cloudflare-specific hybrid kyber768 support (open-quantum-safe#78)

* cloudflare-specific hybrid x25519_kyber768 support Signed-off-by: Felipe Ventura <felipe.ventura@entrust.com>
EntrustCorporation · Mar 13, 2024 · 5734617 · 5734617
1 parent b0fd3a6
commit 5734617
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/oqsprov/oqs_prov.h b/oqsprov/oqs_prov.h
@@ -9,6 +9,9 @@
 
 /* Internal OQS functions for other submodules: not for application use */
 
+/* Set this define to create support for x25519_kyber768 as done by cloudflare */
+// #define CLOUDFLARE
+
 #ifndef OQSX_H
 # define OQSX_H
 
@@ -70,9 +73,16 @@
     (secbits == 128 ? "p256_" #oqsname "" : \
      secbits == 192 ? "p384_" #oqsname "" : \
                       "p521_" #oqsname "")
+
+#ifdef CLOUDFLARE
 #define ECX_NAME(secbits, oqsname) \
-    (secbits == 128 ? "x25519_" #oqsname "" : \
+    (((secbits == 128) || (!strcmp("kyber768", ""#oqsname""))) ? "x25519_" #oqsname "" : \
                         "x448_" #oqsname "")
+#else
+#define ECX_NAME(secbits, oqsname) \
+    ((secbits == 128) ? "x25519_" #oqsname "" : \
+                        "x448_" #oqsname "")
+#endif
 
 typedef struct prov_oqs_ctx_st {
     const OSSL_CORE_HANDLE *handle;

diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c
@@ -20,13 +20,7 @@
 // internal, but useful OSSL define:
 # define OSSL_NELEM(x)    (sizeof(x)/sizeof((x)[0]))
 
-#define ECP_NAME(secbits, oqsname) \
-    (secbits == 128 ? "p256_" #oqsname "" : \
-     secbits == 192 ? "p384_" #oqsname "" : \
-                      "p521_" #oqsname "")
-#define ECX_NAME(secbits, oqsname) \
-    (secbits == 128 ? "x25519_" #oqsname "" : \
-                        "x448_" #oqsname "")
+#include "oqs_prov.h"
 
 typedef struct oqs_group_constants_st {
     unsigned int group_id;           /* Group ID */

diff --git a/oqsprov/oqsprov_keys.c b/oqsprov/oqsprov_keys.c
@@ -567,7 +567,11 @@ OQSX_KEY *oqsx_key_new(OSSL_LIB_CTX *libctx, char* oqs_name, char* tls_name, int
         ON_ERR_GOTO(!evp_ctx, err);
 
         ret2 = (init_kex_fun[primitive - KEY_TYPE_ECP_HYB_KEM])
+#ifdef CLOUDFLARE
+                (((!strcmp("Kyber768", oqs_name)&&(primitive==KEY_TYPE_ECX_HYB_KEM)))?128:bit_security, evp_ctx);
+#else
                 (bit_security, evp_ctx);
+#endif
         ON_ERR_GOTO(ret2 <= 0 || !evp_ctx->keyParam || !evp_ctx->ctx, err);
 
         ret->numkeys = 2;