Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

Author: dghgit

tls/src/main/java/org/bouncycastle/jsse/provider/SignatureSchemeInfo.java

@@ -596,11 +596,12 @@ private static int[] createCandidatesDefault()
         {
             int signatureScheme = values[i].signatureScheme;
 
-            /*
-             * SLH-DSA signing is quite slow; users will most likely be interested in it for the certificate
-             * chain, so we'll leave it to them to configure signature_algorithms_cert.
-             */
-            if (!SignatureScheme.isSLHDSA(signatureScheme))
+            if (SignatureScheme.isMLDSA(signatureScheme) ||
+                SignatureScheme.isSLHDSA(signatureScheme))
+            {
+                // For the time being, do not enable stand-alone PQ schemes by default
+            }
+            else
             {
                 result[pos++] = signatureScheme;
             }

tls/src/main/java/org/bouncycastle/tls/DTLSClientProtocol.java

@@ -534,19 +534,27 @@ protected byte[] generateClientHello(ClientHandshakeState state)
             state.clientExtensions.remove(TlsExtensionsUtils.EXT_extended_master_secret);
         }
 
-        // Cipher Suites (and SCSV)
+        // NOT renegotiating
+        if (offeringDTLSv12Minus)
         {
             /*
-             * RFC 5746 3.4. The client MUST include either an empty "renegotiation_info" extension,
-             * or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the
-             * ClientHello. Including both is NOT RECOMMENDED.
+             * RFC 5746 3.4. Client Behavior: Initial Handshake (both full and session-resumption)
+             */
+
+            /*
+             * The client MUST include either an empty "renegotiation_info" extension, or the
+             * TLS_EMPTY_RENEGOTIATION_INFO_SCSV signaling cipher suite value in the ClientHello.
+             * Including both is NOT RECOMMENDED.
              */
-            boolean noRenegExt = (null == TlsUtils.getExtensionData(state.clientExtensions, TlsProtocol.EXT_RenegotiationInfo));
-            boolean noRenegSCSV = !Arrays.contains(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
+            boolean noRenegExt = (null == TlsUtils.getExtensionData(state.clientExtensions,
+                TlsProtocol.EXT_RenegotiationInfo));
+            boolean noRenegSCSV = !Arrays.contains(state.offeredCipherSuites,
+                CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
 
             if (noRenegExt && noRenegSCSV)
             {
-                state.offeredCipherSuites = Arrays.append(state.offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
+                state.offeredCipherSuites = Arrays.append(state.offeredCipherSuites,
+                    CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
             }
         }
 

tls/src/main/java/org/bouncycastle/tls/TlsClientProtocol.java

@@ -1902,8 +1902,6 @@ protected void sendClientHello()
             this.clientExtensions.remove(TlsExtensionsUtils.EXT_extended_master_secret);
         }
 
-        boolean hasRenegSCSV = Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
-
         if (securityParameters.isRenegotiating())
         {
             /*
@@ -1920,7 +1918,7 @@ protected void sendClientHello()
              * The client MUST include the "renegotiation_info" extension in the ClientHello,
              * containing the saved client_verify_data. The SCSV MUST NOT be included.
              */
-            if (hasRenegSCSV)
+            if (Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV))
             {
                 throw new TlsFatalAlert(AlertDescription.internal_error,
                     "Renegotiation cannot use TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
@@ -1930,7 +1928,7 @@ protected void sendClientHello()
 
             this.clientExtensions.put(EXT_RenegotiationInfo, createRenegotiationInfo(saved.getLocalVerifyData()));
         }
-        else
+        else if (offeringTLSv12Minus)
         {
             /*
              * RFC 5746 3.4. Client Behavior: Initial Handshake (both full and session-resumption)
@@ -1942,11 +1940,10 @@ protected void sendClientHello()
              * Including both is NOT RECOMMENDED.
              */
             boolean noRenegExt = (null == TlsUtils.getExtensionData(clientExtensions, EXT_RenegotiationInfo));
-            boolean noRenegSCSV = !hasRenegSCSV;
+            boolean noRenegSCSV = !Arrays.contains(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
 
             if (noRenegExt && noRenegSCSV)
             {
-                // TODO[tls13] Probably want to not add this if no pre-TLSv13 versions offered?
                 offeredCipherSuites = Arrays.append(offeredCipherSuites, CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
             }
         }

tls/src/test/java/org/bouncycastle/jsse/provider/test/MLDSACredentialsTest.java

@@ -22,9 +22,23 @@
 public class MLDSACredentialsTest
     extends TestCase
 {
+    private static final String PROPERTY_CLIENT_SIGNATURE_SCHEMES = "jdk.tls.client.SignatureSchemes";
+    private static final String PROPERTY_SERVER_SIGNATURE_SCHEMES = "jdk.tls.server.SignatureSchemes";
+
     protected void setUp()
     {
         ProviderUtils.setupLowPriority(false);
+
+        String signatureSchemes = "mldsa44, mldsa65, mldsa87";
+
+        System.setProperty(PROPERTY_CLIENT_SIGNATURE_SCHEMES, signatureSchemes);
+        System.setProperty(PROPERTY_SERVER_SIGNATURE_SCHEMES, signatureSchemes);
+    }
+
+    protected void tearDown()
+    {
+        System.clearProperty(PROPERTY_CLIENT_SIGNATURE_SCHEMES);
+        System.clearProperty(PROPERTY_SERVER_SIGNATURE_SCHEMES);
     }
 
     private static final String HOST = "localhost";