authorAdam Langley <alangley@gmail.com>2018-11-12 13:53:42 -0800
committerAdam Langley <agl@google.com>2018-12-12 17:35:02 +0000
commit7b935937b18215294e7dbf6404742855e3349092 (patch)
tree3830c443b7009faf7afd352900821a204842d783 /ssl/handshake_server.cc
parent602f4669ab8e01cb02747e4fff1cd702a84c5f1d (diff)
Add initial HRSS support.
This change includes support for a variant of [HRSS], a post-quantum KEM based on NTRU. It includes changes suggested in [SXY]. This is not yet ready for any deployment: some breaking changes, like removing the confirmation hash, are still planned. (CLA for HRSS's assembly code noted in b/119426559.) [HRSS] https://eprint.iacr.org/2017/667.pdf [SXY] https://eprint.iacr.org/2017/1005.pdf Change-Id: I85d813733b066d5c578484bdd248de3f764194db Reviewed-on: https://boringssl-review.googlesource.com/c/33105 Reviewed-by: David Benjamin <davidben@google.com>
Diffstat (limited to 'ssl/handshake_server.cc')
-rw-r--r--ssl/handshake_server.cc11
1 files changed, 6 insertions, 5 deletions
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index c4f3b75..8b3b942 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -932,12 +932,12 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
hs->new_session->group_id = group_id;
// Set up ECDH, generate a key, and emit the public half.
- hs->key_share = SSLKeyShare::Create(group_id);
- if (!hs->key_share ||
+ hs->key_shares[0] = SSLKeyShare::Create(group_id);
+ if (!hs->key_shares[0] ||
!CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
!CBB_add_u16(cbb.get(), group_id) ||
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
- !hs->key_share->Offer(&child)) {
+ !hs->key_shares[0]->Offer(&child)) {
return ssl_hs_error;
}
} else {
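Review bot: The bare index in `hs->key_shares[0]` on the Create and Offer lines gives a reader no way to tell why the server path populates slot 0 only, while the cleanup in do_read_client_key_exchange (second hunk) resets both slots. A one-line comment beside the Create call would settle it, e.g. `// The server holds one key share, for the selected group; only slot 0 is populated here.` — confirm against the client-side code that fills slot 1, which is not in this diff. If slot 1 could already be non-empty on the server at this point (say, from an earlier handshake state), it would be safer to reset it here as well rather than only after the client key exchange is read. do_send_server_certificate starts before the hunk and continues past it.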
@@ -1275,13 +1275,14 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
// Compute the premaster.
uint8_t alert = SSL_AD_DECODE_ERROR;
- if (!hs->key_share->Finish(&premaster_secret, &alert, peer_key)) {
+ if (!hs->key_shares[0]->Finish(&premaster_secret, &alert, peer_key)) {
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
// The key exchange state may now be discarded.
- hs->key_share.reset();
+ hs->key_shares[0].reset();
+ hs->key_shares[1].reset();
} else if (!(alg_k & SSL_kPSK)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);