aws · andrewhop · Apr 18, 2025 · Apr 9, 2025 · Apr 10, 2025 · Apr 10, 2025
@@ -56,7 +56,7 @@
 
 /* This file is generated by crypto/obj/objects.go. */
 
-#define NUM_NID 998
+#define NUM_NID 999
 
 static const uint8_t kObjectData[] = {
     /* NID_rsadsi */
@@ -7320,6 +7320,16 @@ static const uint8_t kObjectData[] = {
     0x04,
     0x03,
     0x13,
+    /* NID_SecP384r1MLKEM1024 */
+    0x2b,
+    0x06,
+    0x01,
+    0x04,
+    0x01,
+    0x82,
+    0xc9,
+    0x7b,
+    0x06,
 };
 
 static const ASN1_OBJECT kObjects[NUM_NID] = {
@@ -9005,6 +9015,8 @@ static const ASN1_OBJECT kObjects[NUM_NID] = {
     {"MLDSA65", "MLDSA65", NID_MLDSA65, 9, &kObjectData[6342], 0},
     {"MLDSA87", "MLDSA87", NID_MLDSA87, 9, &kObjectData[6351], 0},
     {"ED25519ph", "ED25519ph", NID_ED25519ph, 0, NULL, 0},
+    {"SecP384r1MLKEM1024", "SecP384r1MLKEM1024", NID_SecP384r1MLKEM1024, 9,
+     &kObjectData[6360], 0},
 };
 
 static const uint16_t kNIDsInShortNameOrder[] = {
@@ -9228,6 +9240,7 @@ static const uint16_t kNIDsInShortNameOrder[] = {
     143 /* SXNetID */,
     981 /* SecP256r1Kyber768Draft00 */,
     992 /* SecP256r1MLKEM768 */,
+    998 /* SecP384r1MLKEM1024 */,
     458 /* UID */,
     948 /* X25519 */,
     982 /* X25519Kyber768Draft00 */,
@@ -10114,6 +10127,7 @@ static const uint16_t kNIDsInLongNameOrder[] = {
     387 /* SNMPv2 */,
     981 /* SecP256r1Kyber768Draft00 */,
     992 /* SecP256r1MLKEM768 */,
+    998 /* SecP384r1MLKEM1024 */,
     512 /* Secure Electronic Transactions */,
     386 /* Security */,
     394 /* Selected Attribute Types */,
@@ -11634,6 +11648,7 @@ static const uint16_t kNIDsInOIDOrder[] = {
     683 /* 1.2.840.10045.1.2.3.3 (OBJ_X9_62_ppBasis) */,
     417 /* 1.3.6.1.4.1.311.17.1 (OBJ_ms_csp_name) */,
     856 /* 1.3.6.1.4.1.311.17.2 (OBJ_LocalKeySet) */,
+    998 /* 1.3.6.1.4.1.42235.6 (OBJ_SecP384r1MLKEM1024) */,
     390 /* 1.3.6.1.4.1.1466.344 (OBJ_dcObject) */,
     91 /* 1.3.6.1.4.1.3029.1.2 (OBJ_bf_cbc) */,
     315 /* 1.3.6.1.5.5.7.5.1.1 (OBJ_id_regCtrl_regToken) */,

@@ -985,3 +985,4 @@ MLDSA44		994
 MLDSA65		995
 MLDSA87		996
 ED25519ph		997
+SecP384r1MLKEM1024		998
@@ -139,6 +139,7 @@ secg-ellipticCurve 39		: sect571r1
 1 3 9999 99 52 : SecP256r1Kyber768Draft00
 1 3 9999 99 54 : X25519MLKEM768
 1 3 9999 99 55 : SecP256r1MLKEM768
+1 3 6 1 4 1 42235 6 : SecP384r1MLKEM1024
 
 # WAP/TLS curve OIDs (http://www.wapforum.org/)
 !Alias wap-wsg-idm-ecid wap-wsg 4

@@ -4382,6 +4382,10 @@ extern "C" {
 #define SN_ED25519ph "ED25519ph"
 #define NID_ED25519ph 997
 
+#define SN_SecP384r1MLKEM1024 "SecP384r1MLKEM1024"
+#define NID_SecP384r1MLKEM1024 998
+#define OBJ_SecP384r1MLKEM1024 1L, 3L, 6L, 1L, 4L, 1L, 42235L, 6L
+
 #if defined(__cplusplus)
 } /* extern C */
 #endif

@@ -636,12 +636,18 @@ class HybridKeyShare : public SSLKeyShare {
      case SSL_GROUP_SECP256R1:
        *out = 1 + (2 * EC_P256R1_FIELD_ELEM_BYTES);
        return true;
+     case SSL_GROUP_SECP384R1:
+       *out = 1 + (2 * EC_P384R1_FIELD_ELEM_BYTES);
+       return true;
      case SSL_GROUP_KYBER768_R3:
        *out = KYBER768_R3_PUBLIC_KEY_BYTES;
        return true;
      case SSL_GROUP_MLKEM768:
        *out = MLKEM768_PUBLIC_KEY_BYTES;
        return true;
+    case SSL_GROUP_MLKEM1024:
+       *out = MLKEM1024_PUBLIC_KEY_BYTES;
+       return true;
      case SSL_GROUP_X25519:
        *out = 32;
        return true;
@@ -656,12 +662,18 @@ class HybridKeyShare : public SSLKeyShare {
      case SSL_GROUP_SECP256R1:
        *out = 1 + (2 * EC_P256R1_FIELD_ELEM_BYTES);
        return true;
+     case SSL_GROUP_SECP384R1:
+       *out = 1 + (2 * EC_P384R1_FIELD_ELEM_BYTES);
+       return true;
      case SSL_GROUP_KYBER768_R3:
        *out = KYBER768_R3_CIPHERTEXT_BYTES;
        return true;
      case SSL_GROUP_MLKEM768:
        *out = MLKEM768_CIPHERTEXT_BYTES;
        return true;
+     case SSL_GROUP_MLKEM1024:
+       *out = MLKEM1024_CIPHERTEXT_BYTES;
+       return true;
      case SSL_GROUP_X25519:
        *out = 32;
        return true;
@@ -686,18 +698,21 @@ CONSTEXPR_ARRAY NamedGroup kNamedGroups[] = {
     {NID_X25519Kyber768Draft00, SSL_GROUP_X25519_KYBER768_DRAFT00, "X25519Kyber768Draft00", ""},
     {NID_SecP256r1MLKEM768, SSL_GROUP_SECP256R1_MLKEM768, "SecP256r1MLKEM768", ""},
     {NID_X25519MLKEM768, SSL_GROUP_X25519_MLKEM768, "X25519MLKEM768", ""},
+    {NID_SecP384r1MLKEM1024, SSL_GROUP_SECP384R1_MLKEM1024, "SecP384r1MLKEM1024", ""},
 };
 
 CONSTEXPR_ARRAY uint16_t kPQGroups[] = {
     SSL_GROUP_KYBER512_R3,
     SSL_GROUP_KYBER768_R3,
     SSL_GROUP_KYBER1024_R3,
+    SSL_GROUP_MLKEM512,
     SSL_GROUP_MLKEM768,
     SSL_GROUP_MLKEM1024,
     SSL_GROUP_SECP256R1_KYBER768_DRAFT00,
     SSL_GROUP_X25519_KYBER768_DRAFT00,
     SSL_GROUP_SECP256R1_MLKEM768,
-    SSL_GROUP_X25519_MLKEM768
+    SSL_GROUP_X25519_MLKEM768,
+    SSL_GROUP_SECP384R1_MLKEM1024,
 };
 
 CONSTEXPR_ARRAY HybridGroup kHybridGroups[] = {
@@ -715,15 +730,13 @@ CONSTEXPR_ARRAY HybridGroup kHybridGroups[] = {
       SSL_GROUP_KYBER768_R3,          // component_group_ids[1]
     },
   },
-
   {
     SSL_GROUP_SECP256R1_MLKEM768,     // group_id
     {
       SSL_GROUP_SECP256R1,         // component_group_ids[0]
       SSL_GROUP_MLKEM768,          // component_group_ids[1]
     },
   },
-
   {
     SSL_GROUP_X25519_MLKEM768,     // group_id
     {
@@ -732,7 +745,14 @@ CONSTEXPR_ARRAY HybridGroup kHybridGroups[] = {
       SSL_GROUP_MLKEM768,          // component_group_ids[0]
       SSL_GROUP_X25519,            // component_group_ids[1]
     },
-  }
+  },
+  {
+    SSL_GROUP_SECP384R1_MLKEM1024,     // group_id
+    {
+      SSL_GROUP_SECP384R1,         // component_group_ids[0]
+      SSL_GROUP_MLKEM1024,         // component_group_ids[1]
+    },
+  },
 };
 
 } // namespace
@@ -773,10 +793,16 @@ UniquePtr<SSLKeyShare> SSLKeyShare::Create(uint16_t group_id) {
       // MLKEM768, as a standalone group, is not a NamedGroup; however, we
       // need to create MLKEM768 key shares as part of hybrid groups.
       return MakeUnique<KEMKeyShare>(NID_MLKEM768, SSL_GROUP_MLKEM768);
+    case SSL_GROUP_MLKEM1024:
+      // MLKEM1024, as a standalone group, is not a NamedGroup; however, we
+      // need to create MLKEM1024 key shares as part of hybrid groups.
+      return MakeUnique<KEMKeyShare>(NID_MLKEM1024, SSL_GROUP_MLKEM1024);
     case SSL_GROUP_SECP256R1_MLKEM768:
       return MakeUnique<HybridKeyShare>(SSL_GROUP_SECP256R1_MLKEM768);
     case SSL_GROUP_X25519_MLKEM768:
       return MakeUnique<HybridKeyShare>(SSL_GROUP_X25519_MLKEM768);
+    case SSL_GROUP_SECP384R1_MLKEM1024:
+      return MakeUnique<HybridKeyShare>(SSL_GROUP_SECP384R1_MLKEM1024);
     default:
       return nullptr;
   }

@@ -670,13 +670,23 @@ static const CurveTest kCurveTests[] = {
       SSL_GROUP_SECP256R1,
     },
   },
+{
+  "SecP384r1MLKEM1024:X25519MLKEM768:SecP256r1MLKEM768",
+  {
+    SSL_GROUP_SECP384R1_MLKEM1024,
+    SSL_GROUP_X25519_MLKEM768,
+    SSL_GROUP_SECP256R1_MLKEM768,
+  },
+},
 };
 
 
 // SECP256R1:     https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8.2
 // X25519:        https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8.2
 static const size_t P256_KEYSHARE_SIZE = ((EC_P256R1_FIELD_ELEM_BYTES * 2) + 1);
 static const size_t P256_SECRET_SIZE = EC_P256R1_FIELD_ELEM_BYTES;
+static const size_t P384_KEYSHARE_SIZE = ((EC_P384R1_FIELD_ELEM_BYTES * 2) + 1);
+static const size_t P384_SECRET_SIZE = EC_P384R1_FIELD_ELEM_BYTES;
 static const size_t X25519_KEYSHARE_SIZE = 32;
 static const size_t X25519_SECRET_SIZE = 32;
 
@@ -762,6 +772,21 @@ static const HybridGroupTest kHybridGroupTests[] = {
       X25519_KEYSHARE_SIZE,           // accept_share_sizes[1]
     },
   },
+  {
+    NID_SecP384r1MLKEM1024,
+    SSL_GROUP_SECP384R1_MLKEM1024,
+    P384_KEYSHARE_SIZE + MLKEM1024_PUBLIC_KEY_BYTES,
+    P384_KEYSHARE_SIZE + MLKEM1024_CIPHERTEXT_BYTES,
+    P384_SECRET_SIZE + MLKEM1024_SHARED_SECRET_LEN,
+    {
+      P384_KEYSHARE_SIZE,             // offer_share_sizes[0]
+      MLKEM1024_PUBLIC_KEY_BYTES,     // offer_share_sizes[1]
+    },
+    {
+      P384_KEYSHARE_SIZE,             // accept_share_sizes[0]
+      MLKEM1024_CIPHERTEXT_BYTES,     // accept_share_sizes[1]
+    },
+  },
 };
 
 static const char *kBadCurvesLists[] = {
@@ -1112,6 +1137,15 @@ static const HybridHandshakeTest kHybridHandshakeTests[] = {
     false,
   },
 
+  {
+    "SecP384r1MLKEM1024",
+    TLS1_3_VERSION,
+    "SecP384r1MLKEM1024",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP384R1_MLKEM1024,
+    false,
+  },
+
   // The client's preferred hybrid group should be negotiated when also
   // supported by the server, even if the server "prefers"/supports other groups.
   {
@@ -1141,6 +1175,24 @@ static const HybridHandshakeTest kHybridHandshakeTests[] = {
     false,
   },
 
+  {
+    "X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024",
+    TLS1_3_VERSION,
+    "SecP384r1MLKEM1024:SecP256r1MLKEM768:X25519MLKEM768",
+    TLS1_3_VERSION,
+    SSL_GROUP_X25519_MLKEM768,
+    false,
+  },
+
+  {
+    "SecP384r1MLKEM1024:SecP256r1MLKEM768:X25519MLKEM768",
+    TLS1_3_VERSION,
+    "X25519MLKEM768:SecP256r1MLKEM768:SecP384r1MLKEM1024",
+    TLS1_3_VERSION,
+    SSL_GROUP_SECP384R1_MLKEM1024,
+    false,
+  },
+
   // The client lists PQ/hybrid groups as both first and second preferences.
   // The key share logic is implemented such that the client will always
   // attempt to send one hybrid key share and one classical key share.
@@ -13130,6 +13182,7 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) {
         EXPECT_TRUE(
           hybrid_group->component_group_ids[i] == SSL_GROUP_KYBER768_R3 ||
           hybrid_group->component_group_ids[i] == SSL_GROUP_MLKEM768 ||
+          hybrid_group->component_group_ids[i] == SSL_GROUP_MLKEM1024 ||
           hybrid_group->component_group_ids[i] == SSL_GROUP_X25519
         );
 
@@ -13149,7 +13202,10 @@ TEST_P(BadHybridKeyShareAcceptTest, BadHybridKeyShareAccept) {
       } else {
         // The Accept() functionality for the NIST curves (e.g. P256) is
         // written so that it will return failure if the key share is invalid.
-        EXPECT_EQ(hybrid_group->component_group_ids[i], SSL_GROUP_SECP256R1);
+        EXPECT_TRUE(
+          hybrid_group->component_group_ids[i] == SSL_GROUP_SECP256R1 ||
+          hybrid_group->component_group_ids[i] == SSL_GROUP_SECP384R1
+        );
         EXPECT_EQ(server_alert, SSL_AD_ILLEGAL_PARAMETER);
       }
 
@@ -13398,6 +13454,7 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) {
         EXPECT_TRUE(
           hybrid_group->component_group_ids[i] == SSL_GROUP_KYBER768_R3 ||
           hybrid_group->component_group_ids[i] == SSL_GROUP_MLKEM768 ||
+          hybrid_group->component_group_ids[i] == SSL_GROUP_MLKEM1024 ||
           hybrid_group->component_group_ids[i] == SSL_GROUP_X25519
         );
 
@@ -13411,7 +13468,10 @@ TEST_P(BadHybridKeyShareFinishTest, BadHybridKeyShareFinish) {
       } else {
         // The Finish() functionality for the NIST curves (e.g. P256) is
         // written so that it will return failure if the key share is invalid.
-        EXPECT_EQ(hybrid_group->component_group_ids[i], SSL_GROUP_SECP256R1);
+        EXPECT_TRUE(
+          hybrid_group->component_group_ids[i] == SSL_GROUP_SECP256R1 ||
+          hybrid_group->component_group_ids[i] == SSL_GROUP_SECP384R1
+        );
         EXPECT_EQ(client_alert, SSL_AD_ILLEGAL_PARAMETER);
       }