Deprecate 0xFE30 X25519/Kyber512 code point

This code point falls into the 'private code point' region (RFC 8446 4.2.3) and was used by pq.cloudflareresearch.com for hybrid key exchange using X25519+KyberR3-512.
randombit · Oct 1, 2024 · b5df358 · b5df358
1 parent 0639e82
commit b5df358
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/src/examples/tls_13_hybrid_key_exchange_client.cpp b/src/examples/tls_13_hybrid_key_exchange_client.cpp
@@ -54,15 +54,15 @@ class Client_Policy : public Botan::TLS::Default_Policy {
       // additional to the default (classical) key exchange groups
       std::vector<Botan::TLS::Group_Params> key_exchange_groups() const override {
          auto groups = Botan::TLS::Default_Policy::key_exchange_groups();
-         groups.push_back(Botan::TLS::Group_Params::HYBRID_X25519_KYBER_512_R3_CLOUDFLARE);
+         groups.push_back(Botan::TLS::Group_Params::HYBRID_X25519_KYBER_768_R3_OQS);
          groups.push_back(Botan::TLS::Group_Params::HYBRID_X25519_KYBER_512_R3_OQS);
          return groups;
       }
 
       // Define that the client should exclusively pre-offer hybrid groups
       // in its initial Client Hello.
       std::vector<Botan::TLS::Group_Params> key_exchange_groups_to_offer() const override {
-         return {Botan::TLS::Group_Params::HYBRID_X25519_KYBER_512_R3_CLOUDFLARE,
+         return {Botan::TLS::Group_Params::HYBRID_X25519_KYBER_768_R3_OQS,
                  Botan::TLS::Group_Params::HYBRID_X25519_KYBER_512_R3_OQS};
       }
 };

diff --git a/src/lib/tls/tls_algos.h b/src/lib/tls/tls_algos.h
@@ -113,7 +113,7 @@ enum class Group_Params_Code : uint16_t {
 
    // Cloudflare code points for hybrid PQC
    // https://blog.cloudflare.com/post-quantum-for-all/
-   HYBRID_X25519_KYBER_512_R3_CLOUDFLARE = 0xFE30,
+   HYBRID_X25519_KYBER_512_R3_CLOUDFLARE BOTAN_DEPRECATED("removed without replacement") = 0xFE30,
 
    // libOQS defines those in:
    // https://github.com/open-quantum-safe/oqs-provider/blob/main/ALGORITHMS.md
@@ -213,6 +213,9 @@ class BOTAN_PUBLIC_API(3, 2) Group_Params final {
       constexpr bool is_post_quantum() const { return is_pure_kyber() || is_pure_frodokem() || is_pqc_hybrid(); }
 
       constexpr bool is_pqc_hybrid() const {
+         BOTAN_DIAGNOSTIC_PUSH
+         BOTAN_DIAGNOSTIC_IGNORE_DEPRECATED_DECLARATIONS
+
          return m_code == Group_Params_Code::HYBRID_X25519_KYBER_512_R3_CLOUDFLARE ||
                 m_code == Group_Params_Code::HYBRID_X25519_KYBER_512_R3_OQS ||
                 m_code == Group_Params_Code::HYBRID_X25519_KYBER_768_R3_OQS ||
@@ -231,6 +234,8 @@ class BOTAN_PUBLIC_API(3, 2) Group_Params final {
                 m_code == Group_Params_Code::HYBRID_SECP521R1_KYBER_1024_R3_OQS ||
                 m_code == Group_Params_Code::HYBRID_SECP521R1_eFRODOKEM_1344_SHAKE_OQS ||
                 m_code == Group_Params_Code::HYBRID_SECP521R1_eFRODOKEM_1344_AES_OQS;
+
+         BOTAN_DIAGNOSTIC_POP
       }
 
       constexpr bool is_kem() const { return is_pure_kyber() || is_pure_frodokem() || is_pqc_hybrid(); }

diff --git a/src/scripts/test_cli.py b/src/scripts/test_cli.py
@@ -1323,7 +1323,6 @@ def get_oqs_rootca():
         return get_oqs_resource("/CA.crt")
 
     test_cfg = [
-        TestConfig("pq.cloudflareresearch.com", "x25519/Kyber-512-r3/cloudflare"),
         TestConfig("pq.cloudflareresearch.com", "x25519/Kyber-768-r3"),
         TestConfig("google.com", "x25519/Kyber-768-r3"),