bcgit
diff --git a/‎tls/src/main/java/org/bouncycastle/tls/NamedGroup.java‎
Lines changed: 88 additions & 1 deletion b/‎tls/src/main/java/org/bouncycastle/tls/NamedGroup.java‎
Lines changed: 88 additions & 1 deletion
diff --git a/‎tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java‎
Lines changed: 3 additions & 15 deletions b/‎tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java‎
Lines changed: 3 additions & 15 deletions
diff --git a/‎tls/src/main/java/org/bouncycastle/tls/TlsUtils.java‎
Lines changed: 103 additions & 56 deletions b/‎tls/src/main/java/org/bouncycastle/tls/TlsUtils.java‎
Lines changed: 103 additions & 56 deletions
diff --git a/‎tls/src/main/java/org/bouncycastle/tls/crypto/TlsCrypto.java‎
Lines changed: 2 additions & 0 deletions b/‎tls/src/main/java/org/bouncycastle/tls/crypto/TlsCrypto.java‎
Lines changed: 2 additions & 0 deletions
@@ -116,6 +116,13 @@ public class NamedGroup
     public static final int MLKEM768 = 0x0201;
     public static final int MLKEM1024 = 0x0202;
 
+    /*
+     * draft-ietf-tls-ecdhe-mlkem-00
+     */
+    public static final int SecP256r1MLKEM768 = 0x11EB;
+    public static final int X25519MLKEM768 = 0x11EC;
+    public static final int SecP384r1MLKEM1024 = 0x11ED;
+
     /* Names of the actual underlying elliptic curves (not necessarily matching the NamedGroup names). */
     private static final String[] CURVE_NAMES = new String[]{ "sect163k1", "sect163r1", "sect163r2", "sect193r1",
         "sect193r2", "sect233k1", "sect233r1", "sect239k1", "sect283k1", "sect283r1", "sect409k1", "sect409r1",
@@ -163,7 +170,7 @@ public static boolean canBeNegotiated(int namedGroup, ProtocolVersion version)
             }
         }
 
-        if (refersToASpecificKem(namedGroup))
+        if (refersToASpecificHybrid(namedGroup) || refersToASpecificKem(namedGroup))
         {
             return isTLSv13;
         }
@@ -297,6 +304,66 @@ public static String getFiniteFieldName(int namedGroup)
         return null;
     }
 
+    public static int getHybridFirst(int namedGroup)
+    {
+        switch (namedGroup)
+        {
+        case SecP256r1MLKEM768:
+            return secp256r1;
+        case X25519MLKEM768:
+            return MLKEM768;
+        case SecP384r1MLKEM1024:
+            return secp384r1;
+        default:
+            return -1;
+        }
+    }
+
+    public static int getHybridSecond(int namedGroup)
+    {
+        switch (namedGroup)
+        {
+        case SecP256r1MLKEM768:
+            return MLKEM768;
+        case X25519MLKEM768:
+            return x25519;
+        case SecP384r1MLKEM1024:
+            return MLKEM1024;
+        default:
+            return -1;
+        }
+    }
+
+    // TODO Temporary until crypto implementations become more self-documenting around lengths
+    static int getHybridSplitClientShare(int namedGroup)
+    {
+        switch (namedGroup)
+        {
+        case secp256r1:
+            return 65;
+        case secp384r1:
+            return 97;
+        case MLKEM768:
+            return 1184;
+        }
+        return -1;
+    }
+
+    // TODO Temporary until crypto implementations become more self-documenting around lengths
+    static int getHybridSplitServerShare(int namedGroup)
+    {
+        switch (namedGroup)
+        {
+        case secp256r1:
+            return 65;
+        case secp384r1:
+            return 97;
+        case MLKEM768:
+            return 1088;
+        }
+        return -1;
+    }
+
     public static String getKemName(int namedGroup)
     {
         switch (namedGroup)
@@ -382,6 +449,12 @@ public static String getName(int namedGroup)
             return "MLKEM768";
         case MLKEM1024:
             return "MLKEM1024";
+        case SecP256r1MLKEM768:
+            return "SecP256r1MLKEM768";
+        case X25519MLKEM768:
+            return "X25519MLKEM768";
+        case SecP384r1MLKEM1024:
+            return "SecP384r1MLKEM1024";
         case arbitrary_explicit_prime_curves:
             return "arbitrary_explicit_prime_curves";
         case arbitrary_explicit_char2_curves:
@@ -489,9 +562,23 @@ public static boolean refersToASpecificGroup(int namedGroup)
     {
         return refersToASpecificCurve(namedGroup)
             || refersToASpecificFiniteField(namedGroup)
+            || refersToASpecificHybrid(namedGroup)
             || refersToASpecificKem(namedGroup);
     }
 
+    public static boolean refersToASpecificHybrid(int namedGroup)
+    {
+        switch (namedGroup)
+        {
+        case SecP256r1MLKEM768:
+        case X25519MLKEM768:
+        case SecP384r1MLKEM1024:
+            return true;
+        default:
+            return false;
+        }
+    }
+
     public static boolean refersToASpecificKem(int namedGroup)
     {
         switch (namedGroup)
 
@@ -396,21 +396,9 @@ protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMe
         TlsSecret sharedSecret;
         {
             int namedGroup = clientShare.getNamedGroup();
-    
-            TlsAgreement agreement;
-            if (NamedGroup.refersToAnECDHCurve(namedGroup))
-            {
-                agreement = crypto.createECDomain(new TlsECConfig(namedGroup)).createECDH();
-            }
-            else if (NamedGroup.refersToASpecificFiniteField(namedGroup))
-            {
-                agreement = crypto.createDHDomain(new TlsDHConfig(namedGroup, true)).createDH();
-            }
-            else if (NamedGroup.refersToASpecificKem(namedGroup))
-            {
-                agreement = crypto.createKemDomain(new TlsKemConfig(namedGroup, true)).createKem();
-            }
-            else
+
+            TlsAgreement agreement = TlsUtils.createKeyShare(crypto, namedGroup, true);
+            if (agreement == null)
             {
                 throw new TlsFatalAlert(AlertDescription.internal_error);
             }
 
@@ -40,6 +40,7 @@
 import org.bouncycastle.tls.crypto.TlsEncryptor;
 import org.bouncycastle.tls.crypto.TlsHash;
 import org.bouncycastle.tls.crypto.TlsHashOutputStream;
+import org.bouncycastle.tls.crypto.TlsHybridAgreement;
 import org.bouncycastle.tls.crypto.TlsKemConfig;
 import org.bouncycastle.tls.crypto.TlsSecret;
 import org.bouncycastle.tls.crypto.TlsStreamSigner;
@@ -1149,7 +1150,7 @@ public static void addIfSupported(Vector supportedAlgs, TlsCrypto crypto, Signat
 
     public static void addIfSupported(Vector supportedGroups, TlsCrypto crypto, int namedGroup)
     {
-        if (crypto.hasNamedGroup(namedGroup))
+        if (isSupportedNamedGroup(crypto, namedGroup))
         {
             supportedGroups.addElement(Integers.valueOf(namedGroup));
         }
@@ -4449,6 +4450,17 @@ public static boolean isSupportedKeyExchange(TlsCrypto crypto, int keyExchangeAl
         }
     }
 
+    public static boolean isSupportedNamedGroup(TlsCrypto crypto, int namedGroup)
+    {
+        if (!NamedGroup.refersToASpecificHybrid(namedGroup))
+        {
+            return crypto.hasNamedGroup(namedGroup);
+        }
+
+        return crypto.hasNamedGroup(NamedGroup.getHybridFirst(namedGroup))
+            && crypto.hasNamedGroup(NamedGroup.getHybridSecond(namedGroup));
+    }
+
     static boolean hasAnyRSASigAlgs(TlsCrypto crypto)
     {
         return crypto.hasSignatureAlgorithm(SignatureAlgorithm.rsa)
@@ -5362,45 +5374,79 @@ private static void collectKeyShares(TlsCrypto crypto, int[] supportedGroups, Ve
             int supportedGroup = supportedGroups[i];
             Integer supportedGroupElement = Integers.valueOf(supportedGroup);
 
-            if (!keyShareGroups.contains(supportedGroupElement)
-                || clientAgreements.containsKey(supportedGroupElement)
-                || !crypto.hasNamedGroup(supportedGroup))
+            if (!keyShareGroups.contains(supportedGroupElement) ||
+                clientAgreements.containsKey(supportedGroupElement))
             {
                 continue;
             }
 
-            TlsAgreement agreement = null;
-            if (NamedGroup.refersToAnECDHCurve(supportedGroup))
+            TlsAgreement agreement = createKeyShare(crypto, supportedGroup, false);
+            if (agreement != null)
+            {
+                byte[] key_exchange = agreement.generateEphemeral();
+                KeyShareEntry clientShare = new KeyShareEntry(supportedGroup, key_exchange);
+
+                clientShares.addElement(clientShare);
+                clientAgreements.put(supportedGroupElement, agreement);
+            }
+        }
+    }
+
+    static TlsAgreement createKeyShare(TlsCrypto crypto, int keyShareGroup, boolean isServer)
+    {
+        if (!NamedGroup.refersToASpecificHybrid(keyShareGroup))
+        {
+            return createKeyShareSimple(crypto, keyShareGroup, isServer);
+        }
+
+        int hybridFirst = NamedGroup.getHybridFirst(keyShareGroup);
+        TlsAgreement firstAgreement = createKeyShareSimple(crypto, hybridFirst, isServer);
+        if (firstAgreement == null)
+        {
+            return null;
+        }
+
+        int hybridSecond = NamedGroup.getHybridSecond(keyShareGroup);
+        TlsAgreement secondAgreement = createKeyShareSimple(crypto, hybridSecond, isServer);
+        if (secondAgreement == null)
+        {
+            return null;
+        }
+
+        int peerValueSplit = isServer
+            ? NamedGroup.getHybridSplitClientShare(hybridFirst)
+            : NamedGroup.getHybridSplitServerShare(hybridFirst);
+
+        return new TlsHybridAgreement(crypto, firstAgreement, secondAgreement, peerValueSplit);
+    }
+
+    private static TlsAgreement createKeyShareSimple(TlsCrypto crypto, int keyShareGroup, boolean isServer)
+    {
+        if (crypto.hasNamedGroup(keyShareGroup))
+        {
+            if (NamedGroup.refersToAnECDHCurve(keyShareGroup))
             {
                 if (crypto.hasECDHAgreement())
                 {
-                    agreement = crypto.createECDomain(new TlsECConfig(supportedGroup)).createECDH();
+                    return crypto.createECDomain(new TlsECConfig(keyShareGroup)).createECDH();
                 }
             }
-            else if (NamedGroup.refersToASpecificFiniteField(supportedGroup))
+            else if (NamedGroup.refersToASpecificFiniteField(keyShareGroup))
             {
                 if (crypto.hasDHAgreement())
                 {
-                    agreement = crypto.createDHDomain(new TlsDHConfig(supportedGroup, true)).createDH();
+                    return crypto.createDHDomain(new TlsDHConfig(keyShareGroup, true)).createDH();
                 }
             }
-            else if (NamedGroup.refersToASpecificKem(supportedGroup))
+            else if (NamedGroup.refersToASpecificKem(keyShareGroup))
             {
                 if (crypto.hasKemAgreement())
                 {
-                    agreement = crypto.createKemDomain(new TlsKemConfig(supportedGroup, false)).createKem();
+                    return crypto.createKemDomain(new TlsKemConfig(keyShareGroup, isServer)).createKem();
                 }
             }
-
-            if (null != agreement)
-            {
-                byte[] key_exchange = agreement.generateEphemeral();
-                KeyShareEntry clientShare = new KeyShareEntry(supportedGroup, key_exchange);
-
-                clientShares.addElement(clientShare);
-                clientAgreements.put(supportedGroupElement, agreement);
-            }
         }
+        return null;
     }
 
     static KeyShareEntry selectKeyShare(Vector clientShares, int keyShareGroup)
@@ -5427,25 +5473,10 @@ static KeyShareEntry selectKeyShare(TlsCrypto crypto, ProtocolVersion negotiated
 
                 int group = clientShare.getNamedGroup();
 
-                if (!NamedGroup.canBeNegotiated(group, negotiatedVersion))
-                {
-                    continue;
-                }
-
-                if (!Arrays.contains(serverSupportedGroups, group) ||
-                    !Arrays.contains(clientSupportedGroups, group))
-                {
-                    continue;
-                }
-
-                if (!crypto.hasNamedGroup(group))
-                {
-                    continue;
-                }
-
-                if ((NamedGroup.refersToAnECDHCurve(group) && crypto.hasECDHAgreement()) ||
-                    (NamedGroup.refersToASpecificFiniteField(group) && crypto.hasDHAgreement()) ||
-                    (NamedGroup.refersToASpecificKem(group) && crypto.hasKemAgreement()))
+                if (NamedGroup.canBeNegotiated(group, negotiatedVersion) &&
+                    Arrays.contains(serverSupportedGroups, group) &&
+                    Arrays.contains(clientSupportedGroups, group) &&
+                    supportsKeyShareGroup(crypto, group))
                 {
                     return clientShare;
                 }
@@ -5463,30 +5494,46 @@ static int selectKeyShareGroup(TlsCrypto crypto, ProtocolVersion negotiatedVersi
             {
                 int group = clientSupportedGroups[i];
 
-                if (!NamedGroup.canBeNegotiated(group, negotiatedVersion))
+                if (NamedGroup.canBeNegotiated(group, negotiatedVersion) &&
+                    Arrays.contains(serverSupportedGroups, group) &&
+                    supportsKeyShareGroup(crypto, group))
                 {
-                    continue;
+                    return group;
                 }
+            }
+        }
+        return -1;
+    }
 
-                if (!Arrays.contains(serverSupportedGroups, group))
-                {
-                    continue;
-                }
+    private static boolean supportsKeyShareGroup(TlsCrypto crypto, int keyShareGroup)
+    {
+        if (!NamedGroup.refersToASpecificHybrid(keyShareGroup))
+        {
+            return supportsKeyShareGroupSimple(crypto, keyShareGroup);
+        }
 
-                if (!crypto.hasNamedGroup(group))
-                {
-                    continue;
-                }
+        return supportsKeyShareGroupSimple(crypto, NamedGroup.getHybridFirst(keyShareGroup))
+            && supportsKeyShareGroupSimple(crypto, NamedGroup.getHybridSecond(keyShareGroup));
+    }
 
-                if ((NamedGroup.refersToAnECDHCurve(group) && crypto.hasECDHAgreement()) ||
-                    (NamedGroup.refersToASpecificFiniteField(group) && crypto.hasDHAgreement()) ||
-                    (NamedGroup.refersToASpecificKem(group) && crypto.hasKemAgreement()))
-                {
-                    return group;
-                }
+    private static boolean supportsKeyShareGroupSimple(TlsCrypto crypto, int keyShareGroup)
+    {
+        if (crypto.hasNamedGroup(keyShareGroup))
+        {
+            if (NamedGroup.refersToAnECDHCurve(keyShareGroup))
+            {
+                return crypto.hasECDHAgreement();
+            }
+            else if (NamedGroup.refersToASpecificFiniteField(keyShareGroup))
+            {
+                return crypto.hasDHAgreement();
+            }
+            else if (NamedGroup.refersToASpecificKem(keyShareGroup))
+            {
+                return crypto.hasKemAgreement();
             }
         }
-        return -1;
+        return false;
     }
 
     static byte[] readEncryptedPMS(TlsContext context, InputStream input) throws IOException
 
@@ -146,6 +146,8 @@ public interface TlsCrypto
      */
     boolean hasSRPAuthentication();
 
+    TlsSecret createHybridSecret(TlsSecret s1, TlsSecret s2);
+
     /**
      * Create a TlsSecret object based on provided data.
      *
Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,8 @@ public interface TlsCrypto`
`146`	`146`	`*/`
`147`	`147`	`boolean hasSRPAuthentication();`
`148`	`148`
	`149`	`+ TlsSecret createHybridSecret(TlsSecret s1, TlsSecret s2);`
	`150`	`+`
`149`	`151`	`/**`
`150`	`152`	`* Create a TlsSecret object based on provided data.`
`151`	`153`	`*`