feat: generate different ecdhe key for pq key

When the client sends both pq and non-pq keyshares, the ecdhe key was
reused in line with stdlib. However this can be used to fingerprint utls
ClientHellos. Generate different ecdhe keys instead, in line with
Chrome. This will have to change when we support more browsers with
different ways of handling this.

Author: mingyech

handshake_client_tls13.go

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
+	"crypto/ecdh"
 	"crypto/hmac"
 	"crypto/mlkem"
 	"crypto/rsa"
@@ -562,6 +563,22 @@ func (hs *clientHandshakeStateTLS13) processServerHello() error {
 	return nil
 }
 
+// [uTLS] SECTION BEGIN
+func getSharedKey(peerData []byte, key *ecdh.PrivateKey) ([]byte, error) {
+	peerKey, err := key.Curve().NewPublicKey(peerData)
+	if err != nil {
+		return nil, errors.New("tls: invalid server key share")
+	}
+	sharedKey, err := key.ECDH(peerKey)
+	if err != nil {
+		return nil, errors.New("tls: invalid server key share")
+	}
+
+	return sharedKey, nil
+}
+
+// [uTLS] SECTION END
+
 func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
 	c := hs.c
 
@@ -581,13 +598,8 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
 		}
 		ecdhePeerData = hs.serverHello.serverShare.data[:x25519PublicKeySize]
 	}
+	sharedKey, err := getSharedKey(ecdhePeerData, hs.keyShareKeys.ecdhe)
 	// [uTLS] SECTION END
-	peerKey, err := hs.keyShareKeys.ecdhe.Curve().NewPublicKey(ecdhePeerData)
-	if err != nil {
-		c.sendAlert(alertIllegalParameter)
-		return errors.New("tls: invalid server key share")
-	}
-	sharedKey, err := hs.keyShareKeys.ecdhe.ECDH(peerKey)
 	if err != nil {
 		c.sendAlert(alertIllegalParameter)
 		return errors.New("tls: invalid server key share")
@@ -596,6 +608,14 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
 		if hs.keyShareKeys.mlkem == nil {
 			return c.sendAlert(alertInternalError)
 		}
+		// [uTLS] SECTION BEGIN
+		if hs.uconn != nil && hs.uconn.clientHelloBuildStatus == BuildByUtls {
+			if sharedKey, err = getSharedKey(ecdhePeerData, hs.keyShareKeys.mlkemEcdhe); err != nil {
+				c.sendAlert(alertIllegalParameter)
+				return errors.New("tls: invalid server key share")
+			}
+		}
+		// [uTLS] SECTION END
 		ciphertext := hs.serverHello.serverShare.data[:mlkem.CiphertextSize768]
 		mlkemShared, err := hs.keyShareKeys.mlkem.Decapsulate(ciphertext)
 		if err != nil {
@@ -609,6 +629,12 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
 		if hs.keyShareKeys.mlkem == nil {
 			return c.sendAlert(alertInternalError)
 		}
+		if hs.uconn != nil && hs.uconn.clientHelloBuildStatus == BuildByUtls {
+			if sharedKey, err = getSharedKey(ecdhePeerData, hs.keyShareKeys.mlkemEcdhe); err != nil {
+				c.sendAlert(alertIllegalParameter)
+				return errors.New("tls: invalid server key share")
+			}
+		}
 		ciphertext := hs.serverHello.serverShare.data[x25519PublicKeySize:]
 		kyberShared, err := kyberDecapsulate(hs.keyShareKeys.mlkem, ciphertext)
 		if err != nil {

key_schedule.go

@@ -51,9 +51,10 @@ func (c *cipherSuiteTLS13) exportKeyingMaterial(s *tls13.MasterSecret, transcrip
 }
 
 type keySharePrivateKeys struct {
-	curveID CurveID
-	ecdhe   *ecdh.PrivateKey
-	mlkem   *mlkem.DecapsulationKey768
+	curveID    CurveID
+	ecdhe      *ecdh.PrivateKey
+	mlkem      *mlkem.DecapsulationKey768
+	mlkemEcdhe *ecdh.PrivateKey // [uTLS] seperate ecdhe key for pq keyshare in line with Chrome, instead of reusing ecdhe key like stdlib
 }
 
 const x25519PublicKeySize = 32

u_parrots.go

@@ -2830,17 +2830,8 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 					} else {
 						ext.KeyShares[i].Data = append(mlkemKey.EncapsulationKey().Bytes(), ecdheKey.PublicKey().Bytes()...)
 					}
-					if !preferredCurveIsSet {
-						// only do this once for the first non-grease curve
-						uconn.HandshakeState.State13.KeyShareKeys.mlkem = mlkemKey
-						preferredCurveIsSet = true
-					}
-
-					if len(ext.KeyShares) > i+1 && ext.KeyShares[i+1].Group == X25519 {
-						// Reuse the same X25519 ephemeral key for both keyshares, as allowed by draft-ietf-tls-hybrid-design-09, Section 3.2.
-						uconn.HandshakeState.State13.KeyShareKeys.Ecdhe = ecdheKey
-						ext.KeyShares[i+1].Data = ecdheKey.PublicKey().Bytes()
-					}
+					uconn.HandshakeState.State13.KeyShareKeys.mlkem = mlkemKey
+					uconn.HandshakeState.State13.KeyShareKeys.mlkemEcdhe = ecdheKey
 				} else {
 					ecdheKey, err := generateECDHEKey(uconn.config.rand(), curveID)
 					if err != nil {

u_public.go

@@ -888,19 +888,21 @@ func (kpk *kemPrivateKey) ToPublic() *KemPrivateKey {
 }
 
 type KeySharePrivateKeys struct {
-	CurveID CurveID
-	Ecdhe   *ecdh.PrivateKey
-	mlkem   *mlkem.DecapsulationKey768
+	CurveID    CurveID
+	Ecdhe      *ecdh.PrivateKey
+	mlkem      *mlkem.DecapsulationKey768
+	mlkemEcdhe *ecdh.PrivateKey
 }
 
 func (ksp *KeySharePrivateKeys) ToPrivate() *keySharePrivateKeys {
 	if ksp == nil {
 		return nil
 	}
 	return &keySharePrivateKeys{
-		curveID: ksp.CurveID,
-		ecdhe:   ksp.Ecdhe,
-		mlkem:   ksp.mlkem,
+		curveID:    ksp.CurveID,
+		ecdhe:      ksp.Ecdhe,
+		mlkem:      ksp.mlkem,
+		mlkemEcdhe: ksp.mlkemEcdhe,
 	}
 }
 
@@ -909,8 +911,9 @@ func (ksp *keySharePrivateKeys) ToPublic() *KeySharePrivateKeys {
 		return nil
 	}
 	return &KeySharePrivateKeys{
-		CurveID: ksp.curveID,
-		Ecdhe:   ksp.ecdhe,
-		mlkem:   ksp.mlkem,
+		CurveID:    ksp.curveID,
+		Ecdhe:      ksp.ecdhe,
+		mlkem:      ksp.mlkem,
+		mlkemEcdhe: ksp.mlkemEcdhe,
 	}
 }