X25519Kyber768Draft00 named group not being picked up by boringssl static #863

Open
jmcrawford45 opened this issue Mar 19, 2024 · 9 comments

Comments

@jmcrawford45

I am setting System.setProperty("jdk.tls.namedGroups", "X25519Kyber768Draft00"); on 2.0.65.Final for my application, but when I trace the code to setCurvesList0, I get false instead of true. I would expect this named group to be configured when requested, which is consistent with what I get when running e.g. ./bssl client -curves X25519Kyber768Draft00 -connect localhost:4433 -debug. Is there some additional property I need to set to get X25519Kyber768Draft00 recognized as a supported group?

@normanmaurer
Member

I don't think we respect this property in our implement... Maybe something we should do tho

@jmcrawford45
Author

jmcrawford45 commented Mar 19, 2024

@normanmaurer I see you added a related commit for this in https://github.com/netty/netty/pull/11660/files. I'm curious what else would need to be added, as it seems the referenced PR adds this support. I also see the property parsed and passed all the way down to the native entry point, but setCurvesList0 fails on "X25519Kyber768Draft00", while it passes on all other supported bssl NamedGroups.

@normanmaurer
Member

Oh, so I already implemented it 🤣... maybe support is not present in the chromium-stable branch of boringssl?

@jmcrawford45
Author

I'm able to spin up a server and client with chromium-stable@{'3 months ago'} and use them with e.g. ./bssl client -curves X25519Kyber768Draft00 -connect localhost:4433 -debug

@normanmaurer
Member

I can have a look but it might take me a while ...

@jmcrawford45
Author

Thank you so much, please let me know if I can provide any additional context. I've been debugging this for a while, and my best guess at this point is that the ssl context created by Openssl.java excludes Kyber from the supported curves list field which causes the setCurve call to fail.

@jmcrawford45
Author

@normanmaurer I'm checking back in on this issue, please let me know if there's any way I can help with debugging.

@normanmaurer
Member

@jmcrawford45 unfortunately I have not had time yet to investigate :/

@jmcrawford45
Author

@normanmaurer I'm checking back in on this issue, please let me know if there's any way I can help with debugging. Given the recent NIST standardization, there is a growing interest in the ability to configure these algorithms.
