@@ -364,15 +364,17 @@ Applications can query the capabilities to discover those services.
364364
365365The "TLS-GROUP" capability can be queried by libssl to discover the list of
366366TLS groups that a provider can support. Each group supported can be used for
367- key exchange during a TLS handshake. TLS clients can advertise the list of
368- TLS groups they support in the supported_groups extension, and TLS servers can
369- select a group from the offered list that they also support. In this way a
370- provider can add to the list of groups that libssl already supports with
371- additional ones.
367+ I<key exchange> (KEX) or I<key encapsulation method> (KEM) during a TLS
368+ handshake.
369+ TLS clients can advertise the list of TLS groups they support in the
370+ supported_groups extension, and TLS servers can select a group from the offered
371+ list that they also support. In this way a provider can add to the list of
372+ groups that libssl already supports with additional ones.
372373
373374Each TLS group that a provider supports should be described via the callback
374375passed in through the provider_get_capabilities function. Each group should have
375- the following details supplied (all are mandatory):
376+ the following details supplied (all are mandatory, except
377+ B<OSSL_CAPABILITY_TLS_GROUP_IS_KEM>):
376378
377379=over 4
378380
@@ -393,7 +395,9 @@ The TLS group id value as given in the IANA TLS Supported Groups registry.
393395=item "tls-group-alg" (B<OSSL_CAPABILITY_TLS_GROUP_ALG>) <utf8 string>
394396
395397The name of a Key Management algorithm that the provider offers and that should
396- be used with this group. Keys created should be able to support key exchange.
398+ be used with this group. Keys created should be able to support I<key exchange>
399+ or I<key encapsulation method> (KEM), as implied by the optional
400+ B<OSSL_CAPABILITY_TLS_GROUP_IS_KEM> flag.
397401The algorithm must support key and parameter generation as well as the
398402key/parameter generation parameter, B<OSSL_PKEY_PARAM_GROUP_NAME>. The group
399403name given via "tls-group-name-internal" above will be passed via
@@ -405,6 +409,29 @@ The number of bits of security offered by keys in this group. The number of bits
405409should be comparable with the ones given in table 2 and 3 of the NIST SP800-57
406410document.
407411
412+ =item "tls-group-is-kem" (B<OSSL_CAPABILITY_TLS_GROUP_IS_KEM>) <unsigned integer>
413+
414+ Boolean flag to describe if the group should be used in I<key exchange> (KEX)
415+ mode (0, default) or in I<key encapsulation method> (KEM) mode (1).
416+
417+ This parameter is optional: if not specified, KEX mode is assumed as the default
418+ mode for the group.
419+
420+ In KEX mode, in a typical Diffie-Hellman fashion, both sides execute I<keygen>
421+ then I<derive> against the peer public key. To operate in KEX mode, the group
422+ implementation must support the provider functions as described in
423+ L<provider-keyexch(7)>.
424+
425+ In KEM mode, the client executes I<keygen> and sends its public key, the server
426+ executes I<encapsulate> using the client's public key and sends back the
427+ resulting I<ciphertext>, finally the client executes I<decapsulate> to retrieve
428+ the same I<shared secret> generated by the server's I<encapsulate>. To operate
429+ in KEM mode, the group implementation must support the provider functions as
430+ described in L<provider-kem(7)>.
431+
432+ Both in KEX and KEM mode, the resulting I<shared secret> is then used according
433+ to the protocol specification.
434+
408435=item "tls-min-tls" (B<OSSL_CAPABILITY_TLS_GROUP_MIN_TLS>) <integer>
409436
410437=item "tls-max-tls" (B<OSSL_CAPABILITY_TLS_GROUP_MAX_TLS>) <integer>
0 commit comments