Commit Graph

565 Commits

Author SHA1 Message Date
Peter Wu
d16cde640d tris: enable TLS 1.3 for tris-localserver again.
The default version (TLS 1.2) is no longer overridden with TLS 1.3 so
the server must explicitly set it.

Fixes: ("crypto/tls: allow client to pick TLS 1.3, do not enable it by default.")
2017-09-29 12:47:55 +01:00
Peter Wu
aab74cb372 crypto/tls: allow client to pick TLS 1.3, do not enable it by default.
mutualVersion takes a maximum version, but skips TLS 1.3 because this
version is not negotiated via ClientHello.legacy_version. The server
however still uses its ServerHello.version field to select a version
from the supported_versions extension and the client must do the same.

A new getSupportedVersions method is introduced to have a single place
to handle the mapping of VersionTLS13 to the draft values.

Remove the MaxVersion override to TLS 1.3, users must set MaxVersion if
they intent to use the experimental TLS 1.3 functionality.

Fixes: ("crypto/tls: make 1.3 version negotiation more robust")
2017-09-29 12:47:55 +01:00
Peter Wu
857c7243c9 crypto/tls: check that client cipher suite matches version 2017-09-29 12:47:14 +01:00
Peter Wu
998f77009e crypto/tls: remove TLS13CipherSuites.
To allow clients to advertise both TLS 1.2 and TLS 1.3 cipher suites,
remove the distinction between both suites. TLS 1.3 suites are now
always included in the default cipher list (and the client will send it
if MaxVersion allows for it).

Since TLS 1.3 is expected to become the default MaxVersion and
applications might have set only TLS 1.2 cipher suites in their
configuration, TLS 1.3 cipher suites are added when none are present.

Alternatively, I considered disallowing overriding the TLS 1.3 suites,
but that requires more complexity and has not much benefits. Provide a
mechanism and do not dictate policy, application developers might want
to fix a cipher suite for testing other implementations for example.

Fixes https://github.com/cloudflare/tls-tris/pull/22
2017-09-29 12:47:14 +01:00
Tom Thorogood
599c1f949b crypto/tls: Don't advertise TLS 1.3-only cipher unless attempting TLS 1.3 2017-09-29 12:47:14 +01:00
Marvin Stenger
d7983b094e all: prefer bytes.IndexByte over bytes.Index
bytes.IndexByte can be used wherever the second argument to
strings.Index is exactly one byte long, so we do that with this change.

This avoids generating unnecessary string symbols/converison and saves
a few calls to bytes.Index.

Change-Id: If31c775790e01edfece1169e398ad6a754fb4428
Reviewed-on: https://go-review.googlesource.com/66373
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-09-27 01:09:13 +00:00
Marvin Stenger
d547ccf7ac all: prefer strings.LastIndexByte over strings.LastIndex
strings.LastIndexByte was introduced in go1.5 and it can be used
effectively wherever the second argument to strings.LastIndex is
exactly one byte long.

This avoids generating unnecessary string symbols and saves
a few calls to strings.LastIndex.

Change-Id: I7b5679d616197b055cffe6882a8675d24a98b574
Reviewed-on: https://go-review.googlesource.com/66372
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
2017-09-27 00:54:24 +00:00
Peter Wu
3107d575a8 tris: implement SSLKEYLOGFILE for TLS 1.3 server
This makes it easier to validate the handshake contents using Wireshark.
2017-09-21 15:37:34 +01:00
Peter Wu
6f580251ca tris: use keySchedule13 for the server
Use the new keySchedule13 type instead of hash.Hash to avoid tracking
the hashContext and intermediate secrets manually.

checkPSK is modified not to return the calculated early secret, this is
internal to keySchedule13 now. The caller just learns whether it was
resumed using a PSK or not.
2017-09-21 15:37:34 +01:00
Peter Wu
9f9f06de80 tris: add new key schedule implementation
In order to reduce repetitive complexity (extract handshake context,
pass the right secrets around to calculate a secret and build a cipher),
create a new type that tracks the hash type, the handshake context and
intermediate secrets.

Advantages: facilitates reuse between client and server code, makes it
easier to update labels for draft-19, makes it easier to add central
KeyLogWriter functionality.
2017-09-21 15:37:34 +01:00
Peter Wu
079992e500 tris: whitespace fix
Fixes: "tris: add picotls interop"
2017-09-21 12:59:48 +01:00
Kunpei Sakai
0648fb0f1c all: fix article typos
a -> an

Change-Id: I7362bdc199e83073a712be657f5d9ba16df3077e
Reviewed-on: https://go-review.googlesource.com/63850
Reviewed-by: Rob Pike <r@golang.org>
2017-09-15 02:39:16 +00:00
EKR
2fda84b4f0 crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV
It was causing mysterious fuzzing failure because it affects the
unmarshaling of the secureNegotiationSupported field.

Change-Id: Id396b84eab90a3b22fb6e306b10bdd7e39707012
Reviewed-on: https://go-review.googlesource.com/60912
Run-TryBot: Filippo Valsorda <hi@filippo.io>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2017-09-09 19:24:12 +00:00
Filippo Valsorda
50729f1a6c crypto/tls: fix and expand TestVerifyPeerCertificate and TestGetClientCertificate
TestGetClientCertificate had disabled verification, and was only passing
because it was mistakenly checking for empty verifiedChains.

Change-Id: Iea0ddbdbbdf8ac34b499569820a2e4ce543a69c7
Reviewed-on: https://go-review.googlesource.com/47430
Run-TryBot: Filippo Valsorda <hi@filippo.io>
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
2017-09-09 19:23:45 +00:00
Peter Wu
25f2efc996 tris: update Go to 1.9
Use Go 1.9 (go1.9) with a patch to enable users to access the 0RTT API:

    net/http: attach TLSConnContextKey to the request Context
2017-09-07 17:40:17 +01:00
Henry de Valence
cd63e47f2c tris: rename pk to secretKey 2017-09-05 21:06:36 +01:00
Henry de Valence
d4b8398461 tris: fix typos 2017-09-05 21:06:36 +01:00
Tomas Susanka
4b944d1428 tris: typos 2017-09-05 21:06:35 +01:00
Filippo Valsorda
44343a1e4d tris: make the boring incremental build deterministic
HEAD is currently breaking the build.
2017-09-05 21:06:35 +01:00
Filippo Valsorda
7d575cd9ba tris: add Dockerfile to run unit tests with -update 2017-09-05 21:06:35 +01:00
Tom Thorogood
bc76e35b75 tris-localserver: fix Content-Type header for /ch endpoint (#21) 2017-09-05 21:06:35 +01:00
Tom Thorogood
f4a6690edc crypto/tls: generate unique ticket_age_add for each ticket
#23 -- CLA ok -- re-author to me+google@tomthorogood.co.uk
2017-09-05 21:06:35 +01:00
Filippo Valsorda
ba45c1a5ca tris: add echo.filippo.io 2017-09-05 21:06:35 +01:00
Filippo Valsorda
7f449cbaa7 tris: add SessionTicketSealer 2017-09-05 21:06:35 +01:00
Filippo Valsorda
2ace09e9b4 tris: upgrade to Go 1.8 2017-09-05 21:06:35 +01:00
Filippo Valsorda
fc5cd7e2f9 crypto/tls: fix SCT extension wire format 2017-09-05 21:06:35 +01:00
Filippo Valsorda
80f82d89c7 crypto/tls: avoid sending empty OCSP or SCT cert extensions 2017-09-05 21:06:35 +01:00
Filippo Valsorda
815d56e5a7 tris: update README for public consumption 2017-09-05 21:06:35 +01:00
Filippo Valsorda
4f7b5988a3 crypto/tls: add ConnectionState.Unique0RTTToken 2017-09-05 21:06:35 +01:00
Filippo Valsorda
563bf91c28 tris: update to Go 1.8rc3+ 2017-09-05 21:06:35 +01:00
Filippo Valsorda
0d97989e0d tris: move Commit to just before key share generation
In particular move it to after cipher suite negotiation and after
HelloRetryRequest check.
2017-09-05 21:06:35 +01:00
Brendan Mc
ed105dc308 crypto/tls: add SignedCertificateTimestamps and OCSPStaple to 1.3 2017-09-05 21:06:35 +01:00
Filippo Valsorda
9b94b65b7b crypto/tls: send two session tickets to TLS 1.3 clients 2017-09-05 21:06:35 +01:00
Filippo Valsorda
44df381ccb crypto/tls: peek at unencrypted alerts to give better errors 2017-09-05 21:06:35 +01:00
Filippo Valsorda
740fc926aa tris: add single line TLSDEBUG=short 2017-09-05 21:06:35 +01:00
Filippo Valsorda
7aa542753f tris: update to Go 1.8rc2 2017-09-05 21:06:35 +01:00
Filippo Valsorda
6bff168a06 tris: add proper BoGo tests 2017-09-05 21:06:35 +01:00
Filippo Valsorda
c758567785 crypto/tls: detect unexpected leftover handshake data
There should be no data in the Handshake buffer on encryption state
changes (including implicit 1.3 transitions). Checking that also blocks
all Handshake messages fragmented across CCS.

BoGo: PartialClientFinishedWithClientHello
2017-09-05 21:06:35 +01:00
Filippo Valsorda
de613b152d crypto/tls: disallow handshake messages fragmented across CCS
BoGo: FragmentAcrossChangeCipherSpec-Server-Packed
2017-09-05 21:06:35 +01:00
Filippo Valsorda
4191962f25 crypto/tls: use correct alerts
BoGo: Resume-Server-PSKBinderFirstExtension
BoGo: Resume-Server-ExtraPSKBinder
BoGo: Resume-Server-ExtraIdentityNoBinder
BoGo: Renegotiate-Server-Forbidden
BoGo: NoNullCompression
BoGo: TrailingMessageData-*
2017-09-05 21:06:35 +01:00
Filippo Valsorda
5406418371 crypto/tls: fix panic in PSK binders parsing
BoGo: Resume-Server-ExtraPSKBinder
2017-09-05 21:06:35 +01:00
Filippo Valsorda
bbb712bfd8 crypto/tls: simplify supported points handling to match BoringSSL
BoGo: PointFormat-Server-*
2017-09-05 21:06:35 +01:00
Filippo Valsorda
922b99e473 crypto/tls: make 1.3 version negotiation more robust
BoGo: IgnoreClientVersionOrder
BoGO: *VersionTolerance
BoGo: RejectFinalTLS13
2017-09-05 21:06:34 +01:00
Filippo Valsorda
58aab36b6e crypto/tls: use negotiated version for fallback check
BoGo: FallbackSCSV-VersionMatch-TLS13
2017-09-05 21:06:34 +01:00
EKR
ed06c77b1d crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV
It was causing mysterious fuzzing failure because it affects the
unmarshaling of the secureNegotiationSupported field.
2017-09-05 21:06:34 +01:00
Filippo Valsorda
147d78ad99 tris: switch to Go 1.8beta1 2017-09-05 21:06:34 +01:00
Filippo Valsorda
052978de5e crypto/tls: expose extension versions in ClientHelloInfo.SupportedVersions 2017-09-05 21:06:34 +01:00
Filippo Valsorda
1bc19494f8 tris: tolerate NSS sending obfuscated_ticket_age as seconds 2017-09-05 21:06:34 +01:00
Filippo Valsorda
faefac5f1a crypto/tls: stop ConfirmHandshake from locking on any Read
ConfirmHandshake should block on a Read until the handshakeConfirmed
state is reached, but past that it shouldn't.
2017-09-05 21:06:34 +01:00
Filippo Valsorda
1b03258899 crypto/tls: simplify the Handshake locking
See https://groups.google.com/forum/#!topic/golang-dev/Xxiai-R_jH0

Change-Id: I6052695ece9aff9e3112c2fb176596fde8aa9cb2
2017-09-05 21:06:34 +01:00