                        [TLS 1.3] Post-Quantum Readiness via Hybrid Key Exchange
Pull-Request Dependencies
- https://github.com/randombit/botan/pull/2922
- https://github.com/randombit/botan/pull/2982
Both change sets are currently also displayed in this pull request. Hence, review and merge of those should make this PR fairly small (~700 lines added).
TODO
- [ ] Add a "hybrid" key exchange method to the TLS policy
- [ ] Add a `minimum_kyber_group_size()` to the TLS policy (??)
Description
This enables the TLS 1.3 implementation to perform hybrid key exchanges using a classical KEX (ECDH or X25519) and a post-quantum KEM (Kyber or Kyber90s). The implementation is based on this IETF draft and the group identifiers for the Key Share extension are taken from OQS.
Demo
./configure.py                 \
    --build-targets=static,cli \
    --minimized-build          \
    --without-documentation    \
    --enable-modules=tls13,tls13_pqc,auto_rng,system_rng,chacha20poly1305,curve25519,kyber
make -j$(nproc) cli
./botan tls_client                                           \
    --policy=src/tests/data/tls-policy/default_tls13_pqc.txt \
    --port=443                                               \
    kms.eu-central-1.amazonaws.com
Using the snippets above, one should obtain a TLS 1.3 connection to Amazon's KMS endpoint (that is already PQC-enabled using their s2n-tls library). Simply typing "GET / HTTP/1.1" [Enter][Enter] should yield an (admittedly useless) "Bad Request" response.
The PQC TLS 1.3 policy file passed to the CLI uses X25519/Kyber512 as the hybrid key exchange scheme.
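As an added illustration (not code from this PR or from Botan), the key share and shared-secret layout the hybrid draft prescribes, here for X25519/Kyber512: the client's share is the X25519 public key followed by the Kyber public key, the server's share is the X25519 public key followed by the Kyber ciphertext, and the hybrid secret is the two shared secrets concatenated in the same order. No length prefixes are sent, so a receiver must know the fixed component sizes and reject any share of a different length. The component sizes are the standard ones; the byte values in the demo are constructed placeholders, not real keys.

```python
import os
from dataclasses import dataclass

X25519_LEN = 32  # X25519 public key and shared secret are both 32 bytes
# name -> (public key length, ciphertext length, shared secret length) for round-3 Kyber
KYBER = {"Kyber512": (800, 768, 32), "Kyber768": (1184, 1088, 32), "Kyber1024": (1568, 1568, 32)}


def _expect(value: bytes, length: int, what: str) -> None:
    if len(value) != length:
        raise ValueError(f"{what}: expected {length} bytes, got {len(value)}")


@dataclass(frozen=True)
class HybridGroup:
    kem: str  # one of the KYBER keys; classical component is always X25519 here

    @property
    def client_share_len(self) -> int:
        return X25519_LEN + KYBER[self.kem][0]

    @property
    def server_share_len(self) -> int:
        return X25519_LEN + KYBER[self.kem][1]

    def encode_client_share(self, x25519_pk: bytes, kyber_pk: bytes) -> bytes:
        """ClientHello KeyShareEntry: X25519 public key || Kyber public key."""
        _expect(x25519_pk, X25519_LEN, "X25519 public key")
        _expect(kyber_pk, KYBER[self.kem][0], f"{self.kem} public key")
        return x25519_pk + kyber_pk

    def split_client_share(self, blob: bytes) -> tuple[bytes, bytes]:
        """Server side: split a received client share, rejecting wrong lengths."""
        _expect(blob, self.client_share_len, "hybrid client key share")
        return blob[:X25519_LEN], blob[X25519_LEN:]

    def split_server_share(self, blob: bytes) -> tuple[bytes, bytes]:
        """Client side: X25519 public key || Kyber ciphertext."""
        _expect(blob, self.server_share_len, "hybrid server key share")
        return blob[:X25519_LEN], blob[X25519_LEN:]

    def combine_shared_secrets(self, x25519_ss: bytes, kyber_ss: bytes) -> bytes:
        """Hybrid secret = X25519 ss || Kyber ss, in key-share order; this replaces the
        (EC)DHE input to HKDF-Extract in the TLS 1.3 key schedule."""
        _expect(x25519_ss, X25519_LEN, "X25519 shared secret")
        _expect(kyber_ss, KYBER[self.kem][2], f"{self.kem} shared secret")
        return x25519_ss + kyber_ss


if __name__ == "__main__":
    g = HybridGroup("Kyber512")
    share = g.encode_client_share(os.urandom(32), os.urandom(800))  # constructed placeholders
    print(len(share), g.split_client_share(share)[1][:4].hex())
```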
This pull request introduces 1 alert when merging 7b74a1456b1d75e6a443ada751d2f2b287988102 into 8bfb00f6f142bd8160c09514508b270b3a422e3f - view on LGTM.com
New alerts:
- 1 for "Comparison result is always the same"
Rebased to master.
Rebased to master.
This will certainly need another look and a compatibility testing round. Maybe it could even be used as a vehicle to find a better alternative to the tls_dh_agree() callbacks discussed here. After all, it is basically just another group, of sorts.
I'd suggest keeping this open until most of the remaining TLS 1.3 work is done and revisiting it then.
Codecov Report
Base: 87.98% // Head: 87.69% // Decreases project coverage by -0.29% :warning:
Coverage data is based on head (f6b4f80) compared to base (4eb304b). Patch coverage: 3.63% of modified lines in pull request are covered.
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #2983      +/-   ##
==========================================
- Coverage   87.98%   87.69%   -0.30%     
==========================================
  Files         599      600       +1     
  Lines       66333    66544     +211     
  Branches     6610     6635      +25     
==========================================
- Hits        58365    58355      -10     
- Misses       5181     5407     +226     
+ Partials     2787     2782       -5     
| Impacted Files | Coverage Δ | |
|---|---|---|
| src/lib/tls/tls13_pqc/composite_public_key.cpp | 0.00% <0.00%> (ø) | |
| src/lib/tls/tls_algos.cpp | 58.64% <0.00%> (-25.40%) | :arrow_down: |
| src/lib/tls/tls13/tls_extensions_key_share.cpp | 73.29% <19.35%> (-10.95%) | :arrow_down: |
| src/lib/tls/msg_client_hello.cpp | 82.97% <100.00%> (ø) | |
| src/lib/tls/tls13/tls_client_impl_13.cpp | 84.28% <100.00%> (ø) | |
| src/lib/entropy/rdseed/rdseed.cpp | 18.18% <0.00%> (-63.64%) | :arrow_down: |
| src/lib/utils/cpuid/cpuid_x86.cpp | 45.94% <0.00%> (-7.39%) | :arrow_down: |
| src/cli/cli_rng.cpp | 60.00% <0.00%> (-4.00%) | :arrow_down: |
| src/lib/utils/cpuid/cpuid.cpp | 62.16% <0.00%> (-2.40%) | :arrow_down: |
| src/lib/pubkey/dl_group/dl_group.cpp | 84.42% <0.00%> (-0.68%) | :arrow_down: |
| ... and 12 more | | |
There is a specific draft for X25519+Kyber768 which is already implemented by Zig stdlib and also (IIRC) Cloudflare https://github.com/bwesterb/draft-westerbaan-tls-xyber768d00/blob/main/draft-tls-westerbaan-xyber768d00.md
Closing as superseded by: https://github.com/randombit/botan/pull/3609