Commit Graph

535 Commits

Author SHA1 Message Date
Peter Wu
9eb1d7faf7 crypto/tls: skip session cache for TLS 1.3
Skip reading the session cache if TLS 1.3 is in use (the cache has no
use), skip storing a session if TLS 1.3 is in use (sessionCache can
still be set when TLS 1.2 is allowed).
2017-12-13 17:39:53 +00:00
Peter Wu
9f46cf9e2d crypto/tls: add RSASSA-PSS support for handshake messages
This adds support for RSASSA-PSS signatures in handshake messages as
required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS
when advertised in the Client Hello (this will be done later as the
testdata will change).

Updates #9671

Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
2017-12-13 17:34:03 +00:00
Peter Wu
1850fd015e crypto/tls: consolidate signatures handling in SKE and CV
ServerKeyExchange and CertificateVerify can share the same logic for
picking a signature algorithm (based on the certificate public key and
advertised algorithms), selecting a hash algorithm (depending on TLS
version) and signature verification.

Refactor the code to achieve code reuse, have common error checking
(especially for intersecting supported signature algorithms) and to
prepare for addition of new signature algorithms. Code should be easier
to read since version-dependent logic is concentrated at one place.

Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
2017-12-13 17:34:03 +00:00
Peter Wu
759dbb355a tris: fix nonce length definition and actually use it
All TLS 1.3 cipher suites so far use a nonce length of 12, but that does
not have to be the case. Correct the cipher suite definition and use it.
Spec: https://tools.ietf.org/html/draft-ietf-tls-tls13-22#section-5.3

Note: there is no functional change, the values were previously unused.

Fixes: ("[dev.tls] crypto/tls: implement TLS 1.3 cipher suites")
2017-12-04 19:17:56 +00:00
Peter Wu
b1e5feadef tris: prevent sending 0.5-RTT data
Disable 0.5-RTT as it has weaker security properties than 1-RTT. The
same security considerations from TLS False Start (RFC 7918) apply.

Currently the server Handshake method returns as soon as it has sent its
parameters, but it does not wait for the client to authenticate the
handshake via a Finished message. This broke a test that assumed that
the Handshake message performs a full handshake and also
(unintentionally?) enabled the server to send application data before
the handshake is complete ("0.5-RTT data").

Fix this by moving the implicit Finished message check in the handshake
message reader to the server handshake itself (previously readRecord
would process the Finished message as a side-effect of requesting
recordTypeApplicationData). And in the special case where 0-RTT data is
actually desired, process the Finished message in the ConfirmHandshake
and Read functions.

NOTE: 0.5-RTT is not disabled when the server enables 0-RTT. It is the
server responsibility to use ConfirmHandshake before writing anything.

Explicitly panic when ConfirmHandshake is used for client connections,
this is not the intended use of that API.
2017-12-01 19:08:31 +00:00
Peter Wu
8523d7d8e0 tris: ignore NewSessionTicket messages as client
Prevent unexpected_message alert, PSK resumption is not supported so
ignore the received session ticket as client.
2017-12-01 19:08:31 +00:00
Peter Wu
de3ae8f61d tris: accept other post-handshake messages as client
Do not assume that every post-handshake messages are HelloRequests that
try to trigger a renegotiation. This could result in a no_renegotiation
(rather than an unexpected_message) alert even for other message types
(like NewSessionTicket).

This change makes the caller of readRecord(recordTypeApplicationData)
responsible for checking for renegotiation in case of a handshake
message, but that is currently already the case. And the condition
"c.phase == waitingClientFinished" can only be hit by the server, so
that won't have break the handshake either.

Related: https://github.com/cloudflare/tls-tris/issues/50
2017-12-01 19:08:31 +00:00
Peter Wu
4e6ebb63dd tris: unify ServerHello processing in preparation for D22
Merge serverHelloMsg13 into serverHelloMsg in preparation for draft 22.
This will also simplify the client implementation since only one
structure has to be checked.

Also fixed potential out-of-bounds access with keyShare unmarshal.
2017-11-24 19:44:22 +00:00
Peter Wu
0bbbecd894 crypto/tls: accept 2^14+1 TLSInnerPlaintext
The record layer splits application data into chunks of at most 2^14
octets. When record protection is engaged in TLS 1.3, the application
data is serialized into a TLSInnerPlaintext which has an additional byte
for the content type, resulting in a maximum length of 2^14+1.

Fixes LargeMessage, TLS13-AEAD-CHACHA20-POLY1305-LargeRecord,
TLS13-AEAD-AES128-GCM-SHA256-LargeRecord and
TLS13-AEAD-AES256-GCM-SHA384-LargeRecord bogo tests.

Fixes: https://github.com/cloudflare/tls-tris/issues/46
2017-11-16 19:32:56 +00:00
Peter Wu
fa9ccdc8b0 Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream
Merge upstream go post-1.9 crypto/tls changes from master:

d8ee5d11e5 crypto/tls: limit number of consecutive warning alerts
96cd66b266 crypto/tls: advertise support for SHA-512 signatures in 1.2
f265f5db5d archive/zip, crypto/tls: use rand.Read instead of casting ints to bytes
54d04c2fcb crypto/tls: remove bookkeeping code from pHash function
d1bbdbe760 crypto/tls: replace signatureAndHash by SignatureScheme.
cb3b345209 crypto/tls: fix first byte test for 255 CBC padding bytes
d153df8e4b all: revert "all: prefer strings.LastIndexByte over strings.LastIndex"
5e42658fc0 all: prefer bytes.IndexByte over bytes.Index
d2826d3e06 all: prefer strings.LastIndexByte over strings.LastIndex
5a986eca86 all: fix article typos
0f9a2cf2c4 crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV
e7d46cee2f crypto/tls: fix and expand TestVerifyPeerCertificate and TestGetClientCertificate
85deaf6077 crypto/tls: fix docstring of Config.ClientSessionCache
4a5f85babb crypto/tls: disallow handshake messages fragmented across CCS
b3465646ff crypto/tls: add BenchmarkHandshakeServer
d38d357c78 crypto/tls: don't check whether an ec point is on a curve twice
e085a891f0 crypto/tls: split clientHandshake into multiple methods

Conflicts:
 * handshake_client.go: conflict between our ("crypto/tls: allow client to
   pick TLS 1.3, do not enable it by default.") and upstream
   ("crypto/tls: split clientHandshake into multiple methods"), resolve
   by applying the mutualVersion->pickVersion change in pickTLSVersion.
 * handshake_server.go: trivial conflict due to upstreamed patch
   ("crypto/tls: replace signatureAndHash by SignatureScheme.") and
   ("crypto/tls: implement TLS 1.3 server 0-RTT") which added pskBinder.

Other merge changes:
 * tls13.go: signatureAndHashes as added in ("crypto/tls: implement TLS
   1.3 minimal server") was renamed as required by ("crypto/tls: replace
   signatureAndHash by SignatureScheme.").
 * handshake_client.go: moved check from ("crypto/tls: check that client
   cipher suite matches version") to pickCipherSuite as required by
   ("crypto/tls: split clientHandshake into multiple methods").
2017-11-14 14:26:20 +00:00
Peter Wu
9e22da5ecc tris: restore retry logic on warning alerts
Not sure why the retry logic was removed since 0-RTT works even in
presence of the special alerts handling (alertEndOfEarlyData is
processed before the warning alert). To reduce divergence from upstream
code (which adds a restriction on the number of consecutive warnings),
restore the original retry logic.

Do not do anything fancy here, later drafts will remove the special
alert handling since it becomes a special handshake message.

Fixes: ("crypto/tls: implement TLS 1.3 server 0-RTT")
2017-11-14 13:32:40 +00:00
filewalkwithme
ff1bc5469f crypto/tls: limit number of consecutive warning alerts
In the current implementation, it is possible for a client to
continuously send warning alerts, which are just dropped on the floor
inside readRecord.

This can enable scenarios in where someone can try to continuously
send warning alerts to the server just to keep it busy.

This CL implements a simple counter that triggers an error if
we hit the warning alert limit.

Fixes #22543

Change-Id: Ief0ca10308cf5a4dea21a5a67d3e8f6501912da6
Reviewed-on: https://go-review.googlesource.com/75750
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-11-08 23:18:52 +00:00
Filippo Valsorda
64bffb76ca crypto/tls: advertise support for SHA-512 signatures in 1.2
This is the equivalent change to 1c105980 but for SHA-512.

SHA-512 certificates are already supported by default since b53bb2ca,
but some servers will refuse connections if the algorithm is not
advertised in the overloaded signatureAndHash extension (see 09b238f1).

This required adding support for SHA-512 signatures on CertificateVerify
and ServerKeyExchange messages, because of said overloading.

Some testdata/Client-TLSv1{0,1} files changed because they send a 1.2
ClientHello even if the server picks a lower version.

Closes #22422

Change-Id: I16282d03a3040260d203711ec21e6b20a0e1e105
Reviewed-on: https://go-review.googlesource.com/74950
Run-TryBot: Filippo Valsorda <hi@filippo.io>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2017-11-08 22:39:36 +00:00
Carl Mastrangelo
5731b5256b archive/zip, crypto/tls: use rand.Read instead of casting ints to bytes
Makes tests run ~1ms faster.

Change-Id: Ida509952469540280996d2bd9266724829e53c91
Reviewed-on: https://go-review.googlesource.com/47359
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Run-TryBot: Filippo Valsorda <hi@filippo.io>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-11-01 05:51:30 +00:00
Joe Kyo
00b53d39c3 crypto/tls: remove bookkeeping code from pHash function
Since copy function can figure out how many bytes of data to copy when
two slices have different length, it is not necessary to check how many
bytes need to copy each time before copying the data.

Change-Id: I5151ddfe46af5575566fe9c9a2648e111575ec3d
Reviewed-on: https://go-review.googlesource.com/71090
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Run-TryBot: Filippo Valsorda <hi@filippo.io>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-10-31 19:11:03 +00:00
Peter Wu
6c380f3bb6 crypto/tls: replace signatureAndHash by SignatureScheme.
Consolidate the signature and hash fields (SignatureAndHashAlgorithm in
TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21).
This makes it easier to add RSASSA-PSS for TLS 1.2 in the future.

Fields were named like "signatureAlgorithm" rather than
"signatureScheme" since that name is also used throughout the 1.3 draft.

The only new public symbol is ECDSAWithSHA1, other than that this is an
internal change with no new functionality.

Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0
Reviewed-on: https://go-review.googlesource.com/62210
Reviewed-by: Adam Langley <agl@golang.org>
2017-10-13 23:25:03 +00:00
Peter Wu
8ae95fd882 crypto/tls: fix first byte test for 255 CBC padding bytes
The BadCBCPadding255 test from bogo failed because at most 255 trailing
bytes were checked, but for a padding of 255 there are 255 padding bytes
plus 1 length byte with value 255.

Change-Id: I7dd237c013d2c7c8599067246e31b7ba93106cf7
Reviewed-on: https://go-review.googlesource.com/68070
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2017-10-06 18:07:04 +00:00
Marvin Stenger
8251c0f791 all: revert "all: prefer strings.LastIndexByte over strings.LastIndex"
This reverts https://golang.org/cl/66372.

Updates #22148

Change-Id: I3e94af3dfc11a2883bf28e1d5e1f32f98760b3ee
Reviewed-on: https://go-review.googlesource.com/68431
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-10-05 23:19:42 +00:00
Tom Thorogood
710e9e9631 crypto/tls: Use a backing array for getSupportedVersions
Avoid runtime heap memory allocation.

Fixes: ("crypto/tls: allow client to pick TLS 1.3, do not enable it by default.")
2017-10-03 12:38:04 +01:00
Peter Wu
1192d2574f crypto/tls: fix SCT decoding
Fixes: ("crypto/tls: add SignedCertificateTimestamps and OCSPStaple to 1.3")
Fixes: ("crypto/tls: fix SCT extension wire format")
2017-09-29 17:00:46 +01:00
Peter Wu
d16cde640d tris: enable TLS 1.3 for tris-localserver again.
The default version (TLS 1.2) is no longer overridden with TLS 1.3 so
the server must explicitly set it.

Fixes: ("crypto/tls: allow client to pick TLS 1.3, do not enable it by default.")
2017-09-29 12:47:55 +01:00
Peter Wu
aab74cb372 crypto/tls: allow client to pick TLS 1.3, do not enable it by default.
mutualVersion takes a maximum version, but skips TLS 1.3 because this
version is not negotiated via ClientHello.legacy_version. The server
however still uses its ServerHello.version field to select a version
from the supported_versions extension and the client must do the same.

A new getSupportedVersions method is introduced to have a single place
to handle the mapping of VersionTLS13 to the draft values.

Remove the MaxVersion override to TLS 1.3, users must set MaxVersion if
they intent to use the experimental TLS 1.3 functionality.

Fixes: ("crypto/tls: make 1.3 version negotiation more robust")
2017-09-29 12:47:55 +01:00
Peter Wu
857c7243c9 crypto/tls: check that client cipher suite matches version 2017-09-29 12:47:14 +01:00
Peter Wu
998f77009e crypto/tls: remove TLS13CipherSuites.
To allow clients to advertise both TLS 1.2 and TLS 1.3 cipher suites,
remove the distinction between both suites. TLS 1.3 suites are now
always included in the default cipher list (and the client will send it
if MaxVersion allows for it).

Since TLS 1.3 is expected to become the default MaxVersion and
applications might have set only TLS 1.2 cipher suites in their
configuration, TLS 1.3 cipher suites are added when none are present.

Alternatively, I considered disallowing overriding the TLS 1.3 suites,
but that requires more complexity and has not much benefits. Provide a
mechanism and do not dictate policy, application developers might want
to fix a cipher suite for testing other implementations for example.

Fixes https://github.com/cloudflare/tls-tris/pull/22
2017-09-29 12:47:14 +01:00
Tom Thorogood
599c1f949b crypto/tls: Don't advertise TLS 1.3-only cipher unless attempting TLS 1.3 2017-09-29 12:47:14 +01:00
Marvin Stenger
d7983b094e all: prefer bytes.IndexByte over bytes.Index
bytes.IndexByte can be used wherever the second argument to
strings.Index is exactly one byte long, so we do that with this change.

This avoids generating unnecessary string symbols/converison and saves
a few calls to bytes.Index.

Change-Id: If31c775790e01edfece1169e398ad6a754fb4428
Reviewed-on: https://go-review.googlesource.com/66373
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-09-27 01:09:13 +00:00
Marvin Stenger
d547ccf7ac all: prefer strings.LastIndexByte over strings.LastIndex
strings.LastIndexByte was introduced in go1.5 and it can be used
effectively wherever the second argument to strings.LastIndex is
exactly one byte long.

This avoids generating unnecessary string symbols and saves
a few calls to strings.LastIndex.

Change-Id: I7b5679d616197b055cffe6882a8675d24a98b574
Reviewed-on: https://go-review.googlesource.com/66372
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-09-27 00:54:24 +00:00
Peter Wu
3107d575a8 tris: implement SSLKEYLOGFILE for TLS 1.3 server
This makes it easier to validate the handshake contents using Wireshark.
2017-09-21 15:37:34 +01:00
Peter Wu
6f580251ca tris: use keySchedule13 for the server
Use the new keySchedule13 type instead of hash.Hash to avoid tracking
the hashContext and intermediate secrets manually.

checkPSK is modified not to return the calculated early secret, this is
internal to keySchedule13 now. The caller just learns whether it was
resumed using a PSK or not.
2017-09-21 15:37:34 +01:00
Peter Wu
9f9f06de80 tris: add new key schedule implementation
In order to reduce repetitive complexity (extract handshake context,
pass the right secrets around to calculate a secret and build a cipher),
create a new type that tracks the hash type, the handshake context and
intermediate secrets.

Advantages: facilitates reuse between client and server code, makes it
easier to update labels for draft-19, makes it easier to add central
KeyLogWriter functionality.
2017-09-21 15:37:34 +01:00
Peter Wu
079992e500 tris: whitespace fix
Fixes: "tris: add picotls interop"
2017-09-21 12:59:48 +01:00
Kunpei Sakai
0648fb0f1c all: fix article typos
a -> an

Change-Id: I7362bdc199e83073a712be657f5d9ba16df3077e
Reviewed-on: https://go-review.googlesource.com/63850
Reviewed-by: Rob Pike <r@golang.org>
2017-09-15 02:39:16 +00:00
EKR
2fda84b4f0 crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV
It was causing mysterious fuzzing failure because it affects the
unmarshaling of the secureNegotiationSupported field.

Change-Id: Id396b84eab90a3b22fb6e306b10bdd7e39707012
Reviewed-on: https://go-review.googlesource.com/60912
Run-TryBot: Filippo Valsorda <hi@filippo.io>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2017-09-09 19:24:12 +00:00
Filippo Valsorda
50729f1a6c crypto/tls: fix and expand TestVerifyPeerCertificate and TestGetClientCertificate
TestGetClientCertificate had disabled verification, and was only passing
because it was mistakenly checking for empty verifiedChains.

Change-Id: Iea0ddbdbbdf8ac34b499569820a2e4ce543a69c7
Reviewed-on: https://go-review.googlesource.com/47430
Run-TryBot: Filippo Valsorda <hi@filippo.io>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2017-09-09 19:23:45 +00:00
Peter Wu
25f2efc996 tris: update Go to 1.9
Use Go 1.9 (go1.9) with a patch to enable users to access the 0RTT API:

    net/http: attach TLSConnContextKey to the request Context
2017-09-07 17:40:17 +01:00
Henry de Valence
cd63e47f2c tris: rename pk to secretKey 2017-09-05 21:06:36 +01:00
Henry de Valence
d4b8398461 tris: fix typos 2017-09-05 21:06:36 +01:00
Tomas Susanka
4b944d1428 tris: typos 2017-09-05 21:06:35 +01:00
Filippo Valsorda
44343a1e4d tris: make the boring incremental build deterministic
HEAD is currently breaking the build.
2017-09-05 21:06:35 +01:00
Filippo Valsorda
7d575cd9ba tris: add Dockerfile to run unit tests with -update 2017-09-05 21:06:35 +01:00
Tom Thorogood
bc76e35b75 tris-localserver: fix Content-Type header for /ch endpoint (#21) 2017-09-05 21:06:35 +01:00
Tom Thorogood
f4a6690edc crypto/tls: generate unique ticket_age_add for each ticket
#23 -- CLA ok -- re-author to me+google@tomthorogood.co.uk
2017-09-05 21:06:35 +01:00
Filippo Valsorda
ba45c1a5ca tris: add echo.filippo.io 2017-09-05 21:06:35 +01:00
Filippo Valsorda
7f449cbaa7 tris: add SessionTicketSealer 2017-09-05 21:06:35 +01:00
Filippo Valsorda
2ace09e9b4 tris: upgrade to Go 1.8 2017-09-05 21:06:35 +01:00
Filippo Valsorda
fc5cd7e2f9 crypto/tls: fix SCT extension wire format 2017-09-05 21:06:35 +01:00
Filippo Valsorda
80f82d89c7 crypto/tls: avoid sending empty OCSP or SCT cert extensions 2017-09-05 21:06:35 +01:00
Filippo Valsorda
815d56e5a7 tris: update README for public consumption 2017-09-05 21:06:35 +01:00
Filippo Valsorda
4f7b5988a3 crypto/tls: add ConnectionState.Unique0RTTToken 2017-09-05 21:06:35 +01:00
Filippo Valsorda
563bf91c28 tris: update to Go 1.8rc3+ 2017-09-05 21:06:35 +01:00