sync: merge changes from go 1.23.4

key_schedule.go

@@ -12,8 +12,10 @@ import (
 	"hash"
 	"io"
 
+	"github.com/refraction-networking/utls/internal/mlkem768"
 	"golang.org/x/crypto/cryptobyte"
 	"golang.org/x/crypto/hkdf"
+	"golang.org/x/crypto/sha3"
 )
 
 // This file contains the functions necessary to compute the TLS 1.3 key
@@ -117,6 +119,45 @@ func (c *cipherSuiteTLS13) exportKeyingMaterial(masterSecret []byte, transcript
 	}
 }
 
+type keySharePrivateKeys struct {
+	curveID CurveID
+	ecdhe   *ecdh.PrivateKey
+	kyber   *mlkem768.DecapsulationKey
+}
+
+// kyberDecapsulate implements decapsulation according to Kyber Round 3.
+func kyberDecapsulate(dk *mlkem768.DecapsulationKey, c []byte) ([]byte, error) {
+	K, err := mlkem768.Decapsulate(dk, c)
+	if err != nil {
+		return nil, err
+	}
+	return kyberSharedSecret(K, c), nil
+}
+
+// kyberEncapsulate implements encapsulation according to Kyber Round 3.
+func kyberEncapsulate(ek []byte) (c, ss []byte, err error) {
+	c, ss, err = mlkem768.Encapsulate(ek)
+	if err != nil {
+		return nil, nil, err
+	}
+	return c, kyberSharedSecret(ss, c), nil
+}
+
+func kyberSharedSecret(K, c []byte) []byte {
+	// Package mlkem768 implements ML-KEM, which compared to Kyber removed a
+	// final hashing step. Compute SHAKE-256(K || SHA3-256(c), 32) to match Kyber.
+	// See https://words.filippo.io/mlkem768/#bonus-track-using-a-ml-kem-implementation-as-kyber-v3.
+	h := sha3.NewShake256()
+	h.Write(K)
+	ch := sha3.Sum256(c)
+	h.Write(ch[:])
+	out := make([]byte, 32)
+	h.Read(out)
+	return out
+}
+
+const x25519PublicKeySize = 32
+
 // generateECDHEKey returns a PrivateKey that implements Diffie-Hellman
 // according to RFC 8446, Section 4.2.8.2.
 func generateECDHEKey(rand io.Reader, curveID CurveID) (*ecdh.PrivateKey, error) {