Align Kyber names with draft-tls-westerbaan-xyber768d00

The initial codepoint is called X25519Kyber786Draft00 in the draft, so align with that name for this version. Also remove the placeholder bits for the other combinations, which haven't gotten that far yet. Update-Note: Update references to NID_X25519Kyber768 to NID_X25519Kyber768Draft00. For now, the old name is available as an alias. Change-Id: I2e531947f41e589cec61607944dca844722f0947 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59605 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
2 years ago · 1b724a6b8c
parent 85e6453cc3
commit 1b724a6b8c
11 changed files with 25 additions and 66 deletions
--- a/crypto/obj/obj_dat.h
+++ b/crypto/obj/obj_dat.h
@ -57,7 +57,7 @@
 /* This file is generated by crypto/obj/objects.go. */


-#define NUM_NID 967
+#define NUM_NID 965

 static const uint8_t kObjectData[] = {
    /* NID_rsadsi */
@ -8782,9 +8782,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
    {"X448", "X448", NID_X448, 3, &kObjectData[6184], 0},
    {"SHA512-256", "sha512-256", NID_sha512_256, 9, &kObjectData[6187], 0},
    {"HKDF", "hkdf", NID_hkdf, 0, NULL, 0},
-    {"X25519Kyber768", "X25519Kyber768", NID_X25519Kyber768, 0, NULL, 0},
-    {"P256Kyber768", "P256Kyber768", NID_P256Kyber768, 0, NULL, 0},
-    {"P384Kyber768", "P384Kyber768", NID_P384Kyber768, 0, NULL, 0},
+    {"X25519Kyber768Draft00", "X25519Kyber768Draft00",
+     NID_X25519Kyber768Draft00, 0, NULL, 0},
 };

 static const uint16_t kNIDsInShortNameOrder[] = {
@ -8917,8 +8916,6 @@ static const uint16_t kNIDsInShortNameOrder[] = {
    18 /* OU */,
    749 /* Oakley-EC2N-3 */,
    750 /* Oakley-EC2N-4 */,
-    965 /* P256Kyber768 */,
-    966 /* P384Kyber768 */,
    9 /* PBE-MD2-DES */,
    168 /* PBE-MD2-RC2-64 */,
    10 /* PBE-MD5-DES */,
@ -8985,7 +8982,7 @@ static const uint16_t kNIDsInShortNameOrder[] = {
    458 /* UID */,
    0 /* UNDEF */,
    948 /* X25519 */,
-    964 /* X25519Kyber768 */,
+    964 /* X25519Kyber768Draft00 */,
    961 /* X448 */,
    11 /* X500 */,
    378 /* X500algorithms */,
@ -9832,8 +9829,6 @@ static const uint16_t kNIDsInLongNameOrder[] = {
    366 /* OCSP Nonce */,
    371 /* OCSP Service Locator */,
    180 /* OCSP Signing */,
-    965 /* P256Kyber768 */,
-    966 /* P384Kyber768 */,
    161 /* PBES2 */,
    69 /* PBKDF2 */,
    162 /* PBMAC1 */,
@ -9858,7 +9853,7 @@ static const uint16_t kNIDsInLongNameOrder[] = {
    133 /* Time Stamping */,
    375 /* Trust Root */,
    948 /* X25519 */,
-    964 /* X25519Kyber768 */,
+    964 /* X25519Kyber768Draft00 */,
    961 /* X448 */,
    12 /* X509 */,
    402 /* X509v3 AC Targeting */,
--- a/crypto/obj/obj_mac.num
+++ b/crypto/obj/obj_mac.num
@ -951,6 +951,4 @@ ED448		960
 X448		961
 sha512_256		962
 hkdf		963
-X25519Kyber768		964
-P256Kyber768		965
-P384Kyber768		966
+X25519Kyber768Draft00		964
--- a/crypto/obj/objects.txt
+++ b/crypto/obj/objects.txt
@ -1332,10 +1332,8 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme
                 : dh-std-kdf
                 : dh-cofactor-kdf

-# NIDs for post quantum key agreements (no corresponding OIDs).
- : X25519Kyber768
- : P256Kyber768
- : P384Kyber768
+# NIDs for post quantum hybrid KEMs in TLS (no corresponding OIDs).
+ : X25519Kyber768Draft00

 # See RFC 8410.
 1 3 101 110 : X25519
--- a/include/openssl/nid.h
+++ b/include/openssl/nid.h
@ -4252,14 +4252,8 @@ extern "C" {
 #define LN_hkdf "hkdf"
 #define NID_hkdf 963

-#define SN_X25519Kyber768 "X25519Kyber768"
-#define NID_X25519Kyber768 964
-
-#define SN_P256Kyber768 "P256Kyber768"
-#define NID_P256Kyber768 965
-
-#define SN_P384Kyber768 "P384Kyber768"
-#define NID_P384Kyber768 966
+#define SN_X25519Kyber768Draft00 "X25519Kyber768Draft00"
+#define NID_X25519Kyber768Draft00 964


 #if defined(__cplusplus)
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -2331,8 +2331,7 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
 #define SSL_CURVE_SECP384R1 24
 #define SSL_CURVE_SECP521R1 25
 #define SSL_CURVE_X25519 29
-#define SSL_CURVE_X25519KYBER768 0x6399
-#define SSL_CURVE_P256KYBER768 0xfe32
+#define SSL_CURVE_X25519_KYBER768_DRAFT00 0x6399

 // SSL_get_curve_id returns the ID of the curve used by |ssl|'s most recently
 // completed handshake or 0 if not applicable.
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc
@ -206,8 +206,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {

 static bool is_post_quantum_group(uint16_t id) {
  switch (id) {
-    case SSL_CURVE_X25519KYBER768:
-    case SSL_CURVE_P256KYBER768:
+    case SSL_CURVE_X25519_KYBER768_DRAFT00:
      return true;
    default:
      return false;
--- a/ssl/internal.h
+++ b/ssl/internal.h
@ -1107,7 +1107,7 @@ class SSLKeyShare {
 struct NamedGroup {
  int nid;
  uint16_t group_id;
-  const char name[12], alias[12];
+  const char name[32], alias[32];
 };

 // NamedGroups returns all supported groups.
--- a/ssl/ssl_key_share.cc
+++ b/ssl/ssl_key_share.cc
@ -196,7 +196,9 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
 public:
  X25519Kyber768KeyShare() {}

-  uint16_t GroupID() const override { return SSL_CURVE_X25519KYBER768; }
+  uint16_t GroupID() const override {
+    return SSL_CURVE_X25519_KYBER768_DRAFT00;
+  }

  bool Generate(CBB *out) override {
    uint8_t x25519_public_key[32];
@ -281,38 +283,14 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
  KYBER_private_key kyber_private_key_;
 };

-class P256Kyber768KeyShare : public SSLKeyShare {
- public:
-  P256Kyber768KeyShare() {}
-
-  uint16_t GroupID() const override { return SSL_CURVE_P256KYBER768; }
-
-  bool Generate(CBB *out) override {
-    // There is no implementation on Kyber in BoringSSL. BoringSSL must be
-    // patched for this KEM to be workable. It is not enabled by default.
-    return false;
-  }
-
-  bool Encap(CBB *out_ciphertext, Array<uint8_t> *out_secret,
-             uint8_t *out_alert, Span<const uint8_t> peer_key) override {
-    return false;
-  }
-
-  bool Decap(Array<uint8_t> *out_secret, uint8_t *out_alert,
-             Span<const uint8_t> ciphertext) override {
-    return false;
-  }
-};
-
 constexpr NamedGroup kNamedGroups[] = {
    {NID_secp224r1, SSL_CURVE_SECP224R1, "P-224", "secp224r1"},
    {NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256", "prime256v1"},
    {NID_secp384r1, SSL_CURVE_SECP384R1, "P-384", "secp384r1"},
    {NID_secp521r1, SSL_CURVE_SECP521R1, "P-521", "secp521r1"},
    {NID_X25519, SSL_CURVE_X25519, "X25519", "x25519"},
-    {NID_X25519Kyber768, SSL_CURVE_X25519KYBER768, "X25519KYBER",
-     "X25519Kyber"},
-    {NID_P256Kyber768, SSL_CURVE_P256KYBER768, "P256KYBER", "P256Kyber"},
+    {NID_X25519Kyber768Draft00, SSL_CURVE_X25519_KYBER768_DRAFT00,
+     "X25519Kyber768Draft00", ""},
 };

 }  // namespace
@ -333,10 +311,8 @@ UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
      return MakeUnique<ECKeyShare>(NID_secp521r1, SSL_CURVE_SECP521R1);
    case SSL_CURVE_X25519:
      return MakeUnique<X25519KeyShare>();
-    case SSL_CURVE_X25519KYBER768:
+    case SSL_CURVE_X25519_KYBER768_DRAFT00:
      return MakeUnique<X25519Kyber768KeyShare>();
-    case SSL_CURVE_P256KYBER768:
-      return MakeUnique<P256Kyber768KeyShare>();
    default:
      return nullptr;
  }
@ -359,7 +335,7 @@ bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len)
      *out_group_id = group.group_id;
      return true;
    }
-    if (len == strlen(group.alias) &&
+    if (strlen(group.alias) > 0 && len == strlen(group.alias) &&
        !strncmp(group.alias, name, len)) {
      *out_group_id = group.group_id;
      return true;
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@ -401,8 +401,8 @@ static const CurveTest kCurveTests[] = {
    { SSL_CURVE_SECP256R1 },
  },
  {
-    "P-256:X25519KYBER",
-    { SSL_CURVE_SECP256R1, SSL_CURVE_X25519KYBER768 },
+    "P-256:X25519Kyber768Draft00",
+    { SSL_CURVE_SECP256R1, SSL_CURVE_X25519_KYBER768_DRAFT00 },
  },

  {
--- a/ssl/test/fuzzer.h
+++ b/ssl/test/fuzzer.h
@ -418,7 +418,7 @@ class TLSFuzzer {
      return false;
    }

-    static const int kCurves[] = {NID_X25519Kyber768, NID_X25519,
+    static const int kCurves[] = {NID_X25519Kyber768Draft00, NID_X25519,
                                  NID_X9_62_prime256v1, NID_secp384r1,
                                  NID_secp521r1};
    if (!SSL_CTX_set1_curves(ctx_.get(), kCurves,
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@ -1919,8 +1919,8 @@ bssl::UniquePtr<SSL> TestConfig::NewSSL(
          nids.push_back(NID_X25519);
          break;

-        case SSL_CURVE_X25519KYBER768:
-          nids.push_back(NID_X25519Kyber768);
+        case SSL_CURVE_X25519_KYBER768_DRAFT00:
+          nids.push_back(NID_X25519Kyber768Draft00);
          break;
      }
      if (!SSL_set1_curves(ssl.get(), &nids[0], nids.size())) {