author | Adam Langley <alangley@gmail.com> | 2018-11-12 13:53:42 -0800 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2018-12-12 17:35:02 +0000 |
commit | 7b935937b18215294e7dbf6404742855e3349092 (patch) | |
tree | 3830c443b7009faf7afd352900821a204842d783 /ssl/handshake_server.cc | |
parent | 602f4669ab8e01cb02747e4fff1cd702a84c5f1d (diff) | |
Add initial HRSS support.
This change includes support for a variant of [HRSS], a post-quantum KEM
based on NTRU. It includes changes suggested in [SXY]. This is not yet
ready for any deployment: some breaking changes, like removing the
confirmation hash, are still planned.
(CLA for HRSS's assembly code noted in b/119426559.)
[HRSS] https://eprint.iacr.org/2017/667.pdf
[SXY] https://eprint.iacr.org/2017/1005.pdf
Change-Id: I85d813733b066d5c578484bdd248de3f764194db
Reviewed-on: https://boringssl-review.googlesource.com/c/33105
Reviewed-by: David Benjamin <davidben@google.com>
Diffstat (limited to 'ssl/handshake_server.cc')
-rw-r--r-- | ssl/handshake_server.cc | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index c4f3b75..8b3b942 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -932,12 +932,12 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
     hs->new_session->group_id = group_id;
 
     // Set up ECDH, generate a key, and emit the public half.
-    hs->key_share = SSLKeyShare::Create(group_id);
-    if (!hs->key_share ||
+    hs->key_shares[0] = SSLKeyShare::Create(group_id);
+    if (!hs->key_shares[0] ||
         !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
         !CBB_add_u16(cbb.get(), group_id) ||
         !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
-        !hs->key_share->Offer(&child)) {
+        !hs->key_shares[0]->Offer(&child)) {
       return ssl_hs_error;
     }
   } else {
@@ -1275,13 +1275,14 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
 
     // Compute the premaster.
     uint8_t alert = SSL_AD_DECODE_ERROR;
-    if (!hs->key_share->Finish(&premaster_secret, &alert, peer_key)) {
+    if (!hs->key_shares[0]->Finish(&premaster_secret, &alert, peer_key)) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
       return ssl_hs_error;
     }
 
     // The key exchange state may now be discarded.
-    hs->key_share.reset();
+    hs->key_shares[0].reset();
+    hs->key_shares[1].reset();
   } else if (!(alg_k & SSL_kPSK)) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
|
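Review bot: The new `hs->key_shares[0]` index in do_send_server_certificate carries no explanation of why slot 0 is the right one, so a reader has to go and find the `key_shares` declaration to learn what the other slot is for. A one-line comment above the assignment would settle it, e.g. `// A TLS 1.2 server holds exactly one ephemeral key share; it lives in slot 0.` Presumably the extra slot exists so that a client can offer more than one group, but that cannot be confirmed from this hunk, so the comment should state only what this path guarantees. The enclosing function starts before the hunk; only the ECDHE branch is visible here.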
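Review bot: The added `hs->key_shares[1].reset();` in do_read_client_key_exchange discards a slot that the server-side TLS 1.2 path shown in the first hunk never populates, so a reader will look for where slot 1 is set and not find it. If this is a defensive clear, say so next to it: `// Slot 1 is never filled on the TLS 1.2 server path; clear it as well so that no ephemeral key share survives past the exchange.` If some other path does populate slot 1 before reaching this point, the comment should name it instead. Note that both resets run only on the success path after Finish(); when Finish() fails the shares remain in `hs` until it is torn down, which is presumably acceptable but is not shown in this hunk. The enclosing function begins and ends outside the hunk.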