2009-11-03 02:25:20 +00:00
|
|
|
// Copyright 2009 The Go Authors. All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style
|
|
|
|
// license that can be found in the LICENSE file.
|
|
|
|
|
|
|
|
package tls
|
|
|
|
|
|
|
|
import (
|
2014-01-22 23:24:03 +00:00
|
|
|
"container/list"
|
2011-12-19 15:39:30 +00:00
|
|
|
"crypto"
|
2016-11-07 18:25:57 +00:00
|
|
|
"crypto/internal/cipherhw"
|
2010-04-05 22:38:02 +01:00
|
|
|
"crypto/rand"
|
2015-04-18 02:32:11 +01:00
|
|
|
"crypto/sha512"
|
2011-03-10 15:22:53 +00:00
|
|
|
"crypto/x509"
|
2015-04-13 00:41:31 +01:00
|
|
|
"errors"
|
2014-02-12 16:20:01 +00:00
|
|
|
"fmt"
|
2009-12-15 23:33:31 +00:00
|
|
|
"io"
|
2013-07-17 17:33:16 +01:00
|
|
|
"math/big"
|
2016-10-19 14:21:54 +01:00
|
|
|
"net"
|
2011-10-08 15:06:53 +01:00
|
|
|
"strings"
|
2010-08-05 21:14:41 +01:00
|
|
|
"sync"
|
2010-04-05 22:38:02 +01:00
|
|
|
"time"
|
2009-11-03 02:25:20 +00:00
|
|
|
)
|
|
|
|
|
2013-06-05 01:02:22 +01:00
|
|
|
const (
|
2016-11-06 17:01:12 +00:00
|
|
|
VersionSSL30 = 0x0300
|
|
|
|
VersionTLS10 = 0x0301
|
|
|
|
VersionTLS11 = 0x0302
|
|
|
|
VersionTLS12 = 0x0303
|
|
|
|
VersionTLS13 = 0x0304
|
|
|
|
VersionTLS13Draft18 = 0x7f00 | 18
|
2017-11-24 18:10:50 +00:00
|
|
|
VersionTLS13Draft21 = 0x7f00 | 21
|
2013-06-05 01:02:22 +01:00
|
|
|
)
|
|
|
|
|
2009-11-03 02:25:20 +00:00
|
|
|
const (
|
2017-11-03 02:45:04 +00:00
|
|
|
maxPlaintext = 16384 // maximum plaintext payload length
|
|
|
|
maxCiphertext = 16384 + 2048 // maximum ciphertext payload length
|
|
|
|
recordHeaderLen = 5 // record header length
|
|
|
|
maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB)
|
|
|
|
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts
|
2009-11-03 02:25:20 +00:00
|
|
|
|
2014-12-18 19:31:14 +00:00
|
|
|
minVersion = VersionTLS10
|
2013-07-03 00:58:56 +01:00
|
|
|
maxVersion = VersionTLS12
|
2010-04-27 06:19:04 +01:00
|
|
|
)
|
2009-11-03 02:25:20 +00:00
|
|
|
|
|
|
|
// TLS record types.
|
|
|
|
type recordType uint8
|
|
|
|
|
|
|
|
const (
|
2009-12-15 23:33:31 +00:00
|
|
|
recordTypeChangeCipherSpec recordType = 20
|
|
|
|
recordTypeAlert recordType = 21
|
|
|
|
recordTypeHandshake recordType = 22
|
|
|
|
recordTypeApplicationData recordType = 23
|
2009-11-03 02:25:20 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS handshake message types.
|
|
|
|
const (
|
2016-11-19 22:10:00 +00:00
|
|
|
typeHelloRequest uint8 = 0
|
|
|
|
typeClientHello uint8 = 1
|
|
|
|
typeServerHello uint8 = 2
|
|
|
|
typeNewSessionTicket uint8 = 4
|
|
|
|
typeEncryptedExtensions uint8 = 8
|
|
|
|
typeCertificate uint8 = 11
|
|
|
|
typeServerKeyExchange uint8 = 12
|
|
|
|
typeCertificateRequest uint8 = 13
|
|
|
|
typeServerHelloDone uint8 = 14
|
|
|
|
typeCertificateVerify uint8 = 15
|
|
|
|
typeClientKeyExchange uint8 = 16
|
|
|
|
typeFinished uint8 = 20
|
|
|
|
typeCertificateStatus uint8 = 22
|
|
|
|
typeNextProtocol uint8 = 67 // Not IANA assigned
|
2009-11-03 02:25:20 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS compression types.
|
2010-07-14 15:40:15 +01:00
|
|
|
const (
|
2009-12-15 23:33:31 +00:00
|
|
|
compressionNone uint8 = 0
|
2009-11-03 02:25:20 +00:00
|
|
|
)
|
|
|
|
|
2009-12-23 19:13:09 +00:00
|
|
|
// TLS extension numbers
|
2014-01-09 18:38:11 +00:00
|
|
|
const (
|
2013-07-03 00:58:56 +01:00
|
|
|
extensionServerName uint16 = 0
|
|
|
|
extensionStatusRequest uint16 = 5
|
2016-11-19 22:10:00 +00:00
|
|
|
extensionSupportedCurves uint16 = 10 // Supported Groups in 1.3 nomenclature
|
2013-07-03 00:58:56 +01:00
|
|
|
extensionSupportedPoints uint16 = 11
|
|
|
|
extensionSignatureAlgorithms uint16 = 13
|
2014-08-05 19:36:20 +01:00
|
|
|
extensionALPN uint16 = 16
|
2015-04-16 19:59:22 +01:00
|
|
|
extensionSCT uint16 = 18 // https://tools.ietf.org/html/rfc6962#section-6
|
2013-07-03 00:58:56 +01:00
|
|
|
extensionSessionTicket uint16 = 35
|
2016-11-19 22:10:00 +00:00
|
|
|
extensionKeyShare uint16 = 40
|
2016-11-21 22:24:45 +00:00
|
|
|
extensionPreSharedKey uint16 = 41
|
2016-11-25 21:46:50 +00:00
|
|
|
extensionEarlyData uint16 = 42
|
2016-11-19 22:10:00 +00:00
|
|
|
extensionSupportedVersions uint16 = 43
|
2016-11-21 22:24:45 +00:00
|
|
|
extensionPSKKeyExchangeModes uint16 = 45
|
|
|
|
extensionTicketEarlyDataInfo uint16 = 46
|
2013-07-03 00:58:56 +01:00
|
|
|
extensionNextProtoNeg uint16 = 13172 // not IANA assigned
|
2014-01-09 18:38:11 +00:00
|
|
|
extensionRenegotiationInfo uint16 = 0xff01
|
|
|
|
)
|
|
|
|
|
|
|
|
// TLS signaling cipher suite values
|
|
|
|
const (
|
|
|
|
scsvRenegotiation uint16 = 0x00ff
|
2010-12-16 22:10:50 +00:00
|
|
|
)
|
|
|
|
|
2016-11-21 22:24:45 +00:00
|
|
|
// PSK Key Exchange Modes
|
|
|
|
// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
|
|
|
|
const (
|
|
|
|
pskDHEKeyExchange uint8 = 1
|
|
|
|
)
|
|
|
|
|
2014-02-24 22:57:51 +00:00
|
|
|
// CurveID is the type of a TLS identifier for an elliptic curve. See
|
2010-12-16 22:10:50 +00:00
|
|
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
|
2016-11-19 22:10:00 +00:00
|
|
|
//
|
|
|
|
// TLS 1.3 refers to these as Groups, but this library implements only
|
|
|
|
// curve-based ones anyway. See https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4.
|
2014-02-24 22:57:51 +00:00
|
|
|
type CurveID uint16
|
|
|
|
|
2014-01-09 18:38:11 +00:00
|
|
|
const (
|
2014-02-24 22:57:51 +00:00
|
|
|
CurveP256 CurveID = 23
|
|
|
|
CurveP384 CurveID = 24
|
|
|
|
CurveP521 CurveID = 25
|
2016-10-11 02:23:37 +01:00
|
|
|
X25519 CurveID = 29
|
2010-12-16 22:10:50 +00:00
|
|
|
)
|
|
|
|
|
2016-11-19 22:10:00 +00:00
|
|
|
// TLS 1.3 Key Share
|
|
|
|
// See https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.5
|
|
|
|
type keyShare struct {
|
|
|
|
group CurveID
|
|
|
|
data []byte
|
|
|
|
}
|
|
|
|
|
2016-11-21 22:24:45 +00:00
|
|
|
// TLS 1.3 PSK Identity and Binder, as sent by the client
|
|
|
|
// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
|
|
|
|
|
|
|
|
type psk struct {
|
|
|
|
identity []byte
|
|
|
|
obfTicketAge uint32
|
|
|
|
binder []byte
|
|
|
|
}
|
|
|
|
|
2010-12-16 22:10:50 +00:00
|
|
|
// TLS Elliptic Curve Point Formats
|
|
|
|
// http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9
|
2014-01-09 18:38:11 +00:00
|
|
|
const (
|
2010-12-16 22:10:50 +00:00
|
|
|
pointFormatUncompressed uint8 = 0
|
2010-07-14 15:40:15 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
// TLS CertificateStatusType (RFC 3546)
|
|
|
|
const (
|
|
|
|
statusTypeOCSP uint8 = 1
|
2009-12-23 19:13:09 +00:00
|
|
|
)
|
|
|
|
|
2010-08-16 16:22:22 +01:00
|
|
|
// Certificate types (for certificateRequestMsg)
|
|
|
|
const (
|
|
|
|
certTypeRSASign = 1 // A certificate containing an RSA key
|
|
|
|
certTypeDSSSign = 2 // A certificate containing a DSA key
|
|
|
|
certTypeRSAFixedDH = 3 // A certificate containing a static DH key
|
2011-05-18 18:14:56 +01:00
|
|
|
certTypeDSSFixedDH = 4 // A certificate containing a static DH key
|
2013-07-17 17:33:16 +01:00
|
|
|
|
2016-04-12 20:58:56 +01:00
|
|
|
// See RFC 4492 sections 3 and 5.5.
|
2013-07-17 17:33:16 +01:00
|
|
|
certTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.
|
|
|
|
certTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA.
|
|
|
|
certTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.
|
|
|
|
|
2010-08-16 16:22:22 +01:00
|
|
|
// Rest of these are reserved by the TLS spec
|
|
|
|
)
|
|
|
|
|
2013-07-03 00:58:56 +01:00
|
|
|
// Signature algorithms for TLS 1.2 (See RFC 5246, section A.4.1)
|
|
|
|
const (
|
2017-11-22 19:27:20 +00:00
|
|
|
signaturePKCS1v15 uint8 = iota + 1
|
|
|
|
signatureECDSA
|
|
|
|
signatureRSAPSS
|
2013-07-03 00:58:56 +01:00
|
|
|
)
|
|
|
|
|
crypto/tls: decouple handshake signatures from the handshake hash.
Prior to TLS 1.2, the handshake had a pleasing property that one could
incrementally hash it and, from that, get the needed hashes for both
the CertificateVerify and Finished messages.
TLS 1.2 introduced negotiation for the signature and hash and it became
possible for the handshake hash to be, say, SHA-384, but for the
CertificateVerify to sign the handshake with SHA-1. The problem is that
one doesn't know in advance which hashes will be needed and thus the
handshake needs to be buffered.
Go ignored this, always kept a single handshake hash, and any signatures
over the handshake had to use that hash.
However, there are a set of servers that inspect the client's offered
signature hash functions and will abort the handshake if one of the
server's certificates is signed with a hash function outside of that
set. https://robertsspaceindustries.com/ is an example of such a server.
Clearly not a lot of thought happened when that server code was written,
but its out there and we have to deal with it.
This change decouples the handshake hash from the CertificateVerify
hash. This lays the groundwork for advertising support for SHA-384 but
doesn't actually make that change in the interests of reviewability.
Updating the advertised hash functions will cause changes in many of the
testdata/ files and some errors might get lost in the noise. This change
only needs to update four testdata/ files: one because a SHA-384-based
handshake is now being signed with SHA-256 and the others because the
TLS 1.2 CertificateRequest message now includes SHA-1.
This change also has the effect of adding support for
client-certificates in SSLv3 servers. However, SSLv3 is now disabled by
default so this should be moot.
It would be possible to avoid much of this change and just support
SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces
and SKX params (a design mistake in TLS). However, that would leave Go
in the odd situation where it advertised support for SHA-384, but would
only use the handshake hash when signing client certificates. I fear
that'll just cause problems in the future.
Much of this code was written by davidben@ for the purposes of testing
BoringSSL.
Partly addresses #9757
Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485
Reviewed-on: https://go-review.googlesource.com/9415
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-28 17:13:38 +01:00
|
|
|
// supportedSignatureAlgorithms contains the signature and hash algorithms that
|
|
|
|
// the code advertises as supported in a TLS 1.2 ClientHello and in a TLS 1.2
|
2017-09-07 17:50:10 +01:00
|
|
|
// CertificateRequest. The two fields are merged to match with TLS 1.3.
|
|
|
|
// Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
|
|
|
|
var supportedSignatureAlgorithms = []SignatureScheme{
|
|
|
|
PKCS1WithSHA256,
|
|
|
|
ECDSAWithP256AndSHA256,
|
|
|
|
PKCS1WithSHA384,
|
|
|
|
ECDSAWithP384AndSHA384,
|
2017-10-31 23:43:05 +00:00
|
|
|
PKCS1WithSHA512,
|
|
|
|
ECDSAWithP521AndSHA512,
|
2017-09-07 17:50:10 +01:00
|
|
|
PKCS1WithSHA1,
|
|
|
|
ECDSAWithSHA1,
|
2013-10-21 21:35:09 +01:00
|
|
|
}
|
|
|
|
|
2017-11-27 16:44:01 +00:00
|
|
|
// supportedSignatureAlgorithms13 lists the advertised signature algorithms
|
|
|
|
// allowed for digital signatures. It includes TLS 1.2 + PSS.
|
|
|
|
var supportedSignatureAlgorithms13 = []SignatureScheme{
|
|
|
|
PSSWithSHA256,
|
|
|
|
PKCS1WithSHA256,
|
|
|
|
ECDSAWithP256AndSHA256,
|
|
|
|
PSSWithSHA384,
|
|
|
|
PKCS1WithSHA384,
|
|
|
|
ECDSAWithP384AndSHA384,
|
|
|
|
PSSWithSHA512,
|
|
|
|
PKCS1WithSHA512,
|
|
|
|
ECDSAWithP521AndSHA512,
|
|
|
|
PKCS1WithSHA1,
|
|
|
|
ECDSAWithSHA1,
|
|
|
|
}
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
// ConnectionState records basic TLS details about the connection.
|
2009-11-03 02:25:20 +00:00
|
|
|
type ConnectionState struct {
|
2016-11-05 00:07:36 +00:00
|
|
|
ConnectionID []byte // Random unique connection id
|
2015-04-16 19:59:22 +01:00
|
|
|
Version uint16 // TLS version used by the connection (e.g. VersionTLS12)
|
|
|
|
HandshakeComplete bool // TLS handshake is complete
|
|
|
|
DidResume bool // connection resumes a previous TLS connection
|
|
|
|
CipherSuite uint16 // cipher suite in use (TLS_RSA_WITH_RC4_128_SHA, ...)
|
2017-01-29 08:18:17 +00:00
|
|
|
NegotiatedProtocol string // negotiated next protocol (not guaranteed to be from Config.NextProtos)
|
|
|
|
NegotiatedProtocolIsMutual bool // negotiated protocol was advertised by server (client side only)
|
2015-04-16 19:59:22 +01:00
|
|
|
ServerName string // server name requested by client, if any (server side only)
|
|
|
|
PeerCertificates []*x509.Certificate // certificate chain presented by remote peer
|
|
|
|
VerifiedChains [][]*x509.Certificate // verified chains built from PeerCertificates
|
|
|
|
SignedCertificateTimestamps [][]byte // SCTs from the server, if any
|
2015-04-26 17:05:37 +01:00
|
|
|
OCSPResponse []byte // stapled OCSP response from server, if any
|
2014-08-12 00:40:42 +01:00
|
|
|
|
|
|
|
// TLSUnique contains the "tls-unique" channel binding value (see RFC
|
|
|
|
// 5929, section 3). For resumed sessions this value will be nil
|
|
|
|
// because resumption does not include enough context (see
|
2017-01-30 12:11:01 +00:00
|
|
|
// https://mitls.org/pages/attacks/3SHAKE#channelbindings). This will
|
|
|
|
// change in future versions of Go once the TLS master-secret fix has
|
|
|
|
// been standardized and implemented.
|
2014-08-12 00:40:42 +01:00
|
|
|
TLSUnique []byte
|
2016-11-05 00:07:36 +00:00
|
|
|
|
2016-11-25 21:46:50 +00:00
|
|
|
// HandshakeConfirmed is true once all data returned by Read
|
|
|
|
// (past and future) is guaranteed not to be replayed.
|
|
|
|
HandshakeConfirmed bool
|
|
|
|
|
2017-02-09 20:50:39 +00:00
|
|
|
// Unique0RTTToken is a value that never repeats, and can be used
|
|
|
|
// to detect replay attacks against 0-RTT connections.
|
|
|
|
// Unique0RTTToken is only present if HandshakeConfirmed is false.
|
|
|
|
Unique0RTTToken []byte
|
|
|
|
|
2016-11-05 00:07:36 +00:00
|
|
|
ClientHello []byte // ClientHello packet
|
2009-11-03 02:25:20 +00:00
|
|
|
}
|
|
|
|
|
2012-01-05 17:05:38 +00:00
|
|
|
// ClientAuthType declares the policy the server will follow for
|
|
|
|
// TLS Client Authentication.
|
|
|
|
type ClientAuthType int
|
|
|
|
|
|
|
|
const (
|
|
|
|
NoClientCert ClientAuthType = iota
|
|
|
|
RequestClientCert
|
|
|
|
RequireAnyClientCert
|
|
|
|
VerifyClientCertIfGiven
|
|
|
|
RequireAndVerifyClientCert
|
|
|
|
)
|
|
|
|
|
2014-01-22 23:24:03 +00:00
|
|
|
// ClientSessionState contains the state needed by clients to resume TLS
|
|
|
|
// sessions.
|
|
|
|
type ClientSessionState struct {
|
2015-08-05 14:53:56 +01:00
|
|
|
sessionTicket []uint8 // Encrypted ticket used for session resumption with server
|
|
|
|
vers uint16 // SSL/TLS version negotiated for the session
|
|
|
|
cipherSuite uint16 // Ciphersuite negotiated for the session
|
|
|
|
masterSecret []byte // MasterSecret generated by client on a full handshake
|
|
|
|
serverCertificates []*x509.Certificate // Certificate chain presented by the server
|
|
|
|
verifiedChains [][]*x509.Certificate // Certificate chains we built for verification
|
2014-01-22 23:24:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// ClientSessionCache is a cache of ClientSessionState objects that can be used
|
|
|
|
// by a client to resume a TLS session with a given server. ClientSessionCache
|
|
|
|
// implementations should expect to be called concurrently from different
|
2017-02-08 17:47:34 +00:00
|
|
|
// goroutines. Only ticket-based resumption is supported, not SessionID-based
|
|
|
|
// resumption.
|
2014-01-22 23:24:03 +00:00
|
|
|
type ClientSessionCache interface {
|
|
|
|
// Get searches for a ClientSessionState associated with the given key.
|
|
|
|
// On return, ok is true if one was found.
|
|
|
|
Get(sessionKey string) (session *ClientSessionState, ok bool)
|
|
|
|
|
|
|
|
// Put adds the ClientSessionState to the cache with the given key.
|
|
|
|
Put(sessionKey string, cs *ClientSessionState)
|
|
|
|
}
|
|
|
|
|
2016-10-26 20:30:30 +01:00
|
|
|
// SignatureScheme identifies a signature algorithm supported by TLS. See
|
|
|
|
// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.3.
|
|
|
|
type SignatureScheme uint16
|
|
|
|
|
|
|
|
const (
|
|
|
|
PKCS1WithSHA1 SignatureScheme = 0x0201
|
|
|
|
PKCS1WithSHA256 SignatureScheme = 0x0401
|
|
|
|
PKCS1WithSHA384 SignatureScheme = 0x0501
|
|
|
|
PKCS1WithSHA512 SignatureScheme = 0x0601
|
|
|
|
|
|
|
|
PSSWithSHA256 SignatureScheme = 0x0804
|
|
|
|
PSSWithSHA384 SignatureScheme = 0x0805
|
|
|
|
PSSWithSHA512 SignatureScheme = 0x0806
|
|
|
|
|
|
|
|
ECDSAWithP256AndSHA256 SignatureScheme = 0x0403
|
|
|
|
ECDSAWithP384AndSHA384 SignatureScheme = 0x0503
|
|
|
|
ECDSAWithP521AndSHA512 SignatureScheme = 0x0603
|
2017-09-07 17:50:10 +01:00
|
|
|
|
|
|
|
// Legacy signature and hash algorithms for TLS 1.2.
|
|
|
|
ECDSAWithSHA1 SignatureScheme = 0x0203
|
2016-10-26 20:30:30 +01:00
|
|
|
)
|
|
|
|
|
2014-08-06 19:22:00 +01:00
|
|
|
// ClientHelloInfo contains information from a ClientHello message in order to
|
|
|
|
// guide certificate selection in the GetCertificate callback.
|
|
|
|
type ClientHelloInfo struct {
|
|
|
|
// CipherSuites lists the CipherSuites supported by the client (e.g.
|
|
|
|
// TLS_RSA_WITH_RC4_128_SHA).
|
|
|
|
CipherSuites []uint16
|
|
|
|
|
|
|
|
// ServerName indicates the name of the server requested by the client
|
|
|
|
// in order to support virtual hosting. ServerName is only set if the
|
|
|
|
// client is using SNI (see
|
|
|
|
// http://tools.ietf.org/html/rfc4366#section-3.1).
|
|
|
|
ServerName string
|
|
|
|
|
|
|
|
// SupportedCurves lists the elliptic curves supported by the client.
|
|
|
|
// SupportedCurves is set only if the Supported Elliptic Curves
|
|
|
|
// Extension is being used (see
|
|
|
|
// http://tools.ietf.org/html/rfc4492#section-5.1.1).
|
|
|
|
SupportedCurves []CurveID
|
|
|
|
|
|
|
|
// SupportedPoints lists the point formats supported by the client.
|
|
|
|
// SupportedPoints is set only if the Supported Point Formats Extension
|
|
|
|
// is being used (see
|
|
|
|
// http://tools.ietf.org/html/rfc4492#section-5.1.2).
|
|
|
|
SupportedPoints []uint8
|
2016-10-19 14:21:54 +01:00
|
|
|
|
|
|
|
// SignatureSchemes lists the signature and hash schemes that the client
|
|
|
|
// is willing to verify. SignatureSchemes is set only if the Signature
|
|
|
|
// Algorithms Extension is being used (see
|
|
|
|
// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1).
|
2016-10-26 20:30:30 +01:00
|
|
|
SignatureSchemes []SignatureScheme
|
2016-10-19 14:21:54 +01:00
|
|
|
|
|
|
|
// SupportedProtos lists the application protocols supported by the client.
|
|
|
|
// SupportedProtos is set only if the Application-Layer Protocol
|
|
|
|
// Negotiation Extension is being used (see
|
|
|
|
// https://tools.ietf.org/html/rfc7301#section-3.1).
|
|
|
|
//
|
|
|
|
// Servers can select a protocol by setting Config.NextProtos in a
|
|
|
|
// GetConfigForClient return value.
|
|
|
|
SupportedProtos []string
|
|
|
|
|
|
|
|
// SupportedVersions lists the TLS versions supported by the client.
|
|
|
|
// For TLS versions less than 1.3, this is extrapolated from the max
|
|
|
|
// version advertised by the client, so values other than the greatest
|
|
|
|
// might be rejected if used.
|
|
|
|
SupportedVersions []uint16
|
|
|
|
|
|
|
|
// Conn is the underlying net.Conn for the connection. Do not read
|
|
|
|
// from, or write to, this connection; that will cause the TLS
|
|
|
|
// connection to fail.
|
|
|
|
Conn net.Conn
|
2016-11-25 21:46:50 +00:00
|
|
|
|
|
|
|
// Offered0RTTData is true if the client announced that it will send
|
|
|
|
// 0-RTT data. If the server Config.Accept0RTTData is true, and the
|
|
|
|
// client offered a session ticket valid for that purpose, it will
|
|
|
|
// be notified that the 0-RTT data is accepted and it will be made
|
|
|
|
// immediately available for Read.
|
|
|
|
Offered0RTTData bool
|
|
|
|
|
|
|
|
// The Fingerprint is an sequence of bytes unique to this Client Hello.
|
|
|
|
// It can be used to prevent or mitigate 0-RTT data replays as it's
|
|
|
|
// guaranteed that a replayed connection will have the same Fingerprint.
|
|
|
|
Fingerprint []byte
|
2014-08-06 19:22:00 +01:00
|
|
|
}
|
|
|
|
|
2016-10-26 18:05:03 +01:00
|
|
|
// CertificateRequestInfo contains information from a server's
|
|
|
|
// CertificateRequest message, which is used to demand a certificate and proof
|
|
|
|
// of control from a client.
|
|
|
|
type CertificateRequestInfo struct {
|
|
|
|
// AcceptableCAs contains zero or more, DER-encoded, X.501
|
|
|
|
// Distinguished Names. These are the names of root or intermediate CAs
|
|
|
|
// that the server wishes the returned certificate to be signed by. An
|
|
|
|
// empty slice indicates that the server has no preference.
|
|
|
|
AcceptableCAs [][]byte
|
|
|
|
|
|
|
|
// SignatureSchemes lists the signature schemes that the server is
|
|
|
|
// willing to verify.
|
|
|
|
SignatureSchemes []SignatureScheme
|
|
|
|
}
|
|
|
|
|
2016-04-26 18:45:35 +01:00
|
|
|
// RenegotiationSupport enumerates the different levels of support for TLS
|
|
|
|
// renegotiation. TLS renegotiation is the act of performing subsequent
|
|
|
|
// handshakes on a connection after the first. This significantly complicates
|
|
|
|
// the state machine and has been the source of numerous, subtle security
|
|
|
|
// issues. Initiating a renegotiation is not supported, but support for
|
|
|
|
// accepting renegotiation requests may be enabled.
|
|
|
|
//
|
|
|
|
// Even when enabled, the server may not change its identity between handshakes
|
|
|
|
// (i.e. the leaf certificate must be the same). Additionally, concurrent
|
|
|
|
// handshake and application data flow is not permitted so renegotiation can
|
|
|
|
// only be used with protocols that synchronise with the renegotiation, such as
|
|
|
|
// HTTPS.
|
|
|
|
type RenegotiationSupport int
|
|
|
|
|
|
|
|
const (
|
|
|
|
// RenegotiateNever disables renegotiation.
|
|
|
|
RenegotiateNever RenegotiationSupport = iota
|
|
|
|
|
|
|
|
// RenegotiateOnceAsClient allows a remote server to request
|
|
|
|
// renegotiation once per connection.
|
|
|
|
RenegotiateOnceAsClient
|
|
|
|
|
|
|
|
// RenegotiateFreelyAsClient allows a remote server to repeatedly
|
|
|
|
// request renegotiation.
|
|
|
|
RenegotiateFreelyAsClient
|
|
|
|
)
|
|
|
|
|
2014-03-20 15:32:06 +00:00
|
|
|
// A Config structure is used to configure a TLS client or server.
|
|
|
|
// After one has been passed to a TLS function it must not be
|
|
|
|
// modified. A Config may be reused; the tls package will also not
|
|
|
|
// modify it.
|
2009-11-03 02:25:20 +00:00
|
|
|
type Config struct {
|
|
|
|
// Rand provides the source of entropy for nonces and RSA blinding.
|
2010-12-07 21:15:15 +00:00
|
|
|
// If Rand is nil, TLS uses the cryptographic random reader in package
|
|
|
|
// crypto/rand.
|
2014-03-20 15:32:06 +00:00
|
|
|
// The Reader must be safe for use by multiple goroutines.
|
2009-12-15 23:33:31 +00:00
|
|
|
Rand io.Reader
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2009-11-03 02:25:20 +00:00
|
|
|
// Time returns the current time as the number of seconds since the epoch.
|
2012-01-05 17:05:38 +00:00
|
|
|
// If Time is nil, TLS uses time.Now.
|
2011-11-30 17:01:46 +00:00
|
|
|
Time func() time.Time
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2016-10-26 18:05:03 +01:00
|
|
|
// Certificates contains one or more certificate chains to present to
|
|
|
|
// the other side of the connection. Server configurations must include
|
|
|
|
// at least one certificate or else set GetCertificate. Clients doing
|
|
|
|
// client-authentication may set either Certificates or
|
|
|
|
// GetClientCertificate.
|
2009-12-15 23:33:31 +00:00
|
|
|
Certificates []Certificate
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2011-10-08 15:06:53 +01:00
|
|
|
// NameToCertificate maps from a certificate name to an element of
|
|
|
|
// Certificates. Note that a certificate name can be of the form
|
|
|
|
// '*.example.com' and so doesn't have to be a domain name as such.
|
|
|
|
// See Config.BuildNameToCertificate
|
|
|
|
// The nil value causes the first element of Certificates to be used
|
|
|
|
// for all connections.
|
|
|
|
NameToCertificate map[string]*Certificate
|
|
|
|
|
2014-08-06 19:22:00 +01:00
|
|
|
// GetCertificate returns a Certificate based on the given
|
2015-04-13 00:41:31 +01:00
|
|
|
// ClientHelloInfo. It will only be called if the client supplies SNI
|
|
|
|
// information or if Certificates is empty.
|
|
|
|
//
|
|
|
|
// If GetCertificate is nil or returns nil, then the certificate is
|
|
|
|
// retrieved from NameToCertificate. If NameToCertificate is nil, the
|
|
|
|
// first element of Certificates will be used.
|
2016-10-10 23:27:34 +01:00
|
|
|
GetCertificate func(*ClientHelloInfo) (*Certificate, error)
|
|
|
|
|
2016-10-26 18:05:03 +01:00
|
|
|
// GetClientCertificate, if not nil, is called when a server requests a
|
|
|
|
// certificate from a client. If set, the contents of Certificates will
|
|
|
|
// be ignored.
|
|
|
|
//
|
|
|
|
// If GetClientCertificate returns an error, the handshake will be
|
|
|
|
// aborted and that error will be returned. Otherwise
|
|
|
|
// GetClientCertificate must return a non-nil Certificate. If
|
|
|
|
// Certificate.Certificate is empty then no certificate will be sent to
|
|
|
|
// the server. If this is unacceptable to the server then it may abort
|
|
|
|
// the handshake.
|
|
|
|
//
|
|
|
|
// GetClientCertificate may be called multiple times for the same
|
|
|
|
// connection if renegotiation occurs or if TLS 1.3 is in use.
|
|
|
|
GetClientCertificate func(*CertificateRequestInfo) (*Certificate, error)
|
|
|
|
|
2016-10-10 23:27:34 +01:00
|
|
|
// GetConfigForClient, if not nil, is called after a ClientHello is
|
|
|
|
// received from a client. It may return a non-nil Config in order to
|
|
|
|
// change the Config that will be used to handle this connection. If
|
|
|
|
// the returned Config is nil, the original Config will be used. The
|
|
|
|
// Config returned by this callback may not be subsequently modified.
|
|
|
|
//
|
|
|
|
// If GetConfigForClient is nil, the Config passed to Server() will be
|
|
|
|
// used for all connections.
|
|
|
|
//
|
|
|
|
// Uniquely for the fields in the returned Config, session ticket keys
|
|
|
|
// will be duplicated from the original Config if not set.
|
|
|
|
// Specifically, if SetSessionTicketKeys was called on the original
|
|
|
|
// config but not on the returned config then the ticket keys from the
|
|
|
|
// original config will be copied into the new config before use.
|
|
|
|
// Otherwise, if SessionTicketKey was set in the original config but
|
|
|
|
// not in the returned config then it will be copied into the returned
|
|
|
|
// config before use. If neither of those cases applies then the key
|
|
|
|
// material from the returned config will be used for session tickets.
|
|
|
|
GetConfigForClient func(*ClientHelloInfo) (*Config, error)
|
2014-08-06 19:22:00 +01:00
|
|
|
|
2016-07-13 23:22:28 +01:00
|
|
|
// VerifyPeerCertificate, if not nil, is called after normal
|
|
|
|
// certificate verification by either a TLS client or server. It
|
|
|
|
// receives the raw ASN.1 certificates provided by the peer and also
|
|
|
|
// any verified chains that normal processing found. If it returns a
|
|
|
|
// non-nil error, the handshake is aborted and that error results.
|
|
|
|
//
|
|
|
|
// If normal verification fails then the handshake will abort before
|
|
|
|
// considering this callback. If normal verification is disabled by
|
|
|
|
// setting InsecureSkipVerify then this callback will be considered but
|
|
|
|
// the verifiedChains argument will always be nil.
|
|
|
|
VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
// RootCAs defines the set of root certificate authorities
|
|
|
|
// that clients use when verifying server certificates.
|
|
|
|
// If RootCAs is nil, TLS uses the host's root CA set.
|
2011-04-19 14:57:58 +01:00
|
|
|
RootCAs *x509.CertPool
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2009-12-23 19:13:09 +00:00
|
|
|
// NextProtos is a list of supported, application level protocols.
|
|
|
|
NextProtos []string
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2014-02-19 16:17:09 +00:00
|
|
|
// ServerName is used to verify the hostname on the returned
|
|
|
|
// certificates unless InsecureSkipVerify is given. It is also included
|
2015-11-10 19:18:50 +00:00
|
|
|
// in the client's handshake to support virtual hosting unless it is
|
|
|
|
// an IP address.
|
2010-07-21 16:36:01 +01:00
|
|
|
ServerName string
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2012-01-05 17:05:38 +00:00
|
|
|
// ClientAuth determines the server's policy for
|
|
|
|
// TLS Client Authentication. The default is NoClientCert.
|
|
|
|
ClientAuth ClientAuthType
|
|
|
|
|
|
|
|
// ClientCAs defines the set of root certificate authorities
|
|
|
|
// that servers use if required to verify a client certificate
|
|
|
|
// by the policy in ClientAuth.
|
|
|
|
ClientCAs *x509.CertPool
|
2010-12-15 16:49:55 +00:00
|
|
|
|
2011-10-13 18:59:13 +01:00
|
|
|
// InsecureSkipVerify controls whether a client verifies the
|
|
|
|
// server's certificate chain and host name.
|
|
|
|
// If InsecureSkipVerify is true, TLS accepts any certificate
|
|
|
|
// presented by the server and any host name in that certificate.
|
|
|
|
// In this mode, TLS is susceptible to man-in-the-middle attacks.
|
|
|
|
// This should be used only for testing.
|
|
|
|
InsecureSkipVerify bool
|
|
|
|
|
2016-11-20 15:13:40 +00:00
|
|
|
// CipherSuites is a list of supported cipher suites to be used in
|
|
|
|
// TLS 1.0-1.2. If CipherSuites is nil, TLS uses a list of suites
|
|
|
|
// supported by the implementation.
|
2010-12-15 16:49:55 +00:00
|
|
|
CipherSuites []uint16
|
2012-09-24 21:52:43 +01:00
|
|
|
|
2013-01-22 15:10:38 +00:00
|
|
|
// PreferServerCipherSuites controls whether the server selects the
|
|
|
|
// client's most preferred ciphersuite, or the server's most preferred
|
|
|
|
// ciphersuite. If true then the server's preference, as expressed in
|
|
|
|
// the order of elements in CipherSuites, is used.
|
|
|
|
PreferServerCipherSuites bool
|
|
|
|
|
2012-09-24 21:52:43 +01:00
|
|
|
// SessionTicketsDisabled may be set to true to disable session ticket
|
|
|
|
// (resumption) support.
|
|
|
|
SessionTicketsDisabled bool
|
|
|
|
|
|
|
|
// SessionTicketKey is used by TLS servers to provide session
|
|
|
|
// resumption. See RFC 5077. If zero, it will be filled with
|
|
|
|
// random data before the first server handshake.
|
|
|
|
//
|
|
|
|
// If multiple servers are terminating connections for the same host
|
|
|
|
// they should all have the same SessionTicketKey. If the
|
|
|
|
// SessionTicketKey leaks, previously recorded and future TLS
|
|
|
|
// connections using that key are compromised.
|
|
|
|
SessionTicketKey [32]byte
|
|
|
|
|
2017-08-18 11:26:41 +01:00
|
|
|
// ClientSessionCache is a cache of ClientSessionState entries for TLS
|
|
|
|
// session resumption.
|
2014-01-22 23:24:03 +00:00
|
|
|
ClientSessionCache ClientSessionCache
|
|
|
|
|
2013-06-05 01:02:22 +01:00
|
|
|
// MinVersion contains the minimum SSL/TLS version that is acceptable.
|
2015-02-22 01:14:36 +00:00
|
|
|
// If zero, then TLS 1.0 is taken as the minimum.
|
2013-06-05 01:02:22 +01:00
|
|
|
MinVersion uint16
|
|
|
|
|
|
|
|
// MaxVersion contains the maximum SSL/TLS version that is acceptable.
|
|
|
|
// If zero, then the maximum version supported by this package is used,
|
2013-09-23 21:05:23 +01:00
|
|
|
// which is currently TLS 1.2.
|
2013-06-05 01:02:22 +01:00
|
|
|
MaxVersion uint16
|
|
|
|
|
2014-02-24 22:57:51 +00:00
|
|
|
// CurvePreferences contains the elliptic curves that will be used in
|
|
|
|
// an ECDHE handshake, in preference order. If empty, the default will
|
|
|
|
// be used.
|
|
|
|
CurvePreferences []CurveID
|
|
|
|
|
crypto/tls: implement dynamic record sizing
Currently, if a client of crypto/tls (e.g., net/http, http2) calls
tls.Conn.Write with a 33KB buffer, that ends up writing three TLS
records: 16KB, 16KB, and 1KB. Slow clients (such as 2G phones) must
download the first 16KB record before they can decrypt the first byte.
To improve latency, it's better to send smaller TLS records. However,
sending smaller records adds overhead (more overhead bytes and more
crypto calls), which slightly hurts throughput.
A simple heuristic, implemented in this change, is to send small
records for new connections, then boost to large records after the
first 1MB has been written on the connection.
Fixes #14376
Change-Id: Ice0f6279325be6775aa55351809f88e07dd700cd
Reviewed-on: https://go-review.googlesource.com/19591
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Tom Bergan <tombergan@google.com>
Reviewed-by: Adam Langley <agl@golang.org>
2016-02-18 02:20:24 +00:00
|
|
|
// DynamicRecordSizingDisabled disables adaptive sizing of TLS records.
|
|
|
|
// When true, the largest possible TLS record size is always used. When
|
|
|
|
// false, the size of TLS records may be adjusted in an attempt to
|
|
|
|
// improve latency.
|
|
|
|
DynamicRecordSizingDisabled bool
|
|
|
|
|
2016-04-26 18:45:35 +01:00
|
|
|
// Renegotiation controls what types of renegotiation are supported.
|
|
|
|
// The default, none, is correct for the vast majority of applications.
|
|
|
|
Renegotiation RenegotiationSupport
|
|
|
|
|
2016-08-20 12:41:42 +01:00
|
|
|
// KeyLogWriter optionally specifies a destination for TLS master secrets
|
|
|
|
// in NSS key log format that can be used to allow external programs
|
|
|
|
// such as Wireshark to decrypt TLS connections.
|
|
|
|
// See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format.
|
|
|
|
// Use of KeyLogWriter compromises security and should only be
|
|
|
|
// used for debugging.
|
|
|
|
KeyLogWriter io.Writer
|
|
|
|
|
2016-11-25 21:46:50 +00:00
|
|
|
// If Max0RTTDataSize is not zero, the client will be allowed to use
|
|
|
|
// session tickets to send at most this number of bytes of 0-RTT data.
|
|
|
|
// 0-RTT data is subject to replay and has memory DoS implications.
|
|
|
|
// The server will later be able to refuse the 0-RTT data with
|
|
|
|
// Accept0RTTData, or wait for the client to prove that it's not
|
|
|
|
// replayed with Conn.ConfirmHandshake.
|
|
|
|
//
|
|
|
|
// It has no meaning on the client.
|
|
|
|
//
|
|
|
|
// See https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-2.3.
|
|
|
|
Max0RTTDataSize uint32
|
|
|
|
|
|
|
|
// Accept0RTTData makes the 0-RTT data received from the client
|
|
|
|
// immediately available to Read. 0-RTT data is subject to replay.
|
|
|
|
// Use Conn.ConfirmHandshake to wait until the data is known not
|
|
|
|
// to be replayed after reading it.
|
|
|
|
//
|
|
|
|
// It has no meaning on the client.
|
|
|
|
//
|
|
|
|
// See https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-2.3.
|
|
|
|
Accept0RTTData bool
|
|
|
|
|
2017-02-22 21:56:04 +00:00
|
|
|
// SessionTicketSealer, if not nil, is used to wrap and unwrap
|
|
|
|
// session tickets, instead of SessionTicketKey.
|
|
|
|
SessionTicketSealer SessionTicketSealer
|
|
|
|
|
2013-03-21 03:53:38 +00:00
|
|
|
serverInitOnce sync.Once // guards calling (*Config).serverInit
|
2015-04-18 02:32:11 +01:00
|
|
|
|
2017-04-28 21:37:52 +01:00
|
|
|
// mutex protects sessionTicketKeys.
|
2015-04-18 02:32:11 +01:00
|
|
|
mutex sync.RWMutex
|
|
|
|
// sessionTicketKeys contains zero or more ticket keys. If the length
|
|
|
|
// is zero, SessionTicketsDisabled must be true. The first key is used
|
|
|
|
// for new tickets and any subsequent keys can be used to decrypt old
|
|
|
|
// tickets.
|
|
|
|
sessionTicketKeys []ticketKey
|
|
|
|
}
|
|
|
|
|
|
|
|
// ticketKeyNameLen is the number of bytes of identifier that is prepended to
|
|
|
|
// an encrypted session ticket in order to identify the key used to encrypt it.
|
|
|
|
const ticketKeyNameLen = 16
|
|
|
|
|
|
|
|
// ticketKey is the internal representation of a session ticket key.
|
|
|
|
type ticketKey struct {
|
|
|
|
// keyName is an opaque byte string that serves to identify the session
|
|
|
|
// ticket key. It's exposed as plaintext in every session ticket.
|
|
|
|
keyName [ticketKeyNameLen]byte
|
|
|
|
aesKey [16]byte
|
|
|
|
hmacKey [16]byte
|
|
|
|
}
|
|
|
|
|
|
|
|
// ticketKeyFromBytes converts from the external representation of a session
|
|
|
|
// ticket key to a ticketKey. Externally, session ticket keys are 32 random
|
|
|
|
// bytes and this function expands that into sufficient name and key material.
|
|
|
|
func ticketKeyFromBytes(b [32]byte) (key ticketKey) {
|
|
|
|
hashed := sha512.Sum512(b[:])
|
|
|
|
copy(key.keyName[:], hashed[:ticketKeyNameLen])
|
|
|
|
copy(key.aesKey[:], hashed[ticketKeyNameLen:ticketKeyNameLen+16])
|
|
|
|
copy(key.hmacKey[:], hashed[ticketKeyNameLen+16:ticketKeyNameLen+32])
|
|
|
|
return key
|
2013-03-21 03:53:38 +00:00
|
|
|
}
|
|
|
|
|
2016-10-20 17:48:24 +01:00
|
|
|
// Clone returns a shallow clone of c. It is safe to clone a Config that is
|
|
|
|
// being used concurrently by a TLS client or server.
|
2016-08-30 04:19:01 +01:00
|
|
|
func (c *Config) Clone() *Config {
|
2016-10-20 17:48:24 +01:00
|
|
|
// Running serverInit ensures that it's safe to read
|
|
|
|
// SessionTicketsDisabled.
|
2017-04-28 21:37:52 +01:00
|
|
|
c.serverInitOnce.Do(func() { c.serverInit(nil) })
|
2016-10-20 17:48:24 +01:00
|
|
|
|
2016-10-10 23:27:34 +01:00
|
|
|
var sessionTicketKeys []ticketKey
|
|
|
|
c.mutex.RLock()
|
|
|
|
sessionTicketKeys = c.sessionTicketKeys
|
|
|
|
c.mutex.RUnlock()
|
|
|
|
|
2016-06-21 15:00:41 +01:00
|
|
|
return &Config{
|
|
|
|
Rand: c.Rand,
|
|
|
|
Time: c.Time,
|
|
|
|
Certificates: c.Certificates,
|
|
|
|
NameToCertificate: c.NameToCertificate,
|
|
|
|
GetCertificate: c.GetCertificate,
|
2017-03-01 18:43:57 +00:00
|
|
|
GetClientCertificate: c.GetClientCertificate,
|
2016-10-10 23:27:34 +01:00
|
|
|
GetConfigForClient: c.GetConfigForClient,
|
2016-07-13 23:22:28 +01:00
|
|
|
VerifyPeerCertificate: c.VerifyPeerCertificate,
|
2016-06-21 15:00:41 +01:00
|
|
|
RootCAs: c.RootCAs,
|
|
|
|
NextProtos: c.NextProtos,
|
|
|
|
ServerName: c.ServerName,
|
|
|
|
ClientAuth: c.ClientAuth,
|
|
|
|
ClientCAs: c.ClientCAs,
|
|
|
|
InsecureSkipVerify: c.InsecureSkipVerify,
|
|
|
|
CipherSuites: c.CipherSuites,
|
|
|
|
PreferServerCipherSuites: c.PreferServerCipherSuites,
|
|
|
|
SessionTicketsDisabled: c.SessionTicketsDisabled,
|
|
|
|
SessionTicketKey: c.SessionTicketKey,
|
|
|
|
ClientSessionCache: c.ClientSessionCache,
|
|
|
|
MinVersion: c.MinVersion,
|
|
|
|
MaxVersion: c.MaxVersion,
|
|
|
|
CurvePreferences: c.CurvePreferences,
|
|
|
|
DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled,
|
|
|
|
Renegotiation: c.Renegotiation,
|
2016-08-20 12:41:42 +01:00
|
|
|
KeyLogWriter: c.KeyLogWriter,
|
2016-11-25 21:46:50 +00:00
|
|
|
Accept0RTTData: c.Accept0RTTData,
|
|
|
|
Max0RTTDataSize: c.Max0RTTDataSize,
|
2017-02-22 21:56:04 +00:00
|
|
|
SessionTicketSealer: c.SessionTicketSealer,
|
2016-10-10 23:27:34 +01:00
|
|
|
sessionTicketKeys: sessionTicketKeys,
|
2016-06-21 15:00:41 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-04-28 21:37:52 +01:00
|
|
|
// serverInit is run under c.serverInitOnce to do initialization of c. If c was
|
|
|
|
// returned by a GetConfigForClient callback then the argument should be the
|
|
|
|
// Config that was passed to Server, otherwise it should be nil.
|
|
|
|
func (c *Config) serverInit(originalConfig *Config) {
|
2017-02-22 21:56:04 +00:00
|
|
|
if c.SessionTicketsDisabled || len(c.ticketKeys()) != 0 || c.SessionTicketSealer != nil {
|
2013-03-21 03:53:38 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2015-04-18 02:32:11 +01:00
|
|
|
alreadySet := false
|
2013-03-21 03:53:38 +00:00
|
|
|
for _, b := range c.SessionTicketKey {
|
|
|
|
if b != 0 {
|
2015-04-18 02:32:11 +01:00
|
|
|
alreadySet = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !alreadySet {
|
2016-10-10 23:27:34 +01:00
|
|
|
if originalConfig != nil {
|
|
|
|
copy(c.SessionTicketKey[:], originalConfig.SessionTicketKey[:])
|
|
|
|
} else if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
|
2015-04-18 02:32:11 +01:00
|
|
|
c.SessionTicketsDisabled = true
|
2013-03-21 03:53:38 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-10-10 23:27:34 +01:00
|
|
|
if originalConfig != nil {
|
|
|
|
originalConfig.mutex.RLock()
|
|
|
|
c.sessionTicketKeys = originalConfig.sessionTicketKeys
|
|
|
|
originalConfig.mutex.RUnlock()
|
|
|
|
} else {
|
|
|
|
c.sessionTicketKeys = []ticketKey{ticketKeyFromBytes(c.SessionTicketKey)}
|
|
|
|
}
|
2015-04-18 02:32:11 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) ticketKeys() []ticketKey {
|
|
|
|
c.mutex.RLock()
|
|
|
|
// c.sessionTicketKeys is constant once created. SetSessionTicketKeys
|
|
|
|
// will only update it by replacing it with a new value.
|
|
|
|
ret := c.sessionTicketKeys
|
|
|
|
c.mutex.RUnlock()
|
|
|
|
return ret
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetSessionTicketKeys updates the session ticket keys for a server. The first
|
|
|
|
// key will be used when creating new tickets, while all keys can be used for
|
|
|
|
// decrypting tickets. It is safe to call this function while the server is
|
|
|
|
// running in order to rotate the session ticket keys. The function will panic
|
|
|
|
// if keys is empty.
|
|
|
|
func (c *Config) SetSessionTicketKeys(keys [][32]byte) {
|
|
|
|
if len(keys) == 0 {
|
|
|
|
panic("tls: keys must have at least one key")
|
2013-03-21 03:53:38 +00:00
|
|
|
}
|
2015-04-18 02:32:11 +01:00
|
|
|
|
|
|
|
newKeys := make([]ticketKey, len(keys))
|
|
|
|
for i, bytes := range keys {
|
|
|
|
newKeys[i] = ticketKeyFromBytes(bytes)
|
|
|
|
}
|
|
|
|
|
|
|
|
c.mutex.Lock()
|
|
|
|
c.sessionTicketKeys = newKeys
|
|
|
|
c.mutex.Unlock()
|
2009-11-03 02:25:20 +00:00
|
|
|
}
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
func (c *Config) rand() io.Reader {
|
|
|
|
r := c.Rand
|
|
|
|
if r == nil {
|
|
|
|
return rand.Reader
|
|
|
|
}
|
|
|
|
return r
|
|
|
|
}
|
|
|
|
|
2011-11-30 17:01:46 +00:00
|
|
|
func (c *Config) time() time.Time {
|
2010-12-07 21:15:15 +00:00
|
|
|
t := c.Time
|
|
|
|
if t == nil {
|
2011-11-30 17:01:46 +00:00
|
|
|
t = time.Now
|
2010-12-07 21:15:15 +00:00
|
|
|
}
|
|
|
|
return t()
|
|
|
|
}
|
|
|
|
|
2017-09-12 19:50:24 +01:00
|
|
|
func hasOverlappingCipherSuites(cs1, cs2 []uint16) bool {
|
|
|
|
for _, c1 := range cs1 {
|
|
|
|
for _, c2 := range cs2 {
|
|
|
|
if c1 == c2 {
|
|
|
|
return true
|
|
|
|
}
|
2016-11-20 15:13:40 +00:00
|
|
|
}
|
|
|
|
}
|
2017-09-12 19:50:24 +01:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) cipherSuites() []uint16 {
|
2010-12-15 16:49:55 +00:00
|
|
|
s := c.CipherSuites
|
2010-12-15 18:58:57 +00:00
|
|
|
if s == nil {
|
2010-12-15 16:49:55 +00:00
|
|
|
s = defaultCipherSuites()
|
2017-09-12 19:50:24 +01:00
|
|
|
} else if c.maxVersion() >= VersionTLS13 {
|
|
|
|
// Ensure that TLS 1.3 suites are always present, but respect
|
|
|
|
// the application cipher suite preferences.
|
|
|
|
s13 := defaultTLS13CipherSuites()
|
|
|
|
if !hasOverlappingCipherSuites(s, s13) {
|
|
|
|
allSuites := make([]uint16, len(s13)+len(s))
|
|
|
|
allSuites = append(allSuites, s13...)
|
|
|
|
s = append(allSuites, s...)
|
|
|
|
}
|
2010-12-15 16:49:55 +00:00
|
|
|
}
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2013-06-05 01:02:22 +01:00
|
|
|
func (c *Config) minVersion() uint16 {
|
|
|
|
if c == nil || c.MinVersion == 0 {
|
|
|
|
return minVersion
|
|
|
|
}
|
|
|
|
return c.MinVersion
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *Config) maxVersion() uint16 {
|
|
|
|
if c == nil || c.MaxVersion == 0 {
|
|
|
|
return maxVersion
|
|
|
|
}
|
|
|
|
return c.MaxVersion
|
|
|
|
}
|
|
|
|
|
2016-10-11 23:08:35 +01:00
|
|
|
var defaultCurvePreferences = []CurveID{X25519, CurveP256, CurveP384, CurveP521}
|
2014-02-24 22:57:51 +00:00
|
|
|
|
|
|
|
func (c *Config) curvePreferences() []CurveID {
|
|
|
|
if c == nil || len(c.CurvePreferences) == 0 {
|
|
|
|
return defaultCurvePreferences
|
|
|
|
}
|
|
|
|
return c.CurvePreferences
|
|
|
|
}
|
|
|
|
|
2013-06-05 01:02:22 +01:00
|
|
|
// mutualVersion returns the protocol version to use given the advertised
|
2017-01-16 12:29:54 +00:00
|
|
|
// version of the peer using the legacy non-extension methods.
|
2013-06-05 01:02:22 +01:00
|
|
|
func (c *Config) mutualVersion(vers uint16) (uint16, bool) {
|
|
|
|
minVersion := c.minVersion()
|
|
|
|
maxVersion := c.maxVersion()
|
|
|
|
|
2017-01-16 12:29:54 +00:00
|
|
|
// Version 1.3 and higher are not negotiated via this mechanism.
|
|
|
|
if maxVersion > VersionTLS12 {
|
|
|
|
maxVersion = VersionTLS12
|
|
|
|
}
|
|
|
|
|
2013-06-05 01:02:22 +01:00
|
|
|
if vers < minVersion {
|
|
|
|
return 0, false
|
|
|
|
}
|
|
|
|
if vers > maxVersion {
|
|
|
|
vers = maxVersion
|
|
|
|
}
|
|
|
|
return vers, true
|
|
|
|
}
|
|
|
|
|
2017-01-16 12:29:54 +00:00
|
|
|
// pickVersion returns the protocol version to use given the advertised
|
|
|
|
// versions of the peer using the Supported Versions extension.
|
2017-09-12 18:49:42 +01:00
|
|
|
func (c *Config) pickVersion(peerSupportedVersions []uint16) (uint16, bool) {
|
|
|
|
supportedVersions := c.getSupportedVersions()
|
|
|
|
for _, supportedVersion := range supportedVersions {
|
|
|
|
for _, version := range peerSupportedVersions {
|
|
|
|
if version == supportedVersion {
|
|
|
|
return version, true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return 0, false
|
|
|
|
}
|
|
|
|
|
2017-10-02 09:04:42 +01:00
|
|
|
// configSuppVersArray is the backing array of Config.getSupportedVersions
|
|
|
|
var configSuppVersArray = [...]uint16{VersionTLS13, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
|
|
|
|
|
|
|
|
// tls13DraftSuppVersArray is the backing array of Config.getSupportedVersions
|
|
|
|
// with TLS 1.3 draft versions included.
|
|
|
|
//
|
|
|
|
// TODO: remove once TLS 1.3 is finalised.
|
|
|
|
var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft18, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
|
|
|
|
|
2017-09-12 18:49:42 +01:00
|
|
|
// getSupportedVersions returns the protocol versions that are supported by the
|
|
|
|
// current configuration.
|
|
|
|
func (c *Config) getSupportedVersions() []uint16 {
|
2017-01-16 12:29:54 +00:00
|
|
|
minVersion := c.minVersion()
|
|
|
|
maxVersion := c.maxVersion()
|
2017-09-12 18:49:42 +01:00
|
|
|
// Sanity check to avoid advertising unsupported versions.
|
|
|
|
if minVersion < VersionSSL30 {
|
|
|
|
minVersion = VersionSSL30
|
2017-01-16 12:29:54 +00:00
|
|
|
}
|
2017-09-12 18:49:42 +01:00
|
|
|
if maxVersion > VersionTLS13 {
|
|
|
|
maxVersion = VersionTLS13
|
2017-01-16 12:29:54 +00:00
|
|
|
}
|
2017-10-02 09:04:42 +01:00
|
|
|
if maxVersion < minVersion {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
// TODO: remove once TLS 1.3 is finalised.
|
|
|
|
if maxVersion == VersionTLS13 {
|
|
|
|
return tls13DraftSuppVersArray[:len(tls13DraftSuppVersArray)-int(minVersion-VersionSSL30)]
|
2017-01-16 12:29:54 +00:00
|
|
|
}
|
2017-10-02 09:04:42 +01:00
|
|
|
return configSuppVersArray[VersionTLS13-maxVersion : VersionTLS13-minVersion+1]
|
2017-01-16 12:29:54 +00:00
|
|
|
}
|
|
|
|
|
2014-08-06 19:22:00 +01:00
|
|
|
// getCertificate returns the best certificate for the given ClientHelloInfo,
|
|
|
|
// defaulting to the first element of c.Certificates.
|
|
|
|
func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certificate, error) {
|
2015-04-13 00:41:31 +01:00
|
|
|
if c.GetCertificate != nil &&
|
|
|
|
(len(c.Certificates) == 0 || len(clientHello.ServerName) > 0) {
|
2014-08-06 19:22:00 +01:00
|
|
|
cert, err := c.GetCertificate(clientHello)
|
|
|
|
if cert != nil || err != nil {
|
|
|
|
return cert, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-13 00:41:31 +01:00
|
|
|
if len(c.Certificates) == 0 {
|
2016-04-12 18:43:44 +01:00
|
|
|
return nil, errors.New("tls: no certificates configured")
|
2015-04-13 00:41:31 +01:00
|
|
|
}
|
|
|
|
|
2011-10-08 15:06:53 +01:00
|
|
|
if len(c.Certificates) == 1 || c.NameToCertificate == nil {
|
|
|
|
// There's only one choice, so no point doing any work.
|
2014-08-06 19:22:00 +01:00
|
|
|
return &c.Certificates[0], nil
|
2011-10-08 15:06:53 +01:00
|
|
|
}
|
|
|
|
|
2014-08-06 19:22:00 +01:00
|
|
|
name := strings.ToLower(clientHello.ServerName)
|
2011-10-08 15:06:53 +01:00
|
|
|
for len(name) > 0 && name[len(name)-1] == '.' {
|
|
|
|
name = name[:len(name)-1]
|
|
|
|
}
|
|
|
|
|
|
|
|
if cert, ok := c.NameToCertificate[name]; ok {
|
2014-08-06 19:22:00 +01:00
|
|
|
return cert, nil
|
2011-10-08 15:06:53 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// try replacing labels in the name with wildcards until we get a
|
|
|
|
// match.
|
|
|
|
labels := strings.Split(name, ".")
|
|
|
|
for i := range labels {
|
|
|
|
labels[i] = "*"
|
|
|
|
candidate := strings.Join(labels, ".")
|
|
|
|
if cert, ok := c.NameToCertificate[candidate]; ok {
|
2014-08-06 19:22:00 +01:00
|
|
|
return cert, nil
|
2011-10-08 15:06:53 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// If nothing matches, return the first certificate.
|
2014-08-06 19:22:00 +01:00
|
|
|
return &c.Certificates[0], nil
|
2011-10-08 15:06:53 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
|
|
|
|
// from the CommonName and SubjectAlternateName fields of each of the leaf
|
|
|
|
// certificates.
|
|
|
|
func (c *Config) BuildNameToCertificate() {
|
|
|
|
c.NameToCertificate = make(map[string]*Certificate)
|
|
|
|
for i := range c.Certificates {
|
|
|
|
cert := &c.Certificates[i]
|
|
|
|
x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
|
|
|
|
if err != nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if len(x509Cert.Subject.CommonName) > 0 {
|
|
|
|
c.NameToCertificate[x509Cert.Subject.CommonName] = cert
|
|
|
|
}
|
|
|
|
for _, san := range x509Cert.DNSNames {
|
|
|
|
c.NameToCertificate[san] = cert
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-09-30 20:55:25 +01:00
|
|
|
// writeKeyLog logs client random and master secret if logging was enabled by
|
|
|
|
// setting c.KeyLogWriter.
|
2017-09-18 16:50:43 +01:00
|
|
|
func (c *Config) writeKeyLog(what string, clientRandom, masterSecret []byte) error {
|
2016-08-20 12:41:42 +01:00
|
|
|
if c.KeyLogWriter == nil {
|
|
|
|
return nil
|
|
|
|
}
|
2016-09-30 20:55:25 +01:00
|
|
|
|
2017-09-18 16:50:43 +01:00
|
|
|
logLine := []byte(fmt.Sprintf("%s %x %x\n", what, clientRandom, masterSecret))
|
2016-09-30 20:55:25 +01:00
|
|
|
|
2016-09-10 20:07:33 +01:00
|
|
|
writerMutex.Lock()
|
2016-09-30 20:55:25 +01:00
|
|
|
_, err := c.KeyLogWriter.Write(logLine)
|
2016-09-10 20:07:33 +01:00
|
|
|
writerMutex.Unlock()
|
2016-09-30 20:55:25 +01:00
|
|
|
|
2016-08-20 12:41:42 +01:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2016-09-10 20:07:33 +01:00
|
|
|
// writerMutex protects all KeyLogWriters globally. It is rarely enabled,
|
|
|
|
// and is only for debugging, so a global mutex saves space.
|
|
|
|
var writerMutex sync.Mutex
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
// A Certificate is a chain of one or more certificates, leaf first.
|
2009-11-03 02:25:20 +00:00
|
|
|
type Certificate struct {
|
2009-12-15 23:33:31 +00:00
|
|
|
Certificate [][]byte
|
2014-08-29 20:36:30 +01:00
|
|
|
// PrivateKey contains the private key corresponding to the public key
|
2015-04-03 00:19:46 +01:00
|
|
|
// in Leaf. For a server, this must implement crypto.Signer and/or
|
|
|
|
// crypto.Decrypter, with an RSA or ECDSA PublicKey. For a client
|
|
|
|
// (performing client authentication), this must be a crypto.Signer
|
|
|
|
// with an RSA or ECDSA PublicKey.
|
2014-08-29 20:36:30 +01:00
|
|
|
PrivateKey crypto.PrivateKey
|
2011-04-14 19:47:28 +01:00
|
|
|
// OCSPStaple contains an optional OCSP response which will be served
|
|
|
|
// to clients that request it.
|
|
|
|
OCSPStaple []byte
|
2015-04-16 19:59:22 +01:00
|
|
|
// SignedCertificateTimestamps contains an optional list of Signed
|
|
|
|
// Certificate Timestamps which will be served to clients that request it.
|
|
|
|
SignedCertificateTimestamps [][]byte
|
2012-01-05 17:05:38 +00:00
|
|
|
// Leaf is the parsed form of the leaf certificate, which may be
|
|
|
|
// initialized using x509.ParseCertificate to reduce per-handshake
|
|
|
|
// processing for TLS clients doing client authentication. If nil, the
|
|
|
|
// leaf certificate will be parsed as needed.
|
|
|
|
Leaf *x509.Certificate
|
2009-11-03 02:25:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type handshakeMessage interface {
|
2009-12-15 23:33:31 +00:00
|
|
|
marshal() []byte
|
2017-01-16 12:23:17 +00:00
|
|
|
unmarshal([]byte) alert
|
2009-11-03 02:25:20 +00:00
|
|
|
}
|
|
|
|
|
2014-01-22 23:24:03 +00:00
|
|
|
// lruSessionCache is a ClientSessionCache implementation that uses an LRU
|
|
|
|
// caching strategy.
|
|
|
|
type lruSessionCache struct {
|
|
|
|
sync.Mutex
|
|
|
|
|
|
|
|
m map[string]*list.Element
|
|
|
|
q *list.List
|
|
|
|
capacity int
|
|
|
|
}
|
|
|
|
|
|
|
|
type lruSessionCacheEntry struct {
|
|
|
|
sessionKey string
|
|
|
|
state *ClientSessionState
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewLRUClientSessionCache returns a ClientSessionCache with the given
|
|
|
|
// capacity that uses an LRU strategy. If capacity is < 1, a default capacity
|
|
|
|
// is used instead.
|
|
|
|
func NewLRUClientSessionCache(capacity int) ClientSessionCache {
|
|
|
|
const defaultSessionCacheCapacity = 64
|
|
|
|
|
|
|
|
if capacity < 1 {
|
|
|
|
capacity = defaultSessionCacheCapacity
|
|
|
|
}
|
|
|
|
return &lruSessionCache{
|
|
|
|
m: make(map[string]*list.Element),
|
|
|
|
q: list.New(),
|
|
|
|
capacity: capacity,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Put adds the provided (sessionKey, cs) pair to the cache.
|
|
|
|
func (c *lruSessionCache) Put(sessionKey string, cs *ClientSessionState) {
|
|
|
|
c.Lock()
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
|
|
if elem, ok := c.m[sessionKey]; ok {
|
|
|
|
entry := elem.Value.(*lruSessionCacheEntry)
|
|
|
|
entry.state = cs
|
|
|
|
c.q.MoveToFront(elem)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if c.q.Len() < c.capacity {
|
|
|
|
entry := &lruSessionCacheEntry{sessionKey, cs}
|
|
|
|
c.m[sessionKey] = c.q.PushFront(entry)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
elem := c.q.Back()
|
|
|
|
entry := elem.Value.(*lruSessionCacheEntry)
|
|
|
|
delete(c.m, entry.sessionKey)
|
|
|
|
entry.sessionKey = sessionKey
|
|
|
|
entry.state = cs
|
|
|
|
c.q.MoveToFront(elem)
|
|
|
|
c.m[sessionKey] = elem
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get returns the ClientSessionState value associated with a given key. It
|
|
|
|
// returns (nil, false) if no value is found.
|
|
|
|
func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool) {
|
|
|
|
c.Lock()
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
|
|
if elem, ok := c.m[sessionKey]; ok {
|
|
|
|
c.q.MoveToFront(elem)
|
|
|
|
return elem.Value.(*lruSessionCacheEntry).state, true
|
|
|
|
}
|
|
|
|
return nil, false
|
|
|
|
}
|
|
|
|
|
2013-07-17 17:33:16 +01:00
|
|
|
// TODO(jsing): Make these available to both crypto/x509 and crypto/tls.
|
|
|
|
type dsaSignature struct {
|
|
|
|
R, S *big.Int
|
|
|
|
}
|
|
|
|
|
|
|
|
type ecdsaSignature dsaSignature
|
|
|
|
|
2010-12-07 21:15:15 +00:00
|
|
|
var emptyConfig Config
|
2010-08-05 21:14:41 +01:00
|
|
|
|
2010-04-05 22:38:02 +01:00
|
|
|
func defaultConfig() *Config {
|
2010-12-07 21:15:15 +00:00
|
|
|
return &emptyConfig
|
2010-04-05 22:38:02 +01:00
|
|
|
}
|
|
|
|
|
2012-03-07 18:12:35 +00:00
|
|
|
var (
|
2016-11-20 15:13:40 +00:00
|
|
|
once sync.Once
|
|
|
|
varDefaultCipherSuites []uint16
|
|
|
|
varDefaultTLS13CipherSuites []uint16
|
2012-03-07 18:12:35 +00:00
|
|
|
)
|
2010-12-07 21:15:15 +00:00
|
|
|
|
2010-12-15 16:49:55 +00:00
|
|
|
func defaultCipherSuites() []uint16 {
|
2012-03-07 18:12:35 +00:00
|
|
|
once.Do(initDefaultCipherSuites)
|
2010-12-15 16:49:55 +00:00
|
|
|
return varDefaultCipherSuites
|
|
|
|
}
|
|
|
|
|
2016-11-20 15:13:40 +00:00
|
|
|
func defaultTLS13CipherSuites() []uint16 {
|
|
|
|
once.Do(initDefaultCipherSuites)
|
|
|
|
return varDefaultTLS13CipherSuites
|
|
|
|
}
|
|
|
|
|
2010-12-15 16:49:55 +00:00
|
|
|
func initDefaultCipherSuites() {
|
2016-11-20 15:13:40 +00:00
|
|
|
var topCipherSuites, topTLS13CipherSuites []uint16
|
2016-11-07 18:25:57 +00:00
|
|
|
if cipherhw.AESGCMSupport() {
|
|
|
|
// If AES-GCM hardware is provided then prioritise AES-GCM
|
|
|
|
// cipher suites.
|
2016-11-20 15:13:40 +00:00
|
|
|
topTLS13CipherSuites = []uint16{
|
|
|
|
TLS_AES_128_GCM_SHA256,
|
|
|
|
TLS_AES_256_GCM_SHA384,
|
|
|
|
TLS_CHACHA20_POLY1305_SHA256,
|
|
|
|
}
|
2016-11-07 18:25:57 +00:00
|
|
|
topCipherSuites = []uint16{
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
|
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// Without AES-GCM hardware, we put the ChaCha20-Poly1305
|
|
|
|
// cipher suites first.
|
2016-11-20 15:13:40 +00:00
|
|
|
topTLS13CipherSuites = []uint16{
|
|
|
|
TLS_CHACHA20_POLY1305_SHA256,
|
|
|
|
TLS_AES_128_GCM_SHA256,
|
|
|
|
TLS_AES_256_GCM_SHA384,
|
|
|
|
}
|
2016-11-07 18:25:57 +00:00
|
|
|
topCipherSuites = []uint16{
|
|
|
|
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
|
|
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
|
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-11-20 15:13:40 +00:00
|
|
|
varDefaultTLS13CipherSuites = make([]uint16, 0, len(cipherSuites))
|
2017-09-12 19:50:24 +01:00
|
|
|
varDefaultTLS13CipherSuites = append(varDefaultTLS13CipherSuites, topTLS13CipherSuites...)
|
2015-03-17 00:13:10 +00:00
|
|
|
varDefaultCipherSuites = make([]uint16, 0, len(cipherSuites))
|
2017-02-06 11:03:58 +00:00
|
|
|
varDefaultCipherSuites = append(varDefaultCipherSuites, topCipherSuites...)
|
2016-11-07 18:25:57 +00:00
|
|
|
|
|
|
|
NextCipherSuite:
|
2015-03-17 00:13:10 +00:00
|
|
|
for _, suite := range cipherSuites {
|
|
|
|
if suite.flags&suiteDefaultOff != 0 {
|
|
|
|
continue
|
|
|
|
}
|
2016-11-20 15:13:40 +00:00
|
|
|
if suite.flags&suiteTLS13 != 0 {
|
|
|
|
for _, existing := range varDefaultTLS13CipherSuites {
|
|
|
|
if existing == suite.id {
|
|
|
|
continue NextCipherSuite
|
|
|
|
}
|
|
|
|
}
|
|
|
|
varDefaultTLS13CipherSuites = append(varDefaultTLS13CipherSuites, suite.id)
|
|
|
|
} else {
|
|
|
|
for _, existing := range varDefaultCipherSuites {
|
|
|
|
if existing == suite.id {
|
|
|
|
continue NextCipherSuite
|
|
|
|
}
|
2016-11-07 18:25:57 +00:00
|
|
|
}
|
2016-11-20 15:13:40 +00:00
|
|
|
varDefaultCipherSuites = append(varDefaultCipherSuites, suite.id)
|
2016-11-07 18:25:57 +00:00
|
|
|
}
|
2010-12-15 16:49:55 +00:00
|
|
|
}
|
2017-09-12 19:50:24 +01:00
|
|
|
varDefaultCipherSuites = append(varDefaultTLS13CipherSuites, varDefaultCipherSuites...)
|
2010-12-15 16:49:55 +00:00
|
|
|
}
|
2014-02-12 16:20:01 +00:00
|
|
|
|
|
|
|
func unexpectedMessageError(wanted, got interface{}) error {
|
|
|
|
return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted)
|
|
|
|
}
|
crypto/tls: decouple handshake signatures from the handshake hash.
Prior to TLS 1.2, the handshake had a pleasing property that one could
incrementally hash it and, from that, get the needed hashes for both
the CertificateVerify and Finished messages.
TLS 1.2 introduced negotiation for the signature and hash and it became
possible for the handshake hash to be, say, SHA-384, but for the
CertificateVerify to sign the handshake with SHA-1. The problem is that
one doesn't know in advance which hashes will be needed and thus the
handshake needs to be buffered.
Go ignored this, always kept a single handshake hash, and any signatures
over the handshake had to use that hash.
However, there are a set of servers that inspect the client's offered
signature hash functions and will abort the handshake if one of the
server's certificates is signed with a hash function outside of that
set. https://robertsspaceindustries.com/ is an example of such a server.
Clearly not a lot of thought happened when that server code was written,
but its out there and we have to deal with it.
This change decouples the handshake hash from the CertificateVerify
hash. This lays the groundwork for advertising support for SHA-384 but
doesn't actually make that change in the interests of reviewability.
Updating the advertised hash functions will cause changes in many of the
testdata/ files and some errors might get lost in the noise. This change
only needs to update four testdata/ files: one because a SHA-384-based
handshake is now being signed with SHA-256 and the others because the
TLS 1.2 CertificateRequest message now includes SHA-1.
This change also has the effect of adding support for
client-certificates in SSLv3 servers. However, SSLv3 is now disabled by
default so this should be moot.
It would be possible to avoid much of this change and just support
SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces
and SKX params (a design mistake in TLS). However, that would leave Go
in the odd situation where it advertised support for SHA-384, but would
only use the handshake hash when signing client certificates. I fear
that'll just cause problems in the future.
Much of this code was written by davidben@ for the purposes of testing
BoringSSL.
Partly addresses #9757
Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485
Reviewed-on: https://go-review.googlesource.com/9415
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-28 17:13:38 +01:00
|
|
|
|
2017-09-07 17:50:10 +01:00
|
|
|
func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlgorithms []SignatureScheme) bool {
|
|
|
|
for _, s := range supportedSignatureAlgorithms {
|
|
|
|
if s == sigAlg {
|
crypto/tls: decouple handshake signatures from the handshake hash.
Prior to TLS 1.2, the handshake had a pleasing property that one could
incrementally hash it and, from that, get the needed hashes for both
the CertificateVerify and Finished messages.
TLS 1.2 introduced negotiation for the signature and hash and it became
possible for the handshake hash to be, say, SHA-384, but for the
CertificateVerify to sign the handshake with SHA-1. The problem is that
one doesn't know in advance which hashes will be needed and thus the
handshake needs to be buffered.
Go ignored this, always kept a single handshake hash, and any signatures
over the handshake had to use that hash.
However, there are a set of servers that inspect the client's offered
signature hash functions and will abort the handshake if one of the
server's certificates is signed with a hash function outside of that
set. https://robertsspaceindustries.com/ is an example of such a server.
Clearly not a lot of thought happened when that server code was written,
but its out there and we have to deal with it.
This change decouples the handshake hash from the CertificateVerify
hash. This lays the groundwork for advertising support for SHA-384 but
doesn't actually make that change in the interests of reviewability.
Updating the advertised hash functions will cause changes in many of the
testdata/ files and some errors might get lost in the noise. This change
only needs to update four testdata/ files: one because a SHA-384-based
handshake is now being signed with SHA-256 and the others because the
TLS 1.2 CertificateRequest message now includes SHA-1.
This change also has the effect of adding support for
client-certificates in SSLv3 servers. However, SSLv3 is now disabled by
default so this should be moot.
It would be possible to avoid much of this change and just support
SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces
and SKX params (a design mistake in TLS). However, that would leave Go
in the odd situation where it advertised support for SHA-384, but would
only use the handshake hash when signing client certificates. I fear
that'll just cause problems in the future.
Much of this code was written by davidben@ for the purposes of testing
BoringSSL.
Partly addresses #9757
Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485
Reviewed-on: https://go-review.googlesource.com/9415
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2015-04-28 17:13:38 +01:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
2017-09-07 17:50:10 +01:00
|
|
|
|
|
|
|
// signatureFromSignatureScheme maps a signature algorithm to the underlying
|
|
|
|
// signature method (without hash function).
|
|
|
|
func signatureFromSignatureScheme(signatureAlgorithm SignatureScheme) uint8 {
|
|
|
|
switch signatureAlgorithm {
|
|
|
|
case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512:
|
2017-11-22 19:27:20 +00:00
|
|
|
return signaturePKCS1v15
|
|
|
|
case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
|
|
|
|
return signatureRSAPSS
|
2017-09-07 17:50:10 +01:00
|
|
|
case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512:
|
|
|
|
return signatureECDSA
|
|
|
|
default:
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
}
|