diff --git a/boring-sys/build/main.rs b/boring-sys/build/main.rs
index d192a0f8c..5e62ec1d2 100644
--- a/boring-sys/build/main.rs
+++ b/boring-sys/build/main.rs
@@ -791,6 +791,7 @@ fn generate_bindings(config: &Config) -> Result
-Date: Wed, 3 Dec 2025 11:10:16 +0100
-Subject: [PATCH] Add additional post-quantum key agreements
+From e45854b34aa48b1fdefad81906cdb9931e697bbc Mon Sep 17 00:00:00 2001
+From: Christopher Patton
+Date: Tue, 21 Apr 2026 15:45:09 -0700
+Subject: [PATCH] Add additional post-quantum key agreement
 This patch adds:
@@ -16,6 +16,8 @@ This patch adds:
 non post-quantum and a post-quantum keyshare if available. These functions allow one to change the behaviour to only send a single keyshare.
+
+
 ---
 crypto/obj/obj_dat.h | 6 +-
 crypto/obj/obj_mac.num | 1 +
@@ -26,7 +28,7 @@ This patch adds:
 ssl/internal.h | 12 ++-
 ssl/ssl_key_share.cc | 111 +++++++++++++++++++++++++++-
 ssl/ssl_lib.cc | 16 +++-
- ssl/ssl_test.cc | 19 ++++-
+ ssl/ssl_test.cc | 24 +++++-
 ssl/test/runner/basic_tests.go | 2 +
 ssl/test/runner/cbc_tests.go | 3 +
 ssl/test/runner/common.go | 2 +-
@@ -35,22 +37,22 @@ This patch adds:
 ssl/test/runner/extension_tests.go | 3 +-
 ssl/test/runner/key_update_tests.go | 6 +-
 tool/client.cc | 9 +++
- 18 files changed, 245 insertions(+), 42 deletions(-)
+ 18 files changed, 249 insertions(+), 43 deletions(-)
 diff --git a/crypto/obj/obj_dat.h b/crypto/obj/obj_dat.h
-index d8b86dcd2..6dd49ec36 100644
+index 10ad9bb14..3fe6fdec6 100644
 --- a/crypto/obj/obj_dat.h
+++ b/crypto/obj/obj_dat.h -@@ -15,7 +15,7 @@ - // This file is generated by crypto/obj/objects.go. +@@ -16,7 +16,7 @@ + BSSL_NAMESPACE_BEGIN -#define NUM_NID 971 +#define NUM_NID 972 static const uint8_t kObjectData[] = { /* NID_rsadsi */ -@@ -8799,6 +8799,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = { +@@ -8800,6 +8800,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = { {"id-ml-dsa-87", "ML-DSA-87", NID_ML_DSA_87, 9, &kObjectData[6223], 0}, {"id-alg-ml-kem-768", "ML-KEM-768", NID_ML_KEM_768, 9, &kObjectData[6232], 0}, @@ -59,7 +61,7 @@ index d8b86dcd2..6dd49ec36 100644 }; static const uint16_t kNIDsInShortNameOrder[] = { -@@ -8931,6 +8933,7 @@ static const uint16_t kNIDsInShortNameOrder[] = { +@@ -8932,6 +8934,7 @@ static const uint16_t kNIDsInShortNameOrder[] = { 18 /* OU */, 749 /* Oakley-EC2N-3 */, 750 /* Oakley-EC2N-4 */, @@ -67,7 +69,7 @@ index d8b86dcd2..6dd49ec36 100644 9 /* PBE-MD2-DES */, 168 /* PBE-MD2-RC2-64 */, 10 /* PBE-MD5-DES */, -@@ -9854,6 +9857,7 @@ static const uint16_t kNIDsInLongNameOrder[] = { +@@ -9855,6 +9858,7 @@ static const uint16_t kNIDsInLongNameOrder[] = { 366 /* OCSP Nonce */, 371 /* OCSP Service Locator */, 180 /* OCSP Signing */, @@ -111,10 +113,10 @@ index 83a1cf592..7265f15f6 100644 #if defined(__cplusplus) } /* extern C */ diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h -index ff68ba69e..0730e769a 100644 +index 3a2e6dc50..300848e0f 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h -@@ -2550,6 +2550,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx); +@@ -2579,6 +2579,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx); #define SSL_GROUP_X25519_MLKEM768 0x11ec #define SSL_GROUP_X25519_KYBER768_DRAFT00 0x6399 #define SSL_GROUP_MLKEM1024 0x0202 
@@ -122,7 +124,7 @@ index ff68ba69e..0730e769a 100644 // SSL_CTX_set1_group_ids sets the preferred groups for |ctx| to |group_ids|. // Each element of |group_ids| should be a unique one of the |SSL_GROUP_*| -@@ -5964,6 +5965,20 @@ OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves); +@@ -6195,6 +6196,20 @@ OPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves); // SSL_set1_curves_list calls |SSL_set1_groups_list|. OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves); @@ -144,10 +146,10 @@ index ff68ba69e..0730e769a 100644 // |SSL_get_negotiated_group| to return an unrecognized group. BoringSSL never // returns this value, but we define this constant for compatibility. diff --git a/ssl/extensions.cc b/ssl/extensions.cc -index c5f90688c..e0514fed3 100644 +index 529226876..e2ed74d5f 100644 --- a/ssl/extensions.cc +++ b/ssl/extensions.cc -@@ -101,6 +101,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) { +@@ -106,6 +106,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) { static bool is_post_quantum_group(uint16_t id) { switch (id) { case SSL_GROUP_X25519_KYBER768_DRAFT00: @@ -155,7 +157,7 @@ index c5f90688c..e0514fed3 100644 case SSL_GROUP_X25519_MLKEM768: case SSL_GROUP_MLKEM1024: return true; -@@ -2241,18 +2242,21 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) { +@@ -2413,18 +2414,21 @@ bool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) { if (!default_key_shares.TryPushBack(supported_group_list[0])) { return false; } @@ -189,10 +191,10 @@ index c5f90688c..e0514fed3 100644 selected_key_shares.emplace(default_key_shares); } diff --git a/ssl/internal.h b/ssl/internal.h -index a69505b47..1f5ce51e6 100644 +index 4d86a6170..1c0d9f2fd 100644 --- a/ssl/internal.h 
+++ b/ssl/internal.h -@@ -955,7 +955,7 @@ struct NamedGroup { +@@ -913,7 +913,7 @@ struct NamedGroup { Span NamedGroups(); // kNumNamedGroups is the number of supported groups. @@ -201,7 +203,7 @@ index a69505b47..1f5ce51e6 100644 // DefaultSupportedGroupIds returns the list of IDs for the default groups that // are supported when the caller hasn't explicitly configured supported groups. -@@ -3388,6 +3388,11 @@ struct SSL_CONFIG { +@@ -3512,6 +3512,11 @@ struct SSL_CONFIG { // permute_extensions is whether to permute extensions when sending messages. bool permute_extensions : 1; @@ -213,7 +215,7 @@ index a69505b47..1f5ce51e6 100644 // aes_hw_override if set indicates we should override checking for aes // hardware support, and use the value in aes_hw_override_value instead. bool aes_hw_override : 1; -@@ -4015,6 +4020,11 @@ struct ssl_ctx_st : public bssl::RefCounted { +@@ -4149,6 +4154,11 @@ struct ssl_ctx_st : public bssl::RefCounted { // permute_extensions is whether to permute extensions when sending messages. bool permute_extensions : 1; @@ -371,10 +373,10 @@ index d155b5527..4fb08906b 100644 return nullptr; } diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc -index f64b103fb..fe5bb9bc7 100644 +index de4e79efc..4ca2e799d 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc -@@ -397,6 +397,7 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method) +@@ -385,6 +385,7 @@ ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method) channel_id_enabled(false), grease_enabled(false), permute_extensions(false), @@ -382,7 +384,7 @@ index f64b103fb..fe5bb9bc7 100644 allow_unknown_alpn_protos(false), false_start_allowed_without_alpn(false), handoff(false), -@@ -527,6 +528,7 @@ SSL *SSL_new(SSL_CTX *ctx) { +@@ -517,6 +518,7 @@ SSL *SSL_new(SSL_CTX *ctx) { ssl->config->retain_only_sha256_of_client_certs = ctx->retain_only_sha256_of_client_certs; ssl->config->permute_extensions = ctx->permute_extensions; 
@@ -390,7 +392,7 @@ index f64b103fb..fe5bb9bc7 100644 ssl->config->aes_hw_override = ctx->aes_hw_override; ssl->config->aes_hw_override_value = ctx->aes_hw_override_value; ssl->config->compliance_policy = ctx->compliance_policy; -@@ -586,6 +588,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg) +@@ -582,6 +584,7 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg) jdk11_workaround(false), quic_use_legacy_codepoint(false), permute_extensions(false), @@ -398,7 +400,7 @@ index f64b103fb..fe5bb9bc7 100644 alps_use_new_codepoint(true) { assert(ssl); } -@@ -3331,6 +3334,15 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) { +@@ -3372,6 +3375,15 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) { return SSL_set1_groups_list(ssl, curves); } @@ -414,7 +416,7 @@ index f64b103fb..fe5bb9bc7 100644 namespace fips202205 { // (References are to SP 800-52r2): -@@ -3342,7 +3354,9 @@ namespace fips202205 { +@@ -3383,7 +3395,9 @@ namespace fips202205 { // Section 3.3.1 // "The server shall be configured to only use cipher suites that are // composed entirely of NIST approved algorithms" @@ -426,10 +428,10 @@ index f64b103fb..fe5bb9bc7 100644 static const uint16_t kSigAlgs[] = { SSL_SIGN_RSA_PKCS1_SHA256, diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc -index 779a2c37a..36a0cab3b 100644 +index 49adcaf72..6427ecf5d 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc -@@ -506,6 +506,14 @@ static const CurveTest kCurveTests[] = { +@@ -520,6 +520,14 @@ static const CurveTest kCurveTests[] = { "MLKEM1024:X25519MLKEM768", {SSL_GROUP_MLKEM1024, SSL_GROUP_X25519_MLKEM768}, }, @@ -444,7 +446,7 @@ index 779a2c37a..36a0cab3b 100644 { "P-256:P-384:P-521:X25519", -@@ -668,7 +676,9 @@ TEST(SSLTest, CurveRules) { +@@ -681,7 +689,9 @@ TEST(SSLTest, CurveRules) { } TEST(SSLTest, DefaultCurves) { 
@@ -455,7 +457,7 @@ index 779a2c37a..36a0cab3b 100644 SSL_GROUP_SECP384R1}; // Test the group ID APIs. -@@ -1522,6 +1532,9 @@ static bool GetClientHello(SSL *ssl, std::vector *out) { +@@ -1641,6 +1651,9 @@ static bool GetClientHello(SSL *ssl, std::vector *out) { static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version, size_t ticket_len) { bssl::UniquePtr ctx(SSL_CTX_new(TLS_method())); @@ -465,7 +467,19 @@ index 779a2c37a..36a0cab3b 100644 bssl::UniquePtr session = CreateSessionWithTicket(session_version, ticket_len); if (!ctx || !session) { -@@ -6815,7 +6828,9 @@ TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) { +@@ -2315,7 +2328,10 @@ TEST(SSLTest, SetGroupIdsWithEqualPreference) { + // Test that the SSL group flags are defaulted to zero when zero groups are set + // (i.e. using the default groups). + TEST(SSLTest, SetGroupIdsWithFlags_DefaultGroups) { +- const uint16_t kDefaultGroups[] = {SSL_GROUP_X25519, SSL_GROUP_SECP256R1, ++ const uint16_t kDefaultGroups[] = {SSL_GROUP_X25519_MLKEM768, ++ SSL_GROUP_P256_KYBER768_DRAFT00, ++ SSL_GROUP_X25519, ++ SSL_GROUP_SECP256R1, + SSL_GROUP_SECP384R1}; + const uint32_t kBogusFlags[] = {SSL_GROUP_FLAG_EQUAL_PREFERENCE_WITH_NEXT, + SSL_GROUP_FLAG_EQUAL_PREFERENCE_WITH_NEXT, 0}; +@@ -7052,7 +7068,9 @@ TEST(SSLTest, ApplyHandoffRemovesUnsupportedCurves) { // The default list of groups is used before applying the handoff. EXPECT_THAT(server->config->supported_group_list, @@ -477,10 +491,10 @@ index 779a2c37a..36a0cab3b 100644 ASSERT_TRUE(SSL_apply_handoff(server.get(), handoff)); EXPECT_EQ(1u, server->config->supported_group_list.size()); diff --git a/ssl/test/runner/basic_tests.go b/ssl/test/runner/basic_tests.go -index 08de8fa5f..dd945fa49 100644 +index dfd17d5f1..054241404 100644 --- a/ssl/test/runner/basic_tests.go +++ b/ssl/test/runner/basic_tests.go -@@ -129,6 +129,7 @@ read alert 1 0 +@@ -132,6 +132,7 @@ read alert 1 0 `write hs 1 read hs 3 write hs 1 
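Review bot: The new inner hunk for `TEST(SSLTest, SetGroupIdsWithFlags_DefaultGroups)` pins a third hard-coded copy of the default group order, `{SSL_GROUP_X25519_MLKEM768, SSL_GROUP_P256_KYBER768_DRAFT00, SSL_GROUP_X25519, SSL_GROUP_SECP256R1, SSL_GROUP_SECP384R1}`, next to the copies this patch already edits in `DefaultCurves` and `ApplyHandoffRemovesUnsupportedCurves` (the neighbouring hunks, whose contents are not visible here); the test body itself continues past the hunk. Each copy has to track the library's `DefaultSupportedGroupIds` (declared in the ssl/internal.h hunk) and the `kNumNamedGroups` bump, so a future rebase that updates only one of them fails in a way that points at the test rather than at the default list; the patch would be easier to carry if the three tests shared a single `kDefaultGroups` array with a comment tying it to `DefaultSupportedGroupIds`. This expectation also codifies that the draft, pre-standard codepoint `SSL_GROUP_P256_KYBER768_DRAFT00` is offered by default and ranked above `SSL_GROUP_X25519`; if that is intended, a sentence in the patch description saying the draft group is a default-offered group (not only reachable via `SSL_CTX_set1_groups_list`) would help reviewers of later rebases, and if it is not intended, the default list rather than the test should change.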
@@ -488,7 +502,7 @@ index 08de8fa5f..dd945fa49 100644 read hs 2 read hs 11 read hs 12 -@@ -1956,6 +1957,7 @@ read alert 1 0 +@@ -1975,6 +1976,7 @@ read alert 1 0 write hs 2 write hs 8 write hs 11 @@ -518,10 +532,10 @@ index 6f49d12af..5e970b2b5 100644 }) } diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go -index 7dbde72c9..9d18d9d45 100644 +index 2d174832f..5056444de 100644 --- a/ssl/test/runner/common.go +++ b/ssl/test/runner/common.go -@@ -2095,7 +2095,7 @@ type ProtocolBugs struct { +@@ -2172,7 +2172,7 @@ type ProtocolBugs struct { FailIfHelloRetryRequested bool // FailIfPostQuantumOffered will cause a server to reject a ClientHello if @@ -531,10 +545,10 @@ index 7dbde72c9..9d18d9d45 100644 // ExpectKeyShares, if not nil, lists (in order) the curves that a ClientHello diff --git a/ssl/test/runner/curve_tests.go b/ssl/test/runner/curve_tests.go -index 8e7b0a45b..556bf314d 100644 +index 9bc13115e..0d11da734 100644 --- a/ssl/test/runner/curve_tests.go +++ b/ssl/test/runner/curve_tests.go -@@ -579,17 +579,6 @@ func addCurveTests() { +@@ -581,17 +581,6 @@ func addCurveTests() { }) } @@ -552,7 +566,7 @@ index 8e7b0a45b..556bf314d 100644 for _, curve := range testCurves { if !isMLKEMGroup(curve.id) { continue -@@ -679,18 +668,19 @@ func addCurveTests() { +@@ -681,18 +670,19 @@ func addCurveTests() { }) } @@ -630,7 +644,7 @@ index 2cd3c10d3..f19d8d20a 100644 clientAndServerHelloInitial += "write ccs\n" } diff --git a/ssl/test/runner/extension_tests.go b/ssl/test/runner/extension_tests.go -index d6adb7759..4eb80aa8e 100644 +index 3087efe37..61a036d8b 100644 --- a/ssl/test/runner/extension_tests.go +++ b/ssl/test/runner/extension_tests.go @@ -16,6 +16,7 @@ package runner @@ -651,7 +665,7 @@ index d6adb7759..4eb80aa8e 100644 // Test that illegal extensions in TLS 1.3 are rejected by the client if diff --git a/ssl/test/runner/key_update_tests.go b/ssl/test/runner/key_update_tests.go -index 0a9053038..5ce709589 100644 +index f98528265..2068b1102 100644 
--- a/ssl/test/runner/key_update_tests.go +++ b/ssl/test/runner/key_update_tests.go @@ -14,7 +14,10 @@ @@ -675,10 +689,10 @@ index 0a9053038..5ce709589 100644 // Test that shim responds to KeyUpdate requests. diff --git a/tool/client.cc b/tool/client.cc -index 0839d4880..be9b79259 100644 +index 1653af8da..cab725d40 100644 --- a/tool/client.cc +++ b/tool/client.cc -@@ -125,6 +125,11 @@ static const struct argument kArguments[] = { +@@ -156,6 +156,11 @@ static const struct argument kArguments[] = { kBooleanArgument, "Permute extensions in handshake messages", }, @@ -688,9 +702,9 @@ index 0839d4880..be9b79259 100644 + "Do not send a second keyshare", + }, { - "-test-resumption", kBooleanArgument, - "Connect to the server twice. The first connection is closed once a " -@@ -538,6 +543,10 @@ bool Client(const std::vector &args) { + "-test-resumption", + kBooleanArgument, +@@ -637,6 +642,10 @@ bool Client(const std::vector &args) { SSL_CTX_set_permute_extensions(ctx.get(), 1); } @@ -698,9 +712,9 @@ index 0839d4880..be9b79259 100644 + SSL_CTX_use_second_keyshare(ctx.get(), 0); + } + + // Configure accepted roots. if (args_map.count("-root-certs") != 0) { if (!SSL_CTX_load_verify_locations( - ctx.get(), args_map["-root-certs"].c_str(), nullptr)) { -- -2.40.0 +2.50.1 (Apple Git-155)