diff options
author | David Benjamin <davidben@google.com> | 2023-02-28 17:22:23 -0500 |
---|---|---|
committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-03-01 17:26:52 +0000 |
commit | 08b1f38577b6da8533179ffdb4a42b5afc36dc27 (patch) | |
tree | b3cf11637201262c19aa19b261687b245720e698 /ssl/handshake_server.cc | |
parent | 028bae7ddc67b6061d80c17b0be4e2f60d94731b (diff) | |
download | boringssl-08b1f38577b6da8533179ffdb4a42b5afc36dc27.zip boringssl-08b1f38577b6da8533179ffdb4a42b5afc36dc27.tar.gz boringssl-08b1f38577b6da8533179ffdb4a42b5afc36dc27.tar.bz2 |
Use KEM terminology in TLS ECDHE and key_share abstractions
TLS 1.2 ECDHE and TLS 1.3 key shares were originally designed around
Diffie-Hellman-like primitives and use language based on that.
Post-quantum replacements do not look like Diffie-Hellman, where each
part exchanges a public key, but schemes that work differently can still
slot in without protocol changes.
We previously came up with our own Offer/Accept/Finish abstraction for
early post-quantum experiments, but the NIST constructions are all
expressed as KEMs: First, the recipient generates a keypair and sends
the public key. Then the sender encapsulates a symmetric secret and
sends the ciphertext. Finally, the recipient decapsulates the ciphertext
to get the secret.
Align our C++ and Go abstractions to this terminology. The functions are
now called Generate/Encap/Decap, and the output of Encap is called
"ciphertext", which seems to align with what most folks use. (RFC 9180
uses "enc" for "encapsulated key", but they staple a KEM to an AEAD, so
"ciphertext" would be ambiguous.)
Where variable names refer to parts of the protocol, rather than the
the underlying KEM-like construction, I've kept variable names matching
the protocol mechanism, so we still talk about "curves" and "key
shares", but, when using the post-quantum replacements, the terminology
is no longer quite accurate.
I've also not yet renamed SSLKeyShare yet, though the name is now
inaccurate. Also ideally we'd touch that up so the stateful object is
just a KEM private key, for SSLKEMKey. Though at that point, we maybe
should just add EVP_KEM and EVP_KEM_KEY APIs to libcrypto.
Change-Id: Icbcc1840c5d2dfad210ef4caad2a7c4bf8146553
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57726
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Diffstat (limited to 'ssl/handshake_server.cc')
-rw-r--r-- | ssl/handshake_server.cc | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc index 70fe983..e50a690 100644 --- a/ssl/handshake_server.cc +++ b/ssl/handshake_server.cc @@ -1146,7 +1146,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { } } else { // Generate a key, and emit the public half. - if (!hs->key_shares[0]->Offer(&child)) { + if (!hs->key_shares[0]->Generate(&child)) { return ssl_hs_error; } // If generating hints, save the ECDHE key. @@ -1490,17 +1490,17 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { } } else if (alg_k & SSL_kECDHE) { // Parse the ClientKeyExchange. - CBS peer_key; - if (!CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key) || + CBS ciphertext; + if (!CBS_get_u8_length_prefixed(&client_key_exchange, &ciphertext) || CBS_len(&client_key_exchange) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return ssl_hs_error; } - // Compute the premaster. + // Decapsulate the premaster secret. uint8_t alert = SSL_AD_DECODE_ERROR; - if (!hs->key_shares[0]->Finish(&premaster_secret, &alert, peer_key)) { + if (!hs->key_shares[0]->Decap(&premaster_secret, &alert, ciphertext)) { ssl_send_alert(ssl, SSL3_AL_FATAL, alert); return ssl_hs_error; } |