This change implements behavior required by the specification Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3. The specification defines several validation checks during the hybrid key exchange that require aborting the connection with either an illegal_parameter alert or an internal_error alert.
Section 4.2, Server share, specifies the following checks:

- For all groups, the server MUST perform the encapsulation key check described in Section 7.2 of [NIST-FIPS-203] on the client’s encapsulation key, and abort with an illegal_parameter alert if it fails.
- For all groups, the client MUST check if the ciphertext length matches the selected group, and abort with an illegal_parameter alert if it fails. If ML-KEM decapsulation fails for any other reason, the connection MUST be aborted with an internal_error alert.
- For all groups, both client and server MUST process the ECDH part as described in Section 4.2.8.2 of [RFC8446], including all validity checks, and abort with an illegal_parameter alert if it fails.

Section 4.3, Shared secret, specifies the following check:

- For all groups, both client and server MUST calculate the ECDH part of the shared secret as described in Section 7.4.2 of [RFC8446], including the all-zero shared secret check for X25519, and abort the connection with an illegal_parameter alert if it fails.

This implementation propagates exceptions raised during ECDH and ML-KEM operations on the client and server sides from the Hybrid and DHasKEM classes (which implement KEMSpi) to the TLS handshake layer, where they are mapped to the corresponding TLS fatal alerts.

-------------

Commit messages:
 - Restore to throw DecapsulateException for invalid encapsulation length
 - 8375275: Error handling to raise illegal_parameter or internal_error alert in hybrid key exchange

Changes: https://git.openjdk.org/jdk/pull/30039/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=30039&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8375275
  Stats: 81 lines in 2 files changed: 69 ins; 0 del; 12 mod
  Patch: https://git.openjdk.org/jdk/pull/30039.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/30039/head:pull/30039

PR: https://git.openjdk.org/jdk/pull/30039
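The three checks quoted above (FIPS 203 Section 7.2 encapsulation key check, ML-KEM ciphertext length, all-zero X25519 output) and the exception-to-alert mapping the PR describes, as an added Python model that is not OpenJDK code. The constants come from FIPS 203; the TLSAlert class, run_check helper and the GROUPS table are constructed for this illustration.

```python
# Added example (not OpenJDK code): the checks quoted above and the exception
# -> alert mapping the PR describes. Constants follow FIPS 203; rest constructed.
ILLEGAL_PARAMETER = "illegal_parameter"
INTERNAL_ERROR = "internal_error"
Q = 3329  # ML-KEM modulus (FIPS 203)
# Hybrid group -> ML-KEM k and ciphertext length (FIPS 203 Table 3)
GROUPS = {"X25519MLKEM768": (3, 1088), "SecP256r1MLKEM768": (3, 1088),
          "SecP384r1MLKEM1024": (4, 1568)}

class TLSAlert(Exception):
    """Assumed exception type carrying the TLS alert description to send."""
    def __init__(self, alert: str, reason: str):
        super().__init__(f"{alert}: {reason}")
        self.alert = alert

def check_encapsulation_key(ek: bytes, k: int) -> None:
    """FIPS 203 Section 7.2: ek is exactly 384k+32 bytes and every 12-bit
    coefficient of the packed t-hat is < q (so ByteEncode(ByteDecode(ek))
    == ek). The trailing 32 bytes (rho) are not constrained."""
    if len(ek) != 384 * k + 32:
        raise TLSAlert(ILLEGAL_PARAMETER, "bad encapsulation key length")
    t_hat = ek[:384 * k]
    for i in range(0, len(t_hat), 3):  # ByteDecode_12: 3 bytes -> 2 coeffs
        b0, b1, b2 = t_hat[i], t_hat[i + 1], t_hat[i + 2]
        c0 = b0 | ((b1 & 0x0F) << 8)
        c1 = (b1 >> 4) | (b2 << 4)
        if c0 >= Q or c1 >= Q:
            raise TLSAlert(ILLEGAL_PARAMETER, "non-canonical coefficient")

def check_ciphertext_length(ct: bytes, group: str) -> None:
    """Draft Section 4.2: the client checks the ML-KEM ciphertext length."""
    if len(ct) != GROUPS[group][1]:
        raise TLSAlert(ILLEGAL_PARAMETER, "bad ML-KEM ciphertext length")

def check_x25519_shared_secret(ss: bytes) -> None:
    """Draft Section 4.3 / RFC 8446 7.4.2: all-zero X25519 output (low-order
    peer point) aborts with illegal_parameter."""
    if len(ss) != 32 or not any(ss):
        raise TLSAlert(ILLEGAL_PARAMETER, "all-zero X25519 shared secret")

def run_check(check, *args):
    """Handshake-layer mapping: TLSAlert -> that alert name; any other
    failure raised by the KEM/ECDH layer -> internal_error; success -> None."""
    try:
        check(*args)
        return None
    except TLSAlert as e:
        return e.alert
    except Exception:  # e.g. a decapsulation failure other than length
        return INTERNAL_ERROR
```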
