path: root/src/lib/libssl/t1_lib.c
authorbeck <>2025-12-04 21:16:17 +0000
committerbeck <>2025-12-04 21:16:17 +0000
commitdccd1f43a0c2de3852d9515f57353d756629c97a (patch)
tree7ffb1e1927c856374b227b21ca57105f14121045 /src/lib/libssl/t1_lib.c
parentf8fcf556caab3fb1fb9d9b496d2724345c90a3eb (diff)
Hook up X25519MKLEM768 to the TLS 1.3 handshake
This does the following: 1) Adds a second key share prediction to the TLS 1.3 handshake. We add only one more, since we are unlikely to want to send more than one PQ key share plus one classical one, and are unlikely to waste bytes on a second PQ algorithm (anything that wants something else we support can HRR to get it). 2) Adds X25519MLKEM768 (4588) to our list of supported groups. We add this to our preferred client and server key shares for TLS 1.3, and we now have a separate list for TLS 1.2 which does not include it, cleaning up the old "full list" from the comments. 3) Updates the golden magic numbers in the regression tests to allow for the above two things changing the handshake, so the regress tests pass. With this you can successfully do hybrid PQ with servers and clients that support it. ok tb@ kenjiro@
Diffstat (limited to 'src/lib/libssl/t1_lib.c')
-rw-r--r--src/lib/libssl/t1_lib.c64
1 files changed, 30 insertions, 34 deletions
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 57cd180d09..912bea592a 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: t1_lib.c,v 1.206 2025/05/31 15:17:11 tb Exp $ */ 1/* $OpenBSD: t1_lib.c,v 1.207 2025/12/04 21:16:17 beck Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -306,6 +306,11 @@ static const struct supported_group nid_list[] = {
306 .nid = NID_X25519, 306 .nid = NID_X25519,
307 .bits = 128, 307 .bits = 128,
308 }, 308 },
309 {
310 .group_id = 4588,
311 .nid = NID_X25519MLKEM768,
312 .bits = 128,
313 },
309}; 314};
310 315
311#define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0])) 316#define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
@@ -322,41 +327,21 @@ static const uint8_t ecformats_default[] = {
322 TLSEXT_ECPOINTFORMAT_uncompressed, 327 TLSEXT_ECPOINTFORMAT_uncompressed,
323}; 328};
324 329
325#if 0 330static const uint16_t ecgroups_tls12_client_default[] = {
326static const uint16_t ecgroups_list[] = {
327 29, /* X25519 (29) */ 331 29, /* X25519 (29) */
328 14, /* sect571r1 (14) */ 332 23, /* secp256r1 (23) */
329 13, /* sect571k1 (13) */
330 25, /* secp521r1 (25) */
331 28, /* brainpoolP512r1 (28) */
332 11, /* sect409k1 (11) */
333 12, /* sect409r1 (12) */
334 27, /* brainpoolP384r1 (27) */
335 24, /* secp384r1 (24) */ 333 24, /* secp384r1 (24) */
336 9, /* sect283k1 (9) */ 334 25, /* secp521r1 (25) */
337 10, /* sect283r1 (10) */ 335};
338 26, /* brainpoolP256r1 (26) */ 336
339 22, /* secp256k1 (22) */ 337static const uint16_t ecgroups_tls12_server_default[] = {
338 29, /* X25519 (29) */
340 23, /* secp256r1 (23) */ 339 23, /* secp256r1 (23) */
341 8, /* sect239k1 (8) */ 340 24, /* secp384r1 (24) */
342 6, /* sect233k1 (6) */
343 7, /* sect233r1 (7) */
344 20, /* secp224k1 (20) */
345 21, /* secp224r1 (21) */
346 4, /* sect193r1 (4) */
347 5, /* sect193r2 (5) */
348 18, /* secp192k1 (18) */
349 19, /* secp192r1 (19) */
350 1, /* sect163k1 (1) */
351 2, /* sect163r1 (2) */
352 3, /* sect163r2 (3) */
353 15, /* secp160k1 (15) */
354 16, /* secp160r1 (16) */
355 17, /* secp160r2 (17) */
356}; 341};
357#endif
358 342
359static const uint16_t ecgroups_client_default[] = { 343static const uint16_t ecgroups_client_default[] = {
344 4588, /* X25519MLKEM768 (4588) */
360 29, /* X25519 (29) */ 345 29, /* X25519 (29) */
361 23, /* secp256r1 (23) */ 346 23, /* secp256r1 (23) */
362 24, /* secp384r1 (24) */ 347 24, /* secp384r1 (24) */
@@ -364,6 +349,7 @@ static const uint16_t ecgroups_client_default[] = {
364}; 349};
365 350
366static const uint16_t ecgroups_server_default[] = { 351static const uint16_t ecgroups_server_default[] = {
352 4588, /* X25519MLKEM768 (4588) */
367 29, /* X25519 (29) */ 353 29, /* X25519 (29) */
368 23, /* secp256r1 (23) */ 354 23, /* secp256r1 (23) */
369 24, /* secp384r1 (24) */ 355 24, /* secp384r1 (24) */
@@ -478,11 +464,21 @@ tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups,
478 return; 464 return;
479 465
480 if (!s->server) { 466 if (!s->server) {
481 *pgroups = ecgroups_client_default; 467 if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
482 *pgroupslen = sizeof(ecgroups_client_default) / 2; 468 *pgroups = ecgroups_client_default;
469 *pgroupslen = sizeof(ecgroups_client_default) / 2;
470 } else {
471 *pgroups = ecgroups_tls12_client_default;
472 *pgroupslen = sizeof(ecgroups_tls12_client_default) / 2;
473 }
483 } else { 474 } else {
484 *pgroups = ecgroups_server_default; 475 if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
485 *pgroupslen = sizeof(ecgroups_server_default) / 2; 476 *pgroups = ecgroups_server_default;
477 *pgroupslen = sizeof(ecgroups_server_default) / 2;
478 } else {
479 *pgroups = ecgroups_tls12_server_default;
480 *pgroupslen = sizeof(ecgroups_tls12_server_default) / 2;
481 }
486 } 482 }
487} 483}
488 484
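Review bot: The new branches in tls1_get_group_list pick the list that leads with X25519MLKEM768 (4588) from `s->s3->hs.our_max_tls_version` rather than the version actually negotiated, so a server whose maximum is TLS 1.3 still hands the 4588-first ecgroups_server_default to the TLS 1.2 path when a client negotiates down, and that path must then skip a hybrid group it cannot use for ECDHE — whether it does is not visible in this hunk. If that is guaranteed elsewhere, a comment such as `/* Keyed on our max version, not the negotiated one: TLS 1.2 callers must not select 4588 from this list. */` above the first `if` would make the assumption explicit; otherwise the server branch should gate on the negotiated version where the caller runs after version negotiation. The function's signature and the start of its body are outside the hunk. As a point of style, the four new `sizeof(x) / 2` lines could use `sizeof(x) / sizeof(x[0])`, matching the idiom NID_LIST_LEN already uses for nid_list.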