From 5734617dbdce27a1fa76225b5a663516cb6afc81 Mon Sep 17 00:00:00 2001
From: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date: Thu, 20 Oct 2022 07:20:53 +0200
Subject: [PATCH] cloudflare-specific hybrid kyber768 support (#78)

* cloudflare-specific hybrid x25519_kyber768 support

Signed-off-by: Felipe Ventura <felipe.ventura@entrust.com>
---
 oqsprov/oqs_prov.h             | 12 +++++++++++-
 oqsprov/oqsprov_capabilities.c |  8 +-------
 oqsprov/oqsprov_keys.c         |  4 ++++
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/oqsprov/oqs_prov.h b/oqsprov/oqs_prov.h
index 8bb761b1..993a02bb 100644
--- a/oqsprov/oqs_prov.h
+++ b/oqsprov/oqs_prov.h
@@ -9,6 +9,9 @@
 
 /* Internal OQS functions for other submodules: not for application use */
 
+/* Set this define to create support for x25519_kyber768 as done by cloudflare */
+// #define CLOUDFLARE
+
 #ifndef OQSX_H
 # define OQSX_H
 
@@ -70,9 +73,16 @@
     (secbits == 128 ? "p256_" #oqsname "" : \
      secbits == 192 ? "p384_" #oqsname "" : \
                       "p521_" #oqsname "")
+
+#ifdef CLOUDFLARE
 #define ECX_NAME(secbits, oqsname) \
-    (secbits == 128 ? "x25519_" #oqsname "" : \
+    (((secbits == 128) || (!strcmp("kyber768", ""#oqsname""))) ? "x25519_" #oqsname "" : \
                         "x448_" #oqsname "")
+#else
+#define ECX_NAME(secbits, oqsname) \
+    ((secbits == 128) ? "x25519_" #oqsname "" : \
+                        "x448_" #oqsname "")
+#endif
 
 typedef struct prov_oqs_ctx_st {
     const OSSL_CORE_HANDLE *handle;
diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c
index 2578073d..3671013b 100644
--- a/oqsprov/oqsprov_capabilities.c
+++ b/oqsprov/oqsprov_capabilities.c
@@ -20,13 +20,7 @@
 // internal, but useful OSSL define:
 # define OSSL_NELEM(x)    (sizeof(x)/sizeof((x)[0]))
 
-#define ECP_NAME(secbits, oqsname) \
-    (secbits == 128 ? "p256_" #oqsname "" : \
-     secbits == 192 ? "p384_" #oqsname "" : \
-                      "p521_" #oqsname "")
-#define ECX_NAME(secbits, oqsname) \
-    (secbits == 128 ? "x25519_" #oqsname "" : \
-                        "x448_" #oqsname "")
+#include "oqs_prov.h"
 
 typedef struct oqs_group_constants_st {
     unsigned int group_id;           /* Group ID */
diff --git a/oqsprov/oqsprov_keys.c b/oqsprov/oqsprov_keys.c
index d5e27203..f2f13476 100644
--- a/oqsprov/oqsprov_keys.c
+++ b/oqsprov/oqsprov_keys.c
@@ -567,7 +567,11 @@ OQSX_KEY *oqsx_key_new(OSSL_LIB_CTX *libctx, char* oqs_name, char* tls_name, int
         ON_ERR_GOTO(!evp_ctx, err);
 
         ret2 = (init_kex_fun[primitive - KEY_TYPE_ECP_HYB_KEM])
+#ifdef CLOUDFLARE
+                (((!strcmp("Kyber768", oqs_name)&&(primitive==KEY_TYPE_ECX_HYB_KEM)))?128:bit_security, evp_ctx);
+#else
                 (bit_security, evp_ctx);
+#endif
         ON_ERR_GOTO(ret2 <= 0 || !evp_ctx->keyParam || !evp_ctx->ctx, err);
 
         ret->numkeys = 2;