[TLS 1.3] Post-Quantum Readiness via Hybrid Key Exchange

[reneme]

Pull-Request Dependencies

• [TLS 1.3] Limited TLS 1.3 Client Implementation #2922
• FIX: Kyber KEM with a KDF + some nitpicks #2982

Both change sets are currently also displayed in this pull request. Hence, review and merge of those should make this PR fairly small (~700 lines added).

TODO

• Add a "hybrid" key exchange method to the TLS policy
• Add a minimum_kyber_group_size() to the TLS policy (??)

Description

This enables the TLS 1.3 implementation to perform hybrid key exchanges using a classical KEX (ECDH or X25519) and a post-quantum KEM (Kyber or Kyber90s). The implementation is based on this IETF draft and the group identifiers for the Key Share extension are taken from OQS.

Demo

./configure.py                 \
    --build-targets=static,cli \
    --minimized-build          \
    --without-documentation    \
    --enable-modules=tls13,tls13_pqc,auto_rng,system_rng,chacha20poly1305,curve25519,kyber

make -j$(nproc) cli

./botan tls_client                                           \
    --policy=src/tests/data/tls-policy/default_tls13_pqc.txt \
    --port=443                                               \
    kms.eu-central-1.amazonaws.com

Using the snippets above, one should obtain a TLS 1.3 connection to Amazon's KMS endpoint (that is already PQC-enabled using their s2n-tls library). Simply typing "GET / HTTP/1.1" [Enter][Enter] should yield an (admittedly useless) "Bad Request" response.

The PQC TLS 1.3 policy file passed to the CLI uses X25519/Kyber512 as the hybrid key exchange scheme.

[lgtm-com]

This pull request introduces 1 alert when merging 7b74a14 into 8bfb00f - view on LGTM.com

new alerts:

• 1 for Comparison result is always the same

[reneme]

Rebased to master.

[randombit]

Broadly speaking looks good to me. Needs a rebase to resolve the merge conflicts and I can give a final review.

[reneme]

Rebased to master.

This will certainly need another look and compatibility testing round. Maybe it could even be used as a vehicle to find a better alternative to the tls_dh_agree() callbacks discussed here. After all is basically just another group, of sorts.

I'd suggest to keep this open until most of the the remaining TLS 1.3 work is done and revisit.

[codecov-commenter]

Codecov Report

Base: 87.98% // Head: 87.69% // Decreases project coverage by -0.29% ⚠️

Coverage data is based on head (f6b4f80) compared to base (4eb304b).
Patch coverage: 3.63% of modified lines in pull request are covered.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2983      +/-   ##
==========================================
- Coverage   87.98%   87.69%   -0.30%     
==========================================
  Files         599      600       +1     
  Lines       66333    66544     +211     
  Branches     6610     6635      +25     
==========================================
- Hits        58365    58355      -10     
- Misses       5181     5407     +226     
+ Partials     2787     2782       -5     

Impacted Files	Coverage Δ
src/lib/tls/tls13_pqc/composite_public_key.cpp	0.00% <0.00%> (ø)
src/lib/tls/tls_algos.cpp	58.64% <0.00%> (-25.40%)	⬇️
src/lib/tls/tls13/tls_extensions_key_share.cpp	73.29% <19.35%> (-10.95%)	⬇️
src/lib/tls/msg_client_hello.cpp	82.97% <100.00%> (ø)
src/lib/tls/tls13/tls_client_impl_13.cpp	84.28% <100.00%> (ø)
src/lib/entropy/rdseed/rdseed.cpp	18.18% <0.00%> (-63.64%)	⬇️
src/lib/utils/cpuid/cpuid_x86.cpp	45.94% <0.00%> (-7.39%)	⬇️
src/cli/cli_rng.cpp	60.00% <0.00%> (-4.00%)	⬇️
src/lib/utils/cpuid/cpuid.cpp	62.16% <0.00%> (-2.40%)	⬇️
src/lib/pubkey/dl_group/dl_group.cpp	84.42% <0.00%> (-0.68%)	⬇️
... and 12 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[randombit]

There is a specific draft for X25519+Kyber768 which is already implemented by Zig stdlib and also (IIRC) Cloudflare https://github.com/bwesterb/draft-westerbaan-tls-xyber768d00/blob/main/draft-tls-westerbaan-xyber768d00.md

[reneme]

Closing as superseded by: #3609