Swap TLS 1.3 to RFC 8446
Этот коммит содержится в:
родитель
7e1760cc7c
Коммит
da110326f8
@ -23,7 +23,7 @@ INSTALL_RACE:= $(words $(filter $(ARCH)_$(shell go env CGO_ENABLED), amd64_1))
|
||||
TARGET_TEST_COMPAT=boring picotls tstclnt
|
||||
|
||||
# Some target-specific constants
|
||||
BORINGSSL_REVISION=03de6813d8992a649092b4874ef0ebc022e2f58a
|
||||
BORINGSSL_REVISION=d451453067cd665a5c38830fbbaac9e599234a5e
|
||||
BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris
|
||||
|
||||
###############
|
||||
|
@ -50,8 +50,8 @@ RUN mkdir boringssl/build
|
||||
# Draft 28
|
||||
# ARG REVISION=861f384d7bc59241a9df1634ae938d8e75be2d30
|
||||
|
||||
# Latest
|
||||
ARG REVISION=03de6813d8992a649092b4874ef0ebc022e2f58a
|
||||
# TLS 1.3
|
||||
ARG REVISION=d451453067cd665a5c38830fbbaac9e599234a5e
|
||||
|
||||
RUN cd boringssl && git fetch
|
||||
RUN cd boringssl && git checkout $REVISION
|
||||
|
@ -2,7 +2,7 @@
|
||||
set -e
|
||||
|
||||
/boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
|
||||
-tls13-variant draft28 -session-out /session -connect "$@" < /httpreq.txt
|
||||
-session-out /session -connect "$@" < /httpreq.txt
|
||||
exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
|
||||
-tls13-variant draft28 -session-in /session -connect "$@" < /httpreq.txt
|
||||
-session-in /session -connect "$@" < /httpreq.txt
|
||||
|
||||
|
@ -6,21 +6,18 @@ set -x
|
||||
bssl server \
|
||||
-key rsa.pem \
|
||||
-min-version tls1.2 -max-version tls1.3 \
|
||||
-tls13-variant draft28 \
|
||||
-accept 1443 -loop -www 2>&1 &
|
||||
|
||||
# ECDSA
|
||||
bssl server \
|
||||
-key ecdsa.pem \
|
||||
-min-version tls1.2 -max-version tls1.3 \
|
||||
-tls13-variant draft28 \
|
||||
-accept 2443 -loop -www 2>&1 &
|
||||
|
||||
# Require client authentication (with ECDSA)
|
||||
bssl server \
|
||||
-key ecdsa.pem \
|
||||
-min-version tls1.2 -max-version tls1.3 \
|
||||
-tls13-variant draft28 \
|
||||
-accept 6443 -loop -www \
|
||||
-require-any-client-cert -debug 2>&1 &
|
||||
|
||||
|
@ -10,7 +10,7 @@ import time
|
||||
# Checks if TLS 1.3 was negotiated
|
||||
RE_PATTERN_HELLO_TLS_13_NORESUME = "^.*Hello TLS 1.3 \(draft .*\) _o/$|^.*Hello TLS 1.3 _o/$"
|
||||
# Checks if TLS 1.3 was resumed
|
||||
RE_PATTERN_HELLO_TLS_13_RESUME = "Hello TLS 1.3 \(draft .*\) \[resumed\] _o/"
|
||||
RE_PATTERN_HELLO_TLS_13_RESUME = "Hello TLS 1.3 \[resumed\] _o/"
|
||||
# Checks if 0-RTT was used and NOT confirmed
|
||||
RE_PATTERN_HELLO_0RTT = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT\] _o/$"
|
||||
# Checks if 0-RTT was used and confirmed
|
||||
@ -48,7 +48,7 @@ class RegexSelfTest(unittest.TestCase):
|
||||
LINE_HELLO_TLS ="\nsomestuff\nHello TLS 1.3 _o/\nsomestuff"
|
||||
LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nsomestuff"
|
||||
|
||||
LINE_HELLO_RESUMED ="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff"
|
||||
LINE_HELLO_RESUMED ="\nsomestuff\nHello TLS 1.3 [resumed] _o/\nsomestuff"
|
||||
LINE_HELLO_MIXED ="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff"
|
||||
LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff"
|
||||
LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff"
|
||||
|
@ -32,11 +32,10 @@ type server struct {
|
||||
}
|
||||
|
||||
var tlsVersionToName = map[uint16]string{
|
||||
tls.VersionTLS10: "1.0",
|
||||
tls.VersionTLS11: "1.1",
|
||||
tls.VersionTLS12: "1.2",
|
||||
tls.VersionTLS13: "1.3",
|
||||
tls.VersionTLS13Draft28: "1.3 (draft 28)",
|
||||
tls.VersionTLS10: "1.0",
|
||||
tls.VersionTLS11: "1.1",
|
||||
tls.VersionTLS12: "1.2",
|
||||
tls.VersionTLS13: "1.3",
|
||||
}
|
||||
|
||||
func NewServer() *server {
|
||||
|
@ -12,11 +12,10 @@ import (
|
||||
)
|
||||
|
||||
var tlsVersionToName = map[uint16]string{
|
||||
tls.VersionTLS10: "1.0",
|
||||
tls.VersionTLS11: "1.1",
|
||||
tls.VersionTLS12: "1.2",
|
||||
tls.VersionTLS13: "1.3",
|
||||
tls.VersionTLS13Draft28: "1.3 (draft 28)",
|
||||
tls.VersionTLS10: "1.0",
|
||||
tls.VersionTLS11: "1.1",
|
||||
tls.VersionTLS12: "1.2",
|
||||
tls.VersionTLS13: "1.3",
|
||||
}
|
||||
|
||||
var cipherSuiteIdToName = map[uint16]string{
|
||||
|
@ -27,7 +27,7 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
|
||||
# ARG REVISION=16c622c9e1cc
|
||||
|
||||
# Latest
|
||||
ARG REVISION=09ab3310e710
|
||||
ARG REVISION=ee357b00f2e6
|
||||
|
||||
RUN cd nss && hg pull
|
||||
RUN cd nss && hg checkout -C $REVISION
|
||||
|
23
common.go
23
common.go
@ -22,12 +22,11 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
VersionSSL30 = 0x0300
|
||||
VersionTLS10 = 0x0301
|
||||
VersionTLS11 = 0x0302
|
||||
VersionTLS12 = 0x0303
|
||||
VersionTLS13 = 0x0304
|
||||
VersionTLS13Draft28 = 0x7f00 | 28
|
||||
VersionSSL30 = 0x0300
|
||||
VersionTLS10 = 0x0301
|
||||
VersionTLS11 = 0x0302
|
||||
VersionTLS12 = 0x0303
|
||||
VersionTLS13 = 0x0304
|
||||
)
|
||||
|
||||
const (
|
||||
@ -38,7 +37,7 @@ const (
|
||||
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts
|
||||
|
||||
minVersion = VersionTLS12
|
||||
maxVersion = VersionTLS13Draft28
|
||||
maxVersion = VersionTLS13
|
||||
)
|
||||
|
||||
// TLS record types.
|
||||
@ -888,12 +887,6 @@ func (c *Config) pickVersion(peerSupportedVersions []uint16) (uint16, bool) {
|
||||
// configSuppVersArray is the backing array of Config.getSupportedVersions
|
||||
var configSuppVersArray = [...]uint16{VersionTLS13, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
|
||||
|
||||
// tls13DraftSuppVersArray is the backing array of Config.getSupportedVersions
|
||||
// with TLS 1.3 draft versions included.
|
||||
//
|
||||
// TODO: remove once TLS 1.3 is finalised.
|
||||
var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft28, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
|
||||
|
||||
// getSupportedVersions returns the protocol versions that are supported by the
|
||||
// current configuration.
|
||||
func (c *Config) getSupportedVersions() []uint16 {
|
||||
@ -909,10 +902,6 @@ func (c *Config) getSupportedVersions() []uint16 {
|
||||
if maxVersion < minVersion {
|
||||
return nil
|
||||
}
|
||||
// TODO: remove once TLS 1.3 is finalised.
|
||||
if maxVersion == VersionTLS13 {
|
||||
return tls13DraftSuppVersArray[:len(tls13DraftSuppVersArray)-int(minVersion-VersionSSL30)]
|
||||
}
|
||||
return configSuppVersArray[VersionTLS13-maxVersion : VersionTLS13-minVersion+1]
|
||||
}
|
||||
|
||||
|
@ -155,8 +155,8 @@ func ExampleConfig_keyLogWriter_TLS13() {
|
||||
// preferences.
|
||||
|
||||
// Output:
|
||||
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 16ca97d21087a14d406b2601b4713dd82b156cc01d54665baaa4bdb62b72b9a4
|
||||
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 102c68d960da4f5e2b76a99636ac07bb5774e43b8ce8c14aa4dfd9bf54d11754
|
||||
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 f3208d533bb885f32f52142acb484eed104739970c2f426e72a1ee31f6d28650
|
||||
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 70de6b1936df7db171c02f9cfdb04dfa9405a891c959beb15b86f26b2057ba23
|
||||
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 b946c84f46f53bd410368a1fd7d53873e74bedd53b4b1a4b125be40c8b0510a1
|
||||
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 b6c44e95e34cb2616ff2e9a1163577aa1aa5cb3af8df16d0fdbbbaf15f415c8e
|
||||
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 cbecc42509a124ae517f6c9aaae1961d755ab4268548b40b0c7840a9643240e8
|
||||
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 8f6dd1476706ea8147d829347937694496a7d62d6d01de0a1b4820140d01cad0
|
||||
}
|
||||
|
@ -69,61 +69,6 @@ type dcTestDC struct {
|
||||
PrivateKey []byte
|
||||
}
|
||||
|
||||
// Test data used for testing the TLS handshake with the delegated credential
|
||||
// extension. The PEM block encodes a DER encoded slice of dcTestDCs.
|
||||
|
||||
// Use with maxVersion == VersionTLS13Draft28.
|
||||
//
|
||||
// TODO(henrydcase): Remove this when we drop support for draft28.
|
||||
const DcTestDataDraft28PEM = `-----BEGIN DC TEST DATA-----
|
||||
MIIIQjCCAUETCXRsczEzcDI1NgICfxwCAgQDBIGwAAk6gAQDfxwAAFswWTATBgcq
|
||||
hkjOPQIBBggqhkjOPQMBBwNCAASfXv9/jTDWOG9nwKmIN1GrFqF0p0frgMl6rxvy
|
||||
fu/58dkS0ZduzOUBG7qHsu+jHE8T29jH8SCH4Otl+3abna8IBAMARjBEAiAtDM7j
|
||||
w0bNce3QrVupL3wh5CUhIsTAwoYuWLls+1U8mwIgb/MHyZbcA7tALI0mNIJ1WRwy
|
||||
V7tByFYV21ataGTa+6UEeTB3AgEBBCDXxru/xm8LfdX+VVZBhBrb4kYrtVU28SNe
|
||||
q4TcMhvxUKAKBggqhkjOPQMBB6FEA0IABJ9e/3+NMNY4b2fAqYg3UasWoXSnR+uA
|
||||
yXqvG/J+7/nx2RLRl27M5QEbuoey76McTxPb2MfxIIfg62X7dpudrwgwggHsEwl0
|
||||
bHMxM3A1MjECAn8cAgIGAwSB9AAJOoAGA38cAACeMIGbMBAGByqGSM49AgEGBSuB
|
||||
BAAjA4GGAAQBPRyZBgt3gNeSrgvhCGfzRJL7YH2nRdWZsi5ot+pDppu7GWwG2Bh7
|
||||
Q8kurueZfyveEwQFnKOqUnqN/lXNxQuGAdcA3wg+Apb/ZjV+wQlaZjRFqCKWsp6A
|
||||
gFMPvab6nykiIrDxoJMtmk1+GW/YapaCwMiyBH6VRhqxQpEhR2ZXyXkqZ6EEAwBH
|
||||
MEUCIQDQgYRL6lqn+M/fTlPsXilqjwxF0x8TyDRYGd1tsg4wdAIgTvXu8lpzD2t4
|
||||
vEqSKLRPA75HAU+ui1q4V8Hpudp7DkUEgd8wgdwCAQEEQgF3/A259KQTc+cw4ClJ
|
||||
pCnTXC9G2Fh5VULrAn3tFIpnzJ4VQun3UgkoPpeUSBdny9Kbd2DbfuFVd5YvNG2i
|
||||
HPxVBKAHBgUrgQQAI6GBiQOBhgAEAT0cmQYLd4DXkq4L4Qhn80SS+2B9p0XVmbIu
|
||||
aLfqQ6abuxlsBtgYe0PJLq7nmX8r3hMEBZyjqlJ6jf5VzcULhgHXAN8IPgKW/2Y1
|
||||
fsEJWmY0RagilrKegIBTD72m+p8pIiKw8aCTLZpNfhlv2GqWgsDIsgR+lUYasUKR
|
||||
IUdmV8l5KmehMIIBQRMHYmFkdmVycwIDAP8AAgIEAwSBsQAJOoAEA/8AAABbMFkw
|
||||
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESs4ZQnHHAPPHaA3uxyMAw91T4ajlJvL2
|
||||
BAtP6XYpo9j+QWBtsFpwNRY85acAQJ9+7y1nbCHjn0UwB8Hi8P9pdQQDAEcwRQIg
|
||||
YJUpZPXZFbxyXDj/QYqvGlu4veHQJOaT0PL1rx6R/2gCIQC1qAAkNe5lz8W1M97t
|
||||
QXwxYRWgt8GLdBqp72EduVHtMgR5MHcCAQEEINU81qgDRzEPrx2YxJNBt7quCeA8
|
||||
VZV9efsB7R7sxkwXoAoGCCqGSM49AwEHoUQDQgAESs4ZQnHHAPPHaA3uxyMAw91T
|
||||
4ajlJvL2BAtP6XYpo9j+QWBtsFpwNRY85acAQJ9+7y1nbCHjn0UwB8Hi8P9pdTCC
|
||||
AT8TBmJhZGtleQICfxwCAgQDBIGxAAk6gAQDfxwAAFswWTATBgcqhkjOPQIBBggq
|
||||
hkjOPQMBBwNCAAQnV8i/4ZrWoZG0nGDy6xsYzCV10FwaCbrvejTxcltSoCJ8HfPT
|
||||
u9FhOlHllmVyp/qCdB0ILsSlYDEFG9yzV/kGBAMARzBFAiBw3YabIamIHJAKmUcE
|
||||
+AZNsvBPuuYeKGCQ9N5n4/1hpwIhAJ07IU/p4+Nl24u4IneM9Fq5lL4YugiSAtDy
|
||||
/pWeCL0XBHkwdwIBAQQgOR6w5qkUyavY92PuOBXslfxJgfS8RUaAImqAlWhniKug
|
||||
CgYIKoZIzj0DAQehRANCAARH0kbf92XgJ5Mop4Spbpp3bjwzQw7Pg6T9vQH0q8Hy
|
||||
CTG65vcmu2whOu+0nR3eJg7rt9BhcHredcOoUhGbgqbRMIIBPhMGYmFkc2lnAgJ/
|
||||
HAICBAMEgbAACTqABAN/HAAAWzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBlb
|
||||
oANTnMd8jcnuzyCv+I+l51tqVog0wagYMo6L7A2RlTqgTYaz0p7mH3wsHfsv/Py8
|
||||
Scv5o7vp/MIQjEbeg8wEAwBGMEQCIDozxK17n3gytnV9h6X9BKz5GsxBgr9+Ympe
|
||||
9XXppP57AiAPks17U0EhoIhSk6dhmVpgjkoHt9jxn1xYIwJxceGWywR5MHcCAQEE
|
||||
IH7GjuBRPz5WvrYrmD6dlCHX5Fda2C7faa+f0mmjkOfvoAoGCCqGSM49AwEHoUQD
|
||||
QgAEGVugA1Ocx3yNye7PIK/4j6XnW2pWiDTBqBgyjovsDZGVOqBNhrPSnuYffCwd
|
||||
+y/8/LxJy/mju+n8whCMRt6DzDCCAT8TBXRsczEyAgIDAwICBAMEgbIACTqABAMD
|
||||
AwAAWzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFbRSfoqtGJdMb7NP3hENn6A
|
||||
b8tzLgr8Cj77JSoSVloy/+XOa+wz1OhEzA2b54WkEhVQor+RAT688z7UwEXFwWsE
|
||||
AwBIMEYCIQCdahwKMP01K5rvn3IU7JQElg1TjnGw1vZk7zsjg1B0gQIhAMLlhfUA
|
||||
Zd/eyMHutw9HfBOWX7rlcKN12RwtGuNXvZ1BBHkwdwIBAQQgSSNaIBwdPWauUSKg
|
||||
LN73E41eUQrWung1lwgTQWV1AhqgCgYIKoZIzj0DAQehRANCAARW0Un6KrRiXTG+
|
||||
zT94RDZ+gG/Lcy4K/Ao++yUqElZaMv/lzmvsM9ToRMwNm+eFpBIVUKK/kQE+vPM+
|
||||
1MBFxcFr
|
||||
-----END DC TEST DATA-----
|
||||
`
|
||||
|
||||
// Use with maxVersion == VersionTLS13.
|
||||
const DcTestDataTLS13PEM = `-----BEGIN DC TEST DATA-----
|
||||
MIIIQzCCAUMTCXRsczEzcDI1NgICAwQCAgQDBIGyAAk6gAQDAwQAAFswWTATBgcq
|
||||
@ -222,14 +167,11 @@ var dcTestNow time.Time
|
||||
func init() {
|
||||
// Load the DC test data.
|
||||
var testData []byte
|
||||
switch maxVersion {
|
||||
case VersionTLS13Draft28:
|
||||
testData = []byte(DcTestDataDraft28PEM)
|
||||
case 0x0304: // TODO(henrydcase): Fix once the final version is implemented
|
||||
testData = []byte(DcTestDataTLS13PEM)
|
||||
default:
|
||||
if maxVersion != 0x0304 {
|
||||
panic(fmt.Errorf("no test data for version %04x", maxVersion))
|
||||
}
|
||||
testData = []byte(DcTestDataTLS13PEM)
|
||||
|
||||
err := dcLoadTestData(testData, &dcTestDCs)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
|
Загрузка…
Ссылка в новой задаче
Block a user