* includes AD in authentication check of TLS records As per 5.2 of TLS 1.3 draft-28, the additional data is record header. * tests: Update tests in order to support draft-28 * Interoperability: Updates NSS and BoringSSL versions to the one supporting draft-28 * Bogo: Updates revision number to use tests for draft-28 * FIX: makefile was using test-compat target instead of test-interop * DC test: constify * Use binary interface to encode in big-endianv1.2.3
@@ -71,7 +71,7 @@ We run 3 kinds of test:. | |||
* Unit testing: <br/>``make -f _dev/Makefile test-unit`` | |||
* Testing against BoringSSL test suite: <br/>``make -f _dev/Makefile test-bogo`` | |||
* Compatibility testing (see below):<br/>``make -f _dev/Makefile test-compat`` | |||
* Compatibility testing (see below):<br/>``make -f _dev/Makefile test-interop`` | |||
To run all the tests in one go use: | |||
``` | |||
@@ -115,4 +115,4 @@ clean-all: clean | |||
fmtcheck: | |||
$(DEV_DIR)/utils/fmtcheck.sh | |||
.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-compat | |||
.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-interop |
@@ -26,7 +26,10 @@ RUN git clone https://github.com/henrydcase/crypto-tls-bogo-shim \ | |||
#ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5 | |||
# Draft 23 (+ client authentication) | |||
ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf | |||
# ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf | |||
# Draft 28 | |||
ARG REVISION=33204d1eaa497819c6325998d7ba6b66316790f3 | |||
RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \ | |||
git checkout $REVISION | |||
@@ -2,7 +2,7 @@ | |||
set -e | |||
/boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ | |||
-tls13-variant draft23 -session-out /session -connect "$@" < /httpreq.txt | |||
-tls13-variant draft28 -session-out /session -connect "$@" < /httpreq.txt | |||
exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ | |||
-tls13-variant draft23 -session-in /session -connect "$@" < /httpreq.txt | |||
-tls13-variant draft28 -session-in /session -connect "$@" < /httpreq.txt | |||
@@ -6,21 +6,21 @@ set -x | |||
bssl server \ | |||
-key rsa.pem \ | |||
-min-version tls1.2 -max-version tls1.3 \ | |||
-tls13-variant draft23 \ | |||
-tls13-variant draft28 \ | |||
-accept 1443 -loop -www 2>&1 & | |||
# ECDSA | |||
bssl server \ | |||
-key ecdsa.pem \ | |||
-min-version tls1.2 -max-version tls1.3 \ | |||
-tls13-variant draft23 \ | |||
-tls13-variant draft28 \ | |||
-accept 2443 -loop -www 2>&1 & | |||
# Require client authentication (with ECDSA) | |||
bssl server \ | |||
-key ecdsa.pem \ | |||
-min-version tls1.2 -max-version tls1.3 \ | |||
-tls13-variant draft23 \ | |||
-tls13-variant draft28 \ | |||
-accept 6443 -loop -www \ | |||
-require-any-client-cert -debug 2>&1 & | |||
@@ -44,6 +44,7 @@ var tlsVersionToName = map[uint16]string{ | |||
tls.VersionTLS13Draft21: "1.3 (draft 21)", | |||
tls.VersionTLS13Draft22: "1.3 (draft 22)", | |||
tls.VersionTLS13Draft23: "1.3 (draft 23)", | |||
tls.VersionTLS13Draft28: "1.3 (draft 28)", | |||
} | |||
func NewServer() *server { | |||
@@ -18,6 +18,7 @@ var tlsVersionToName = map[uint16]string{ | |||
tls.VersionTLS13: "1.3", | |||
tls.VersionTLS13Draft18: "1.3 (draft 18)", | |||
tls.VersionTLS13Draft23: "1.3 (draft 23)", | |||
tls.VersionTLS13Draft28: "1.3 (draft 28)", | |||
} | |||
var cipherSuiteIdToName = map[uint16]string{ | |||
@@ -24,7 +24,10 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1 | |||
#ARG REVISION=88c3f3fa581b | |||
# Draft 23 | |||
ARG REVISION=16c622c9e1cc | |||
# ARG REVISION=16c622c9e1cc | |||
# Latest | |||
ARG REVISION=09ab3310e710 | |||
RUN cd nss && hg pull | |||
RUN cd nss && hg checkout -C $REVISION | |||
@@ -174,7 +174,10 @@ type fixedNonceAEAD struct { | |||
aead cipher.AEAD | |||
} | |||
func (f *fixedNonceAEAD) NonceSize() int { return 8 } | |||
func (f *fixedNonceAEAD) NonceSize() int { return 8 } | |||
// Overhead returns the maximum difference between the lengths of a | |||
// plaintext and its ciphertext. | |||
func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() } | |||
func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 } | |||
@@ -31,6 +31,7 @@ const ( | |||
VersionTLS13Draft21 = 0x7f00 | 21 | |||
VersionTLS13Draft22 = 0x7f00 | 22 | |||
VersionTLS13Draft23 = 0x7f00 | 23 | |||
VersionTLS13Draft28 = 0x7f00 | 28 | |||
) | |||
const ( | |||
@@ -41,7 +42,7 @@ const ( | |||
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts | |||
minVersion = VersionTLS12 | |||
maxVersion = VersionTLS13Draft23 | |||
maxVersion = VersionTLS13Draft28 | |||
) | |||
// TLS record types. | |||
@@ -888,7 +889,7 @@ var configSuppVersArray = [...]uint16{VersionTLS13, VersionTLS12, VersionTLS11, | |||
// with TLS 1.3 draft versions included. | |||
// | |||
// TODO: remove once TLS 1.3 is finalised. | |||
var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft23, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30} | |||
var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft28, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30} | |||
// getSupportedVersions returns the protocol versions that are supported by the | |||
// current configuration. | |||
@@ -11,6 +11,7 @@ import ( | |||
"crypto/cipher" | |||
"crypto/subtle" | |||
"crypto/x509" | |||
"encoding/binary" | |||
"errors" | |||
"fmt" | |||
"io" | |||
@@ -358,6 +359,15 @@ func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert) | |||
hc.additionalData[11] = byte(n >> 8) | |||
hc.additionalData[12] = byte(n) | |||
additionalData = hc.additionalData[:] | |||
} else { | |||
if len(payload) > int((1<<14)+256) { | |||
return false, 0, alertRecordOverflow | |||
} | |||
// Check AD header, see 5.2 of RFC8446 | |||
additionalData = make([]byte, 5) | |||
additionalData[0] = 23 | |||
binary.BigEndian.PutUint16(additionalData[1:], 0x0303) | |||
binary.BigEndian.PutUint16(additionalData[3:], uint16(len(payload))) | |||
} | |||
var err error | |||
payload, err = c.Open(payload[:0], nonce, payload, additionalData) | |||
@@ -460,10 +470,11 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) { | |||
case cipher.Stream: | |||
c.XORKeyStream(payload, payload) | |||
case aead: | |||
// explicitIVLen is always 0 for TLS1.3 | |||
payloadLen := len(b.data) - recordHeaderLen - explicitIVLen | |||
overhead := c.Overhead() | |||
if hc.version >= VersionTLS13 { | |||
overhead++ | |||
overhead++ // TODO(kk): why this is done? | |||
} | |||
b.resize(len(b.data) + overhead) | |||
@@ -478,16 +489,19 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) { | |||
if hc.version < VersionTLS13 { | |||
copy(hc.additionalData[:], hc.seq[:]) | |||
copy(hc.additionalData[8:], b.data[:3]) | |||
hc.additionalData[11] = byte(payloadLen >> 8) | |||
hc.additionalData[12] = byte(payloadLen) | |||
binary.BigEndian.PutUint16(hc.additionalData[11:], uint16(payloadLen)) | |||
additionalData = hc.additionalData[:] | |||
} | |||
if hc.version >= VersionTLS13 { | |||
} else { | |||
// opaque type | |||
payload = payload[:len(payload)+1] | |||
payload[len(payload)-1] = b.data[0] | |||
b.data[0] = byte(recordTypeApplicationData) | |||
// Add AD header, see 5.2 of RFC8446 | |||
additionalData = make([]byte, 5) | |||
additionalData[0] = byte(recordTypeApplicationData) | |||
binary.BigEndian.PutUint16(additionalData[1:], VersionTLS12) | |||
binary.BigEndian.PutUint16(additionalData[3:], uint16(payloadLen+overhead)) | |||
} | |||
c.Seal(payload[:0], nonce, payload, additionalData) | |||
@@ -155,8 +155,8 @@ func ExampleConfig_keyLogWriter_TLS13() { | |||
// preferences. | |||
// Output: | |||
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 a829dab06ccbe9323e0ad6cf331cd64d9a499f7f4b1e0b52d0dfaba90c07f275 | |||
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 5f6a288b5b5aba5cfc65d9966b279e911ac58bd7f81abbb67b10427106f01940 | |||
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 1f202d1c1d43e74a8c4f46a56eae2cef9de417ff9f5f3927195eacc168f459b3 | |||
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 67ece7874ec4f661fe1f06fb4240decd25f54062d78f0784844bf222d1967c20 | |||
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 16ca97d21087a14d406b2601b4713dd82b156cc01d54665baaa4bdb62b72b9a4 | |||
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 102c68d960da4f5e2b76a99636ac07bb5774e43b8ce8c14aa4dfd9bf54d11754 | |||
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 f3208d533bb885f32f52142acb484eed104739970c2f426e72a1ee31f6d28650 | |||
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 70de6b1936df7db171c02f9cfdb04dfa9405a891c959beb15b86f26b2057ba23 | |||
} |
@@ -18,7 +18,7 @@ import ( | |||
// A PEM-encoded "delegation certificate", an X.509 certificate with the | |||
// DelegationUsage extension. The extension is defined in | |||
// specified in https://tools.ietf.org/html/draft-ietf-tls-subcerts-02. | |||
var dcDelegationCertPEM = `-----BEGIN CERTIFICATE----- | |||
const DcCertWithDelegationUsage = `-----BEGIN CERTIFICATE----- | |||
MIIBejCCASGgAwIBAgIQXXtl0v50W2OadoW0QwLUlzAKBggqhkjOPQQDAjAUMRIw | |||
EAYDVQQKEwlBY21lIEluYy4wHhcNMTgwNzMwMjAxMTE5WhcNMTgwODA2MjAxMTE5 | |||
WjAUMRIwEAYDVQQKEwlBY21lIEluYy4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC | |||
@@ -32,7 +32,7 @@ AQQBgtpLLAQAMAoGCCqGSM49BAMCA0cAMEQCIEMdIkwwmzQAJ6RSDT3wcrsySx2B | |||
// The PEM-encoded "delegation key", the secret key associated with the | |||
// delegation certificate. This is a key for ECDSA with P256 and SHA256. | |||
var dcDelegationKeyPEM = `-----BEGIN EC PRIVATE KEY----- | |||
const DcKeyWithDelegationUsage = `-----BEGIN EC PRIVATE KEY----- | |||
MHcCAQEEIAS/pGktmxK1hlt3gF4N2nkMrJnoZihvOO63nnNcxXQroAoGCCqGSM49 | |||
AwEHoUQDQgAE3ELrmlDSd5KihrOAwXSVXe81s8hgDU+LgTRlZGdnIGg7HRZ8ffXx | |||
om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w== | |||
@@ -40,7 +40,7 @@ om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w== | |||
` | |||
// A certificate without the DelegationUsage extension. | |||
var dcCertPEM = `-----BEGIN CERTIFICATE----- | |||
const DcCertWithoutDelegationUsage = `-----BEGIN CERTIFICATE----- | |||
MIIBajCCAQ+gAwIBAgIRAMUg/VFqJaWWJwZ9iHoMjqIwCgYIKoZIzj0EAwIwEjEQ | |||
MA4GA1UEChMHQWNtZSBDbzAeFw0xODA3MzAyMDExMTlaFw0xOTA3MzAyMDExMTla | |||
MBIxEDAOBgNVBAoTB0FjbWUgQ28wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATA | |||
@@ -52,8 +52,8 @@ KFyrowMTan791RJnyANH/4uYhmvkfhfrFGSTXUli | |||
-----END CERTIFICATE----- | |||
` | |||
// The secret key associatted with dcCertPEM. | |||
var dcKeyPEM = `-----BEGIN EC PRIVATE KEY----- | |||
// The secret key associatted with DcCertWithoutDelegationUsage. | |||
const DcKeyWithoutDelegationUsage = `-----BEGIN EC PRIVATE KEY----- | |||
MHcCAQEEIEP82pOhzx0tKkky9t0OmUo9MHgmfdAHxDN2cHmWGqOhoAoGCCqGSM49 | |||
AwEHoUQDQgAEwJ/qHlkr0jR4RLJEkYJJHqwkA6FfzQPq90uQLQjhU+QGC7fMZbUk | |||
1nqxSP2JWSyHC8ZST0+0/l6QZ30usWgLsQ== | |||
@@ -75,7 +75,7 @@ type dcTestDC struct { | |||
// Use with maxVersion == VersionTLS13Draft23. | |||
// | |||
// TODO(henrydcase): Remove this when we drop support for draft23. | |||
var dcTestDataDraft23PEM = `-----BEGIN DC TEST DATA----- | |||
const DcTestDataDraft23PEM = `-----BEGIN DC TEST DATA----- | |||
MIIIPDCCAUETCXRsczEzcDI1NgICfxcCAgQDBIGwAAk6gAQDfxcAWzBZMBMGByqG | |||
SM49AgEGCCqGSM49AwEHA0IABDFeK+EcMQWKDM6xZJqHEHLcIWE0iHTAL1xAB5r6 | |||
bkm7GLlz1HLWcTy28PNsb9KQLV3Yeay2WYA2d2zGQjNbEhcEAwBHMEUCIQDnXyP4 | |||
@@ -126,7 +126,7 @@ AiEiKCRicw1Upfdy+xdSF0N3XXkLHB13criCfJr2rbZ1o8V7CsX6U70o+/48huPI | |||
// Use with maxVersion == VersionTLS13Draft28. | |||
// | |||
// TODO(henrydcase): Remove this when we drop support for draft28. | |||
var dcTestDataDraft28PEM = `-----BEGIN DC TEST DATA----- | |||
const DcTestDataDraft28PEM = `-----BEGIN DC TEST DATA----- | |||
MIIIOjCCAUATCXRsczEzcDI1NgICfxwCAgQDBIGvAAk6gAQDfxwAWzBZMBMGByqG | |||
SM49AgEGCCqGSM49AwEHA0IABAOcQMVs6VmVQ1BYyK+YhUAucZqH3LmDQmAaVDs8 | |||
brnePHVmSdOoQCU+Ybp3kgnklW958EFZiJ2oK7iWkIpi4TIEAwBGMEQCIB8w0eko | |||
@@ -175,7 +175,7 @@ x/tlNfATUGmFQGwPug4RyWVux22dGrn81/SsIXJ8hz1eb0s9EKOBbxwhJ//ACg== | |||
` | |||
// Use with maxVersion == VersionTLS13. | |||
var dcTestDataPEM = `-----BEGIN DC TEST DATA----- | |||
const DcTestDataTLS13PEM = `-----BEGIN DC TEST DATA----- | |||
MIIIOzCCAUATCXRsczEzcDI1NgICAwQCAgQDBIGvAAk6gAQDAwQAWzBZMBMGByqG | |||
SM49AgEGCCqGSM49AwEHA0IABFTImzqflLfyu3rqlCVsezSv45fKJglhjDYcwJ3H | |||
ylqX6rFCupeCwKmMhFvxRkkWAOobv2DZxLYALFgggC8KckkEAwBGMEQCIBWO8rFt | |||
@@ -273,11 +273,11 @@ func init() { | |||
var testData []byte | |||
switch maxVersion { | |||
case VersionTLS13Draft23: | |||
testData = []byte(dcTestDataDraft23PEM) | |||
testData = []byte(DcTestDataDraft23PEM) | |||
case 0x7f00 | 28: // TODO(henrydcase): Fix once draft 28 is implemented | |||
testData = []byte(dcTestDataDraft28PEM) | |||
testData = []byte(DcTestDataDraft28PEM) | |||
case 0x0304: // TODO(henrydcase): Fix once the final version is implemented | |||
testData = []byte(dcTestDataPEM) | |||
testData = []byte(DcTestDataTLS13PEM) | |||
default: | |||
panic(fmt.Errorf("no test data for version %04x", maxVersion)) | |||
} | |||
@@ -299,7 +299,7 @@ func init() { | |||
} | |||
// The delegation certificate. | |||
dcTestDelegationCert, err = X509KeyPair([]byte(dcDelegationCertPEM), []byte(dcDelegationKeyPEM)) | |||
dcTestDelegationCert, err = X509KeyPair([]byte(DcCertWithDelegationUsage), []byte(DcKeyWithDelegationUsage)) | |||
if err != nil { | |||
panic(err) | |||
} | |||
@@ -309,7 +309,7 @@ func init() { | |||
} | |||
// A certificate without the the DelegationUsage extension for X.509. | |||
dcTestCert, err = X509KeyPair([]byte(dcCertPEM), []byte(dcKeyPEM)) | |||
dcTestCert, err = X509KeyPair([]byte(DcCertWithoutDelegationUsage), []byte(DcKeyWithoutDelegationUsage)) | |||
if err != nil { | |||
panic(err) | |||
} | |||