Commit Graph

64 Commits

Author SHA1 Message Date
f09eee913a Change package name from tls to trs 2019-05-12 18:42:15 +01:00
334eee5310 SIDH: Align codepoints with the ones in latest version 2018-12-10 15:12:56 +00:00
Watson Ladd
7e1760cc7c Add EMS support to tls-tris
see RFC7627
2018-09-07 15:16:11 +01:00
Marten Seemann
40eb693877 remove support for generating draft 18-21 ServerHellos (#124) 2018-08-18 19:51:42 +01:00
e77e39e7aa
server must NOT send version prior to TLS1.3 in supported_versions (#119)
As per 4.2.1, client must abort with illegal_parameter in case it
gets version 0x0303 or older in supported_versions extensions
2018-08-09 22:16:01 +01:00
Christopher Patton
174a68a0fb Update implementation of draft-ietf-tls-subcerts to draft 02 (#108)
Drops support for delegated credentials with TLS 1.2 and adds the
protocol version and signature algorithm to the credential structure.
2018-08-09 19:24:40 +01:00
Christopher Patton
c5280001a4 Remove delegated credential minting from the API
What's left are the minimal API changes required to use the delegated
credential extension in the TLS handshake.
2018-07-27 19:12:28 +01:00
Christopher Patton
84fe9084cd Implement the delegated_credential extension for TLS
This complies with the standard, currently an Internet draft:
https://tlswg.github.io/tls-subcerts/draft-ietf-tls-subcerts.html

It also adds a minimal interface for generating new delegated
credentials.
2018-07-03 09:57:54 -07:00
03138ec18e TLSv1.3 -draft23: Implementation of signature_algorithms_cert
Tris uses signature_algorithms_cert in order to advertise that it
doesn't support RSA-PSS. See GH#86 for more detailed discussion.
2018-06-29 07:47:50 +01:00
51a4ff64d8 Fixes function name 2018-06-19 11:24:08 +01:00
4b1b463735 Applies go fmt to all the code 2018-06-19 11:17:19 +01:00
e62ddc004c Adds structure for certificate_request in TLS 1.3
* TLS 1.3 requries specific marshalling/unmarshalling of data
* This code should probably be rewritten in order ot use
  a bit cleaner approach for dealing with bytes
2018-03-27 08:52:44 +01:00
Peter Wu
a0bab1759d tris: update Server Hello processing for D22
Check SupportedVersions for the actual version and verify that the
server sets the correct SeverHello.legacy_version. Change D21 to D22.
2017-12-13 20:15:00 +00:00
Peter Wu
e89292ccbe tris: convert end_of_early_data to a handshake message
Draft 21 changed end_of_early_data from an alert into a handshake
message to allow it to integrate better with the handshake. This change
does that, rather than handling EOD at the record layer, it moves
processing up to the actual readers of (early) application data.
2017-12-13 17:49:25 +00:00
Peter Wu
69dddf0612 tris: update NewSessionTicket for draft -19 and -21
D19: use early_data instead of custom ticket_early_data_info extension
codepoint. D21: new ticket nonce field and change in PSK calculation.
This nonce provides some minor security advantage in case one of the PSK
is compromised (which would leak the resumption master secret).

Rename "resumptionSecret" to "pskSecret" in sessionState13 to reflect
the D21 change and use constant-time comparison for the secret.

Also fix potential panic if the ticket is large enough, but the
extensions are missing.
2017-12-13 17:49:25 +00:00
Peter Wu
4e6ebb63dd tris: unify ServerHello processing in preparation for D22
Merge serverHelloMsg13 into serverHelloMsg in preparation for draft 22.
This will also simplify the client implementation since only one
structure has to be checked.

Also fixed potential out-of-bounds access with keyShare unmarshal.
2017-11-24 19:44:22 +00:00
Peter Wu
fa9ccdc8b0 Merge branch 'pwu/go-update/master' into pwu/master-merge-upstream
Merge upstream go post-1.9 crypto/tls changes from master:

d8ee5d11e5 crypto/tls: limit number of consecutive warning alerts
96cd66b266 crypto/tls: advertise support for SHA-512 signatures in 1.2
f265f5db5d archive/zip, crypto/tls: use rand.Read instead of casting ints to bytes
54d04c2fcb crypto/tls: remove bookkeeping code from pHash function
d1bbdbe760 crypto/tls: replace signatureAndHash by SignatureScheme.
cb3b345209 crypto/tls: fix first byte test for 255 CBC padding bytes
d153df8e4b all: revert "all: prefer strings.LastIndexByte over strings.LastIndex"
5e42658fc0 all: prefer bytes.IndexByte over bytes.Index
d2826d3e06 all: prefer strings.LastIndexByte over strings.LastIndex
5a986eca86 all: fix article typos
0f9a2cf2c4 crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV
e7d46cee2f crypto/tls: fix and expand TestVerifyPeerCertificate and TestGetClientCertificate
85deaf6077 crypto/tls: fix docstring of Config.ClientSessionCache
4a5f85babb crypto/tls: disallow handshake messages fragmented across CCS
b3465646ff crypto/tls: add BenchmarkHandshakeServer
d38d357c78 crypto/tls: don't check whether an ec point is on a curve twice
e085a891f0 crypto/tls: split clientHandshake into multiple methods

Conflicts:
 * handshake_client.go: conflict between our ("crypto/tls: allow client to
   pick TLS 1.3, do not enable it by default.") and upstream
   ("crypto/tls: split clientHandshake into multiple methods"), resolve
   by applying the mutualVersion->pickVersion change in pickTLSVersion.
 * handshake_server.go: trivial conflict due to upstreamed patch
   ("crypto/tls: replace signatureAndHash by SignatureScheme.") and
   ("crypto/tls: implement TLS 1.3 server 0-RTT") which added pskBinder.

Other merge changes:
 * tls13.go: signatureAndHashes as added in ("crypto/tls: implement TLS
   1.3 minimal server") was renamed as required by ("crypto/tls: replace
   signatureAndHash by SignatureScheme.").
 * handshake_client.go: moved check from ("crypto/tls: check that client
   cipher suite matches version") to pickCipherSuite as required by
   ("crypto/tls: split clientHandshake into multiple methods").
2017-11-14 14:26:20 +00:00
Peter Wu
6c380f3bb6 crypto/tls: replace signatureAndHash by SignatureScheme.
Consolidate the signature and hash fields (SignatureAndHashAlgorithm in
TLS 1.2) into a single uint16 (SignatureScheme in TLS 1.3 draft 21).
This makes it easier to add RSASSA-PSS for TLS 1.2 in the future.

Fields were named like "signatureAlgorithm" rather than
"signatureScheme" since that name is also used throughout the 1.3 draft.

The only new public symbol is ECDSAWithSHA1, other than that this is an
internal change with no new functionality.

Change-Id: Iba63d262ab1af895420583ac9e302d9705a7e0f0
Reviewed-on: https://go-review.googlesource.com/62210
Reviewed-by: Adam Langley <agl@golang.org>
2017-10-13 23:25:03 +00:00
Peter Wu
1192d2574f crypto/tls: fix SCT decoding
Fixes: ("crypto/tls: add SignedCertificateTimestamps and OCSPStaple to 1.3")
Fixes: ("crypto/tls: fix SCT extension wire format")
2017-09-29 17:00:46 +01:00
Filippo Valsorda
fc5cd7e2f9 crypto/tls: fix SCT extension wire format 2017-09-05 21:06:35 +01:00
Filippo Valsorda
80f82d89c7 crypto/tls: avoid sending empty OCSP or SCT cert extensions 2017-09-05 21:06:35 +01:00
Brendan Mc
ed105dc308 crypto/tls: add SignedCertificateTimestamps and OCSPStaple to 1.3 2017-09-05 21:06:35 +01:00
Filippo Valsorda
4191962f25 crypto/tls: use correct alerts
BoGo: Resume-Server-PSKBinderFirstExtension
BoGo: Resume-Server-ExtraPSKBinder
BoGo: Resume-Server-ExtraIdentityNoBinder
BoGo: Renegotiate-Server-Forbidden
BoGo: NoNullCompression
BoGo: TrailingMessageData-*
2017-09-05 21:06:35 +01:00
Filippo Valsorda
5406418371 crypto/tls: fix panic in PSK binders parsing
BoGo: Resume-Server-ExtraPSKBinder
2017-09-05 21:06:35 +01:00
Filippo Valsorda
f8c15889af crypto/tls: implement TLS 1.3 server 0-RTT 2017-09-05 21:06:34 +01:00
Filippo Valsorda
453bd6af77 crypto/tls: implement TLS 1.3 PSK messages 2017-09-05 21:06:34 +01:00
Filippo Valsorda
9bc837c453 [dev.tls] crypto/tls: implement TLS 1.3 messages
Updates #9671

Change-Id: Ia1b06ae518a4b2821a584a420d99859a2666c8f0
2017-09-05 20:27:04 +01:00
Adam Langley
59e91483bd crypto/tls: reject SNI values with a trailing dot.
SNI values may not include a trailing dot according to
https://tools.ietf.org/html/rfc6066#section-3. Although crypto/tls
handled this correctly as a client, it didn't reject this as a server.

This change makes sending an SNI value with a trailing dot a fatal
error.

Updates #18114.

Change-Id: Ib7897ab40e98d4a7a4646ff8469a55233621f631
Reviewed-on: https://go-review.googlesource.com/33904
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-02-01 21:59:57 +00:00
Adam Langley
1b8b6efd10 crypto/tls: reject zero-length SCTs.
The SignedCertificateTimestampList[1] specifies that both the list and
each element must not be empty. Checking that the list is not empty was
handled in [2] and this change checks that the SCTs themselves are not
zero-length.

[1] https://tools.ietf.org/html/rfc6962#section-3.3
[2] https://golang.org/cl/33265

Change-Id: Iabaae7a15f6d111eb079e5086e0bd2005fae9e48
Reviewed-on: https://go-review.googlesource.com/33355
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2016-11-17 20:53:01 +00:00
woodsaj
8b63f202ce crypto/tls: reject CT extension with no SCTs included
When the CT extension is enabled but no SCTs are present, the existing
code calls "continue" which causes resizing the data byte slice to be
skipped. In fact, such extensions should be rejected.

Fixes #17958

Change-Id: Iad12da10d1ea72d04ae2e1012c28bb2636f06bcd
Reviewed-on: https://go-review.googlesource.com/33265
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-11-17 20:21:48 +00:00
Adam Langley
07b6287f24 crypto/tls: allow renegotiation to be handled by a client.
This change adds Config.Renegotiation which controls whether a TLS
client will accept renegotiation requests from a server. This is used,
for example, by some web servers that wish to “add” a client certificate
to an HTTPS connection.

This is disabled by default because it significantly complicates the
state machine.

Originally, handshakeMutex was taken before locking either Conn.in or
Conn.out. However, if renegotiation is permitted then a handshake may
be triggered during a Read() call. If Conn.in were unlocked before
taking handshakeMutex then a concurrent Read() call could see an
intermediate state and trigger an error. Thus handshakeMutex is now
locked after Conn.in and the handshake functions assume that Conn.in is
locked for the duration of the handshake.

Additionally, handshakeMutex used to protect Conn.out also. With the
possibility of renegotiation that's no longer viable and so
writeRecordLocked has been split off.

Fixes #5742.

Change-Id: I935914db1f185d507ff39bba8274c148d756a1c8
Reviewed-on: https://go-review.googlesource.com/22475
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
2016-04-28 17:56:28 +00:00
Matthew Dempsky
21704146dc all: remove unnecessary type conversions
cmd and runtime were handled separately, and I'm intentionally skipped
syscall. This is the rest of the standard library.

CL generated mechanically with github.com/mdempsky/unconvert.

Change-Id: I9e0eff886974dedc37adb93f602064b83e469122
Reviewed-on: https://go-review.googlesource.com/22104
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Matthew Dempsky <mdempsky@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
2016-04-15 07:31:45 +00:00
Emmanuel Odeke
e15014c62b crypto/tls: minor refactors for readability
Change-Id: I93e73f16474b4b31f7097af2f9479822dfc34c5c
Reviewed-on: https://go-review.googlesource.com/20678
Reviewed-by: Adam Langley <agl@golang.org>
2016-03-14 21:17:37 +00:00
Adam Langley
b5162386a0 crypto/tls: reject ServerHellos with empty ALPN protocols.
https://tools.ietf.org/html/rfc7301#section-3.1 specifies that a
ProtocolName may not be empty. This change enforces this for ServerHello
messages—it's already enforced for ClientHello messages.

Change-Id: Ic5a5be6bebf07fba90a3cabd10b07ab7b4337f53
Reviewed-on: https://go-review.googlesource.com/12003
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-08-30 15:33:36 +00:00
Adam Langley
c757de320b crypto/tls: fix parsing of SNI extension.
The previous code had a brain fart: it took one of the length prefixes
as an element count, not a length. This didn't actually affect anything
because the loop stops as soon as it finds a hostname element, and the
hostname element is always the first and only element. (No other element
types have ever been defined.)

This change fixes the parsing in case SNI is ever changed in the future.

Fixes #10793.

Change-Id: Iafdf3381942bc22b1f33595315c53dc6cc2e9f0f
Reviewed-on: https://go-review.googlesource.com/11059
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-06-14 17:55:53 +00:00
Jonathan Rudenberg
8ea126be4d crypto/tls: add support for Certificate Transparency
This change adds support for serving and receiving Signed Certificate
Timestamps as described in RFC 6962.

The server is now capable of serving SCTs listed in the Certificate
structure. The client now asks for SCTs and, if any are received,
they are exposed in the ConnectionState structure.

Fixes #10201

Change-Id: Ib3adae98cb4f173bc85cec04d2bdd3aa0fec70bb
Reviewed-on: https://go-review.googlesource.com/8988
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
Reviewed-by: Jonathan Rudenberg <jonathan@titanous.com>
2015-04-26 16:53:11 +00:00
Adam Langley
0581a2f81d crypto/tls: fix renegotiation extension.
There are two methods by which TLS clients signal the renegotiation
extension: either a special cipher suite value or a TLS extension.

It appears that I left debugging code in when I landed support for the
extension because there's a "+ 1" in the switch statement that shouldn't
be there.

The effect of this is very small, but it will break Firefox if
security.ssl.require_safe_negotiation is enabled in about:config.
(Although almost nobody does this.)

This change fixes the original bug and adds a test. Sadly the test is a
little complex because there's no OpenSSL s_client option that mirrors
that behaviour of require_safe_negotiation.

Change-Id: Ia6925c7d9bbc0713e7104228a57d2d61d537c07a
Reviewed-on: https://go-review.googlesource.com/1900
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2015-01-06 19:50:07 +00:00
Adam Langley
5e8d397065 crypto/tls: add ALPN support.
Fixes #6736.

LGTM=mikioh.mikioh
R=bradfitz, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/108710046
2014-08-05 11:36:20 -07:00
Adam Langley
514cfc8a40 crypto/tls: pick ECDHE curves based on server preference.
Currently an ECDHE handshake uses the client's curve preference. This
generally means that we use P-521. However, P-521's strength is
mismatched with the rest of the cipher suite in most cases and we have
a fast, constant-time implementation of P-256.

With this change, Go servers will use P-256 where the client supports
it although that can be overridden in the Config.

LGTM=bradfitz
R=bradfitz
CC=golang-codereviews
https://golang.org/cl/66060043
2014-02-24 17:57:51 -05:00
Adam Langley
6f38414b48 crypto/tls: support renegotiation extension.
The renegotiation extension was introduced[1] due to an attack by Ray in
which a client's handshake was spliced into a connection that was
renegotiating, thus giving an attacker the ability to inject an
arbitary prefix into the connection.

Go has never supported renegotiation as a server and so this attack
doesn't apply. As a client, it's possible that at some point in the
future the population of servers will be sufficiently updated that
it'll be possible to reject connections where the server hasn't
demonstrated that it has been updated to address this problem.

We're not at that point yet, but it's good for Go servers to support
the extension so that it might be possible to do in the future.

[1] https://tools.ietf.org/search/rfc5746

R=golang-codereviews, mikioh.mikioh
CC=golang-codereviews
https://golang.org/cl/48580043
2014-01-09 13:38:11 -05:00
Adam Langley
3a888fc059 crypto/tls: implement TLS 1.2.
This does not include AES-GCM yet. Also, it assumes that the handshake and
certificate signature hash are always SHA-256, which is true of the ciphersuites
that we currently support.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/10762044
2013-07-02 19:58:56 -04:00
Adam Langley
cf463f462c crypto/tls: fix NPN extension parsing.
I typoed the code and tried to parse all the way to the end of the
message. Therefore it fails when NPN is not the last extension in the
ServerHello.

Fixes #4088.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6637052
2012-10-09 13:25:47 -04:00
Adam Langley
13d26a420a crypto/tls: support session ticket resumption.
Session resumption saves a round trip and removes the need to perform
the public-key operations of a TLS handshake when both the client and
server support it (which is true of Firefox and Chrome, at least).

R=golang-dev, bradfitz, rsc
CC=golang-dev
https://golang.org/cl/6555051
2012-09-24 16:52:43 -04:00
Michael Gehring
615733d170 crypto/tls: fix decoding of certLen in certificateMsg.unmarshal
certLen was decoded incorrectly if length > 2^16-1.

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6197077
2012-05-14 12:26:29 -04:00
Jeff R. Allen
5fa105421a crypto/tls: Improve TLS Client Authentication
Fix incorrect marshal/unmarshal of certificateRequest.
Add support for configuring client-auth on the server side.
Fix the certificate selection in the client side.
Update generate_cert.go to new time package

Fixes #2521.

R=krautz, agl, bradfitz
CC=golang-dev, mikkel
https://golang.org/cl/5448093
2012-01-05 12:05:38 -05:00
Russ Cox
30373ac5f7 crypto/tls: fix handshake message test
This test breaks when I make reflect.DeepEqual
distinguish empty slices from nil slices.

R=agl
CC=golang-dev
https://golang.org/cl/5369110
2011-11-14 15:21:08 -05:00
Adam Langley
76c2ff557a crypto/tls: support SSLv3
It would be nice not to have to support this since all the clients
that we care about support TLSv1 by now. However, due to buggy
implementations of SSLv3 on the Internet which can't do version
negotiation correctly, browsers will sometimes switch to SSLv3. Since
there's no good way for a browser tell a network problem from a buggy
server, this downgrade can occur even if the server in question is
actually working correctly.

So we need to support SSLv3 for robustness :(

Fixes #1703.

R=bradfitz
CC=golang-dev
https://golang.org/cl/5018045
2011-09-14 15:32:19 -04:00
Adam Langley
4f813669cb crypto/tls: add server-side OCSP stapling support.
We already had support on the client side. I also changed the name of
the flag in the ServerHello structure to match the name of the same
flag in the ClientHello (ocspStapling).

R=bradfitzgo
CC=golang-dev
https://golang.org/cl/4408044
2011-04-14 14:47:28 -04:00
Adam Langley
954c3ec034 crypto/tls: add ECDHE support
(ECDHE is "Elliptic Curve Diffie Hellman Ephemeral")

R=rsc
CC=golang-dev
https://golang.org/cl/3668042
2010-12-16 17:10:50 -05:00
Russ Cox
8fe46b4768 use append
R=gri, r, r2
CC=golang-dev
https://golang.org/cl/2743042
2010-10-27 19:47:23 -07:00