@@ -23,7 +23,7 @@ INSTALL_RACE:= $(words $(filter $(ARCH)_$(shell go env CGO_ENABLED), amd64_1)) | |||||
TARGET_TEST_COMPAT=boring picotls tstclnt | TARGET_TEST_COMPAT=boring picotls tstclnt | ||||
# Some target-specific constants | # Some target-specific constants | ||||
BORINGSSL_REVISION=03de6813d8992a649092b4874ef0ebc022e2f58a | |||||
BORINGSSL_REVISION=d451453067cd665a5c38830fbbaac9e599234a5e | |||||
BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris | BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris | ||||
############### | ############### | ||||
@@ -50,8 +50,8 @@ RUN mkdir boringssl/build | |||||
# Draft 28 | # Draft 28 | ||||
# ARG REVISION=861f384d7bc59241a9df1634ae938d8e75be2d30 | # ARG REVISION=861f384d7bc59241a9df1634ae938d8e75be2d30 | ||||
# Latest | |||||
ARG REVISION=03de6813d8992a649092b4874ef0ebc022e2f58a | |||||
# TLS 1.3 | |||||
ARG REVISION=d451453067cd665a5c38830fbbaac9e599234a5e | |||||
RUN cd boringssl && git fetch | RUN cd boringssl && git fetch | ||||
RUN cd boringssl && git checkout $REVISION | RUN cd boringssl && git checkout $REVISION | ||||
@@ -2,7 +2,7 @@ | |||||
set -e | set -e | ||||
/boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ | /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ | ||||
-tls13-variant draft28 -session-out /session -connect "$@" < /httpreq.txt | |||||
-session-out /session -connect "$@" < /httpreq.txt | |||||
exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ | exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \ | ||||
-tls13-variant draft28 -session-in /session -connect "$@" < /httpreq.txt | |||||
-session-in /session -connect "$@" < /httpreq.txt | |||||
@@ -6,21 +6,18 @@ set -x | |||||
bssl server \ | bssl server \ | ||||
-key rsa.pem \ | -key rsa.pem \ | ||||
-min-version tls1.2 -max-version tls1.3 \ | -min-version tls1.2 -max-version tls1.3 \ | ||||
-tls13-variant draft28 \ | |||||
-accept 1443 -loop -www 2>&1 & | -accept 1443 -loop -www 2>&1 & | ||||
# ECDSA | # ECDSA | ||||
bssl server \ | bssl server \ | ||||
-key ecdsa.pem \ | -key ecdsa.pem \ | ||||
-min-version tls1.2 -max-version tls1.3 \ | -min-version tls1.2 -max-version tls1.3 \ | ||||
-tls13-variant draft28 \ | |||||
-accept 2443 -loop -www 2>&1 & | -accept 2443 -loop -www 2>&1 & | ||||
# Require client authentication (with ECDSA) | # Require client authentication (with ECDSA) | ||||
bssl server \ | bssl server \ | ||||
-key ecdsa.pem \ | -key ecdsa.pem \ | ||||
-min-version tls1.2 -max-version tls1.3 \ | -min-version tls1.2 -max-version tls1.3 \ | ||||
-tls13-variant draft28 \ | |||||
-accept 6443 -loop -www \ | -accept 6443 -loop -www \ | ||||
-require-any-client-cert -debug 2>&1 & | -require-any-client-cert -debug 2>&1 & | ||||
@@ -10,7 +10,7 @@ import time | |||||
# Checks if TLS 1.3 was negotiated | # Checks if TLS 1.3 was negotiated | ||||
RE_PATTERN_HELLO_TLS_13_NORESUME = "^.*Hello TLS 1.3 \(draft .*\) _o/$|^.*Hello TLS 1.3 _o/$" | RE_PATTERN_HELLO_TLS_13_NORESUME = "^.*Hello TLS 1.3 \(draft .*\) _o/$|^.*Hello TLS 1.3 _o/$" | ||||
# Checks if TLS 1.3 was resumed | # Checks if TLS 1.3 was resumed | ||||
RE_PATTERN_HELLO_TLS_13_RESUME = "Hello TLS 1.3 \(draft .*\) \[resumed\] _o/" | |||||
RE_PATTERN_HELLO_TLS_13_RESUME = "Hello TLS 1.3 \[resumed\] _o/" | |||||
# Checks if 0-RTT was used and NOT confirmed | # Checks if 0-RTT was used and NOT confirmed | ||||
RE_PATTERN_HELLO_0RTT = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT\] _o/$" | RE_PATTERN_HELLO_0RTT = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT\] _o/$" | ||||
# Checks if 0-RTT was used and confirmed | # Checks if 0-RTT was used and confirmed | ||||
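Review bot: The new `RE_PATTERN_HELLO_TLS_13_RESUME` no longer accepts a `(draft …)` label, but `RE_PATTERN_HELLO_TLS_13_NORESUME` two lines above still has the `\(draft .*\)` alternative and `RE_PATTERN_HELLO_0RTT` still allows anything between `1.3` and `[resumed]`. A peer that prints a draft label would now count as a valid non-resumed TLS 1.3 handshake but never as a resumed one. If draft output is meant to be rejected everywhere, drop the first alternative from the NORESUME pattern too; if it is kept for other interop peers, say so in the comment above it. The pattern is also a plain string containing `\[`, which newer Python versions warn about as an invalid escape; a raw string avoids that: `RE_PATTERN_HELLO_TLS_13_RESUME = r"Hello TLS 1.3 \[resumed\] _o/"`.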
@@ -48,7 +48,7 @@ class RegexSelfTest(unittest.TestCase): | |||||
LINE_HELLO_TLS ="\nsomestuff\nHello TLS 1.3 _o/\nsomestuff" | LINE_HELLO_TLS ="\nsomestuff\nHello TLS 1.3 _o/\nsomestuff" | ||||
LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nsomestuff" | LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nsomestuff" | ||||
LINE_HELLO_RESUMED ="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff" | |||||
LINE_HELLO_RESUMED ="\nsomestuff\nHello TLS 1.3 [resumed] _o/\nsomestuff" | |||||
LINE_HELLO_MIXED ="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff" | LINE_HELLO_MIXED ="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff" | ||||
LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff" | LINE_HELLO_TLS_12 ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff" | ||||
LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff" | LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff" | ||||
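Review bot: Only `LINE_HELLO_RESUMED` was updated; `LINE_HELLO_MIXED` still carries `Hello TLS 1.3 (draft 23) [resumed] _o/`, which the new resume pattern does not match. The assertions of `RegexSelfTest` are outside this hunk, so I cannot tell whether one of them checks the resume pattern against `LINE_HELLO_MIXED`; if one does, it will now fail or silently test something different. I would change the second line of that fixture to `Hello TLS 1.3 [resumed] _o/`. I would also add a negative case asserting that a draft-labelled resumed line is rejected, so the self-test pins the new behaviour.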
@@ -32,11 +32,10 @@ type server struct { | |||||
} | } | ||||
var tlsVersionToName = map[uint16]string{ | var tlsVersionToName = map[uint16]string{ | ||||
tls.VersionTLS10: "1.0", | |||||
tls.VersionTLS11: "1.1", | |||||
tls.VersionTLS12: "1.2", | |||||
tls.VersionTLS13: "1.3", | |||||
tls.VersionTLS13Draft28: "1.3 (draft 28)", | |||||
tls.VersionTLS10: "1.0", | |||||
tls.VersionTLS11: "1.1", | |||||
tls.VersionTLS12: "1.2", | |||||
tls.VersionTLS13: "1.3", | |||||
} | } | ||||
func NewServer() *server { | func NewServer() *server { | ||||
@@ -12,11 +12,10 @@ import ( | |||||
) | ) | ||||
var tlsVersionToName = map[uint16]string{ | var tlsVersionToName = map[uint16]string{ | ||||
tls.VersionTLS10: "1.0", | |||||
tls.VersionTLS11: "1.1", | |||||
tls.VersionTLS12: "1.2", | |||||
tls.VersionTLS13: "1.3", | |||||
tls.VersionTLS13Draft28: "1.3 (draft 28)", | |||||
tls.VersionTLS10: "1.0", | |||||
tls.VersionTLS11: "1.1", | |||||
tls.VersionTLS12: "1.2", | |||||
tls.VersionTLS13: "1.3", | |||||
} | } | ||||
var cipherSuiteIdToName = map[uint16]string{ | var cipherSuiteIdToName = map[uint16]string{ | ||||
@@ -27,7 +27,7 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1 | |||||
# ARG REVISION=16c622c9e1cc | # ARG REVISION=16c622c9e1cc | ||||
# Latest | # Latest | ||||
ARG REVISION=09ab3310e710 | |||||
ARG REVISION=ee357b00f2e6 | |||||
RUN cd nss && hg pull | RUN cd nss && hg pull | ||||
RUN cd nss && hg checkout -C $REVISION | RUN cd nss && hg checkout -C $REVISION | ||||
@@ -22,12 +22,11 @@ import ( | |||||
) | ) | ||||
const ( | const ( | ||||
VersionSSL30 = 0x0300 | |||||
VersionTLS10 = 0x0301 | |||||
VersionTLS11 = 0x0302 | |||||
VersionTLS12 = 0x0303 | |||||
VersionTLS13 = 0x0304 | |||||
VersionTLS13Draft28 = 0x7f00 | 28 | |||||
VersionSSL30 = 0x0300 | |||||
VersionTLS10 = 0x0301 | |||||
VersionTLS11 = 0x0302 | |||||
VersionTLS12 = 0x0303 | |||||
VersionTLS13 = 0x0304 | |||||
) | ) | ||||
const ( | const ( | ||||
@@ -38,7 +37,7 @@ const ( | |||||
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts | maxWarnAlertCount = 5 // maximum number of consecutive warning alerts | ||||
minVersion = VersionTLS12 | minVersion = VersionTLS12 | ||||
maxVersion = VersionTLS13Draft28 | |||||
maxVersion = VersionTLS13 | |||||
) | ) | ||||
// TLS record types. | // TLS record types. | ||||
@@ -888,12 +887,6 @@ func (c *Config) pickVersion(peerSupportedVersions []uint16) (uint16, bool) { | |||||
// configSuppVersArray is the backing array of Config.getSupportedVersions | // configSuppVersArray is the backing array of Config.getSupportedVersions | ||||
var configSuppVersArray = [...]uint16{VersionTLS13, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30} | var configSuppVersArray = [...]uint16{VersionTLS13, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30} | ||||
// tls13DraftSuppVersArray is the backing array of Config.getSupportedVersions | |||||
// with TLS 1.3 draft versions included. | |||||
// | |||||
// TODO: remove once TLS 1.3 is finalised. | |||||
var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft28, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30} | |||||
// getSupportedVersions returns the protocol versions that are supported by the | // getSupportedVersions returns the protocol versions that are supported by the | ||||
// current configuration. | // current configuration. | ||||
func (c *Config) getSupportedVersions() []uint16 { | func (c *Config) getSupportedVersions() []uint16 { | ||||
@@ -909,10 +902,6 @@ func (c *Config) getSupportedVersions() []uint16 { | |||||
if maxVersion < minVersion { | if maxVersion < minVersion { | ||||
return nil | return nil | ||||
} | } | ||||
// TODO: remove once TLS 1.3 is finalised. | |||||
if maxVersion == VersionTLS13 { | |||||
return tls13DraftSuppVersArray[:len(tls13DraftSuppVersArray)-int(minVersion-VersionSSL30)] | |||||
} | |||||
return configSuppVersArray[VersionTLS13-maxVersion : VersionTLS13-minVersion+1] | return configSuppVersArray[VersionTLS13-maxVersion : VersionTLS13-minVersion+1] | ||||
} | } | ||||
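Review bot: With the draft branch removed, every call to getSupportedVersions now returns through `configSuppVersArray[VersionTLS13-maxVersion : VersionTLS13-minVersion+1]`. That expression is only in bounds while both values lie between VersionSSL30 and VersionTLS13. The only guard visible in this hunk is `maxVersion < minVersion`. Any clamping of the configured versions would be above the hunk, and if the values are unsigned and one is out of range, the subtraction wraps and the slice expression panics during the handshake. Please confirm the clamp exists and document the invariant above the return, for example `// minVersion and maxVersion are clamped to [VersionSSL30, VersionTLS13]; the bounds rely on the contiguous code points in configSuppVersArray.` The function starts outside the hunk.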
@@ -155,8 +155,8 @@ func ExampleConfig_keyLogWriter_TLS13() { | |||||
// preferences. | // preferences. | ||||
// Output: | // Output: | ||||
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 16ca97d21087a14d406b2601b4713dd82b156cc01d54665baaa4bdb62b72b9a4 | |||||
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 102c68d960da4f5e2b76a99636ac07bb5774e43b8ce8c14aa4dfd9bf54d11754 | |||||
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 f3208d533bb885f32f52142acb484eed104739970c2f426e72a1ee31f6d28650 | |||||
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 70de6b1936df7db171c02f9cfdb04dfa9405a891c959beb15b86f26b2057ba23 | |||||
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 b946c84f46f53bd410368a1fd7d53873e74bedd53b4b1a4b125be40c8b0510a1 | |||||
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 b6c44e95e34cb2616ff2e9a1163577aa1aa5cb3af8df16d0fdbbbaf15f415c8e | |||||
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 cbecc42509a124ae517f6c9aaae1961d755ab4268548b40b0c7840a9643240e8 | |||||
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 8f6dd1476706ea8147d829347937694496a7d62d6d01de0a1b4820140d01cad0 | |||||
} | } |
@@ -69,61 +69,6 @@ type dcTestDC struct { | |||||
PrivateKey []byte | PrivateKey []byte | ||||
} | } | ||||
// Test data used for testing the TLS handshake with the delegated credential | |||||
// extension. The PEM block encodes a DER encoded slice of dcTestDCs. | |||||
// Use with maxVersion == VersionTLS13Draft28. | |||||
// | |||||
// TODO(henrydcase): Remove this when we drop support for draft28. | |||||
const DcTestDataDraft28PEM = `-----BEGIN DC TEST DATA----- | |||||
MIIIQjCCAUETCXRsczEzcDI1NgICfxwCAgQDBIGwAAk6gAQDfxwAAFswWTATBgcq | |||||
hkjOPQIBBggqhkjOPQMBBwNCAASfXv9/jTDWOG9nwKmIN1GrFqF0p0frgMl6rxvy | |||||
fu/58dkS0ZduzOUBG7qHsu+jHE8T29jH8SCH4Otl+3abna8IBAMARjBEAiAtDM7j | |||||
w0bNce3QrVupL3wh5CUhIsTAwoYuWLls+1U8mwIgb/MHyZbcA7tALI0mNIJ1WRwy | |||||
V7tByFYV21ataGTa+6UEeTB3AgEBBCDXxru/xm8LfdX+VVZBhBrb4kYrtVU28SNe | |||||
q4TcMhvxUKAKBggqhkjOPQMBB6FEA0IABJ9e/3+NMNY4b2fAqYg3UasWoXSnR+uA | |||||
yXqvG/J+7/nx2RLRl27M5QEbuoey76McTxPb2MfxIIfg62X7dpudrwgwggHsEwl0 | |||||
bHMxM3A1MjECAn8cAgIGAwSB9AAJOoAGA38cAACeMIGbMBAGByqGSM49AgEGBSuB | |||||
BAAjA4GGAAQBPRyZBgt3gNeSrgvhCGfzRJL7YH2nRdWZsi5ot+pDppu7GWwG2Bh7 | |||||
Q8kurueZfyveEwQFnKOqUnqN/lXNxQuGAdcA3wg+Apb/ZjV+wQlaZjRFqCKWsp6A | |||||
gFMPvab6nykiIrDxoJMtmk1+GW/YapaCwMiyBH6VRhqxQpEhR2ZXyXkqZ6EEAwBH | |||||
MEUCIQDQgYRL6lqn+M/fTlPsXilqjwxF0x8TyDRYGd1tsg4wdAIgTvXu8lpzD2t4 | |||||
vEqSKLRPA75HAU+ui1q4V8Hpudp7DkUEgd8wgdwCAQEEQgF3/A259KQTc+cw4ClJ | |||||
pCnTXC9G2Fh5VULrAn3tFIpnzJ4VQun3UgkoPpeUSBdny9Kbd2DbfuFVd5YvNG2i | |||||
HPxVBKAHBgUrgQQAI6GBiQOBhgAEAT0cmQYLd4DXkq4L4Qhn80SS+2B9p0XVmbIu | |||||
aLfqQ6abuxlsBtgYe0PJLq7nmX8r3hMEBZyjqlJ6jf5VzcULhgHXAN8IPgKW/2Y1 | |||||
fsEJWmY0RagilrKegIBTD72m+p8pIiKw8aCTLZpNfhlv2GqWgsDIsgR+lUYasUKR | |||||
IUdmV8l5KmehMIIBQRMHYmFkdmVycwIDAP8AAgIEAwSBsQAJOoAEA/8AAABbMFkw | |||||
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESs4ZQnHHAPPHaA3uxyMAw91T4ajlJvL2 | |||||
BAtP6XYpo9j+QWBtsFpwNRY85acAQJ9+7y1nbCHjn0UwB8Hi8P9pdQQDAEcwRQIg | |||||
YJUpZPXZFbxyXDj/QYqvGlu4veHQJOaT0PL1rx6R/2gCIQC1qAAkNe5lz8W1M97t | |||||
QXwxYRWgt8GLdBqp72EduVHtMgR5MHcCAQEEINU81qgDRzEPrx2YxJNBt7quCeA8 | |||||
VZV9efsB7R7sxkwXoAoGCCqGSM49AwEHoUQDQgAESs4ZQnHHAPPHaA3uxyMAw91T | |||||
4ajlJvL2BAtP6XYpo9j+QWBtsFpwNRY85acAQJ9+7y1nbCHjn0UwB8Hi8P9pdTCC | |||||
AT8TBmJhZGtleQICfxwCAgQDBIGxAAk6gAQDfxwAAFswWTATBgcqhkjOPQIBBggq | |||||
hkjOPQMBBwNCAAQnV8i/4ZrWoZG0nGDy6xsYzCV10FwaCbrvejTxcltSoCJ8HfPT | |||||
u9FhOlHllmVyp/qCdB0ILsSlYDEFG9yzV/kGBAMARzBFAiBw3YabIamIHJAKmUcE | |||||
+AZNsvBPuuYeKGCQ9N5n4/1hpwIhAJ07IU/p4+Nl24u4IneM9Fq5lL4YugiSAtDy | |||||
/pWeCL0XBHkwdwIBAQQgOR6w5qkUyavY92PuOBXslfxJgfS8RUaAImqAlWhniKug | |||||
CgYIKoZIzj0DAQehRANCAARH0kbf92XgJ5Mop4Spbpp3bjwzQw7Pg6T9vQH0q8Hy | |||||
CTG65vcmu2whOu+0nR3eJg7rt9BhcHredcOoUhGbgqbRMIIBPhMGYmFkc2lnAgJ/ | |||||
HAICBAMEgbAACTqABAN/HAAAWzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBlb | |||||
oANTnMd8jcnuzyCv+I+l51tqVog0wagYMo6L7A2RlTqgTYaz0p7mH3wsHfsv/Py8 | |||||
Scv5o7vp/MIQjEbeg8wEAwBGMEQCIDozxK17n3gytnV9h6X9BKz5GsxBgr9+Ympe | |||||
9XXppP57AiAPks17U0EhoIhSk6dhmVpgjkoHt9jxn1xYIwJxceGWywR5MHcCAQEE | |||||
IH7GjuBRPz5WvrYrmD6dlCHX5Fda2C7faa+f0mmjkOfvoAoGCCqGSM49AwEHoUQD | |||||
QgAEGVugA1Ocx3yNye7PIK/4j6XnW2pWiDTBqBgyjovsDZGVOqBNhrPSnuYffCwd | |||||
+y/8/LxJy/mju+n8whCMRt6DzDCCAT8TBXRsczEyAgIDAwICBAMEgbIACTqABAMD | |||||
AwAAWzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFbRSfoqtGJdMb7NP3hENn6A | |||||
b8tzLgr8Cj77JSoSVloy/+XOa+wz1OhEzA2b54WkEhVQor+RAT688z7UwEXFwWsE | |||||
AwBIMEYCIQCdahwKMP01K5rvn3IU7JQElg1TjnGw1vZk7zsjg1B0gQIhAMLlhfUA | |||||
Zd/eyMHutw9HfBOWX7rlcKN12RwtGuNXvZ1BBHkwdwIBAQQgSSNaIBwdPWauUSKg | |||||
LN73E41eUQrWung1lwgTQWV1AhqgCgYIKoZIzj0DAQehRANCAARW0Un6KrRiXTG+ | |||||
zT94RDZ+gG/Lcy4K/Ao++yUqElZaMv/lzmvsM9ToRMwNm+eFpBIVUKK/kQE+vPM+ | |||||
1MBFxcFr | |||||
` | |||||
// Use with maxVersion == VersionTLS13. | // Use with maxVersion == VersionTLS13. | ||||
const DcTestDataTLS13PEM = `-----BEGIN DC TEST DATA----- | const DcTestDataTLS13PEM = `-----BEGIN DC TEST DATA----- | ||||
MIIIQzCCAUMTCXRsczEzcDI1NgICAwQCAgQDBIGyAAk6gAQDAwQAAFswWTATBgcq | MIIIQzCCAUMTCXRsczEzcDI1NgICAwQCAgQDBIGyAAk6gAQDAwQAAFswWTATBgcq | ||||
@@ -222,14 +167,11 @@ var dcTestNow time.Time | |||||
func init() { | func init() { | ||||
// Load the DC test data. | // Load the DC test data. | ||||
var testData []byte | var testData []byte | ||||
switch maxVersion { | |||||
case VersionTLS13Draft28: | |||||
testData = []byte(DcTestDataDraft28PEM) | |||||
case 0x0304: // TODO(henrydcase): Fix once the final version is implemented | |||||
testData = []byte(DcTestDataTLS13PEM) | |||||
default: | |||||
if maxVersion != 0x0304 { | |||||
panic(fmt.Errorf("no test data for version %04x", maxVersion)) | panic(fmt.Errorf("no test data for version %04x", maxVersion)) | ||||
} | } | ||||
testData = []byte(DcTestDataTLS13PEM) | |||||
err := dcLoadTestData(testData, &dcTestDCs) | err := dcLoadTestData(testData, &dcTestDCs) | ||||
if err != nil { | if err != nil { | ||||
panic(err) | panic(err) | ||||
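Review bot: The guard `if maxVersion != 0x0304 {` keeps the raw code point although the TODO that justified it was deleted with the switch. The old code in this file used `VersionTLS13Draft28` unqualified, so the named constant is in scope, and the comment on `DcTestDataTLS13PEM` already speaks of `VersionTLS13`. I would write `if maxVersion != VersionTLS13 {`. Since only one data set is left, the separate `var testData []byte` can also be folded into `testData := []byte(DcTestDataTLS13PEM)` after the check. init continues past the end of the hunk.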