_t *ciphertext, OUT uint8_t *shared_secret, IN const uint8_t *public_key);
    int (*decapsulate)(IN const struct s2n_kem *kem, OUT uint8_t *shared_secret, IN const uint8_t *ciphertext, IN const uint8_t *private_key);
};

/*
 * State of one KEM exchange: the selected algorithm and the key material
 * associated with it.
 */
struct s2n_kem_params {
    const struct s2n_kem *kem;
    struct s2n_blob public_key;
    /* private_key and shared_secret hold secret material.
     * NOTE(review): presumably s2n_kem_free() wipes and releases these blobs - confirm
     * in the implementation, and avoid copying them into storage it does not cover. */
    struct s2n_blob private_key;
    struct s2n_blob shared_secret;
    /* Store whether the client included the length prefix of the PQ and ECC Shares in their ClientHello, so that the
     * server can match the client's behavior. For the client side, store whether it should send the length prefix. */
    bool len_prefixed;
};

/*
 * Associates one cipher suite IANA value with the KEMs usable with it:
 * `kems` points at an array of `kem_count` descriptor pointers.
 */
struct s2n_iana_to_kem {
    const uint8_t iana_value[S2N_TLS_CIPHER_SUITE_LEN];
    const struct s2n_kem **kems;
    uint8_t kem_count;
};

/*
 * A negotiable key-exchange group that pairs an ECC curve with a KEM.
 * NOTE(review): s2n_pure_mlkem_1024 is declared below as a "pure" group; whether
 * its `curve` is NULL is not visible in this header, so code that dereferences
 * `curve` should confirm how that group is defined.
 */
struct s2n_kem_group {
    const char *name;
    uint16_t iana_id;
    const struct s2n_ecc_named_curve *curve;
    const struct s2n_kem *kem;

    /* Whether the PQ KeyShare should be sent before the ECC KeyShare. Only enabled for X25519MLKEM768.
     * See: https://datatracker.ietf.org/doc/html/draft-kwiatkowski-tls-ecdhe-mlkem-02#name-negotiated-groups */
    bool send_kem_first;
};

/* Per-connection state for a KEM group: the chosen group plus the parameters of
 * its KEM part and of its ECC part. */
struct s2n_kem_group_params {
    const struct s2n_kem_group *kem_group;
    struct s2n_kem_params kem_params;
    struct s2n_ecc_evp_params ecc_params;
};

/* KEM descriptors, defined in the implementation file. */
extern const struct s2n_kem s2n_mlkem_768;
extern const struct s2n_kem s2n_mlkem_1024;
extern const struct s2n_kem s2n_kyber_512_r3;
extern const struct s2n_kem s2n_kyber_768_r3;
extern const struct s2n_kem s2n_kyber_1024_r3;

/* Size of ALL_SUPPORTED_KEM_GROUPS. It equals the number of s2n_kem_group objects
 * declared below (6 NIST-curve + 3 x25519 + 1 pure ML-KEM); keep the two in sync
 * when a group is added or removed. */
#define S2N_KEM_GROUPS_COUNT 10
extern const struct s2n_kem_group *ALL_SUPPORTED_KEM_GROUPS[S2N_KEM_GROUPS_COUNT];

/* NIST curve KEM Groups */
extern const struct s2n_kem_group s2n_secp256r1_mlkem_768;
extern const struct s2n_kem_group s2n_secp384r1_mlkem_1024;
extern const struct s2n_kem_group s2n_secp256r1_kyber_512_r3;
extern const struct s2n_kem_group s2n_secp256r1_kyber_768_r3;
extern const struct s2n_kem_group s2n_secp384r1_kyber_768_r3;
extern const struct s2n_kem_group s2n_secp521r1_kyber_1024_r3;

/* x25519 KEM Groups */
extern const struct s2n_kem_group s2n_x25519_mlkem_768;
extern const struct s2n_kem_group s2n_x25519_kyber_512_r3;
extern const struct s2n_kem_group s2n_x25519_kyber_768_r3;

/* Pure ML-KEM Groups */
extern const struct s2n_kem_group s2n_pure_mlkem_1024;

/* KEM operations on a parameter holder. These three return S2N_RESULT while the
 * rest of the API returns int, so the two families need different result checks.
 * NOTE(review): presumably encapsulate writes the ciphertext into `ciphertext` and
 * the secret into kem_params->shared_secret, and decapsulate reads `ciphertext`
 * using kem_params->private_key - confirm in the implementation. */
S2N_RESULT s2n_kem_generate_keypair(struct s2n_kem_params *kem_params);
S2N_RESULT s2n_kem_encapsulate(struct s2n_kem_params *kem_params, struct s2n_blob *ciphertext);
S2N_RESULT s2n_kem_decapsulate(struct s2n_kem_params *kem_params, const struct s2n_blob *ciphertext);

/* KEM selection for a cipher suite, with or without a list of KEM ids from the
 * client; the selection is returned through `chosen_kem`.
 * NOTE(review): `client_kem_ids` is presumably peer-supplied wire data - confirm that
 * the implementation bounds-checks it before reading ids from it. */
int s2n_choose_kem_with_peer_pref_list(const uint8_t iana_value[S2N_TLS_CIPHER_SUITE_LEN],
        struct s2n_blob *client_kem_ids, const struct s2n_kem *server_kem_pref_list[],
        const uint8_t num_server_supported_kems, const struct s2n_kem **chosen_kem);
int s2n_choose_kem_without_peer_pref_list(const uint8_t iana_value[S2N_TLS_CIPHER_SUITE_LEN],
        const struct s2n_kem *server_kem_pref_list[], const uint8_t num_server_supported_kems,
        const struct s2n_kem **chosen_kem);

/* Release the key material held by the parameter structs. */
int s2n_kem_free(struct s2n_kem_params *kem_params);
int s2n_kem_group_free(struct s2n_kem_group_params *kem_group_params);

/* Lookups: cipher suite IANA value -> s2n_iana_to_kem entry, and extension id -> KEM. */
int s2n_cipher_suite_to_kem(const uint8_t iana_value[S2N_TLS_CIPHER_SUITE_LEN],
        const struct s2n_iana_to_kem **supported_params);
int s2n_get_kem_from_extension_id(kem_extension_size kem_id, const struct s2n_kem **kem);

/* Wire I/O for public keys and ciphertexts through a stuffer.
 * NOTE(review): the recv functions presumably parse bytes received from the peer;
 * confirm that the received length is checked against the selected kem's
 * public_key_length / ciphertext_length before the data reaches a callback, since
 * the callbacks themselves take no length. */
int s2n_kem_send_public_key(struct s2n_stuffer *out, struct s2n_kem_params *kem_params);
int s2n_kem_recv_public_key(struct s2n_stuffer *in, struct s2n_kem_params *kem_params);
int s2n_kem_send_ciphertext(struct s2n_stuffer *out, struct s2n_kem_params *kem_params);
int s2n_kem_recv_ciphertext(struct s2n_stuffer *in, struct s2n_kem_params *kem_params);

/* Availability queries for a KEM or KEM group. */
bool s2n_kem_is_available(const struct s2n_kem *kem);
bool s2n_kem_group_is_available(const struct s2n_kem_group *kem_group);

/* Look up a KEM group by IANA id. The result is reported through two outputs, `out`
 * and `found`, in addition to the int return value.
 * NOTE(review): presumably an unknown id yields *found == false rather than an
 * error return - confirm, and check `found` before using `*out`. */
int s2n_find_kem_group_from_iana_id(uint16_t iana_id, const struct s2n_kem_group **out, bool *found);

/* Fixed byte sizes per parameter set. The ML-KEM and Kyber round 3 sets of the same
 * strength have identical sizes here, so a length alone cannot tell them apart. */

/* mlkem768 */
#define S2N_MLKEM_768_PUBLIC_KEY_BYTES    1184
#define S2N_MLKEM_768_SECRET_KEY_BYTES    2400
#define S2N_MLKEM_768_CIPHERTEXT_BYTES    1088
#define S2N_MLKEM_768_SHARED_SECRET_BYTES 32

/* mlkem1024 */
#define S2N_MLKEM_1024_PUBLIC_KEY_BYTES    1568
#define S2N_MLKEM_1024_SECRET_KEY_BYTES    3168
#define S2N_MLKEM_1024_CIPHERTEXT_BYTES    1568
#define S2N_MLKEM_1024_SHARED_SECRET_BYTES 32

/* kyber512r3 */
#define S2N_KYBER_512_R3_PUBLIC_KEY_BYTES    800
#define S2N_KYBER_512_R3_SECRET_KEY_BYTES    1632
#define S2N_KYBER_512_R3_CIPHERTEXT_BYTES    768
#define S2N_KYBER_512_R3_SHARED_SECRET_BYTES 32

/* kyber768r3 */
#define S2N_KYBER_768_R3_PUBLIC_KEY_BYTES    1184
#define S2N_KYBER_768_R3_SECRET_KEY_BYTES    2400
#define S2N_KYBER_768_R3_CIPHERTEXT_BYTES    1088
#define S2N_KYBER_768_R3_SHARED_SECRET_BYTES 32

/* kyber1024r3 */
#define S2N_KYBER_1024_R3_PUBLIC_KEY_BYTES    1568
#define S2N_KYBER_1024_R3_SECRET_KEY_BYTES    3168
#define S2N_KYBER_1024_R3_CIPHERTEXT_BYTES    1568
#define S2N_KYBER_1024_R3_SHARED_SECRET_BYTES 32