Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 21 additions & 1 deletion auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,13 @@ func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc c
if !ed25519.Verify(pubKey, signed, sig) {
return errors.New("Ed25519 verification failure")
}
case signatureMLDSA:
if hashFunc != directSigning {
return errors.New("tls: ML-DSA must use direct signing")
}
if err := verifyMLDSAHandshakeSignature(pubkey, signed, sig); err != nil {
return err
}
case signaturePKCS1v15:
pubKey, ok := pubkey.(*rsa.PublicKey)
if !ok {
Expand Down Expand Up @@ -105,6 +112,8 @@ func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType
sigType = signatureECDSA
case Ed25519:
sigType = signatureEd25519
case MLDSA44, MLDSA65, MLDSA87:
sigType = signatureMLDSA
default:
return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm)
}
Expand All @@ -119,6 +128,8 @@ func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType
hash = crypto.SHA512
case Ed25519:
hash = directSigning
case MLDSA44, MLDSA65, MLDSA87:
hash = directSigning
default:
return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm)
}
Expand All @@ -141,6 +152,9 @@ func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash c
// complexity, so we can't even test it properly.
return 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2")
default:
if isMLDSAPublicKey(pub) {
return 0, 0, errors.New("tls: ML-DSA public keys are not supported before TLS 1.3")
}
return 0, 0, fmt.Errorf("tls: unsupported public key: %T", pub)
}
}
Expand Down Expand Up @@ -211,7 +225,10 @@ func signatureSchemesForCertificate(version uint16, cert *Certificate) []Signatu
case ed25519.PublicKey:
sigAlgs = []SignatureScheme{Ed25519}
default:
return nil
sigAlgs = signatureSchemesForMLDSAPublicKey(version, pub)
if sigAlgs == nil {
return nil
}
}

if cert.SupportedSignatureAlgorithms != nil {
Expand Down Expand Up @@ -284,6 +301,9 @@ func unsupportedCertificateError(cert *Certificate) error {
return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms")
case ed25519.PublicKey:
default:
if err := unsupportedMLDSACertificateError(pub); err != nil {
return err
}
return fmt.Errorf("tls: unsupported certificate key (%T)", pub)
}

Expand Down
38 changes: 37 additions & 1 deletion auth_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,42 @@ func TestLegacyTypeAndHash(t *testing.T) {
}
}

func TestMLDSASignatureSchemeUsesDirectSigning(t *testing.T) {
for _, sigAlg := range []SignatureScheme{MLDSA44, MLDSA65, MLDSA87} {
sigType, hash, err := typeAndHashFromSignatureScheme(sigAlg)
if err != nil {
t.Fatalf("typeAndHashFromSignatureScheme(%v) returned error: %v", sigAlg, err)
}
if sigType != signatureMLDSA {
t.Fatalf("typeAndHashFromSignatureScheme(%v) signature type = %#x, want %#x", sigAlg, sigType, signatureMLDSA)
}
if hash != directSigning {
t.Fatalf("typeAndHashFromSignatureScheme(%v) hash = %#x, want directSigning", sigAlg, hash)
}
}
}

func TestDefaultSupportedSignatureAlgorithmsFollowGoMLDSASupport(t *testing.T) {
for _, sigAlg := range []SignatureScheme{MLDSA44, MLDSA65, MLDSA87} {
got := isSupportedSignatureAlgorithm(sigAlg, supportedSignatureAlgorithms())
if got != goMLDSASupported() {
t.Fatalf("default support for %v = %v, want %v", sigAlg, got, goMLDSASupported())
}
}
}

func TestSupportedSignatureAlgorithmsForVersionGatesMLDSA(t *testing.T) {
for _, sigAlg := range []SignatureScheme{MLDSA44, MLDSA65, MLDSA87} {
if isSupportedSignatureAlgorithm(sigAlg, supportedSignatureAlgorithmsForVersion(VersionTLS12)) {
t.Fatalf("%v advertised for TLS 1.2", sigAlg)
}
gotTLS13 := isSupportedSignatureAlgorithm(sigAlg, supportedSignatureAlgorithmsForVersion(VersionTLS13))
if gotTLS13 != goMLDSASupported() {
t.Fatalf("TLS 1.3 support for %v = %v, want %v", sigAlg, gotTLS13, goMLDSASupported())
}
}
}

// TestSupportedSignatureAlgorithms checks that all supportedSignatureAlgorithms
// have valid type and hash information.
func TestSupportedSignatureAlgorithms(t *testing.T) {
Expand All @@ -168,7 +204,7 @@ func TestSupportedSignatureAlgorithms(t *testing.T) {
if sigType == 0 {
t.Errorf("%v: missing signature type", sigAlg)
}
if hash == 0 && sigAlg != Ed25519 {
if hash == 0 && sigAlg != Ed25519 && !isMLDSASignatureScheme(sigAlg) {
t.Errorf("%v: missing hash", sigAlg)
}
}
Expand Down
2 changes: 1 addition & 1 deletion cache.go
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ func (cc *certCache) newCert(der []byte) (*activeCert, error) {
return cc.active(entry.(*cacheEntry)), nil
}

cert, err := x509.ParseCertificate(der)
cert, err := parseCertificate(der)
if err != nil {
return nil, err
}
Expand Down
37 changes: 33 additions & 4 deletions common.go
Original file line number Diff line number Diff line change
Expand Up @@ -206,12 +206,13 @@ const (
signatureRSAPSS
signatureECDSA
signatureEd25519
signatureMLDSA
signatureEdDilithium3
)

// directSigning is a standard Hash value that signals that no pre-hashing
// should be performed, and that the input should be signed directly. It is the
// hash function associated with the Ed25519 signature scheme.
// hash function associated with the Ed25519 and ML-DSA signature schemes.
var directSigning crypto.Hash = 0

// helloRetryRequestRandom is set as the Random value of a ServerHello
Expand Down Expand Up @@ -414,6 +415,11 @@ const (
// EdDSA algorithms.
Ed25519 SignatureScheme = 0x0807

// ML-DSA algorithms.
MLDSA44 SignatureScheme = 0x0904
MLDSA65 SignatureScheme = 0x0905
MLDSA87 SignatureScheme = 0x0906

// Legacy signature and hash algorithms for TLS 1.2.
PKCS1WithSHA1 SignatureScheme = 0x0201
ECDSAWithSHA1 SignatureScheme = 0x0203
Expand Down Expand Up @@ -914,6 +920,10 @@ type Config struct {
// autoSessionTicketKeys is like sessionTicketKeys but is owned by the
// auto-rotation logic. See Config.ticketKeys.
autoSessionTicketKeys []ticketKey

// testingOnlyForceSignatureAlgorithms freezes signature_algorithms output
// for recorded wire tests whose testdata predates newer default algorithms.
testingOnlyForceSignatureAlgorithms []SignatureScheme
}

// EncryptedClientHelloKey holds a private key that is associated
Expand Down Expand Up @@ -1018,6 +1028,7 @@ func (c *Config) Clone() *Config {
EncryptedClientHelloKeys: c.EncryptedClientHelloKeys,
sessionTicketKeys: c.sessionTicketKeys,
autoSessionTicketKeys: c.autoSessionTicketKeys,
testingOnlyForceSignatureAlgorithms: c.testingOnlyForceSignatureAlgorithms,

PreferSkipResumptionOnNilExtension: c.PreferSkipResumptionOnNilExtension, // [UTLS]
}
Expand Down Expand Up @@ -1532,7 +1543,7 @@ func (cri *CertificateRequestInfo) SupportsCertificate(c *Certificate) error {
// chain.Leaf was nil.
if j != 0 || x509Cert == nil {
var err error
if x509Cert, err = x509.ParseCertificate(cert); err != nil {
if x509Cert, err = parseCertificate(cert); err != nil {
return fmt.Errorf("failed to parse certificate #%d in the chain: %w", j, err)
}
}
Expand Down Expand Up @@ -1602,7 +1613,8 @@ var writerMutex sync.Mutex
type Certificate struct {
Certificate [][]byte
// PrivateKey contains the private key corresponding to the public key in
// Leaf. This must implement crypto.Signer with an RSA, ECDSA or Ed25519 PublicKey.
// Leaf. This must implement crypto.Signer with an RSA, ECDSA, Ed25519, or
// ML-DSA PublicKey.
// For a server up to TLS 1.2, it can also implement crypto.Decrypter with
// an RSA PublicKey.
PrivateKey crypto.PrivateKey
Expand All @@ -1627,7 +1639,7 @@ func (c *Certificate) leaf() (*x509.Certificate, error) {
if c.Leaf != nil {
return c.Leaf, nil
}
return x509.ParseCertificate(c.Certificate[0])
return parseCertificate(c.Certificate[0])
}

type handshakeMessage interface {
Expand Down Expand Up @@ -1741,6 +1753,23 @@ func supportedSignatureAlgorithms() []SignatureScheme {
// [uTLS] SECTION END
}

func supportedSignatureAlgorithmsForVersion(maxVersion uint16) []SignatureScheme {
sigAlgs := supportedSignatureAlgorithms()
if maxVersion >= VersionTLS13 {
return sigAlgs
}
return slices.DeleteFunc(slices.Clone(sigAlgs), isMLDSASignatureScheme)
}

func isMLDSASignatureScheme(sigAlg SignatureScheme) bool {
switch sigAlg {
case MLDSA44, MLDSA65, MLDSA87:
return true
default:
return false
}
}

func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlgorithms []SignatureScheme) bool {
for _, s := range supportedSignatureAlgorithms {
if s == sigAlg {
Expand Down
8 changes: 8 additions & 0 deletions common_string.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions defaults.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ func defaultCurvePreferences() []CurveID {
// the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+
// CertificateRequest. The two fields are merged to match with TLS 1.3.
// Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
var defaultSupportedSignatureAlgorithms = []SignatureScheme{
var defaultSupportedSignatureAlgorithms = append(defaultMLDSASignatureAlgorithms(),
PSSWithSHA256,
ECDSAWithP256AndSHA256,
Ed25519,
Expand All @@ -43,7 +43,7 @@ var defaultSupportedSignatureAlgorithms = []SignatureScheme{
ECDSAWithP521AndSHA512,
PKCS1WithSHA1,
ECDSAWithSHA1,
}
)

// [uTLS section begins]
// var tlsrsakex = godebug.New("tlsrsakex")
Expand Down
9 changes: 9 additions & 0 deletions dicttls/signaturescheme.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,9 @@ const (
SigScheme_ecdsa_brainpoolP256r1tls13_sha256 uint16 = 0x081A
SigScheme_ecdsa_brainpoolP384r1tls13_sha384 uint16 = 0x081B
SigScheme_ecdsa_brainpoolP512r1tls13_sha512 uint16 = 0x081C
SigScheme_mldsa44 uint16 = 0x0904
SigScheme_mldsa65 uint16 = 0x0905
SigScheme_mldsa87 uint16 = 0x0906
)

var DictSignatureSchemeValueIndexed = map[uint16]string{
Expand Down Expand Up @@ -75,6 +78,9 @@ var DictSignatureSchemeValueIndexed = map[uint16]string{
0x081A: "ecdsa_brainpoolP256r1tls13_sha256",
0x081B: "ecdsa_brainpoolP384r1tls13_sha384",
0x081C: "ecdsa_brainpoolP512r1tls13_sha512",
0x0904: "mldsa44",
0x0905: "mldsa65",
0x0906: "mldsa87",
}

var DictSignatureSchemeNameIndexed = map[string]uint16{
Expand Down Expand Up @@ -113,4 +119,7 @@ var DictSignatureSchemeNameIndexed = map[string]uint16{
"ecdsa_brainpoolP256r1tls13_sha256": 0x081A,
"ecdsa_brainpoolP384r1tls13_sha384": 0x081B,
"ecdsa_brainpoolP512r1tls13_sha512": 0x081C,
"mldsa44": 0x0904,
"mldsa65": 0x0905,
"mldsa87": 0x0906,
}
11 changes: 6 additions & 5 deletions go.mod
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
module github.com/refraction-networking/utls

go 1.24
go 1.24.0

retract (
v1.4.1 // #218
Expand All @@ -9,10 +9,11 @@ retract (

require (
github.com/andybalholm/brotli v1.0.6
github.com/cloudflare/circl v1.6.4
github.com/klauspost/compress v1.17.4
golang.org/x/crypto v0.36.0
golang.org/x/net v0.38.0
golang.org/x/sys v0.31.0
golang.org/x/crypto v0.45.0
golang.org/x/net v0.47.0
golang.org/x/sys v0.38.0
)

require golang.org/x/text v0.23.0 // indirect
require golang.org/x/text v0.31.0 // indirect
18 changes: 10 additions & 8 deletions go.sum
Original file line number Diff line number Diff line change
@@ -1,12 +1,14 @@
github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
github.com/cloudflare/circl v1.6.4 h1:pOXuDTCEYyzydgUpQ0CQz3LsinKjiSk6nNP5Lt5K64U=
github.com/cloudflare/circl v1.6.4/go.mod h1:YxarevkLlbaHuWsxG6vmYNWBEsSp4pnp7j+4VljMavY=
github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
14 changes: 12 additions & 2 deletions handshake_client.go
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,10 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, *keySharePrivateKeys, *echCli
}

if maxVersion >= VersionTLS12 {
hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
hello.supportedSignatureAlgorithms = supportedSignatureAlgorithmsForVersion(maxVersion)
}
if config.testingOnlyForceSignatureAlgorithms != nil {
hello.supportedSignatureAlgorithms = config.testingOnlyForceSignatureAlgorithms
}
if testingOnlyForceClientHelloSignatureAlgorithms != nil {
hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms
Expand Down Expand Up @@ -1217,10 +1220,17 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
}
}

switch certs[0].PublicKey.(type) {
switch pub := certs[0].PublicKey.(type) {
case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey:
break
default:
if isMLDSAPublicKey(pub) {
if c.vers < VersionTLS13 {
c.sendAlert(alertUnsupportedCertificate)
return errors.New("tls: ML-DSA certificates require TLS 1.3")
}
break
}
c.sendAlert(alertUnsupportedCertificate)
return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
}
Expand Down
Loading