feature: support for ML-DSA handshake signatures

Author: lrstewart

crypto/s2n_mldsa.h

@@ -18,6 +18,16 @@
 #include "crypto/s2n_pkey.h"
 #include "utils/s2n_result.h"
 
+#if S2N_LIBCRYPTO_SUPPORTS_MLDSA
+    #define S2N_NID_MLDSA44 NID_MLDSA44
+    #define S2N_NID_MLDSA65 NID_MLDSA65
+    #define S2N_NID_MLDSA87 NID_MLDSA87
+#else
+    #define S2N_NID_MLDSA44 NID_undef
+    #define S2N_NID_MLDSA65 NID_undef
+    #define S2N_NID_MLDSA87 NID_undef
+#endif
+
 /*
  * The draft ML-DSA PKI RFC
  * (https://www.ietf.org/archive/id/draft-ietf-lamps-dilithium-certificates-07.html)

tests/features/S2N_LIBCRYPTO_SUPPORTS_MLDSA.c

@@ -18,6 +18,7 @@
 int main()
 {
     int evp_pkey_id = EVP_PKEY_PQDSA;
+    int nids[] = { NID_MLDSA44, NID_MLDSA65, NID_MLDSA87 };
     /* Required to calculate the mu hash for ML-DSA */
     EVP_PKEY_get_raw_public_key(NULL, NULL, NULL);
     return 0;

tests/testlib/s2n_testlib.h

@@ -116,6 +116,9 @@ S2N_RESULT s2n_connection_set_test_master_secret(struct s2n_connection *conn, co
 #define S2N_RSA_PSS_2048_SHA256_LEAF_KEY  "../pems/rsa_pss_2048_sha256_leaf_key.pem"
 #define S2N_RSA_PSS_2048_SHA256_LEAF_CERT "../pems/rsa_pss_2048_sha256_leaf_cert.pem"
 
+#define S2N_MLDSA87_KEY "../pems/mldsa/ML-DSA-87-seed.priv"
+#define S2N_MLDSA87_CERT "../pems/mldsa/ML-DSA-87.crt"
+
 #define S2N_RSA_2048_SHA256_CLIENT_CERT "../pems/rsa_2048_sha256_client_cert.pem"
 
 #define S2N_RSA_2048_SHA256_NO_DNS_SANS_CERT "../pems/rsa_2048_sha256_no_dns_sans_cert.pem"

tests/unit/s2n_auth_selection_test.c

@@ -294,7 +294,7 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_is_cert_type_valid_for_auth(conn, S2N_PKEY_TYPE_RSA));
         EXPECT_SUCCESS(s2n_is_cert_type_valid_for_auth(conn, S2N_PKEY_TYPE_RSA_PSS));
         EXPECT_SUCCESS(s2n_is_cert_type_valid_for_auth(conn, S2N_PKEY_TYPE_ECDSA));
-        EXPECT_FAILURE(s2n_is_cert_type_valid_for_auth(conn, S2N_PKEY_TYPE_UNKNOWN));
+        EXPECT_SUCCESS(s2n_is_cert_type_valid_for_auth(conn, S2N_PKEY_TYPE_UNKNOWN));
 
         EXPECT_SUCCESS(s2n_connection_free(conn));
     }

tests/unit/s2n_handshake_test.c

@@ -24,6 +24,7 @@
 
 #include "api/s2n.h"
 #include "crypto/s2n_fips.h"
+#include "crypto/s2n_mldsa.h"
 #include "crypto/s2n_rsa_pss.h"
 #include "s2n_test.h"
 #include "testlib/s2n_testlib.h"
@@ -44,6 +45,11 @@ struct s2n_async_pkey_op *pkey_op = NULL;
 int async_pkey_op_called = 0;
 int async_pkey_op_performed = 0;
 
+static uint8_t s2n_trust_all_verify_host(const char *host_name, size_t len, void *data)
+{
+    return 1;
+}
+
 static int handle_async(struct s2n_connection *server_conn)
 {
     s2n_blocked_status server_blocked;
@@ -432,6 +438,69 @@ int main(int argc, char **argv)
 
             s2n_disable_tls13_in_test();
         }
+
+        s2n_reset_tls13_in_test();
+
+        /*  Test: ML-DSA cert */
+        if (s2n_mldsa_is_supported()) {
+            for (size_t verify = 0; verify <= 1; verify++) {
+                for (size_t client_auth = 0; client_auth <= 1; client_auth++) {
+                    DEFER_CLEANUP(struct s2n_cert_chain_and_key *chain_and_key = NULL,
+                            s2n_cert_chain_and_key_ptr_free);
+                    EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
+                            S2N_MLDSA87_CERT, S2N_MLDSA87_KEY));
+
+                    DEFER_CLEANUP(struct s2n_config *server_config = s2n_config_new(),
+                            s2n_config_ptr_free);
+                    EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(
+                            server_config, chain_and_key));
+                    EXPECT_SUCCESS(s2n_config_set_verify_host_callback(server_config,
+                            s2n_trust_all_verify_host, NULL));
+                    EXPECT_SUCCESS(s2n_config_set_verification_ca_location(server_config,
+                            S2N_MLDSA87_CERT, NULL));
+
+                    DEFER_CLEANUP(struct s2n_config *client_config = s2n_config_new(),
+                            s2n_config_ptr_free);
+                    EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(
+                            client_config, chain_and_key));
+                    EXPECT_SUCCESS(s2n_config_set_verify_host_callback(client_config,
+                            s2n_trust_all_verify_host, NULL));
+                    EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config,
+                            S2N_MLDSA87_CERT, NULL));
+
+                    /* ML-DSA is only usable with TLS1.3 */
+                    EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config,
+                            "test_all_tls13"));
+                    EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config,
+                            "test_all_tls13"));
+
+                    /* The hashing path for verify_after_sign is subtly different.
+                     * Make sure we test both paths.
+                     */
+                    if (verify) {
+                        EXPECT_SUCCESS(s2n_config_set_verify_after_sign(server_config,
+                                S2N_VERIFY_AFTER_SIGN_ENABLED));
+                    }
+
+                    /* Test both the async and sync paths */
+                    if (test_type == TEST_TYPE_ASYNC) {
+                        EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(
+                                server_config, async_pkey_fn));
+                    }
+
+                    /* Also test the client side use of ML-DSA */
+                    if (client_auth) {
+                        EXPECT_SUCCESS(s2n_config_set_client_auth_type(server_config,
+                                S2N_CERT_AUTH_REQUIRED));
+                        EXPECT_SUCCESS(s2n_config_set_client_auth_type(client_config,
+                                S2N_CERT_AUTH_REQUIRED));
+                    }
+
+                    EXPECT_SUCCESS(test_cipher_preferences(server_config, client_config,
+                            chain_and_key, S2N_SIGNATURE_MLDSA));
+                }
+            }
+        }
     }
 
     /* Ensure that a handshake can be performed after all file descriptors are closed */

tls/s2n_auth_selection.c

@@ -187,14 +187,16 @@ int s2n_is_cert_type_valid_for_auth(struct s2n_connection *conn, s2n_pkey_type c
     POSIX_ENSURE_REF(conn);
     POSIX_ENSURE_REF(conn->secure);
     POSIX_ENSURE_REF(conn->secure->cipher_suite);
+    s2n_authentication_method conn_auth_method = conn->secure->cipher_suite->auth_method;
 
-    s2n_authentication_method auth_method;
-    POSIX_GUARD(s2n_get_auth_method_for_cert_type(cert_type, &auth_method));
-
-    if (conn->secure->cipher_suite->auth_method != S2N_AUTHENTICATION_METHOD_SENTINEL) {
-        S2N_ERROR_IF(auth_method != conn->secure->cipher_suite->auth_method, S2N_ERR_CERT_TYPE_UNSUPPORTED);
+    /* TLS1.3 cipher suites do not specify an auth type */
+    if (conn_auth_method == S2N_AUTHENTICATION_METHOD_SENTINEL) {
+        return S2N_SUCCESS;
     }
 
+    s2n_authentication_method cert_auth_method = 0;
+    POSIX_GUARD(s2n_get_auth_method_for_cert_type(cert_type, &cert_auth_method));
+    POSIX_ENSURE(cert_auth_method == conn_auth_method, S2N_ERR_CERT_TYPE_UNSUPPORTED);
     return S2N_SUCCESS;
 }
 

tls/s2n_security_policies.c

@@ -1215,6 +1215,17 @@ const struct s2n_security_policy security_policy_test_all_rsa_kex = {
 };
 
 const struct s2n_security_policy security_policy_test_all_tls13 = {
+    .minimum_protocol_version = S2N_SSLv3,
+    .cipher_preferences = &cipher_preferences_test_all_tls13,
+    .kem_preferences = &kem_preferences_null,
+    .signature_preferences = &s2n_signature_preferences_all,
+    .ecc_preferences = &s2n_ecc_preferences_test_all,
+    .rules = {
+            [S2N_PERFECT_FORWARD_SECRECY] = true,
+    },
+};
+
+const struct s2n_security_policy security_policy_20200207 = {
     .minimum_protocol_version = S2N_SSLv3,
     .cipher_preferences = &cipher_preferences_test_all_tls13,
     .kem_preferences = &kem_preferences_null,
@@ -1349,7 +1360,7 @@ struct s2n_security_policy_selection security_policy_selection[] = {
     { .version = "20190122", .security_policy = &security_policy_20190122, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20190801", .security_policy = &security_policy_20190801, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20190802", .security_policy = &security_policy_20190802, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
-    { .version = "20200207", .security_policy = &security_policy_test_all_tls13, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+    { .version = "20200207", .security_policy = &security_policy_20200207, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20201021", .security_policy = &security_policy_20201021, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20210816", .security_policy = &security_policy_20210816, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
     { .version = "20210816_GCM", .security_policy = &security_policy_20210816_gcm, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },

tls/s2n_signature_scheme.c

@@ -18,6 +18,7 @@
 #include "api/s2n.h"
 #include "crypto/s2n_ecc_evp.h"
 #include "crypto/s2n_hash.h"
+#include "crypto/s2n_mldsa.h"
 #include "crypto/s2n_signature.h"
 #include "tls/s2n_connection.h"
 #include "utils/s2n_safety.h"
@@ -204,6 +205,35 @@ const struct s2n_signature_scheme s2n_rsa_pss_pss_sha512 = {
     .minimum_protocol_version = S2N_TLS12,
 };
 
+/* ML-DSA: post-quantum signature schemes */
+
+const struct s2n_signature_scheme s2n_mldsa44 = {
+    .iana_value = TLS_SIGNATURE_SCHEME_MLDSA44,
+    .iana_name = "mldsa44",
+    .hash_alg = S2N_HASH_SHAKE256_64,
+    .sig_alg = S2N_SIGNATURE_MLDSA,
+    .libcrypto_nid = S2N_NID_MLDSA44,
+    .minimum_protocol_version = S2N_TLS13,
+};
+
+const struct s2n_signature_scheme s2n_mldsa65 = {
+    .iana_value = TLS_SIGNATURE_SCHEME_MLDSA65,
+    .iana_name = "mldsa65",
+    .hash_alg = S2N_HASH_SHAKE256_64,
+    .sig_alg = S2N_SIGNATURE_MLDSA,
+    .libcrypto_nid = S2N_NID_MLDSA65,
+    .minimum_protocol_version = S2N_TLS13,
+};
+
+const struct s2n_signature_scheme s2n_mldsa87 = {
+    .iana_value = TLS_SIGNATURE_SCHEME_MLDSA87,
+    .iana_name = "mldsa87",
+    .hash_alg = S2N_HASH_SHAKE256_64,
+    .sig_alg = S2N_SIGNATURE_MLDSA,
+    .libcrypto_nid = S2N_NID_MLDSA87,
+    .minimum_protocol_version = S2N_TLS13,
+};
+
 /* ALL signature schemes, including the legacy default s2n_rsa_pkcs1_md5_sha1 scheme.
  * New signature schemes must be added to this list.
  */
@@ -225,6 +255,9 @@ const struct s2n_signature_scheme* const s2n_sig_scheme_pref_list_all[] = {
     &s2n_rsa_pss_pss_sha256,
     &s2n_rsa_pss_pss_sha384,
     &s2n_rsa_pss_pss_sha512,
+    &s2n_mldsa44,
+    &s2n_mldsa65,
+    &s2n_mldsa87,
 };
 
 const struct s2n_signature_preferences s2n_signature_preferences_all = {

tls/s2n_signature_scheme.h

@@ -70,6 +70,11 @@ extern const struct s2n_signature_scheme s2n_rsa_pss_rsae_sha256;
 extern const struct s2n_signature_scheme s2n_rsa_pss_rsae_sha384;
 extern const struct s2n_signature_scheme s2n_rsa_pss_rsae_sha512;
 
+/* ML-DSA: post-quantum signature schemes */
+extern const struct s2n_signature_scheme s2n_mldsa44;
+extern const struct s2n_signature_scheme s2n_mldsa65;
+extern const struct s2n_signature_scheme s2n_mldsa87;
+
 extern const struct s2n_signature_preferences s2n_signature_preferences_20240501;
 extern const struct s2n_signature_preferences s2n_signature_preferences_20230317;
 extern const struct s2n_signature_preferences s2n_signature_preferences_20140601;

tls/s2n_tls13_certificate_verify.c

@@ -85,6 +85,9 @@ int s2n_tls13_write_cert_verify_signature(struct s2n_connection *conn,
     POSIX_GUARD(s2n_hash_new(&message_hash));
     POSIX_GUARD(s2n_hash_init(&message_hash, chosen_sig_scheme->hash_alg));
 
+    const struct s2n_pkey *pkey = conn->handshake_params.our_chain_and_key->private_key;
+    POSIX_GUARD_RESULT(s2n_pkey_init_hash(pkey, chosen_sig_scheme->sig_alg, &message_hash));
+
     DEFER_CLEANUP(struct s2n_stuffer unsigned_content = { 0 }, s2n_stuffer_free);
     POSIX_GUARD(s2n_tls13_generate_unsigned_cert_verify_content(conn, &unsigned_content, conn->mode));
 
@@ -184,17 +187,19 @@ int s2n_tls13_cert_read_and_verify_signature(struct s2n_connection *conn,
         POSIX_GUARD(s2n_tls13_generate_unsigned_cert_verify_content(conn, &unsigned_content, S2N_CLIENT));
     }
 
-    POSIX_GUARD(s2n_hash_init(&message_hash, chosen_sig_scheme->hash_alg));
-    POSIX_GUARD(s2n_hash_update(&message_hash, unsigned_content.blob.data,
-            s2n_stuffer_data_available(&unsigned_content)));
-
+    struct s2n_pkey *pkey = NULL;
     if (conn->mode == S2N_CLIENT) {
-        POSIX_GUARD(s2n_pkey_verify(&conn->handshake_params.server_public_key, chosen_sig_scheme->sig_alg,
-                &message_hash, &signed_content));
+        pkey = &conn->handshake_params.server_public_key;
     } else {
-        POSIX_GUARD(s2n_pkey_verify(&conn->handshake_params.client_public_key, chosen_sig_scheme->sig_alg,
-                &message_hash, &signed_content));
+        pkey = &conn->handshake_params.client_public_key;
     }
 
+    POSIX_GUARD(s2n_hash_init(&message_hash, chosen_sig_scheme->hash_alg));
+    POSIX_GUARD_RESULT(s2n_pkey_init_hash(pkey, chosen_sig_scheme->sig_alg, &message_hash));
+    POSIX_GUARD(s2n_hash_update(&message_hash, unsigned_content.blob.data,
+            s2n_stuffer_data_available(&unsigned_content)));
+
+    POSIX_GUARD(s2n_pkey_verify(pkey, chosen_sig_scheme->sig_alg,
+            &message_hash, &signed_content));
     return 0;
 }

tls/s2n_tls_parameters.h

@@ -158,6 +158,11 @@
 #define TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384  0x080A
 #define TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512  0x080B
 
+/* ML-DSA: post-quantum signature schemes */
+#define TLS_SIGNATURE_SCHEME_MLDSA44 0x0904
+#define TLS_SIGNATURE_SCHEME_MLDSA65 0x0905
+#define TLS_SIGNATURE_SCHEME_MLDSA87 0x0906
+
 #define TLS_SIGNATURE_SCHEME_LEN          2
 #define TLS_SIGNATURE_SCHEME_LIST_MAX_LEN 128