mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-03 20:17:36 +03:00
crypto/tls: implement X25519MLKEM768
This makes three related changes that work particularly well together and would require significant extra work to do separately: it replaces X25519Kyber768Draft00 with X25519MLKEM768, it makes CurvePreferences ordering crypto/tls-selected, and applies a preference to PQ key exchange methods over key shares (to mitigate downgrades). TestHandshakeServerUnsupportedKeyShare was removed because we are not rejecting unsupported key shares anymore (nor do we select them, and rejecting them actively is a MAY). It would have been nice to keep the test to check we still continue successfully, but testClientHelloFailure is broken in the face of any server-side behavior which requires writing any other messages back to the client, or reading them. Updates #69985 Fixes #69393 Change-Id: I58de76f5b8742a9bd4543fd7907c48e038507b19 Reviewed-on: https://go-review.googlesource.com/c/go/+/630775 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This commit is contained in:
Filippo Valsorda
Gopher Robot
parent
68e64cfceb
commit
77ea502eee
14 changed files with 177 additions and 206 deletions
|
|
@ -20,6 +20,7 @@ import (
|
|||
"internal/byteorder"
|
||||
"io"
|
||||
"slices"
|
||||
"sort"
|
||||
"time"
|
||||
)
|
||||
|
||||
|
|
@ -195,37 +196,45 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
|
|||
hs.hello.cipherSuite = hs.suite.id
|
||||
hs.transcript = hs.suite.hash.New()
|
||||
|
||||
// Pick the key exchange method in server preference order, but give
|
||||
// priority to key shares, to avoid a HelloRetryRequest round-trip.
|
||||
var selectedGroup CurveID
|
||||
var clientKeyShare *keyShare
|
||||
// First, if a post-quantum key exchange is available, use one. See
|
||||
// draft-ietf-tls-key-share-prediction-01, Section 4 for why this must be
|
||||
// first.
|
||||
//
|
||||
// Second, if the client sent a key share for a group we support, use that,
|
||||
// to avoid a HelloRetryRequest round-trip.
|
||||
//
|
||||
// Finally, pick in our fixed preference order.
|
||||
preferredGroups := c.config.curvePreferences(c.vers)
|
||||
for _, preferredGroup := range preferredGroups {
|
||||
ki := slices.IndexFunc(hs.clientHello.keyShares, func(ks keyShare) bool {
|
||||
return ks.group == preferredGroup
|
||||
})
|
||||
if ki != -1 {
|
||||
clientKeyShare = &hs.clientHello.keyShares[ki]
|
||||
selectedGroup = clientKeyShare.group
|
||||
if !slices.Contains(hs.clientHello.supportedCurves, selectedGroup) {
|
||||
c.sendAlert(alertIllegalParameter)
|
||||
return errors.New("tls: client sent key share for group it does not support")
|
||||
preferredGroups = slices.DeleteFunc(preferredGroups, func(group CurveID) bool {
|
||||
return !slices.Contains(hs.clientHello.supportedCurves, group)
|
||||
})
|
||||
if len(preferredGroups) == 0 {
|
||||
c.sendAlert(alertHandshakeFailure)
|
||||
return errors.New("tls: no key exchanges supported by both client and server")
|
||||
}
|
||||
hasKeyShare := func(group CurveID) bool {
|
||||
for _, ks := range hs.clientHello.keyShares {
|
||||
if ks.group == group {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
sort.SliceStable(preferredGroups, func(i, j int) bool {
|
||||
return hasKeyShare(preferredGroups[i]) && !hasKeyShare(preferredGroups[j])
|
||||
})
|
||||
sort.SliceStable(preferredGroups, func(i, j int) bool {
|
||||
return isPQKeyExchange(preferredGroups[i]) && !isPQKeyExchange(preferredGroups[j])
|
||||
})
|
||||
selectedGroup := preferredGroups[0]
|
||||
|
||||
var clientKeyShare *keyShare
|
||||
for _, ks := range hs.clientHello.keyShares {
|
||||
if ks.group == selectedGroup {
|
||||
clientKeyShare = &ks
|
||||
break
|
||||
}
|
||||
}
|
||||
if selectedGroup == 0 {
|
||||
for _, preferredGroup := range preferredGroups {
|
||||
if slices.Contains(hs.clientHello.supportedCurves, preferredGroup) {
|
||||
selectedGroup = preferredGroup
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
if selectedGroup == 0 {
|
||||
c.sendAlert(alertHandshakeFailure)
|
||||
return errors.New("tls: no ECDHE curve supported by both client and server")
|
||||
}
|
||||
if clientKeyShare == nil {
|
||||
ks, err := hs.doHelloRetryRequest(selectedGroup)
|
||||
if err != nil {
|
||||
|
|
@ -237,13 +246,13 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
|
|||
|
||||
ecdhGroup := selectedGroup
|
||||
ecdhData := clientKeyShare.data
|
||||
if selectedGroup == x25519Kyber768Draft00 {
|
||||
if selectedGroup == X25519MLKEM768 {
|
||||
ecdhGroup = X25519
|
||||
if len(ecdhData) != x25519PublicKeySize+mlkem.EncapsulationKeySize768 {
|
||||
if len(ecdhData) != mlkem.EncapsulationKeySize768+x25519PublicKeySize {
|
||||
c.sendAlert(alertIllegalParameter)
|
||||
return errors.New("tls: invalid Kyber client key share")
|
||||
return errors.New("tls: invalid X25519MLKEM768 client key share")
|
||||
}
|
||||
ecdhData = ecdhData[:x25519PublicKeySize]
|
||||
ecdhData = ecdhData[mlkem.EncapsulationKeySize768:]
|
||||
}
|
||||
if _, ok := curveForCurveID(ecdhGroup); !ok {
|
||||
c.sendAlert(alertInternalError)
|
||||
|
|
@ -265,14 +274,24 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
|
|||
c.sendAlert(alertIllegalParameter)
|
||||
return errors.New("tls: invalid client key share")
|
||||
}
|
||||
if selectedGroup == x25519Kyber768Draft00 {
|
||||
ciphertext, kyberShared, err := kyberEncapsulate(clientKeyShare.data[x25519PublicKeySize:])
|
||||
if selectedGroup == X25519MLKEM768 {
|
||||
k, err := mlkem.NewEncapsulationKey768(clientKeyShare.data[:mlkem.EncapsulationKeySize768])
|
||||
if err != nil {
|
||||
c.sendAlert(alertIllegalParameter)
|
||||
return errors.New("tls: invalid Kyber client key share")
|
||||
return errors.New("tls: invalid X25519MLKEM768 client key share")
|
||||
}
|
||||
hs.sharedKey = append(hs.sharedKey, kyberShared...)
|
||||
hs.hello.serverShare.data = append(hs.hello.serverShare.data, ciphertext...)
|
||||
ciphertext, mlkemSharedSecret := k.Encapsulate()
|
||||
// draft-kwiatkowski-tls-ecdhe-mlkem-02, Section 3.1.3: "For
|
||||
// X25519MLKEM768, the shared secret is the concatenation of the ML-KEM
|
||||
// shared secret and the X25519 shared secret. The shared secret is 64
|
||||
// bytes (32 bytes for each part)."
|
||||
hs.sharedKey = append(mlkemSharedSecret, hs.sharedKey...)
|
||||
// draft-kwiatkowski-tls-ecdhe-mlkem-02, Section 3.1.2: "When the
|
||||
// X25519MLKEM768 group is negotiated, the server's key exchange value
|
||||
// is the concatenation of an ML-KEM ciphertext returned from
|
||||
// encapsulation to the client's encapsulation key, and the server's
|
||||
// ephemeral X25519 share."
|
||||
hs.hello.serverShare.data = append(ciphertext, hs.hello.serverShare.data...)
|
||||
}
|
||||
|
||||
selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, c.quic != nil)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue