Merged
Conversation
lrstewart
reviewed
Oct 28, 2025
maddeleine
reviewed
Nov 4, 2025
jmayclin
reviewed
Nov 6, 2025
maddeleine
reviewed
Nov 6, 2025
jmayclin
reviewed
Nov 7, 2025
jmayclin
reviewed
Nov 7, 2025
jmayclin
approved these changes
Nov 11, 2025
maddeleine
reviewed
Nov 11, 2025
maddeleine
approved these changes
Nov 11, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release Summary:
Adds pure ML-KEM-1024 support:
s2n_pure_mlkem_1024KEM group is now negotiable.Resolved issues:
Partially addresses #5152
Description of changes:
This is the 2nd part of adding pure ML-KEM support following #5468. This PR updates the handshake key share functions (sending & receiving) to enable pure ML-KEM negotiation. Changes overview:
s2n_client_key_share.cands2n_server_key_share.cto skip the ECC path for pure ML-KEM groups (i.e. using the placeholder curves2n_ecc_curve_none).ecc_params.negotiated_curveandecc_params.evp_pkeybecause pure ML-KEM groups don't contain an ECC curve.s2n_pure_mlkem_1024toALL_SUPPORTED_KEM_GROUPSwhich is used by thetest_allpolicy.s2n_server_key_share_extension_testands2n_client_key_share_extension_pq_test.Call-outs:
I discussed the length-prefixed PQ key share issue with Alex. The prefixed format is only used by TLS 1.2 and Draft 0 of TLS 1.3 (See Alex's previous PR). Since pure ML-KEM is added in later versions, it should always use the un-prefixed format.
Moreover, all of the length prefixing logic for PQ should eventually be removed from s2n-tls. It was only used in draft standards, and we have only promised customers to support PQ draft standards (i.e.
tls13_pq_hybrid_draft_revision < 5) until end of 2025.This will impact two unit tests that explicitly test prefixed PQ key shares:
s2n_server_key_share_extension_testands2n_client_key_share_extension_pq_test. I skipped the length-prefixed tests for pure ML-KEM as a workaround. This can be removed as we clean up the length-prefixed format for PQ and overhaul these unit tests.Testing:
pure_mlkem1024_test_policythat only negotiatess2n_pure_mlkem_1024. It will fall back to the default ECC curve if the libcrypto does not support ML-KEM.s2n_pure_mlkem_1024is added toALL_SUPPORTED_KEM_GROUPS; hence pure ML-KEM will run in all the unit tests usingALL_SUPPORTED_KEM_GROUPS.s2n_connection_size_testfailed in the CI FreeBSD job:s2n_connection size (4368) no longer in (3924, 4360).Increase the max limit to 4400.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.