Track 1: constant-time crypto FFI, memory zeroing, PSK resumption

Practical-security hardening for production readiness:

- 1a: sml-crypto-ffi shim wrapping libsodium (X25519, ChaCha20-Poly1305)
  via MLton _import and Poly/ML Foreign. Cross-impl tests assert
  byte-identical output to the pure-SML oracles on RFC 8439 / RFC 7748.
  FFI path lives behind dedicated targets; default suite stays pure-SML.
- 1b: SecureZero (sodium_memzero / pure fallback) and
  TlsClient.zeroize / TlsServer.zeroize / zeroizeConfig to overwrite
  traffic keys, secrets, and rsaPrivateKeyDer. Best-effort given SML
  string immutability (documented).
- 1c: server-side PSK resumption accept path (pure SML): in-memory
  ticket store, binder verification over the truncated ClientHello,
  selected_identity echo, PSK key schedule, Cert/CertVerify omitted on
  resume. Binder mismatch -> fatal illegal_parameter.

Both compilers green: 306 passed, 0 failed (was 280).

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: sjqtentacles

Makefile

@@ -1,12 +1,31 @@
 # sml-tls build
 MLTON      ?= mlton
+CC         ?= clang
 BIN        := bin
 LIBDIR     := lib/github.com/sjqtentacles/sml-tls
+FFIDIR     := lib/github.com/sjqtentacles/sml-crypto-ffi
 TEST_MLB   := test/sources.mlb
 SRCS       := $(wildcard $(LIBDIR)/*.sml $(LIBDIR)/*.sig) \
               $(wildcard test/*.sml) $(TEST_MLB) $(LIBDIR)/sources.mlb
 
-.PHONY: all test poly test-poly all-tests clean
+# --- Track 1a/1b: libsodium constant-time crypto FFI shim ---
+# libsodium (Homebrew default on Apple Silicon). Override on other systems,
+# e.g. SODIUM_PREFIX=/usr or =/usr/local.
+SODIUM_PREFIX ?= /opt/homebrew
+SODIUM_INC    := $(SODIUM_PREFIX)/include
+SODIUM_LIB    := $(SODIUM_PREFIX)/lib
+# Shared-library extension: .dylib on macOS, .so elsewhere.
+ifeq ($(shell uname -s),Darwin)
+  SHLIB_EXT := dylib
+else
+  SHLIB_EXT := so
+endif
+FFI_SHIM   := $(BIN)/libsmlcryptoffi.$(SHLIB_EXT)
+# MLton link flags to resolve the shim's _import symbols against the dylib
+# (and libsodium itself).
+FFI_LINK   := -link-opt "-L$(BIN) -L$(SODIUM_LIB) -lsmlcryptoffi -lsodium -Wl,-rpath,$(BIN) -Wl,-rpath,$(SODIUM_LIB)"
+
+.PHONY: all test poly test-poly all-tests ffi-shim test-ffi test-ffi-poly test-ffi-all clean
 
 all: $(BIN)/test-mlton
 
@@ -26,6 +45,31 @@ test-poly: $(BIN)/test-poly
 
 all-tests: test test-poly
 
+# --- FFI shim (Track 1a/1b) ---------------------------------------------
+# Build the libsodium constant-time crypto shim into a shared library that
+# MLton links against and Poly/ML loads at runtime via Foreign.loadLibrary.
+ffi-shim: $(FFI_SHIM)
+
+$(FFI_SHIM): $(FFIDIR)/shim.c | $(BIN)
+	$(CC) -O2 -fPIC -shared -I$(SODIUM_INC) $< \
+	  -L$(SODIUM_LIB) -lsodium -o $@
+
+# MLton FFI test: byte-identity (shim == pure-SML oracle) on RFC vectors.
+test-ffi: $(FFI_SHIM) $(SRCS) test/sources-ffi-mlton.mlb \
+          $(wildcard $(FFIDIR)/*.sml $(FFIDIR)/*.sig) | $(BIN)
+	$(MLTON) -default-ann 'allowFFI true' $(FFI_LINK) \
+	  -output $(BIN)/test-ffi-mlton test/sources-ffi-mlton.mlb
+	$(BIN)/test-ffi-mlton
+
+# Poly/ML FFI test: same suite via Foreign.loadLibrary on the shim.
+test-ffi-poly: $(FFI_SHIM) $(SRCS) test/sources-ffi-poly.mlb tools/polybuild \
+               $(wildcard $(FFIDIR)/*.sml $(FFIDIR)/*.sig) | $(BIN)
+	SML_CRYPTO_FFI_LIB=$(FFI_SHIM) \
+	  sh tools/polybuild -o $(BIN)/test-ffi-poly test/sources-ffi-poly.mlb
+	SML_CRYPTO_FFI_LIB=$(FFI_SHIM) $(BIN)/test-ffi-poly
+
+test-ffi-all: test-ffi test-ffi-poly
+
 $(BIN):
 	mkdir -p $(BIN)
 

lib/github.com/sjqtentacles/sml-crypto-ffi/crypto_ffi.sig

@@ -0,0 +1,57 @@
+(* crypto_ffi.sig
+
+   Constant-time crypto via an FFI shim over libsodium (Track 1a/1b).
+
+   This signature is implemented twice -- once with MLton's `_import`
+   (crypto_ffi_mlton.sml) and once with Poly/ML's `Foreign` structure
+   (crypto_ffi_poly.sml) -- so the same `CryptoFfi` structure is available
+   on both compilers. Each build selects exactly one implementation file.
+
+   The interface intentionally mirrors the SHAPE of the pure-SML modules it
+   replaces so it can be used as a near drop-in:
+
+     - `dh` / `base`            match X25519.dh / X25519.base
+     - `seal` / `open'`         match Aead.seal / Aead.open' for
+                                ChaCha20-Poly1305 (record-form: ct||tag)
+     - `memzero`                best-effort secure wipe (Track 1b)
+
+   All byte material is RAW byte strings (one char per byte, 0-255), the
+   same convention as the rest of the sjqtentacles crypto family. *)
+
+signature CRYPTO_FFI =
+sig
+  (* Raised on a length/contract violation or an underlying libsodium error
+     (distinct from an AEAD authentication failure, which is `NONE`). *)
+  exception CryptoFfi of string
+
+  (* Idempotent libsodium initialisation. The implementations call this
+     lazily on first use, but it is exposed for explicit warm-up/tests. *)
+  val init : unit -> unit
+
+  (* X25519 (RFC 7748). `scalar` and `point` are 32-byte little-endian
+     strings; the result is the 32-byte shared u-coordinate. libsodium
+     clamps the scalar internally, matching X25519.dh. *)
+  val dh   : string -> string -> string
+
+  (* Public key: dh scalar 9. 32-byte little-endian result. *)
+  val base : string -> string
+
+  (* 32, for symmetry with X25519.keySize. *)
+  val keySize : int
+
+  structure ChaCha20Poly1305 :
+  sig
+    (* seal key nonce aad plaintext -> ciphertext || 16-byte tag.
+       `key` is 32 bytes, `nonce` is 12 bytes. Raises CryptoFfi on a
+       length violation. *)
+    val seal  : string -> string -> string -> string -> string
+
+    (* open' key nonce aad (ciphertext||tag) -> SOME plaintext | NONE.
+       NONE iff the tag does not verify or the input is too short. *)
+    val open' : string -> string -> string -> string -> string option
+  end
+
+  (* Overwrite the bytes currently held by a Word8Array using libsodium's
+     sodium_memzero, which the optimizer may not elide (Track 1b). *)
+  val memzero : Word8Array.array -> unit
+end

lib/github.com/sjqtentacles/sml-crypto-ffi/crypto_ffi_mlton.sml

@@ -0,0 +1,111 @@
+(* crypto_ffi_mlton.sml
+
+   MLton implementation of CRYPTO_FFI using `_import` to call the libsodium
+   shim (lib/.../sml-crypto-ffi/shim.c). The shim object/library is linked
+   into the executable by the Makefile via `-link-opt`.
+
+   This file uses MLton-only `_import` syntax and is NOT loaded under
+   Poly/ML (which uses crypto_ffi_poly.sml instead). *)
+
+structure CryptoFfi :> CRYPTO_FFI =
+struct
+  exception CryptoFfi of string
+
+  val keySize = 32
+
+  (* --- libsodium shim imports (see shim.c) --- *)
+  val cInit = _import "sml_sodium_init" public : unit -> int;
+  val cX25519 = _import "sml_x25519" public :
+    Word8Array.array * Word8Array.array * Word8Array.array -> int;
+  val cX25519Base = _import "sml_x25519_base" public :
+    Word8Array.array * Word8Array.array -> int;
+  val cSeal = _import "sml_chacha20poly1305_seal" public :
+    Word8Array.array * Word8Array.array * int
+    * Word8Array.array * int * Word8Array.array * Word8Array.array -> int;
+  val cOpen = _import "sml_chacha20poly1305_open" public :
+    Word8Array.array * Word8Array.array * int
+    * Word8Array.array * int * Word8Array.array * Word8Array.array -> int;
+  val cMemzero = _import "sml_memzero" public :
+    Word8Array.array * int -> unit;
+
+  (* --- byte string <-> Word8Array marshalling --- *)
+  fun toArr (s : string) : Word8Array.array =
+    Word8Array.tabulate (String.size s,
+      fn i => Byte.charToByte (String.sub (s, i)))
+
+  fun fromArr (a : Word8Array.array) : string =
+    CharVector.tabulate (Word8Array.length a,
+      fn i => Byte.byteToChar (Word8Array.sub (a, i)))
+
+  val initialised = ref false
+  fun init () =
+    if !initialised then ()
+    else
+      let val r = cInit () in
+        if r < 0 then raise CryptoFfi "sodium_init failed"
+        else initialised := true
+      end
+
+  fun checkLen (what, s, n) =
+    if String.size s <> n then
+      raise CryptoFfi (what ^ " must be " ^ Int.toString n ^ " bytes, got "
+                       ^ Int.toString (String.size s))
+    else ()
+
+  fun dh scalar point =
+    ( init ()
+    ; checkLen ("scalar", scalar, 32)
+    ; checkLen ("point", point, 32)
+    ; let
+        val out = Word8Array.array (32, 0w0)
+        val _ = cX25519 (out, toArr scalar, toArr point)
+        (* A zero result (small-order point) returns -1; the pure-SML
+           oracle just returns the zero output, so we mirror that and
+           return the (zeroed) output rather than raising. *)
+      in fromArr out end )
+
+  fun base scalar =
+    ( init ()
+    ; checkLen ("scalar", scalar, 32)
+    ; let
+        val out = Word8Array.array (32, 0w0)
+        val _ = cX25519Base (out, toArr scalar)
+      in fromArr out end )
+
+  structure ChaCha20Poly1305 =
+  struct
+    fun seal key nonce aad plaintext =
+      ( init ()
+      ; checkLen ("key", key, 32)
+      ; checkLen ("nonce", nonce, 12)
+      ; let
+          val m = toArr plaintext
+          val ad = toArr aad
+          val out = Word8Array.array (String.size plaintext + 16, 0w0)
+          val n = cSeal (out, m, String.size plaintext,
+                         ad, String.size aad, toArr nonce, toArr key)
+        in
+          if n < 0 then raise CryptoFfi "chacha20poly1305 seal failed"
+          else fromArr out
+        end )
+
+    fun open' key nonce aad sealed =
+      ( init ()
+      ; checkLen ("key", key, 32)
+      ; checkLen ("nonce", nonce, 12)
+      ; if String.size sealed < 16 then NONE
+        else
+          let
+            val c = toArr sealed
+            val ad = toArr aad
+            val out = Word8Array.array (String.size sealed - 16, 0w0)
+            val n = cOpen (out, c, String.size sealed,
+                           ad, String.size aad, toArr nonce, toArr key)
+          in
+            if n < 0 then NONE else SOME (fromArr out)
+          end )
+  end
+
+  fun memzero a =
+    ( init (); cMemzero (a, Word8Array.length a) )
+end

lib/github.com/sjqtentacles/sml-crypto-ffi/crypto_ffi_poly.sml

@@ -0,0 +1,137 @@
+(* crypto_ffi_poly.sml
+
+   Poly/ML implementation of CRYPTO_FFI using the `Foreign` structure to
+   call the libsodium shim (lib/.../sml-crypto-ffi/shim.c), compiled to a
+   shared library that this module loads at runtime via
+   `Foreign.loadLibrary`.
+
+   This file uses Poly/ML-only `Foreign` and is NOT loaded under MLton
+   (which uses crypto_ffi_mlton.sml instead).
+
+   Poly/ML's `cArrayPointer cUint8` marshals an SML `int array` to/from a
+   C `unsigned char *`, so byte material crosses the boundary as `int
+   array` (values 0-255). *)
+
+structure CryptoFfi :> CRYPTO_FFI =
+struct
+  exception CryptoFfi of string
+
+  val keySize = 32
+
+  (* Locate the shim shared library. The Makefile builds it next to the
+     test binary as bin/libsmlcryptoffi.dylib; we also try a few common
+     spots so tests run from the repo root work regardless of cwd. *)
+  local
+    open Foreign
+    fun ext () =
+      case OS.Process.getEnv "SML_CRYPTO_FFI_LIB" of
+          SOME p => [p]
+        | NONE => []
+    val candidates =
+      ext () @
+      [ "bin/libsmlcryptoffi.dylib",
+        "bin/libsmlcryptoffi.so",
+        "./libsmlcryptoffi.dylib",
+        "libsmlcryptoffi.dylib",
+        "libsmlcryptoffi.so" ]
+    fun tryLoad [] = raise CryptoFfi "could not load libsmlcryptoffi shim library"
+      | tryLoad (p :: ps) =
+          (loadLibrary p handle _ => tryLoad ps)
+    val lib = tryLoad candidates
+    val byteArr = cArrayPointer cUint8
+  in
+    val cInit = buildCall0 (getSymbol lib "sml_sodium_init", (), cInt)
+    val cX25519 = buildCall3 (getSymbol lib "sml_x25519",
+      (byteArr, byteArr, byteArr), cInt)
+    val cX25519Base = buildCall2 (getSymbol lib "sml_x25519_base",
+      (byteArr, byteArr), cInt)
+    val cSeal = buildCall7 (getSymbol lib "sml_chacha20poly1305_seal",
+      (byteArr, byteArr, cInt, byteArr, cInt, byteArr, byteArr), cInt)
+    val cOpen = buildCall7 (getSymbol lib "sml_chacha20poly1305_open",
+      (byteArr, byteArr, cInt, byteArr, cInt, byteArr, byteArr), cInt)
+    val cMemzeroI = buildCall2 (getSymbol lib "sml_memzero",
+      (byteArr, cInt), cVoid)
+  end
+
+  (* --- byte string <-> int array (0-255) marshalling --- *)
+  fun toArr (s : string) : int array =
+    Array.tabulate (String.size s, fn i => Char.ord (String.sub (s, i)))
+
+  fun fromArr (a : int array) : string =
+    CharVector.tabulate (Array.length a, fn i => Char.chr (Array.sub (a, i)))
+
+  val initialised = ref false
+  fun init () =
+    if !initialised then ()
+    else
+      let val r = cInit () in
+        if r < 0 then raise CryptoFfi "sodium_init failed"
+        else initialised := true
+      end
+
+  fun checkLen (what, s, n) =
+    if String.size s <> n then
+      raise CryptoFfi (what ^ " must be " ^ Int.toString n ^ " bytes, got "
+                       ^ Int.toString (String.size s))
+    else ()
+
+  fun dh scalar point =
+    ( init ()
+    ; checkLen ("scalar", scalar, 32)
+    ; checkLen ("point", point, 32)
+    ; let
+        val out = Array.array (32, 0)
+        val _ = cX25519 (out, toArr scalar, toArr point)
+      in fromArr out end )
+
+  fun base scalar =
+    ( init ()
+    ; checkLen ("scalar", scalar, 32)
+    ; let
+        val out = Array.array (32, 0)
+        val _ = cX25519Base (out, toArr scalar)
+      in fromArr out end )
+
+  structure ChaCha20Poly1305 =
+  struct
+    fun seal key nonce aad plaintext =
+      ( init ()
+      ; checkLen ("key", key, 32)
+      ; checkLen ("nonce", nonce, 12)
+      ; let
+          val out = Array.array (String.size plaintext + 16, 0)
+          val n = cSeal (out, toArr plaintext, String.size plaintext,
+                         toArr aad, String.size aad, toArr nonce, toArr key)
+        in
+          if n < 0 then raise CryptoFfi "chacha20poly1305 seal failed"
+          else fromArr out
+        end )
+
+    fun open' key nonce aad sealed =
+      ( init ()
+      ; checkLen ("key", key, 32)
+      ; checkLen ("nonce", nonce, 12)
+      ; if String.size sealed < 16 then NONE
+        else
+          let
+            val out = Array.array (String.size sealed - 16, 0)
+            val n = cOpen (out, toArr sealed, String.size sealed,
+                           toArr aad, String.size aad, toArr nonce, toArr key)
+          in
+            if n < 0 then NONE else SOME (fromArr out)
+          end )
+  end
+
+  (* Word8Array path: copy into an int array, zero via the shim, then copy
+     the zeros back so the caller's array is wiped too. (sodium_memzero on
+     the temporary guarantees the value-zeroing is not elided.) *)
+  fun memzero a =
+    let
+      val () = init ()
+      val n = Word8Array.length a
+      val tmp = Array.array (n, 0)
+      val () = cMemzeroI (tmp, n)
+    in
+      Word8Array.modify (fn _ => 0w0) a
+    end
+end