Put feature flag back for CECPQ2.

After doing real-world testing against SIKE[1], re-add the feature flag purely to enable CECPQ2, in the hopes of reaching Stable with it. [1] https://www.imperialviolet.org/2019/10/30/pqsivssl.html Bug: 930812 Change-Id: I4b05b5b1eff7288269640496735ae81168920f20 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1904754 Commit-Queue: Adam Langley <agl@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Auto-Submit: Adam Langley <agl@chromium.org> Reviewed-by: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#713689}

Put feature flag back for CECPQ2.
After doing real-world testing against SIKE[1], re-add the feature flag purely to enable CECPQ2, in the hopes of reaching Stable with it. [1] https://www.imperialviolet.org/2019/10/30/pqsivssl.html Bug: 930812 Change-Id: I4b05b5b1eff7288269640496735ae81168920f20 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1904754 Commit-Queue: Adam Langley <agl@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Auto-Submit: Adam Langley <agl@chromium.org> Reviewed-by: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#713689}
2149c30c · Adam Langley · Commit Bot · d047bf91 · 2149c30c · 2149c30c
Commit 2149c30c authored Nov 08, 2019 by Adam Langley Committed by Commit Bot Nov 08, 2019
Showing with 12 additions and 0 deletions

net/base/features.cc net/base/features.cc +3 -0

net/base/features.h net/base/features.h +3 -0

net/socket/ssl_client_socket_impl.cc net/socket/ssl_client_socket_impl.cc +6 -0

No files found.
--- a/net/base/features.cc
+++ b/net/base/features.cc
@@ -42,6 +42,9 @@ const base::Feature kPartitionSSLSessionsByNetworkIsolationKey{
 const base::Feature kTLS13KeyUpdate{"TLS13KeyUpdate",
                                    base::FEATURE_DISABLED_BY_DEFAULT};

+const base::Feature kPostQuantumCECPQ2{"PostQuantumCECPQ2",
+                                       base::FEATURE_DISABLED_BY_DEFAULT};
+
 const base::Feature kNetUnusedIdleSocketTimeout{
    "NetUnusedIdleSocketTimeout", base::FEATURE_DISABLED_BY_DEFAULT};


--- a/net/base/features.h
+++ b/net/base/features.h
@@ -62,6 +62,9 @@ NET_EXPORT extern const base::Feature
 // servers.
 NET_EXPORT extern const base::Feature kTLS13KeyUpdate;

+// Enables CECPQ2, a post-quantum key-agreement, in TLS 1.3 connections.
+NET_EXPORT extern const base::Feature kPostQuantumCECPQ2;
+
 // Changes the timeout after which unused sockets idle sockets are cleaned up.
 NET_EXPORT extern const base::Feature kNetUnusedIdleSocketTimeout;


--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
@@ -323,6 +323,12 @@ class SSLClientSocketImpl::SSLContext {
        ssl_ctx_.get(), TLSEXT_cert_compression_brotli,
        nullptr /* compression not supported */, DecompressBrotliCert);
 #endif
+
+    if (base::FeatureList::IsEnabled(features::kPostQuantumCECPQ2)) {
+      static const int kCurves[] = {NID_CECPQ2, NID_X25519,
+                                    NID_X9_62_prime256v1, NID_secp384r1};
+      SSL_CTX_set1_curves(ssl_ctx_.get(), kCurves, base::size(kCurves));
+    }
  }

  static int ClientCertRequestCallback(SSL* ssl, void* arg) {