crypto/tls: implement X25519MLKEM768

This makes three related changes that work particularly well together
and would require significant extra work to do separately: it replaces
X25519Kyber768Draft00 with X25519MLKEM768, it makes CurvePreferences
ordering crypto/tls-selected, and applies a preference to PQ key
exchange methods over key shares (to mitigate downgrades).

TestHandshakeServerUnsupportedKeyShare was removed because we are not
rejecting unsupported key shares anymore (nor do we select them, and
rejecting them actively is a MAY). It would have been nice to keep the
test to check we still continue successfully, but testClientHelloFailure
is broken in the face of any server-side behavior which requires writing
any other messages back to the client, or reading them.

Updates #69985
Fixes #69393

Change-Id: I58de76f5b8742a9bd4543fd7907c48e038507b19
Reviewed-on: https://go-review.googlesource.com/c/go/+/630775
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

tls_test.go

@@ -1887,26 +1887,21 @@ func testVerifyCertificates(t *testing.T, version uint16) {
 	}
 }
 
-func TestHandshakeKyber(t *testing.T) {
-	skipFIPS(t) // No Kyber768 in FIPS
-
-	if x25519Kyber768Draft00.String() != "X25519Kyber768Draft00" {
-		t.Fatalf("unexpected CurveID string: %v", x25519Kyber768Draft00.String())
-	}
-
+func TestHandshakeMLKEM(t *testing.T) {
+	skipFIPS(t) // No X25519MLKEM768 in FIPS
 	var tests = []struct {
 		name                string
 		clientConfig        func(*Config)
 		serverConfig        func(*Config)
 		preparation         func(*testing.T)
 		expectClientSupport bool
-		expectKyber         bool
+		expectMLKEM         bool
 		expectHRR           bool
 	}{
 		{
 			name:                "Default",
 			expectClientSupport: true,
-			expectKyber:         true,
+			expectMLKEM:         true,
 			expectHRR:           false,
 		},
 		{
@@ -1922,7 +1917,7 @@ func TestHandshakeKyber(t *testing.T) {
 				config.CurvePreferences = []CurveID{X25519}
 			},
 			expectClientSupport: true,
-			expectKyber:         false,
+			expectMLKEM:         false,
 			expectHRR:           false,
 		},
 		{
@@ -1931,9 +1926,25 @@ func TestHandshakeKyber(t *testing.T) {
 				config.CurvePreferences = []CurveID{CurveP256}
 			},
 			expectClientSupport: true,
-			expectKyber:         false,
+			expectMLKEM:         false,
 			expectHRR:           true,
 		},
+		{
+			name: "ClientMLKEMOnly",
+			clientConfig: func(config *Config) {
+				config.CurvePreferences = []CurveID{X25519MLKEM768}
+			},
+			expectClientSupport: true,
+			expectMLKEM:         true,
+		},
+		{
+			name: "ClientSortedCurvePreferences",
+			clientConfig: func(config *Config) {
+				config.CurvePreferences = []CurveID{CurveP256, X25519MLKEM768}
+			},
+			expectClientSupport: true,
+			expectMLKEM:         true,
+		},
 		{
 			name: "ClientTLSv12",
 			clientConfig: func(config *Config) {
@@ -1947,12 +1958,12 @@ func TestHandshakeKyber(t *testing.T) {
 				config.MaxVersion = VersionTLS12
 			},
 			expectClientSupport: true,
-			expectKyber:         false,
+			expectMLKEM:         false,
 		},
 		{
 			name: "GODEBUG",
 			preparation: func(t *testing.T) {
-				t.Setenv("GODEBUG", "tlskyber=0")
+				t.Setenv("GODEBUG", "tlsmlkem=0")
 			},
 			expectClientSupport: false,
 		},
@@ -1972,10 +1983,10 @@ func TestHandshakeKyber(t *testing.T) {
 				test.serverConfig(serverConfig)
 			}
 			serverConfig.GetConfigForClient = func(hello *ClientHelloInfo) (*Config, error) {
-				if !test.expectClientSupport && slices.Contains(hello.SupportedCurves, x25519Kyber768Draft00) {
-					return nil, errors.New("client supports Kyber768Draft00")
-				} else if test.expectClientSupport && !slices.Contains(hello.SupportedCurves, x25519Kyber768Draft00) {
-					return nil, errors.New("client does not support Kyber768Draft00")
+				if !test.expectClientSupport && slices.Contains(hello.SupportedCurves, X25519MLKEM768) {
+					return nil, errors.New("client supports X25519MLKEM768")
+				} else if test.expectClientSupport && !slices.Contains(hello.SupportedCurves, X25519MLKEM768) {
+					return nil, errors.New("client does not support X25519MLKEM768")
 				}
 				return nil, nil
 			}
@@ -1987,19 +1998,19 @@ func TestHandshakeKyber(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			if test.expectKyber {
-				if ss.testingOnlyCurveID != x25519Kyber768Draft00 {
-					t.Errorf("got CurveID %v (server), expected %v", ss.testingOnlyCurveID, x25519Kyber768Draft00)
+			if test.expectMLKEM {
+				if ss.testingOnlyCurveID != X25519MLKEM768 {
+					t.Errorf("got CurveID %v (server), expected %v", ss.testingOnlyCurveID, X25519MLKEM768)
 				}
-				if cs.testingOnlyCurveID != x25519Kyber768Draft00 {
-					t.Errorf("got CurveID %v (client), expected %v", cs.testingOnlyCurveID, x25519Kyber768Draft00)
+				if cs.testingOnlyCurveID != X25519MLKEM768 {
+					t.Errorf("got CurveID %v (client), expected %v", cs.testingOnlyCurveID, X25519MLKEM768)
 				}
 			} else {
-				if ss.testingOnlyCurveID == x25519Kyber768Draft00 {
-					t.Errorf("got CurveID %v (server), expected not Kyber", ss.testingOnlyCurveID)
+				if ss.testingOnlyCurveID == X25519MLKEM768 {
+					t.Errorf("got CurveID %v (server), expected not X25519MLKEM768", ss.testingOnlyCurveID)
 				}
-				if cs.testingOnlyCurveID == x25519Kyber768Draft00 {
-					t.Errorf("got CurveID %v (client), expected not Kyber", cs.testingOnlyCurveID)
+				if cs.testingOnlyCurveID == X25519MLKEM768 {
+					t.Errorf("got CurveID %v (client), expected not X25519MLKEM768", cs.testingOnlyCurveID)
 				}
 			}
 			if test.expectHRR {