diff options
| author | beck <> | 2025-12-04 21:16:17 +0000 |
|---|---|---|
| committer | beck <> | 2025-12-04 21:16:17 +0000 |
| commit | dccd1f43a0c2de3852d9515f57353d756629c97a (patch) | |
| tree | 7ffb1e1927c856374b227b21ca57105f14121045 /src/lib/libssl/ssl_tlsext.c | |
| parent | f8fcf556caab3fb1fb9d9b496d2724345c90a3eb (diff) | |
| download | openbsd-dccd1f43a0c2de3852d9515f57353d756629c97a.tar.gz openbsd-dccd1f43a0c2de3852d9515f57353d756629c97a.tar.bz2 openbsd-dccd1f43a0c2de3852d9515f57353d756629c97a.zip | |
Hook up X25519MKLEM768 to the TLS 1.3 handshake
This does the following:
1) Adds a second key share prediction to the TLS 1.3 handshake.
We only add one as we are unlikely to want to send more than
one PQ one, and one classical one and are unlikely to waste
bytes on a second PQ algorithm (anything that wants something
else that we support can HRR to get it)
2) Adds X25519MLKEM768 (4588) to our list of supported groups.
We add this to our preferred client and server key shares for TLS 1.3
and we now have a separate list for TLS 1.2 which does not do this,
cleaning up the old "full list" from the comments.
3) Updates the golden magic numbers in the regression tests to allow
for the above two things changing the handshake, so the regress
tests pass.
With this you can successfully hybrid PQ with servers and clients
that support it.
ok tb@ kenjiro@
Diffstat (limited to 'src/lib/libssl/ssl_tlsext.c')
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 51 |
1 files changed, 49 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index dcd9a31205..d879b3304e 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.158 2025/12/04 21:03:42 beck Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.159 2025/12/04 21:16:17 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -1445,7 +1445,7 @@ tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) | |||
| 1445 | static int | 1445 | static int |
| 1446 | tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) | 1446 | tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) |
| 1447 | { | 1447 | { |
| 1448 | CBB client_shares, key_exchange; | 1448 | CBB client_shares, key_exchange, key_exchange2; |
| 1449 | 1449 | ||
| 1450 | if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) | 1450 | if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) |
| 1451 | return 0; | 1451 | return 0; |
| @@ -1458,6 +1458,31 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) | |||
| 1458 | if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) | 1458 | if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange)) |
| 1459 | return 0; | 1459 | return 0; |
| 1460 | 1460 | ||
| 1461 | /* | ||
| 1462 | * We wish to include a second key share prediction in a TLS 1.3 client | ||
| 1463 | * hello if we have more than one preferred group. We never wish to do | ||
| 1464 | * this in response to a server selected group (Either from a TLS 1.2 | ||
| 1465 | * server, or from a hello retry request after having negotiated TLS | ||
| 1466 | * 1.3). | ||
| 1467 | * | ||
| 1468 | * Therefore we only do this if we have not yet negotiated | ||
| 1469 | * a version, and our max version could negotiate TLS 1.3. | ||
| 1470 | */ | ||
| 1471 | if (s->s3->hs.negotiated_tls_version == 0 && | ||
| 1472 | s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) { | ||
| 1473 | if (s->s3->hs.tls13.key_share != NULL) { | ||
| 1474 | if (!CBB_add_u16(&client_shares, | ||
| 1475 | tls_key_share_group(s->s3->hs.tls13.key_share))) | ||
| 1476 | return 0; | ||
| 1477 | if (!CBB_add_u16_length_prefixed(&client_shares, | ||
| 1478 | &key_exchange2)) | ||
| 1479 | return 0; | ||
| 1480 | if (!tls_key_share_public(s->s3->hs.tls13.key_share, | ||
| 1481 | &key_exchange2)) | ||
| 1482 | return 0; | ||
| 1483 | } | ||
| 1484 | } | ||
| 1485 | |||
| 1461 | if (!CBB_flush(cbb)) | 1486 | if (!CBB_flush(cbb)) |
| 1462 | return 0; | 1487 | return 0; |
| 1463 | 1488 | ||
| @@ -1687,10 +1712,32 @@ tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
| 1687 | *alert = SSL_AD_INTERNAL_ERROR; | 1712 | *alert = SSL_AD_INTERNAL_ERROR; |
| 1688 | return 0; | 1713 | return 0; |
| 1689 | } | 1714 | } |
| 1715 | |||
| 1716 | if (s->s3->hs.tls13.server_version >= TLS1_3_VERSION && | ||
| 1717 | tls_key_share_group(s->s3->hs.key_share) != group && | ||
| 1718 | s->s3->hs.tls13.key_share != NULL && | ||
| 1719 | tls_key_share_group(s->s3->hs.tls13.key_share) == group) { | ||
| 1720 | /* | ||
| 1721 | * Server chose our second key share prediction, switch to it, | ||
| 1722 | * and discard the first one. | ||
| 1723 | */ | ||
| 1724 | tls_key_share_free(s->s3->hs.key_share); | ||
| 1725 | s->s3->hs.key_share = s->s3->hs.tls13.key_share; | ||
| 1726 | s->s3->hs.tls13.key_share = NULL; | ||
| 1727 | } | ||
| 1728 | |||
| 1690 | if (tls_key_share_group(s->s3->hs.key_share) != group) { | 1729 | if (tls_key_share_group(s->s3->hs.key_share) != group) { |
| 1691 | *alert = SSL_AD_INTERNAL_ERROR; | 1730 | *alert = SSL_AD_INTERNAL_ERROR; |
| 1692 | return 0; | 1731 | return 0; |
| 1693 | } | 1732 | } |
| 1733 | |||
| 1734 | /* | ||
| 1735 | * Discard our now unused second key share prediction if we had made one | ||
| 1736 | * with our initial 1.3 client hello | ||
| 1737 | */ | ||
| 1738 | tls_key_share_free(s->s3->hs.tls13.key_share); | ||
| 1739 | s->s3->hs.tls13.key_share = NULL; | ||
| 1740 | |||
| 1694 | if (!tls_key_share_client_peer_public(s->s3->hs.key_share, | 1741 | if (!tls_key_share_client_peer_public(s->s3->hs.key_share, |
| 1695 | &key_exchange, &decode_error, NULL)) { | 1742 | &key_exchange, &decode_error, NULL)) { |
| 1696 | if (!decode_error) | 1743 | if (!decode_error) |