Skip to content

tlshd: Allow the use of post-quantum cryptography #121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Sep 15, 2025
Merged

tlshd: Allow the use of post-quantum cryptography #121

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
6cea3a0
tlshd: deduplicate client and server config functions
scottmayhew Sep 10, 2025
9253f9d
tlshd: Fix priority string to allow PQC
scottmayhew Sep 10, 2025
14f5349
tlshd: Server-side dual certificate support
scottmayhew Sep 11, 2025
facd084
tlshd: Client-side dual certificate support
scottmayhew Sep 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions configure.ac
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,18 @@ AC_CHECK_LIB([gnutls], [gnutls_get_system_config_file],
AC_CHECK_LIB([gnutls], [gnutls_psk_allocate_client_credentials2],
[AC_DEFINE([HAVE_GNUTLS_PSK_ALLOCATE_CREDENTIALS2], [1],
[Define to 1 if you have the gnutls_psk_allocate_client_credentials2 function.])])

AC_MSG_CHECKING(for ML-DSA support in gnutls)
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[ #include <gnutls/gnutls.h> ]],
[[ (void) GNUTLS_SIGN_MLDSA65; ]])],
[ have_mldsa=yes ],
[ have_mldsa=no ])
AC_MSG_RESULT([$have_mldsa])
if test "x$have_mldsa" = xyes ; then
AC_DEFINE([HAVE_GNUTLS_MLDSA], [1], [Define to 1 if gnutls supports ML-DSA])
fi

AC_SUBST([AM_CPPFLAGS])

AC_CONFIG_FILES([Makefile src/Makefile src/tlshd/Makefile systemd/Makefile])
Expand Down
48 changes: 39 additions & 9 deletions src/tlshd/client.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ static int tlshd_client_get_truststore(gnutls_certificate_credentials_t cred)
char *pathname;
int ret;

if (tlshd_config_get_client_truststore(&pathname)) {
if (tlshd_config_get_truststore(PEER_TYPE_CLIENT, &pathname)) {
ret = gnutls_certificate_set_x509_trust_file(cred, pathname,
GNUTLS_X509_FMT_PEM);
free(pathname);
Expand All @@ -60,7 +60,7 @@ static int tlshd_client_get_truststore(gnutls_certificate_credentials_t cred)
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);

if (tlshd_config_get_client_crl(&pathname)) {
if (tlshd_config_get_crl(PEER_TYPE_CLIENT, &pathname)) {
ret = gnutls_certificate_set_x509_crl_file(cred, pathname,
GNUTLS_X509_FMT_PEM);
free(pathname);
Expand Down Expand Up @@ -134,16 +134,21 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
gnutls_certificate_free_credentials(xcred);
}

static gnutls_privkey_t tlshd_pq_privkey;
static gnutls_privkey_t tlshd_privkey;
static unsigned int tlshd_pq_certs_len = TLSHD_MAX_CERTS;
static unsigned int tlshd_certs_len = TLSHD_MAX_CERTS;
static gnutls_pcert_st tlshd_certs[TLSHD_MAX_CERTS];
static gnutls_pk_algorithm_t tlshd_pq_pkalg = GNUTLS_PK_UNKNOWN;

static bool tlshd_x509_client_get_certs(struct tlshd_handshake_parms *parms)
{
if (parms->x509_cert != TLS_NO_CERT)
return tlshd_keyring_get_certs(parms->x509_cert, tlshd_certs,
&tlshd_certs_len);
return tlshd_config_get_client_certs(tlshd_certs, &tlshd_certs_len);
return tlshd_config_get_certs(PEER_TYPE_CLIENT, tlshd_certs,
&tlshd_pq_certs_len, &tlshd_certs_len,
&tlshd_pq_pkalg);
}

static void tlshd_x509_client_put_certs(void)
Expand All @@ -159,12 +164,14 @@ static bool tlshd_x509_client_get_privkey(struct tlshd_handshake_parms *parms)
if (parms->x509_privkey != TLS_NO_PRIVKEY)
return tlshd_keyring_get_privkey(parms->x509_privkey,
&tlshd_privkey);
return tlshd_config_get_client_privkey(&tlshd_privkey);
return tlshd_config_get_privkey(PEER_TYPE_CLIENT, &tlshd_pq_privkey,
&tlshd_privkey);
}

static void tlshd_x509_client_put_privkey(void)
{
gnutls_privkey_deinit(tlshd_privkey);
gnutls_privkey_deinit(tlshd_pq_privkey);
}

static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
Expand Down Expand Up @@ -205,23 +212,46 @@ static void tlshd_x509_log_issuers(const gnutls_datum_t *req_ca_rdn, int nreqs)
static int
tlshd_x509_retrieve_key_cb(gnutls_session_t session,
const gnutls_datum_t *req_ca_rdn, int nreqs,
__attribute__ ((unused)) const gnutls_pk_algorithm_t *pk_algos,
__attribute__ ((unused)) int pk_algos_length,
const gnutls_pk_algorithm_t *pk_algos,
int pk_algos_length,
gnutls_pcert_st **pcert,
unsigned int *pcert_length,
gnutls_privkey_t *privkey)
{
gnutls_certificate_type_t type;
bool use_pq_cert = false;
int i;

tlshd_x509_log_issuers(req_ca_rdn, nreqs);

type = gnutls_certificate_type_get(session);
if (type != GNUTLS_CRT_X509)
return -1;

*pcert_length = tlshd_certs_len;
*pcert = tlshd_certs;
*privkey = tlshd_privkey;
if (tlshd_pq_pkalg != GNUTLS_PK_UNKNOWN) {
for (i = 0; i < pk_algos_length; i++) {
if (pk_algos[i] == tlshd_pq_pkalg) {
use_pq_cert = true;
break;
}
}
if (use_pq_cert == true) {
tlshd_log_debug("%s: Server supports %s", __func__,
gnutls_pk_algorithm_get_name(pk_algos[i]));
}
}

if (use_pq_cert == true) {
tlshd_log_debug("%s: Selecting x509.pq.certificate from conf file", __func__);
*pcert_length = tlshd_pq_certs_len;
*pcert = tlshd_certs;
*privkey = tlshd_pq_privkey;
} else {
tlshd_log_debug("%s: Selecting x509.certificate from conf file", __func__);
*pcert_length = tlshd_certs_len;
*pcert = tlshd_certs + tlshd_pq_certs_len;
*privkey = tlshd_privkey;
}
return 0;
}

Expand Down
Loading