On Tue, 3 Mar 2026 23:08:37 GMT, Hai-May Chao <[email protected]> wrote:
> This change implements behavior required by the specification Post-quantum
> hybrid ECDHE-MLKEM Key Agreement for TLSv1.3. The specification defines
> several validation checks during the hybrid key exchange that require
> aborting the connection with either an illegal_parameter alert or an
> internal_error alert.
>
> Section 4.2, Server share, specifies the following checks:
>
> For all groups, the server MUST perform the encapsulation key check described
> in Section 7.2 of [NIST-FIPS-203] on the client's encapsulation key, and
> abort with an illegal_parameter alert if it fails.
>
> For all groups, the client MUST check if the ciphertext length matches the
> selected group, and abort with an illegal_parameter alert if it fails. If
> ML-KEM decapsulation fails for any other reason, the connection MUST be
> aborted with an internal_error alert.
>
> For all groups, both client and server MUST process the ECDH part as
> described in Section 4.2.8.2 of [RFC8446], including all validity checks, and
> abort with an illegal_parameter alert if it fails.
>
> Section 4.3, Shared secret, specifies the following check:
>
> For all groups, both client and server MUST calculate the ECDH part of the
> shared secret as described in Section 7.4.2 of [RFC8446], including the
> all-zero shared secret check for X25519, and abort the connection with an
> illegal_parameter alert if it fails.
>
> This implementation propagates exceptions raised during ECDH and ML-KEM
> operations on the client and server sides from the Hybrid and DHasKEM classes
> (which implement KEMSpi) to the TLS handshake layer, where they are mapped to
> the corresponding TLS fatal alerts.

This pull request has now been integrated.
Changeset: cf424480
Author:    Hai-May Chao <[email protected]>
URL:       https://git.openjdk.org/jdk/commit/cf424480f42ac220adee7034e0319cee0e9039db
Stats:     78 lines in 2 files changed: 66 ins; 0 del; 12 mod

8375275: Error handling to raise illegal_parameter or internal_error alert in hybrid key exchange

Reviewed-by: wetmore, mpowers

-------------

PR: https://git.openjdk.org/jdk/pull/30039
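The checks the quoted description lists (FIPS 203 Section 7.2 encapsulation key check, ciphertext length per group, the X25519 all-zero shared secret check) and the exception-to-alert mapping, as an added stand-alone example that is not OpenJDK code. The byte lengths are taken from FIPS 203 and the ECDHE-MLKEM draft; the share ordering per group (ML-KEM part first for X25519MLKEM768, ECDH part first for the SecP* groups) and the exception class name are assumptions made for this illustration.

```python
Q = 3329  # ML-KEM modulus (FIPS 203)

# group -> (ML-KEM ek bytes, ML-KEM ciphertext bytes, ECDH public key bytes,
#           ECDH part first in the key share?)  Ordering is an assumption from the draft.
GROUPS = {
    "X25519MLKEM768":     (1184, 1088, 32, False),
    "SecP256r1MLKEM768":  (1184, 1088, 65, True),
    "SecP384r1MLKEM1024": (1568, 1568, 97, True),
}

class IllegalParameterAlert(Exception):
    """Abort the handshake with illegal_parameter (hypothetical class name)."""

def check_encapsulation_key(group: str, ek: bytes) -> None:
    """Server side, FIPS 203 Section 7.2: ek must have the group's length and
    ByteEncode12(ByteDecode12(ek[:-32])) must reproduce ek[:-32], which holds
    exactly when every packed 12-bit coefficient is below q."""
    ek_len = GROUPS[group][0]
    if len(ek) != ek_len:
        raise IllegalParameterAlert(f"ek is {len(ek)} bytes, expected {ek_len}")
    body = ek[:-32]                    # t-hat; the trailing 32 bytes are the seed rho
    for i in range(0, len(body), 3):   # 3 bytes hold two 12-bit coefficients, LSB first
        b0, b1, b2 = body[i], body[i + 1], body[i + 2]
        c0 = b0 | ((b1 & 0x0F) << 8)
        c1 = (b1 >> 4) | (b2 << 4)
        if c0 >= Q or c1 >= Q:
            raise IllegalParameterAlert("ek coefficient not reduced mod q")

def split_server_share(group: str, share: bytes) -> tuple[bytes, bytes]:
    """Client side: enforce the ciphertext length for the selected group and
    return (mlkem_ciphertext, ecdh_public_key)."""
    _, ct_len, ecdh_len, ecdh_first = GROUPS[group]
    if len(share) != ct_len + ecdh_len:
        raise IllegalParameterAlert(f"share is {len(share)} bytes, expected {ct_len + ecdh_len}")
    if ecdh_first:
        return share[ecdh_len:], share[:ecdh_len]
    return share[:ct_len], share[ct_len:]

def check_x25519_shared_secret(secret: bytes) -> None:
    """RFC 8446 Section 7.4.2: an all-zero X25519 output means a low-order peer point."""
    if not any(secret):
        raise IllegalParameterAlert("all-zero X25519 shared secret")

def alert_for(exc: Exception) -> str:
    """Handshake layer: map an exception from the KEM/ECDH step to its TLS alert."""
    return "illegal_parameter" if isinstance(exc, IllegalParameterAlert) else "internal_error"
```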
