/*
 * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#ifndef OSSL_INTERNAL_TLSGROUPS_H
# define OSSL_INTERNAL_TLSGROUPS_H
# pragma once

# define OSSL_TLS_GROUP_ID_sect163k1 0x0001
# define OSSL_TLS_GROUP_ID_sect163r1 0x0002
# define OSSL_TLS_GROUP_ID_sect163r2 0x0003
# define OSSL_TLS_GROUP_ID_sect193r1 0x0004
# define OSSL_TLS_GROUP_ID_sect193r2 0x0005
# define OSSL_TLS_GROUP_ID_sect233k1 0x0006
# define OSSL_TLS_GROUP_ID_sect233r1 0x0007
# define OSSL_TLS_GROUP_ID_sect239k1 0x0008
# define OSSL_TLS_GROUP_ID_sect283k1 0x0009
# define OSSL_TLS_GROUP_ID_sect283r1 0x000A
# define OSSL_TLS_GROUP_ID_sect409k1 0x000B
# define OSSL_TLS_GROUP_ID_sect409r1 0x000C
# define OSSL_TLS_GROUP_ID_sect571k1 0x000D
# define OSSL_TLS_GROUP_ID_sect571r1 0x000E
# define OSSL_TLS_GROUP_ID_secp160k1 0x000F
# define OSSL_TLS_GROUP_ID_secp160r1 0x0010
# define OSSL_TLS_GROUP_ID_secp160r2 0x0011
# define OSSL_TLS_GROUP_ID_secp192k1 0x0012
# define OSSL_TLS_GROUP_ID_secp192r1 0x0013
# define OSSL_TLS_GROUP_ID_secp224k1 0x0014
# define OSSL_TLS_GROUP_ID_secp224r1 0x0015
# define OSSL_TLS_GROUP_ID_secp256k1 0x0016
# define OSSL_TLS_GROUP_ID_secp256r1 0x0017
# define OSSL_TLS_GROUP_ID_secp384r1 0x0018
# define OSSL_TLS_GROUP_ID_secp521r1 0x0019
# define OSSL_TLS_GROUP_ID_brainpoolP256r1 0x001A
# define OSSL_TLS_GROUP_ID_brainpoolP384r1 0x001B
# define OSSL_TLS_GROUP_ID_brainpoolP512r1 0x001C
# define OSSL_TLS_GROUP_ID_x25519 0x001D
# define OSSL_TLS_GROUP_ID_x448 0x001E
# define OSSL_TLS_GROUP_ID_brainpoolP256r1_tls13 0x001F
# define OSSL_TLS_GROUP_ID_brainpoolP384r1_tls13 0x0020
# define OSSL_TLS_GROUP_ID_brainpoolP512r1_tls13 0x0021
# define OSSL_TLS_GROUP_ID_gc256A 0x0022
# define OSSL_TLS_GROUP_ID_gc256B 0x0023
# define OSSL_TLS_GROUP_ID_gc256C 0x0024
# define OSSL_TLS_GROUP_ID_gc256D 0x0025
# define OSSL_TLS_GROUP_ID_gc512A 0x0026
# define OSSL_TLS_GROUP_ID_gc512B 0x0027
# define OSSL_TLS_GROUP_ID_gc512C 0x0028
# define OSSL_TLS_GROUP_ID_ffdhe2048 0x0100
# define OSSL_TLS_GROUP_ID_ffdhe3072 0x0101
# define OSSL_TLS_GROUP_ID_ffdhe4096 0x0102
# define OSSL_TLS_GROUP_ID_ffdhe6144 0x0103
# define OSSL_TLS_GROUP_ID_ffdhe8192 0x0104
Multi-variant ML-KEM

This introduces support for ML-KEM-512 and ML-KEM-1024 using the same
underlying implementation parameterised by a few macros for the
associated types and constants.

KAT tests are added for ML-KEM 512 and 1024, to complement the previous
tests for ML-KEM-768.

MLKEM{512,768,1024} TLS "group" codepoints are updated to match the
final IANA assignments and to make the additional KEMs known to the TLS
layer.

The pure-QC MLKEMs are not in the default list of supported groups, and
need to be explicitly enabled by the application. Future work will
introduce support for hybrids, and for more fine-grained policy of
which keyshares a client should send by default, and when a server
should request (HRR) a new mutually-supported group that was not
sent.

Tests for ML-KEM key exchange added to sslapitest to make sure that our
TLS client MLKEM{512,768,1024} implementations interoperate with our TLS
server, and that MLKEM* are not negotiated in TLS 1.2.

Tests also added to exercise non-derandomised ML-KEM APIs, both
directly (bypassing the provider layer), and through the generic EVP KEM
API (exercising the provider). These make sure that RNG input is used
correctly (KAT tests bypass the RNG by specifying seeds).

The API interface to the provider takes a "const ML_KEM_VINFO" pointer
(obtained from ossl_ml_kem_get_vinfo()). This checks input and output
buffer sizes before passing control to internal code that assumes
correctly sized (for each variant) buffers.

The original BoringSSL API was refactored to eliminate the opaque
public/private key structure wrappers, since these structures are an
internal detail between libcrypto and the provider; they are not part of
the public (EVP) API.

New "clangover" counter-measures added, refined with much appreciated
input from David Benjamin (Chromium).

The internal steps of "encrypt_cpa" were reordered to reduce the
working-set size of the algorithm, which now needs space for just two
temporary "vectors" rather than three. The "decap" function now processes
the decrypted message in one call, rather than three separate calls to
scalar_decode_1, scalar_decompress and scalar_add.

Some loops were unrolled, improving performance of en/decapsulate
(pre-expanded vectors and matrix) by around 5%.

To handle, however unlikely, the SHA3 primitives not behaving like
"pure" functions and failing, the implementation of `decap` was modified:

- To use the KDF to compute the Fujisaki-Okamoto (FO) failure secret
  first thing, and if that fails, bail out returning an error; a shared
  secret is still returned at random from the RNG, but it is OK for the
  caller to not use it.
- If any of the subsequently used hash primitives fail, use the computed
  FO failure secret (OK, despite no longer constant-time) and return
  success (otherwise the RNG would replace the result).
- We quite reasonably assume that chosen-ciphertext attacks (of the
  correct length) cannot cause hash functions to fail in a manner that
  depends on the private key content.

Support for ML-KEM-512 required adding a centered binomial distribution
helper function to deal with η_1 == 3 in just that variant.

Some additional comments were added to highlight how the code relates to
the ML-KEM specification in FIPS 203.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26172)
2024-11-30 22:20:58 +08:00
# define OSSL_TLS_GROUP_ID_mlkem512 0x0200
# define OSSL_TLS_GROUP_ID_mlkem768 0x0201
# define OSSL_TLS_GROUP_ID_mlkem1024 0x0202
# define OSSL_TLS_GROUP_ID_SecP256r1MLKEM768 0x11EB
# define OSSL_TLS_GROUP_ID_X25519MLKEM768 0x11EC
# define OSSL_TLS_GROUP_ID_SecP384r1MLKEM1024 0x11ED

#endif
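As an added example (not OpenSSL's own code), the following parses a TLS supported_groups extension body and classifies each codepoint by the ranges this header assigns, so a defender inspecting ClientHellos can tell whether a peer offers pure ML-KEM (which the commit above says is off by default) or one of the hybrid groups, and can catch a malformed length prefix. Only the range-boundary macros are copied from the header; the sample extension bodies are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Range boundaries copied from OpenSSL's tlsgroups.h above. */
#define OSSL_TLS_GROUP_ID_sect163k1 0x0001
#define OSSL_TLS_GROUP_ID_gc512C 0x0028
#define OSSL_TLS_GROUP_ID_ffdhe2048 0x0100
#define OSSL_TLS_GROUP_ID_ffdhe8192 0x0104
#define OSSL_TLS_GROUP_ID_mlkem512 0x0200
#define OSSL_TLS_GROUP_ID_mlkem1024 0x0202
#define OSSL_TLS_GROUP_ID_SecP256r1MLKEM768 0x11EB
#define OSSL_TLS_GROUP_ID_SecP384r1MLKEM1024 0x11ED

enum { GROUP_EC, GROUP_FFDHE, GROUP_PURE_PQ, GROUP_HYBRID_PQ, GROUP_UNKNOWN };

/* Classify by the contiguous ranges the header assigns; anything else
 * (GREASE values, groups OpenSSL does not define) is GROUP_UNKNOWN. */
int classify_group(uint16_t id)
{
    if (id >= OSSL_TLS_GROUP_ID_sect163k1 && id <= OSSL_TLS_GROUP_ID_gc512C)
        return GROUP_EC;          /* sect*, secp*, brainpool*, gc* */
    if (id >= OSSL_TLS_GROUP_ID_ffdhe2048 && id <= OSSL_TLS_GROUP_ID_ffdhe8192)
        return GROUP_FFDHE;
    if (id >= OSSL_TLS_GROUP_ID_mlkem512 && id <= OSSL_TLS_GROUP_ID_mlkem1024)
        return GROUP_PURE_PQ;     /* not in OpenSSL's default group list */
    if (id >= OSSL_TLS_GROUP_ID_SecP256r1MLKEM768
        && id <= OSSL_TLS_GROUP_ID_SecP384r1MLKEM1024)
        return GROUP_HYBRID_PQ;
    return GROUP_UNKNOWN;
}

/* Count groups of class `cls` in a supported_groups extension body (uint16 byte
 * length, then uint16 ids).  Returns -1 if the length prefix does not match. */
int count_groups_of_class(const uint8_t *ext, size_t len, int cls)
{
    size_t list_len, i;
    int n = 0;
    if (len < 2) return -1;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len == 0 || list_len % 2 != 0 || list_len + 2 != len) return -1;
    for (i = 2; i < len; i += 2) {
        uint16_t id = (uint16_t)(((uint16_t)ext[i] << 8) | ext[i + 1]);
        if (classify_group(id) == cls) n++;
    }
    return n;
}

/* Constructed sample extension bodies, not captured traffic. */
static const uint8_t kHybridHello[] = { 0x00, 0x08, 0x11, 0xEC, 0x00, 0x1D, 0x00, 0x17, 0x00, 0x18 };
static const uint8_t kPureMlkemHello[] = { 0x00, 0x04, 0x02, 0x01, 0x00, 0x1D };
static const uint8_t kTruncated[] = { 0x00, 0x08, 0x11, 0xEC };
```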