Add a MLKEM768_X25519 hybrid key share.

This implements the currently in use MLKEM768_X25519 hybrid key share as outlined in https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/ This commit does not yet wire this up to anything, that is done in follow on changes. ok tb@ jsing@ kenjiro@
author: beck <> 2025-12-04 21:03:42 +0000
committer: beck <> 2025-12-04 21:03:42 +0000
commit: f8fcf556caab3fb1fb9d9b496d2724345c90a3eb (patch)
tree: e39a46d0520e4b766125513ea7a2a2e6521f7cf6 /src/lib/libssl/ssl_tlsext.c
parent: 25e047ad935a9d585bc84fe9aae3de40dbad3e72 (diff)
download: openbsd-f8fcf556caab3fb1fb9d9b496d2724345c90a3eb.tar.gz
openbsd-f8fcf556caab3fb1fb9d9b496d2724345c90a3eb.tar.bz2
openbsd-f8fcf556caab3fb1fb9d9b496d2724345c90a3eb.zip
1 files changed, 4 insertions, 4 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 12ede899e8..dcd9a31205 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.157 2025/10/16 14:42:21 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.158 2025/12/04 21:03:42 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1523,7 +1523,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                        *alert = SSL_AD_INTERNAL_ERROR;
                        return 0;
                }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                    &key_exchange, &decode_error, NULL)) {
                        if (!decode_error)
                                *alert = SSL_AD_INTERNAL_ERROR;
@@ -1614,7 +1614,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                        *alert = SSL_AD_INTERNAL_ERROR;
                        return 0;
                }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                    &key_exchange, &decode_error, NULL)) {
                        if (!decode_error)
                                *alert = SSL_AD_INTERNAL_ERROR;
@@ -1691,7 +1691,7 @@ tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                *alert = SSL_AD_INTERNAL_ERROR;
                return 0;
        }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share,
            &key_exchange, &decode_error, NULL)) {
                if (!decode_error)
                        *alert = SSL_AD_INTERNAL_ERROR;
author	beck <>	2025-12-04 21:03:42 +0000
committer	beck <>	2025-12-04 21:03:42 +0000
commit	f8fcf556caab3fb1fb9d9b496d2724345c90a3eb (patch)
tree	e39a46d0520e4b766125513ea7a2a2e6521f7cf6 /src/lib/libssl/ssl_tlsext.c
parent	25e047ad935a9d585bc84fe9aae3de40dbad3e72 (diff)
download	openbsd-f8fcf556caab3fb1fb9d9b496d2724345c90a3eb.tar.gz openbsd-f8fcf556caab3fb1fb9d9b496d2724345c90a3eb.tar.bz2 openbsd-f8fcf556caab3fb1fb9d9b496d2724345c90a3eb.zip

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 12ede899e8..dcd9a31205 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.157 2025/10/16 14:42:21 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.158 2025/12/04 21:03:42 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1523,7 +1523,7 @@ tlsext_keyshare_server_process(SSL s, uint16_t msg_type, CBS cbs, int *alert)
1523	*alert = SSL_AD_INTERNAL_ERROR;	1523	*alert = SSL_AD_INTERNAL_ERROR;
1524	return 0;	1524	return 0;
1525	}	1525	}
1526	if (!tls_key_share_peer_public(s->s3->hs.key_share,	1526	if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
1527	&key_exchange, &decode_error, NULL)) {	1527	&key_exchange, &decode_error, NULL)) {
1528	if (!decode_error)	1528	if (!decode_error)
1529	*alert = SSL_AD_INTERNAL_ERROR;	1529	*alert = SSL_AD_INTERNAL_ERROR;
@@ -1614,7 +1614,7 @@ tlsext_keyshare_server_process(SSL s, uint16_t msg_type, CBS cbs, int *alert)
1614	*alert = SSL_AD_INTERNAL_ERROR;	1614	*alert = SSL_AD_INTERNAL_ERROR;
1615	return 0;	1615	return 0;
1616	}	1616	}
1617	if (!tls_key_share_peer_public(s->s3->hs.key_share,	1617	if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
1618	&key_exchange, &decode_error, NULL)) {	1618	&key_exchange, &decode_error, NULL)) {
1619	if (!decode_error)	1619	if (!decode_error)
1620	*alert = SSL_AD_INTERNAL_ERROR;	1620	*alert = SSL_AD_INTERNAL_ERROR;
@@ -1691,7 +1691,7 @@ tlsext_keyshare_client_process(SSL s, uint16_t msg_type, CBS cbs, int *alert)
1691	*alert = SSL_AD_INTERNAL_ERROR;	1691	*alert = SSL_AD_INTERNAL_ERROR;
1692	return 0;	1692	return 0;
1693	}	1693	}
1694	if (!tls_key_share_peer_public(s->s3->hs.key_share,	1694	if (!tls_key_share_client_peer_public(s->s3->hs.key_share,
1695	&key_exchange, &decode_error, NULL)) {	1695	&key_exchange, &decode_error, NULL)) {
1696	if (!decode_error)	1696	if (!decode_error)
1697	*alert = SSL_AD_INTERNAL_ERROR;	1697	*alert = SSL_AD_INTERNAL_ERROR;