fix: add back kyber for old fingerprints

2025-04-04 04:27:36 +03:00 · 2025-03-01 01:48:06 -07:00 · 2025-03-01 01:48:06 -07:00 · 9fada94f7e
commit 9fada94f7e
parent a99feacec2
4 changed files with 66 additions and 9 deletions
--- a/handshake_client_tls13.go
+++ b/handshake_client_tls13.go
@ -629,6 +629,15 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
 		}
 		ecdhePeerData = hs.serverHello.serverShare.data[mlkem.CiphertextSize768:]
 	}
+	// [uTLS] SECTION BEGIN
+	if hs.serverHello.serverShare.group == X25519Kyber768Draft00 {
+		if len(ecdhePeerData) != x25519PublicKeySize+mlkem.CiphertextSize768 {
+			c.sendAlert(alertIllegalParameter)
+			return errors.New("tls: invalid server X25519Kyber768Draft00 key share")
+		}
+		ecdhePeerData = hs.serverHello.serverShare.data[:x25519PublicKeySize]
+	}
+	// [uTLS] SECTION END
 	peerKey, err := hs.keyShareKeys.ecdhe.Curve().NewPublicKey(ecdhePeerData)
 	if err != nil {
 		c.sendAlert(alertIllegalParameter)
@ -651,6 +660,20 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
 		}
 		sharedKey = append(mlkemShared, sharedKey...)
 	}
+	// [uTLS] SECTION BEGIN
+	if hs.serverHello.serverShare.group == X25519Kyber768Draft00 {
+		if hs.keyShareKeys.mlkem == nil {
+			return c.sendAlert(alertInternalError)
+		}
+		ciphertext := hs.serverHello.serverShare.data[x25519PublicKeySize:]
+		kyberShared, err := kyberDecapsulate(hs.keyShareKeys.mlkem, ciphertext)
+		if err != nil {
+			c.sendAlert(alertIllegalParameter)
+			return errors.New("tls: invalid X25519Kyber768Draft00 server key share")
+		}
+		sharedKey = append(sharedKey, kyberShared...)
+	}
+	// [uTLS] SECTION END
 	c.curveID = hs.serverHello.serverShare.group

 	earlySecret := hs.earlySecret