Add stubs for hybrid Kyber768 with X25519 or P-256.
There is no Kyber implementation in BoringSSL, so these stubs assume that
you are locally patching such an implementation in.
Change-Id: I274b9a93e60f0eb74301c8d58f05c235687643e1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55930
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index a126b46..abc7e38 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc
@@ -205,7 +205,14 @@
}
static bool is_post_quantum_group(uint16_t id) {
- return id == SSL_CURVE_CECPQ2;
+ switch (id) {
+ case SSL_CURVE_CECPQ2:
+ case SSL_CURVE_X25519KYBER768:
+ case SSL_CURVE_P256KYBER768:
+ return true;
+ default:
+ return false;
+ }
}
bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
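Review bot: The rewritten is_post_quantum_group has no comment stating what membership in the switch means, so a future group (for example, a Kyber variant added alongside the two new cases) can be forgotten here and then be offered in TLS 1.2 where, as the second hunk's comment notes, its key share does not fit the u8-length-prefixed ECPoint field. Suggest a comment above the function: `// Returns true for groups whose key shares are too large for the u8-length-prefixed ECPoint field of TLS 1.2 and below; any new post-quantum group must be added here so it is only negotiated under TLS 1.3.` The function body is fully contained in this hunk.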
@@ -340,8 +347,8 @@
for (uint16_t pref_group : pref) {
for (uint16_t supp_group : supp) {
if (pref_group == supp_group &&
- // CECPQ2(b) doesn't fit in the u8-length-prefixed ECPoint field in
- // TLS 1.2 and below.
+ // Post-quantum key agreements don't fit in the u8-length-prefixed
+ // ECPoint field in TLS 1.2 and below.
(ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
!is_post_quantum_group(pref_group))) {
*out_group_id = pref_group;