Add reality ML-DSA-65 verification

- Add `mldsa65_verify` option to REALITY outbound configuration.
- Implement ML-DSA-65 signature verification in `VerifyPeerCertificate`
  to verify certificate's extra extensions.
- Add Trace logging for the ML-DSA-65 verification process.
- Add unit tests to verify the ML-DSA-65 signature logic.
- Follow Xray-core PR #4915 implementation.

Author: oluceps

common/tls/reality_client.go

@@ -38,17 +38,20 @@ import (
 	aTLS "github.com/sagernet/sing/common/tls"
 
 	utls "github.com/metacubex/utls"
+	"github.com/cloudflare/circl/sign/mldsa/mldsa65"
 	"golang.org/x/crypto/hkdf"
 	"golang.org/x/net/http2"
 )
 
 var _ ConfigCompat = (*RealityClientConfig)(nil)
 
 type RealityClientConfig struct {
-	ctx       context.Context
-	uClient   *UTLSClientConfig
-	publicKey []byte
-	shortID   [8]byte
+	ctx           context.Context
+	logger        logger.ContextLogger
+	uClient       *UTLSClientConfig
+	publicKey     []byte
+	shortID       [8]byte
+	mldsa65Verify []byte
 }
 
 func NewRealityClient(ctx context.Context, logger logger.ContextLogger, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
@@ -84,7 +87,18 @@ func newRealityClient(ctx context.Context, logger logger.ContextLogger, serverAd
 		return nil, E.New("invalid short_id")
 	}
 
-	var config Config = &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}
+	var mldsa65Verify []byte
+	if options.Reality.Mldsa65Verify != "" {
+		mldsa65Verify, err = base64.RawURLEncoding.DecodeString(options.Reality.Mldsa65Verify)
+		if err != nil {
+			return nil, E.Cause(err, "decode mldsa65_verify")
+		}
+		if len(mldsa65Verify) != 1952 {
+			return nil, E.New("invalid mldsa65_verify")
+		}
+	}
+
+	var config Config = &RealityClientConfig{ctx, logger, uClient.(*UTLSClientConfig), publicKey, shortID, mldsa65Verify}
 	if options.KernelRx || options.KernelTx {
 		if !C.IsLinux {
 			return nil, E.New("kTLS is only supported on Linux")
@@ -133,7 +147,9 @@ func (e *RealityClientConfig) Client(conn net.Conn) (Conn, error) {
 
 func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	verifier := &realityVerifier{
-		serverName: e.uClient.ServerName(),
+		serverName:    e.uClient.ServerName(),
+		mldsa65Verify: e.mldsa65Verify,
+		logger:        e.logger,
 	}
 	uConfig := e.uClient.config.Clone()
 	uConfig.InsecureSkipVerify = true
@@ -268,17 +284,21 @@ func realityClientFallback(ctx context.Context, uConn net.Conn, serverName strin
 func (e *RealityClientConfig) Clone() Config {
 	return &RealityClientConfig{
 		e.ctx,
+		e.logger,
 		e.uClient.Clone().(*UTLSClientConfig),
 		e.publicKey,
 		e.shortID,
+		e.mldsa65Verify,
 	}
 }
 
 type realityVerifier struct {
 	*utls.UConn
-	serverName string
-	authKey    []byte
-	verified   bool
+	serverName    string
+	authKey       []byte
+	verified      bool
+	mldsa65Verify []byte
+	logger        logger.ContextLogger
 }
 
 func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@@ -288,8 +308,46 @@ func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChain
 		h := hmac.New(sha512.New, c.authKey)
 		h.Write(pub)
 		if bytes.Equal(h.Sum(nil), certs[0].Signature) {
-			c.verified = true
-			return nil
+			if len(c.mldsa65Verify) > 0 {
+				if c.logger != nil {
+					c.logger.Trace("REALITY: verifying certificate with ML-DSA-65")
+				}
+				if debug.Enabled {
+					fmt.Printf("REALITY: verifying certificate with ML-DSA-65\n")
+				}
+				if len(certs[0].Extensions) > 0 {
+					h.Write(c.HandshakeState.Hello.Raw)
+					h.Write(c.HandshakeState.ServerHello.Raw)
+					verify, err := mldsa65.Scheme().UnmarshalBinaryPublicKey(c.mldsa65Verify)
+					if err != nil {
+						if c.logger != nil {
+							c.logger.Trace("REALITY: failed to unmarshal ML-DSA-65 public key")
+						}
+						return E.Cause(err, "unmarshal ML-DSA-65 public key")
+					}
+					if mldsa65.Verify(verify.(*mldsa65.PublicKey), h.Sum(nil), nil, certs[0].Extensions[0].Value) {
+						if c.logger != nil {
+							c.logger.Trace("REALITY: ML-DSA-65 verification succeeded")
+						}
+						if debug.Enabled {
+							fmt.Printf("REALITY: ML-DSA-65 verification succeeded\n")
+						}
+						c.verified = true
+						return nil
+					} else {
+						if c.logger != nil {
+							c.logger.Trace("REALITY: ML-DSA-65 verification failed")
+						}
+					}
+				} else {
+					if c.logger != nil {
+						c.logger.Trace("REALITY: certificate has no extensions for ML-DSA-65 signature")
+					}
+				}
+			} else {
+				c.verified = true
+				return nil
+			}
 		}
 	}
 	opts := x509.VerifyOptions{

common/tls/reality_mldsa_test.go

@@ -0,0 +1,80 @@
+//go:build with_utls
+
+package tls
+
+import (
+	"crypto/ed25519"
+	"crypto/hmac"
+	"crypto/sha512"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"reflect"
+	"testing"
+	"unsafe"
+
+	"github.com/cloudflare/circl/sign/mldsa/mldsa65"
+	utls "github.com/metacubex/utls"
+	"github.com/stretchr/testify/require"
+)
+
+func TestMLDSA65Verifier(t *testing.T) {
+	pub, priv, err := mldsa65.GenerateKey(nil)
+	require.NoError(t, err)
+	pubBinary, _ := pub.MarshalBinary()
+
+	// Mock AuthKey and peer cert public key
+	authKey := make([]byte, 32)
+	peerPubKey, _, _ := ed25519.GenerateKey(nil)
+
+	helloRaw := make([]byte, 100)
+	serverHelloRaw := make([]byte, 100)
+
+	h := hmac.New(sha512.New, authKey)
+	h.Write(peerPubKey)
+	certSignature := h.Sum(nil)
+
+	h.Write(helloRaw)
+	h.Write(serverHelloRaw)
+	mldsaMsg := h.Sum(nil)
+
+	scheme := mldsa65.Scheme()
+	mldsaSig := scheme.Sign(priv, mldsaMsg, nil)
+
+	cert := &x509.Certificate{
+		PublicKey: peerPubKey,
+		Signature: certSignature,
+		Extensions: []pkix.Extension{
+			{
+				Id:    []int{1, 2, 3}, // Dummy OID
+				Value: mldsaSig,
+			},
+		},
+	}
+
+	verifier := &realityVerifier{
+		authKey:       authKey,
+		mldsa65Verify: pubBinary,
+		UConn: &utls.UConn{
+			Conn: &utls.Conn{},
+		},
+	}
+
+	// Set peerCertificates using unsafe as sing-box does
+	p, _ := reflect.TypeOf(verifier.Conn).Elem().FieldByName("peerCertificates")
+	*(*([]*x509.Certificate))(unsafe.Pointer(uintptr(unsafe.Pointer(verifier.Conn)) + p.Offset)) = []*x509.Certificate{cert}
+
+	// Use reflection to set Hello and ServerHello since types are not easily nameable
+	hType := reflect.TypeOf(verifier.HandshakeState.Hello).Elem()
+	hVal := reflect.New(hType)
+	hVal.Elem().FieldByName("Raw").SetBytes(helloRaw)
+	reflect.ValueOf(&verifier.HandshakeState).Elem().FieldByName("Hello").Set(hVal)
+
+	shType := reflect.TypeOf(verifier.HandshakeState.ServerHello).Elem()
+	shVal := reflect.New(shType)
+	shVal.Elem().FieldByName("Raw").SetBytes(serverHelloRaw)
+	reflect.ValueOf(&verifier.HandshakeState).Elem().FieldByName("ServerHello").Set(shVal)
+
+	err = verifier.VerifyPeerCertificate(nil, nil)
+	require.NoError(t, err)
+	require.True(t, verifier.verified)
+}

docs/configuration/shared/tls.md

@@ -8,6 +8,7 @@ icon: material/new-box
     :material-plus: [handshake_timeout](#handshake_timeout)  
     :material-plus: [spoof](#spoof)  
     :material-plus: [spoof_method](#spoof_method)  
+    :material-plus: [reality.mldsa65_verify](#mldsa65_verify)  
     :material-delete-clock: [acme](#acme-fields)
 
 !!! quote "Changes in sing-box 1.13.0"
@@ -151,7 +152,8 @@ icon: material/new-box
   "reality": {
     "enabled": false,
     "public_key": "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-    "short_id": "0123456789abcdef"
+    "short_id": "0123456789abcdef",
+    "mldsa65_verify": ""
   }
 }
 ```
@@ -799,3 +801,11 @@ A hexadecimal string with zero to eight digits.
 The maximum time difference between the server and the client.
 
 Check disabled if empty.
+
+#### mldsa65_verify
+
+!!! question "Since sing-box 1.14.0"
+
+==Client only==
+
+A 1952 bytes ML-DSA-65 public key in base64 format, used to verify the additional post-quantum signature in the first certificate extension.

docs/configuration/shared/tls.zh.md

@@ -8,6 +8,7 @@ icon: material/new-box
     :material-plus: [handshake_timeout](#handshake_timeout)  
     :material-plus: [spoof](#spoof)  
     :material-plus: [spoof_method](#spoof_method)  
+    :material-plus: [reality.mldsa65_verify](#mldsa65_verify)  
     :material-delete-clock: [acme](#acme-字段)
 
 !!! quote "sing-box 1.13.0 中的更改"
@@ -151,7 +152,8 @@ icon: material/new-box
   "reality": {
     "enabled": false,
     "public_key": "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-    "short_id": "0123456789abcdef"
+    "short_id": "0123456789abcdef",
+    "mldsa65_verify": ""
   }
 }
 ```
@@ -786,3 +788,11 @@ ACME DNS01 验证字段。如果配置，将禁用其他验证方法。
 服务器和客户端之间的最大时间差。
 
 如果为空则禁用检查。
+
+#### mldsa65_verify
+
+!!! question "自 sing-box 1.14.0 起"
+
+==仅客户端==
+
+Base64 格式的 1952 字节 ML-DSA-65 公钥，用于验证证书第一个扩展中的额外后量子签名。

go.mod

@@ -73,6 +73,7 @@ require (
 	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
 	github.com/coreos/go-oidc/v3 v3.17.0 // indirect
 	github.com/database64128/netx-go v0.1.1 // indirect

go.sum

@@ -24,6 +24,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
 github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
 github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=

option/tls.go

@@ -241,7 +241,8 @@ type OutboundUTLSOptions struct {
 }
 
 type OutboundRealityOptions struct {
-	Enabled   bool   `json:"enabled,omitempty"`
-	PublicKey string `json:"public_key,omitempty"`
-	ShortID   string `json:"short_id,omitempty"`
+	Enabled       bool   `json:"enabled,omitempty"`
+	PublicKey     string `json:"public_key,omitempty"`
+	ShortID       string `json:"short_id,omitempty"`
+	Mldsa65Verify string `json:"mldsa65_verify,omitempty"`
 }