From dccd1f43a0c2de3852d9515f57353d756629c97a Mon Sep 17 00:00:00 2001 From: beck <> Date: Thu, 4 Dec 2025 21:16:17 +0000 Subject: Hook up X25519MKLEM768 to the TLS 1.3 handshake This does the following: 1) Adds a second key share prediction to the TLS 1.3 handshake. We only add one as we are unlikely to want to send more than one PQ one, and one classical one and are unlikely to waste bytes on a second PQ algorithm (anything that wants something else that we support can HRR to get it) 2) Adds X25519MLKEM768 (4588) to our list of supported groups. We add this to our preferred client and server key shares for TLS 1.3 and we now have a separate list for TLS 1.2 which does not do this, cleaning up the old "full list" from the comments. 3) Updates the golden magic numbers in the regression tests to allow for the above two things changing the handshake, so the regress tests pass. With this you can successfully hybrid PQ with servers and clients that support it. ok tb@ kenjiro@ --- src/lib/libssl/s3_lib.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src/lib/libssl/s3_lib.c') diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 86b32aec15..bcf26bec40 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.257 2024/07/23 14:40:53 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.258 2025/12/04 21:16:17 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1286,6 +1286,7 @@ ssl3_free(SSL *s) sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); tls_key_share_free(s->s3->hs.key_share); + tls_key_share_free(s->s3->hs.tls13.key_share); tls13_secrets_destroy(s->s3->hs.tls13.secrets); freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); @@ -1337,6 +1338,8 @@ ssl3_clear(SSL *s) tls_key_share_free(s->s3->hs.key_share); s->s3->hs.key_share = NULL; + tls_key_share_free(s->s3->hs.tls13.key_share); + s->s3->hs.tls13.key_share = NULL; tls13_secrets_destroy(s->s3->hs.tls13.secrets); s->s3->hs.tls13.secrets = NULL; -- cgit v1.2.3-55-g6feb