Commit Graph

497 Commits

Author SHA1 Message Date
Evan Klitzke
67bc308e04 Update client SCT list during TLS 1.3 handshake, fixes #76 2018-06-28 23:24:26 +01:00
b1d6c0aeaa Change function name verifyPeerCertificate->verifyPeerHandshakeSignature 2018-06-27 19:41:50 +01:00
91d6db578b CI: Fail build if code is wrongly formatted 2018-06-26 09:56:45 +01:00
b6af4dd343 Code formatting for handshake_server_test.go 2018-06-26 09:56:45 +01:00
3f720fc50c Code formatting for TRIS test client and server 2018-06-26 09:56:45 +01:00
Brendan Mc
9557e92e52
Merge pull request #97 from henrydcase/fix_name
Fixes function name
2018-06-19 09:23:58 -07:00
Brendan Mc
b9d61edfd5
Merge pull request #96 from henrydcase/fmt2
Applies go fmt to all the code
2018-06-19 09:23:46 -07:00
51a4ff64d8 Fixes function name 2018-06-19 11:24:08 +01:00
4b1b463735 Applies go fmt to all the code 2018-06-19 11:17:19 +01:00
Christopher Patton
81ee64180a Lint 13.go 2018-06-05 13:46:43 +01:00
c20de2f694 DOC: Update for building
* Makes building instructions for Ubuntu copy-paste'able
* Updates dependency list
2018-05-24 10:29:21 +01:00
Christopher Patton
160c4f5eab Add additional instructions for building on Ubuntu 2018-05-24 10:06:54 +01:00
Christopher Patton
d485f39ca9 Update _dev/Makefile so that the code builds on Ubuntu 2018-05-24 10:06:54 +01:00
b7765d14c4 (test) Interoperability tris with tris 2018-03-29 13:15:52 +01:00
e5c37bded5 Testing rework
Goal of this PR is to rework testing script so that actual testing is
easy to extend and perform during development cycle.

* For interoperability testing I use python script and test framework,
  instead of complicated bsah scripts. Script itself is not yet perfect
  but it makes it much easier to extend tests and work with them during
  development time

* Makefile has been extended and now includes all steps needed to build
  the library and run tests. It's now possible to run any kind of tests
  without exporting environment variables.  Thanks to this change it is
  stupid-easy to run any kind of tests.

* There are 3 kinds of tests implemented in the library - unittests,
  interoperability tests and bogo. Travis has been changed and now
  dashbord will show only results for those 3 targets.
2018-03-29 13:15:52 +01:00
42d5f61fd6 Set default MinVersion of protocol to TLSv12 2018-03-27 16:03:31 +01:00
c1206cd452 Enable TLS 1.3 (draft-22) as default
* Also alignes some tests which were broken because of this
  change
2018-03-27 16:03:31 +01:00
7b3759576a Cleanup
* Implements verifyPeerCertificate common for client and server
* Removes processCertsFromServer13 and processCertsFromClient13
  and implements getCertsFromEntries common to server and client
  which is used instead.
2018-03-27 08:52:44 +01:00
01c3b768fe (fix) Client MUST send certificate msg if requested by server 2018-03-27 08:52:44 +01:00
0d06e5c19c Server side of client authentication 2018-03-27 08:52:44 +01:00
68c9776eb9 (tests) Expose 6443 in docker for client auth 2018-03-27 08:52:44 +01:00
c4dfbb897c (tests) Removes 'set -u' from bash as some variables may be unset in the script 2018-03-27 08:52:44 +01:00
1f3a180f14 (tests) Test for client authentication on server side 2018-03-27 08:52:44 +01:00
cd14ae86b4 (tests) Refactor tris test server 2018-03-27 08:52:44 +01:00
58e1a66838 (tests) Makes tstclnt tests passing again 2018-03-27 08:52:44 +01:00
adeb1a5868 (tests) Fixes error: standard_init_linux.go:195: exec user process caused no such file or directory 2018-03-27 08:52:44 +01:00
80fe037aa8 (tests) Client Authentication: Tests against boringssl 2018-03-27 08:52:44 +01:00
6acee69d6b Use certificate_request specific to TLS 1.3 2018-03-27 08:52:44 +01:00
c6745f1879 Client authentication 2018-03-27 08:52:44 +01:00
e62ddc004c Adds structure for certificate_request in TLS 1.3
* TLS 1.3 requries specific marshalling/unmarshalling of data
* This code should probably be rewritten in order ot use
  a bit cleaner approach for dealing with bytes
2018-03-27 08:52:44 +01:00
054f9b8f24 Adds 'certificate required' alert 2018-03-27 08:52:44 +01:00
b05f4a6a51 Adds ID for CA's extension 2018-03-27 08:52:44 +01:00
ddfc58e5be Changes dependency from go v1.9 to go v1.10 2018-03-21 17:44:28 +00:00
Brad Burch
f1a5602bba crypto/tls: optional "certificate_status" with OCSP
Follows the wording in RFC4366 more precisely which allows a server
to optionally return a "certificate_status" when responding to a
client hello containing "status_request" extension.

fixes #8549

Change-Id: Ib02dc9f972da185b25554568fe6f8bc411d9c0b7
Reviewed-on: https://go-review.googlesource.com/86115
Reviewed-by: Adam Langley <agl@golang.org>
2018-03-21 16:26:26 +00:00
Filippo Valsorda
2e765efc88 crypto/tls: document VerifyPeerCertificate behavior in relation to ClientAuth
Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc
Reviewed-on: https://go-review.googlesource.com/84475
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-21 16:26:26 +00:00
d3da622def
Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77)
Temporarily reverts update to go1.10
2018-03-21 14:27:31 +00:00
1313809b2b (CI) Use go 1.10 also for bogo testing 2018-03-13 08:38:50 +00:00
ec236c5591 [PATCH] all: use HTTPS for iana.org links
This is merge of commit 5158aab7d662e274aed870ae6bf9cf8ae0786f5b
from https://github.com/golang/go.git for go/crypto/tls only.

iana.org, www.iana.org and data.iana.org all present a valid TLS
certificate, so let's use it when fetching data or linking to
resources to avoid errors in transit.

Reviewed-on: https://go-review.googlesource.com/89416
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-13 08:38:50 +00:00
Kevin Burke
137239b5b7 crypto/tls: handle errors in generate_cert.go
I don't expect these to hit often, but we should still alert users if
we fail to write the correct data to the file, or fail to close it.

Change-Id: I33774e94108f7f18ed655ade8cca229b1993d4d2
Reviewed-on: https://go-review.googlesource.com/91456
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-13 08:38:50 +00:00
Brad Burch
0957fdb171 crypto/tls: optional "certificate_status" with OCSP
Follows the wording in RFC4366 more precisely which allows a server
to optionally return a "certificate_status" when responding to a
client hello containing "status_request" extension.

fixes #8549

Change-Id: Ib02dc9f972da185b25554568fe6f8bc411d9c0b7
Reviewed-on: https://go-review.googlesource.com/86115
Reviewed-by: Adam Langley <agl@golang.org>
2018-03-13 08:38:50 +00:00
Filippo Valsorda
eaa1196b44 crypto/tls: document VerifyPeerCertificate behavior in relation to ClientAuth
Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc
Reviewed-on: https://go-review.googlesource.com/84475
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-13 08:38:50 +00:00
70e5aeb62a (CI) Use go 10 2018-03-13 08:38:50 +00:00
03db2e7d58
Merge pull request #71 from henrydcase/dev/package_prep_makefile
Makefile improvement
2018-03-13 05:28:31 +00:00
cb443468e8 Makefile improvement
Following things where added/changed:
* Builds correctly tls-tris. Previously go had a problem with
  a symbolic link resulting in not building tls-tris at all. I've
  used `rsync' instead.
* Can build for selected platform with "ARCH=platform make -f Makefile"
* Possible to build from any directory. Previously ``cd _dev; make``
  was required, it's possible to ``cd /whever/you/want; make -f /tris/Makefile``
2018-03-01 16:12:07 +00:00
Filippo Valsorda
a982da063d tris: allow failure of NSS interop tests at HEAD 2018-02-08 16:26:04 +01:00
Filippo Valsorda
05688e56f4 tris: make Travis-CI use Go 1.9 2018-02-08 15:53:53 +01:00
Filippo Valsorda
844036d474 tris: remove github.com/cloudflare/go
Over time the amount of custom Go patches reduced, and tris got less
tangled to the underlying Go. Finally sever the link.

This allows more flexibility in what base Go is used (the system one),
doesn't require coordinating two repositories, and simplifies the black
magic considerably.

Make sure to use tris with Go 1.9.X.
2018-02-08 15:44:25 +01:00
Peter Wu
8db472667b tris: update tests to track draft 22
Force boringssl client and server to use draft 22 instead of draft 18.
Other clients (tstclnt from NSS, picotls) support only draft 22.

Disable mint, it only supports draft 21.
2017-12-13 20:16:48 +00:00
Peter Wu
824987c5ad tris: implement draft-22 middlebox compatibility mode
Send/Skip CCS, set legacy record version to 3,3 and echo session ID.
CCS must be ignored while the handshake is running, but not thereafter:
https://tools.ietf.org/html/draft-ietf-tls-tls13-22#section-5

Unconditionally send CCS as server because bogo requires it, even if no
session ID is included in the Client Hello. TLS 1.3 clients MUST ignore
it anyway, so it should not hurt.

Fixes interop with boringssl and openssl and passes bogo.
2017-12-13 20:16:48 +00:00
Peter Wu
a0bab1759d tris: update Server Hello processing for D22
Check SupportedVersions for the actual version and verify that the
server sets the correct SeverHello.legacy_version. Change D21 to D22.
2017-12-13 20:15:00 +00:00