Align Kyber names with draft-tls-westerbaan-xyber768d00
The initial codepoint is called X25519Kyber786Draft00 in the draft, so
align with that name for this version. Also remove the placeholder bits
for the other combinations, which haven't gotten that far yet.
Update-Note: Update references to NID_X25519Kyber768 to
NID_X25519Kyber768Draft00. For now, the old name is available as an
alias.
Change-Id: I2e531947f41e589cec61607944dca844722f0947
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59605
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h
index 7cd1153..654b3c0 100644
--- a/crypto/obj/obj_dat.h
+++ b/crypto/obj/obj_dat.h
@@ -57,7 +57,7 @@
/* This file is generated by crypto/obj/objects.go. */
-#define NUM_NID 967
+#define NUM_NID 965
static const uint8_t kObjectData[] = {
/* NID_rsadsi */
@@ -8782,9 +8782,8 @@
{"X448", "X448", NID_X448, 3, &kObjectData[6184], 0},
{"SHA512-256", "sha512-256", NID_sha512_256, 9, &kObjectData[6187], 0},
{"HKDF", "hkdf", NID_hkdf, 0, NULL, 0},
- {"X25519Kyber768", "X25519Kyber768", NID_X25519Kyber768, 0, NULL, 0},
- {"P256Kyber768", "P256Kyber768", NID_P256Kyber768, 0, NULL, 0},
- {"P384Kyber768", "P384Kyber768", NID_P384Kyber768, 0, NULL, 0},
+ {"X25519Kyber768Draft00", "X25519Kyber768Draft00",
+ NID_X25519Kyber768Draft00, 0, NULL, 0},
};
static const uint16_t kNIDsInShortNameOrder[] = {
@@ -8917,8 +8916,6 @@
18 /* OU */,
749 /* Oakley-EC2N-3 */,
750 /* Oakley-EC2N-4 */,
- 965 /* P256Kyber768 */,
- 966 /* P384Kyber768 */,
9 /* PBE-MD2-DES */,
168 /* PBE-MD2-RC2-64 */,
10 /* PBE-MD5-DES */,
@@ -8985,7 +8982,7 @@
458 /* UID */,
0 /* UNDEF */,
948 /* X25519 */,
- 964 /* X25519Kyber768 */,
+ 964 /* X25519Kyber768Draft00 */,
961 /* X448 */,
11 /* X500 */,
378 /* X500algorithms */,
@@ -9832,8 +9829,6 @@
366 /* OCSP Nonce */,
371 /* OCSP Service Locator */,
180 /* OCSP Signing */,
- 965 /* P256Kyber768 */,
- 966 /* P384Kyber768 */,
161 /* PBES2 */,
69 /* PBKDF2 */,
162 /* PBMAC1 */,
@@ -9858,7 +9853,7 @@
133 /* Time Stamping */,
375 /* Trust Root */,
948 /* X25519 */,
- 964 /* X25519Kyber768 */,
+ 964 /* X25519Kyber768Draft00 */,
961 /* X448 */,
12 /* X509 */,
402 /* X509v3 AC Targeting */,
diff --git a/crypto/obj/obj_mac.num b/crypto/obj/obj_mac.num
index 583f6e3..a0519ac 100644
--- a/crypto/obj/obj_mac.num
+++ b/crypto/obj/obj_mac.num
@@ -951,6 +951,4 @@
X448 961
sha512_256 962
hkdf 963
-X25519Kyber768 964
-P256Kyber768 965
-P384Kyber768 966
+X25519Kyber768Draft00 964
diff --git a/crypto/obj/objects.txt b/crypto/obj/objects.txt
index cad6a3b..3ad32ea 100644
--- a/crypto/obj/objects.txt
+++ b/crypto/obj/objects.txt
@@ -1332,10 +1332,8 @@
: dh-std-kdf
: dh-cofactor-kdf
-# NIDs for post quantum key agreements (no corresponding OIDs).
- : X25519Kyber768
- : P256Kyber768
- : P384Kyber768
+# NIDs for post quantum hybrid KEMs in TLS (no corresponding OIDs).
+ : X25519Kyber768Draft00
# See RFC 8410.
1 3 101 110 : X25519
diff --git a/include/openssl/nid.h b/include/openssl/nid.h
index 64c9c9c..4dd8841 100644
--- a/include/openssl/nid.h
+++ b/include/openssl/nid.h
@@ -4252,14 +4252,8 @@
#define LN_hkdf "hkdf"
#define NID_hkdf 963
-#define SN_X25519Kyber768 "X25519Kyber768"
-#define NID_X25519Kyber768 964
-
-#define SN_P256Kyber768 "P256Kyber768"
-#define NID_P256Kyber768 965
-
-#define SN_P384Kyber768 "P384Kyber768"
-#define NID_P384Kyber768 966
+#define SN_X25519Kyber768Draft00 "X25519Kyber768Draft00"
+#define NID_X25519Kyber768Draft00 964
#if defined(__cplusplus)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 5b5e3fe..3f9bf01 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2331,8 +2331,7 @@
#define SSL_CURVE_SECP384R1 24
#define SSL_CURVE_SECP521R1 25
#define SSL_CURVE_X25519 29
-#define SSL_CURVE_X25519KYBER768 0x6399
-#define SSL_CURVE_P256KYBER768 0xfe32
+#define SSL_CURVE_X25519_KYBER768_DRAFT00 0x6399
// SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
// completed handshake or 0 if not applicable.
diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index 4d9651b..5ee2802 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc
@@ -206,8 +206,7 @@
static bool is_post_quantum_group(uint16_t id) {
switch (id) {
- case SSL_CURVE_X25519KYBER768:
- case SSL_CURVE_P256KYBER768:
+ case SSL_CURVE_X25519_KYBER768_DRAFT00:
return true;
default:
return false;
diff --git a/ssl/internal.h b/ssl/internal.h
index 01decb0..9ba2b14 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1107,7 +1107,7 @@
struct NamedGroup {
int nid;
uint16_t group_id;
- const char name[12], alias[12];
+ const char name[32], alias[32];
};
// NamedGroups returns all supported groups.
diff --git a/ssl/ssl_key_share.cc b/ssl/ssl_key_share.cc
index 8885246..1b01c46 100644
--- a/ssl/ssl_key_share.cc
+++ b/ssl/ssl_key_share.cc
@@ -196,7 +196,9 @@
public:
X25519Kyber768KeyShare() {}
- uint16_t GroupID() const override { return SSL_CURVE_X25519KYBER768; }
+ uint16_t GroupID() const override {
+ return SSL_CURVE_X25519_KYBER768_DRAFT00;
+ }
bool Generate(CBB *out) override {
uint8_t x25519_public_key[32];
@@ -281,38 +283,14 @@
KYBER_private_key kyber_private_key_;
};
-class P256Kyber768KeyShare : public SSLKeyShare {
- public:
- P256Kyber768KeyShare() {}
-
- uint16_t GroupID() const override { return SSL_CURVE_P256KYBER768; }
-
- bool Generate(CBB *out) override {
- // There is no implementation on Kyber in BoringSSL. BoringSSL must be
- // patched for this KEM to be workable. It is not enabled by default.
- return false;
- }
-
- bool Encap(CBB *out_ciphertext, Array<uint8_t> *out_secret,
- uint8_t *out_alert, Span<const uint8_t> peer_key) override {
- return false;
- }
-
- bool Decap(Array<uint8_t> *out_secret, uint8_t *out_alert,
- Span<const uint8_t> ciphertext) override {
- return false;
- }
-};
-
constexpr NamedGroup kNamedGroups[] = {
{NID_secp224r1, SSL_CURVE_SECP224R1, "P-224", "secp224r1"},
{NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256", "prime256v1"},
{NID_secp384r1, SSL_CURVE_SECP384R1, "P-384", "secp384r1"},
{NID_secp521r1, SSL_CURVE_SECP521R1, "P-521", "secp521r1"},
{NID_X25519, SSL_CURVE_X25519, "X25519", "x25519"},
- {NID_X25519Kyber768, SSL_CURVE_X25519KYBER768, "X25519KYBER",
- "X25519Kyber"},
- {NID_P256Kyber768, SSL_CURVE_P256KYBER768, "P256KYBER", "P256Kyber"},
+ {NID_X25519Kyber768Draft00, SSL_CURVE_X25519_KYBER768_DRAFT00,
+ "X25519Kyber768Draft00", ""},
};
} // namespace
@@ -333,10 +311,8 @@
return MakeUnique<ECKeyShare>(NID_secp521r1, SSL_CURVE_SECP521R1);
case SSL_CURVE_X25519:
return MakeUnique<X25519KeyShare>();
- case SSL_CURVE_X25519KYBER768:
+ case SSL_CURVE_X25519_KYBER768_DRAFT00:
return MakeUnique<X25519Kyber768KeyShare>();
- case SSL_CURVE_P256KYBER768:
- return MakeUnique<P256Kyber768KeyShare>();
default:
return nullptr;
}
@@ -359,7 +335,7 @@
*out_group_id = group.group_id;
return true;
}
- if (len == strlen(group.alias) &&
+ if (strlen(group.alias) > 0 && len == strlen(group.alias) &&
!strncmp(group.alias, name, len)) {
*out_group_id = group.group_id;
return true;
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 854068f..1a06ba8 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -401,8 +401,8 @@
{ SSL_CURVE_SECP256R1 },
},
{
- "P-256:X25519KYBER",
- { SSL_CURVE_SECP256R1, SSL_CURVE_X25519KYBER768 },
+ "P-256:X25519Kyber768Draft00",
+ { SSL_CURVE_SECP256R1, SSL_CURVE_X25519_KYBER768_DRAFT00 },
},
{
diff --git a/ssl/test/fuzzer.h b/ssl/test/fuzzer.h
index e18a820..864c643 100644
--- a/ssl/test/fuzzer.h
+++ b/ssl/test/fuzzer.h
@@ -418,7 +418,7 @@
return false;
}
- static const int kCurves[] = {NID_X25519Kyber768, NID_X25519,
+ static const int kCurves[] = {NID_X25519Kyber768Draft00, NID_X25519,
NID_X9_62_prime256v1, NID_secp384r1,
NID_secp521r1};
if (!SSL_CTX_set1_curves(ctx_.get(), kCurves,
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 0ee5580..aa15320 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -1919,8 +1919,8 @@
nids.push_back(NID_X25519);
break;
- case SSL_CURVE_X25519KYBER768:
- nids.push_back(NID_X25519Kyber768);
+ case SSL_CURVE_X25519_KYBER768_DRAFT00:
+ nids.push_back(NID_X25519Kyber768Draft00);
break;
}
if (!SSL_set1_curves(ssl.get(), &nids[0], nids.size())) {
