OTP-19825

* ingela/ssl/psk-bugs:
  ssl: Add hybrid PQA support
  ssl: pre_shared_key shall be last client hello extension
  ssl: Improve interoperability

Author: IngelaAndin

lib/ssl/src/ssl_handshake.erl

@@ -433,7 +433,7 @@ certificate_verify(Signature, PublicKeyInfo, Version,
     end.
 %%--------------------------------------------------------------------
 -spec verify_signature(ssl_record:ssl_version(), binary(), {term(), term()}, binary(),
-				   public_key_info()) -> true | false.
+                       public_key_info()) -> true | false.
 %%
 %% Description: Checks that a public_key signature is valid.
 %%--------------------------------------------------------------------
@@ -2701,9 +2701,13 @@ encode_psk_binders(Binders) ->
     Len = byte_size(Result),
     <<?UINT16(Len), Result/binary>>.
 
-
 hello_extensions_list(HelloExtensions) ->
-    [Ext || {_, Ext} <- maps:to_list(HelloExtensions), Ext =/= undefined].
+    case maps:take(pre_shared_key, HelloExtensions) of
+        {#pre_shared_key_client_hello{} = PSK, Rest} ->
+            [Ext || {_, Ext} <- maps:to_list(Rest), Ext =/= undefined] ++ [PSK];
+        _ ->
+            [Ext || {_, Ext} <- maps:to_list(HelloExtensions), Ext =/= undefined]
+    end.
 
 %%-------------Decode handshakes---------------------------------
 dec_server_key(<<?UINT16(PLen), P:PLen/binary,
@@ -3127,7 +3131,9 @@ decode_extensions(<<?UINT16(?PRE_SHARED_KEY_EXT), ?UINT16(Len),
                                #pre_shared_key_client_hello{
                                   offered_psks = #offered_psks{
                                                     identities = decode_psk_identities(Identities),
-                                                    binders = decode_psk_binders(Binders)}}});
+                                                    binders = decode_psk_binders(Binders)},
+                                  binder_length = BLen + 2}}
+                     );
 decode_extensions(<<?UINT16(?PRE_SHARED_KEY_EXT), ?UINT16(Len),
                        ExtData:Len/binary, Rest/binary>>,
                   Version, MessageType = server_hello, Acc) ->

lib/ssl/src/tls_client_connection_1_3.erl

@@ -647,7 +647,7 @@ do_handle_exlusive_1_3_hello_or_hello_retry_request(
          connection_states = ConnectionStates0
         } = State0) ->
     {Ref,Maybe} = tls_gen_connection_1_3:do_maybe(),
-                                              try
+    try
         ClientGroups =
             Maybe(tls_handshake_1_3:get_supported_groups(ClientGroups0)),
         Cookie = maps:get(cookie, Extensions, undefined),

lib/ssl/src/tls_handshake_1_3.erl

@@ -1832,28 +1832,11 @@ create_binders(Context, [#ticket_data{
 %% } OfferedPsks;
 truncate_client_hello(HelloBin0) ->
     <<?BYTE(Type), ?UINT24(_Length), Body/binary>> = HelloBin0,
-    CH0 = #client_hello{
-             extensions = #{pre_shared_key := PSK0} = Extensions0} =
+    #client_hello{
+       extensions = #{pre_shared_key := PSK0}} =
         tls_handshake:decode_handshake(?TLS_1_3, Type, Body),
-    #pre_shared_key_client_hello{offered_psks = OfferedPsks0} = PSK0,
-    OfferedPsks = OfferedPsks0#offered_psks{binders = []},
-    PSK = PSK0#pre_shared_key_client_hello{offered_psks = OfferedPsks},
-    Extensions = Extensions0#{pre_shared_key => PSK},
-    CH = CH0#client_hello{extensions = Extensions},
-
-    %% Decoding a ClientHello from an another TLS implementation can contain
-    %% unsupported extensions and thus executing decoding and encoding on
-    %% the input can result in a different handshake binary.
-    %% The original length of the binders can still be determined by
-    %% re-encoding the original ClientHello and using its size as reference
-    %% when we subtract the size of the truncated binary.
-    TruncatedSize = iolist_size(tls_handshake:encode_handshake(CH, ?TLS_1_3)),
-    RefSize = iolist_size(tls_handshake:encode_handshake(CH0, ?TLS_1_3)),
-    BindersSize = RefSize - TruncatedSize,
-
-    %% Return the truncated ClientHello by cutting of the binders from the original
-    %% ClientHello binary.
-    {Truncated, _} = split_binary(HelloBin0, byte_size(HelloBin0) - BindersSize - 2),
+    #pre_shared_key_client_hello{binder_length = BinderLen} = PSK0,
+    {Truncated, _} = split_binary(HelloBin0, byte_size(HelloBin0) - BinderLen),
     Truncated.
 
 maybe_add_early_data_indication(#client_hello{

lib/ssl/src/tls_handshake_1_3.hrl

@@ -117,7 +117,8 @@
 %% } PreSharedKeyExtension;
 -record(pre_shared_key_client_hello,
         {
-         offered_psks
+         offered_psks,
+         binder_length
         }).
 
 -record(pre_shared_key_server_hello,

lib/ssl/test/property_test/ssl_eqc_handshake.erl

@@ -689,7 +689,7 @@ elliptic_curves(Version) when ?TLS_LT(Version, ?TLS_1_3) ->
 
 %% RFC 8446 (TLS 1.3) renamed the "elliptic_curve" extension.
 supported_groups(Version) when ?TLS_GTE(Version, ?TLS_1_3) ->
-    SupportedGroups = tls_v1:groups(),
+    SupportedGroups = tls_v1:groups(),   
     #supported_groups{supported_groups = SupportedGroups}.
 
 
@@ -773,11 +773,30 @@ generate_public_key(Group) when
        Group =:= mlkem1024 ->
     {PublicKey, _} = crypto:generate_key(Group, []),
     PublicKey;
+generate_public_key(x25519mlkem768 = Group) ->
+    {Curve, MLKem} = hybrid_algs(Group),
+    P2 = generate_public_key(Curve),
+    {P1,_} = crypto:generate_key(MLKem, []),
+    <<P1/binary, P2/binary>>;
+generate_public_key(Group) when
+       Group =:= secp256r1mlkem768 orelse
+       Group =:= secp384r1mlkem1024 ->
+    {Curve, MLKem} = hybrid_algs(Group),
+    P1 = generate_public_key(Curve),
+    {P2, _} = crypto:generate_key(MLKem, []),
+    <<P1/binary, P2/binary>>;
 generate_public_key(Group) ->
     {PublicKey, _} =
         public_key:generate_key(ssl_dh_groups:dh_params(Group)),
     PublicKey.
 
+hybrid_algs(x25519mlkem768)->
+    {x25519, mlkem768};
+hybrid_algs(secp256r1mlkem768) ->
+    {secp256r1, mlkem768};
+hybrid_algs(secp384r1mlkem1024) ->
+    {secp384r1, mlkem1024}.
+
 groups() ->
     Max = length(ssl:groups()),
     ?LET(Size, choose(1,Max), group_list(Size)).