Commit Graph

27 Commits

Author SHA1 Message Date
Peter Wu
fa9ccdc8b0 Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream
Merge upstream go post-1.9 crypto/tls changes from master:

d8ee5d11e5 crypto/tls: limit number of consecutive warning alerts
96cd66b266 crypto/tls: advertise support for SHA-512 signatures in 1.2
f265f5db5d archive/zip, crypto/tls: use rand.Read instead of casting ints to bytes
54d04c2fcb crypto/tls: remove bookkeeping code from pHash function
d1bbdbe760 crypto/tls: replace signatureAndHash by SignatureScheme.
cb3b345209 crypto/tls: fix first byte test for 255 CBC padding bytes
d153df8e4b all: revert "all: prefer strings.LastIndexByte over strings.LastIndex"
5e42658fc0 all: prefer bytes.IndexByte over bytes.Index
d2826d3e06 all: prefer strings.LastIndexByte over strings.LastIndex
5a986eca86 all: fix article typos
0f9a2cf2c4 crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV
e7d46cee2f crypto/tls: fix and expand TestVerifyPeerCertificate and TestGetClientCertificate
85deaf6077 crypto/tls: fix docstring of Config.ClientSessionCache
4a5f85babb crypto/tls: disallow handshake messages fragmented across CCS
b3465646ff crypto/tls: add BenchmarkHandshakeServer
d38d357c78 crypto/tls: don't check whether an ec point is on a curve twice
e085a891f0 crypto/tls: split clientHandshake into multiple methods

Conflicts:
 * handshake_client.go: conflict between our ("crypto/tls: allow client to
   pick TLS 1.3, do not enable it by default.") and upstream
   ("crypto/tls: split clientHandshake into multiple methods"), resolve
   by applying the mutualVersion->pickVersion change in pickTLSVersion.
 * handshake_server.go: trivial conflict due to upstreamed patch
   ("crypto/tls: replace signatureAndHash by SignatureScheme.") and
   ("crypto/tls: implement TLS 1.3 server 0-RTT") which added pskBinder.

Other merge changes:
 * tls13.go: signatureAndHashes as added in ("crypto/tls: implement TLS
   1.3 minimal server") was renamed as required by ("crypto/tls: replace
   signatureAndHash by SignatureScheme.").
 * handshake_client.go: moved check from ("crypto/tls: check that client
   cipher suite matches version") to pickCipherSuite as required by
   ("crypto/tls: split clientHandshake into multiple methods").
2017-11-14 14:26:20 +00:00
Peter Wu
3107d575a8 tris: implement SSLKEYLOGFILE for TLS 1.3 server
This makes it easier to validate the handshake contents using Wireshark.
2017-09-21 15:37:34 +01:00
Peter Wu
6f580251ca tris: use keySchedule13 for the server
Use the new keySchedule13 type instead of hash.Hash to avoid tracking
the hashContext and intermediate secrets manually.

checkPSK is modified not to return the calculated early secret, this is
internal to keySchedule13 now. The caller just learns whether it was
resumed using a PSK or not.
2017-09-21 15:37:34 +01:00
Peter Wu
9f9f06de80 tris: add new key schedule implementation
In order to reduce repetitive complexity (extract handshake context,
pass the right secrets around to calculate a secret and build a cipher),
create a new type that tracks the hash type, the handshake context and
intermediate secrets.

Advantages: facilitates reuse between client and server code, makes it
easier to update labels for draft-19, makes it easier to add central
KeyLogWriter functionality.
2017-09-21 15:37:34 +01:00
Henry de Valence
cd63e47f2c tris: rename pk to secretKey 2017-09-05 21:06:36 +01:00
Henry de Valence
d4b8398461 tris: fix typos 2017-09-05 21:06:36 +01:00
Tom Thorogood
f4a6690edc crypto/tls: generate unique ticket_age_add for each ticket
#23 -- CLA ok -- re-author to me+google@tomthorogood.co.uk
2017-09-05 21:06:35 +01:00
Filippo Valsorda
7f449cbaa7 tris: add SessionTicketSealer 2017-09-05 21:06:35 +01:00
Filippo Valsorda
4f7b5988a3 crypto/tls: add ConnectionState.Unique0RTTToken 2017-09-05 21:06:35 +01:00
Filippo Valsorda
0d97989e0d tris: move Commit to just before key share generation
In particular move it to after cipher suite negotiation and after
HelloRetryRequest check.
2017-09-05 21:06:35 +01:00
Brendan Mc
ed105dc308 crypto/tls: add SignedCertificateTimestamps and OCSPStaple to 1.3 2017-09-05 21:06:35 +01:00
Filippo Valsorda
9b94b65b7b crypto/tls: send two session tickets to TLS 1.3 clients 2017-09-05 21:06:35 +01:00
Filippo Valsorda
740fc926aa tris: add single line TLSDEBUG=short 2017-09-05 21:06:35 +01:00
Filippo Valsorda
c758567785 crypto/tls: detect unexpected leftover handshake data
There should be no data in the Handshake buffer on encryption state
changes (including implicit 1.3 transitions). Checking that also blocks
all Handshake messages fragmented across CCS.

BoGo: PartialClientFinishedWithClientHello
2017-09-05 21:06:35 +01:00
Filippo Valsorda
4191962f25 crypto/tls: use correct alerts
BoGo: Resume-Server-PSKBinderFirstExtension
BoGo: Resume-Server-ExtraPSKBinder
BoGo: Resume-Server-ExtraIdentityNoBinder
BoGo: Renegotiate-Server-Forbidden
BoGo: NoNullCompression
BoGo: TrailingMessageData-*
2017-09-05 21:06:35 +01:00
Filippo Valsorda
1bc19494f8 tris: tolerate NSS sending obfuscated_ticket_age as seconds 2017-09-05 21:06:34 +01:00
Filippo Valsorda
faefac5f1a crypto/tls: stop ConfirmHandshake from locking on any Read
ConfirmHandshake should block on a Read until the handshakeConfirmed
state is reached, but past that it shouldn't.
2017-09-05 21:06:34 +01:00
Filippo Valsorda
341de96a61 crypto/tls: fix Conn.phase data races
Phase should only be accessed under in.Mutex. Handshake and all Read
operations obtain that lock. However, many functions checking for
handshakeRunning only obtain handshakeMutex: reintroduce
handshakeCompleted for them. ConnectionState and Close check for
handshakeConfirmed, introduce an atomic flag for them.
2017-09-05 21:06:34 +01:00
Filippo Valsorda
3e31621f57 crypto/tls: pick the first group the client sent a key share for
Fixes NCC-2016-002
2017-09-05 21:06:34 +01:00
Filippo Valsorda
5c4af70647 tris: drop QuietError 2017-09-05 21:06:34 +01:00
Filippo Valsorda
180bfdbd68 crypto/tls: finish the session ticket state checks 2017-09-05 21:06:34 +01:00
Filippo Valsorda
f8c15889af crypto/tls: implement TLS 1.3 server 0-RTT 2017-09-05 21:06:34 +01:00
Filippo Valsorda
1117f76fcc crypto/tls: return from Handshake before the Client Finished in 1.3 2017-09-05 21:06:34 +01:00
Filippo Valsorda
ee3048cfd2 crypto/tls: implement TLS 1.3 server PSK 2017-09-05 21:06:34 +01:00
Filippo Valsorda
6c3765bb15 tris: add error tracing with CH dumping 2017-09-05 21:06:34 +01:00
Filippo Valsorda
8052dc002f tris: extend ConnectionInfo 2017-09-05 21:06:34 +01:00
Filippo Valsorda
4b0d17eca3 crypto/tls: implement TLS 1.3 minimal server 2017-09-05 21:06:29 +01:00