enable BoGo tests for X25519/ML-KEM hybrid

randombit · Oct 17, 2024 · 42c73be · 42c73be
1 parent 6900d84
commit 42c73be
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 6 deletions.
diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp
@@ -998,12 +998,18 @@ class Shim_Policy final : public Botan::TLS::Policy {
  groups.push_back(group);
  }
 
- // Given that this is still a draft-standard, we didn't add the
- // hybrid groups to the default policy, yet.
- //
+ // Eventually the pre-standard hybrid exchange using Kyber-R3 will be
+ // retired and removed. Hence, it will likely never be part of the
+ // default `TLS::Policy::key_exchange_groups()`.
+ if(group == Botan::TLS::Group_Params::HYBRID_X25519_KYBER_768_R3_OQS) {
+ groups.push_back(group);
+ }
+
  // TODO: once `TLS::Policy::key_exchange_groups()` contains it by
  // default, remove this explicit check.
- if(group == Botan::TLS::Group_Params::HYBRID_X25519_KYBER_768_R3_OQS) {
+ //
+ // See: https://github.com/randombit/botan/pull/4305
+ if(group == Botan::TLS::Group_Params::HYBRID_X25519_ML_KEM_768) {
  groups.push_back(group);
  }
  }

diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json
@@ -179,8 +179,9 @@
  "Renegotiate-Client-UnfinishedWrite": "BoringSSL specific API test",
  "FailEarlyCallback": "BoringSSL specific API test",
 
- "*MLKEM*": "No support for hybrid key exchange with ML-KEM, yet",
-
+ "MLKEMKeyShareIncludedSecond": "BoringSSL specific policy test (we may offer solo PQ/T groups)",
+ "NotJustMLKEMKeyShare": "BoringSSL specific policy test (we may offer solo PQ/T groups)",
+ "MLKEMKeyShareIncludedThird": "BoringSSL specific policy test (we may offer solo PQ/T groups)",
  "NotJustKyberKeyShare": "BoringSSL specific policy test (we may offer solo PQ/T groups)",
  "KyberKeyShareIncludedSecond": "BoringSSL specific policy test (we may offer solo PQ/T groups)",
  "KyberKeyShareIncludedThird": "BoringSSL specific policy test (we may offer solo PQ/T groups)",