Peter Wu
6f580251ca
tris: use keySchedule13 for the server
Use the new keySchedule13 type instead of hash.Hash to avoid tracking
the hashContext and intermediate secrets manually.
checkPSK is modified not to return the calculated early secret; this is
internal to keySchedule13 now. The caller just learns whether it was
resumed using a PSK or not.
2017-09-21 15:37:34 +01:00
Peter Wu
9f9f06de80
tris: add new key schedule implementation
In order to reduce repetitive complexity (extract handshake context,
pass the right secrets around to calculate a secret and build a cipher),
create a new type that tracks the hash type, the handshake context and
intermediate secrets.
Advantages: facilitates reuse between client and server code, makes it
easier to update labels for draft-19, makes it easier to add central
KeyLogWriter functionality.
2017-09-21 15:37:34 +01:00
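The keySchedule13 design these two commits describe (a type that owns the hash, the running handshake context and the intermediate secrets, with the PSK check reporting only whether the connection resumed), as an added Go example that is not tris code. The HKDF helpers, the "tls13 " label prefix of RFC 8446 (the drafts tris tracked at the time used other prefixes), the method names and the constructed inputs in main are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// hkdfExtract is HKDF-Extract(salt, ikm) from RFC 5869.
func hkdfExtract(h func() hash.Hash, salt, ikm []byte) []byte {
	m := hmac.New(h, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

// hkdfExpand is HKDF-Expand(prk, info, length) from RFC 5869.
func hkdfExpand(h func() hash.Hash, prk, info []byte, length int) []byte {
	var out, t []byte
	for counter := byte(1); len(out) < length; counter++ {
		m := hmac.New(h, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{counter})
		t = m.Sum(nil)
		out = append(out, t...)
	}
	return out[:length]
}

// hkdfExpandLabel encodes the HkdfLabel struct of RFC 8446 section 7.1 (final "tls13 " prefix assumed).
func hkdfExpandLabel(h func() hash.Hash, secret []byte, label string, ctx []byte, length int) []byte {
	full := "tls13 " + label
	info := []byte{byte(length >> 8), byte(length), byte(len(full))}
	info = append(info, full...)
	info = append(info, byte(len(ctx)))
	info = append(info, ctx...)
	return hkdfExpand(h, secret, info, length)
}

// keySchedule tracks the hash, the transcript hash and the current intermediate secret.
type keySchedule struct {
	newHash    func() hash.Hash
	transcript hash.Hash
	secret     []byte // early secret, then handshake secret, then master secret
}

func newKeySchedule(h func() hash.Hash) *keySchedule {
	return &keySchedule{newHash: h, transcript: h()}
}

// Write feeds a handshake message into the transcript hash.
func (ks *keySchedule) Write(msg []byte) { ks.transcript.Write(msg) }

// advance is one HKDF-Extract step: the salt is Derive-Secret(current, "derived", "")
// or zeros for the first step; ikm is the PSK or (EC)DHE secret (nil means zeros).
func (ks *keySchedule) advance(ikm []byte) {
	size := ks.newHash().Size()
	if ikm == nil {
		ikm = make([]byte, size)
	}
	salt := make([]byte, size)
	if ks.secret != nil {
		salt = hkdfExpandLabel(ks.newHash, ks.secret, "derived", ks.newHash().Sum(nil), size)
	}
	ks.secret = hkdfExtract(ks.newHash, salt, ikm)
}

// SetEarlySecret plays the role of the modified checkPSK: it installs the early
// secret internally and reports only whether a PSK was used.
func (ks *keySchedule) SetEarlySecret(psk []byte) (resumed bool) {
	ks.advance(psk)
	return psk != nil
}

// SetHandshakeSecret mixes in the (EC)DHE shared secret.
func (ks *keySchedule) SetHandshakeSecret(ecdhe []byte) { ks.advance(ecdhe) }

// DeriveSecret is Derive-Secret(current secret, label, transcript so far).
func (ks *keySchedule) DeriveSecret(label string) []byte {
	return hkdfExpandLabel(ks.newHash, ks.secret, label, ks.transcript.Sum(nil), ks.newHash().Size())
}

// handshakeTrafficSecrets runs a SHA-256 schedule through the handshake secret over a
// ClientHello/ServerHello transcript; it returns the early secret (hex, for checking
// against RFC 8448), both handshake traffic secrets and the resumption flag.
func handshakeTrafficSecrets(psk, ecdhe, clientHello, serverHello []byte) (early string, client, server []byte, resumed bool) {
	ks := newKeySchedule(sha256.New)
	resumed = ks.SetEarlySecret(psk)
	early = hex.EncodeToString(ks.secret)
	ks.Write(clientHello)
	ks.Write(serverHello)
	ks.SetHandshakeSecret(ecdhe)
	return early, ks.DeriveSecret("c hs traffic"), ks.DeriveSecret("s hs traffic"), resumed
}

func main() { // constructed inputs: not a real shared secret or real handshake messages
	early, c, s, resumed := handshakeTrafficSecrets(nil, []byte("constructed 32-byte ecdhe secret"), []byte("ClientHello"), []byte("ServerHello"))
	fmt.Printf("resumed=%v early=%s\nc hs traffic=%x\ns hs traffic=%x\n", resumed, early, c, s)
}
```

With no PSK and SHA-256 the early secret is HKDF-Extract over all-zero salt and IKM, so it must come out as the RFC 8448 value 33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a regardless of the rest of the inputs; the traffic secrets printed after it depend on the constructed transcript and are not test vectors. Note that the caller never handles the early, handshake or master secret directly, which is exactly what lets the same type serve client and server code and gives a single place to hook a KeyLogWriter.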
Peter Wu
079992e500
tris: whitespace fix
Fixes: "tris: add picotls interop"
2017-09-21 12:59:48 +01:00
Peter Wu
25f2efc996
tris: update Go to 1.9
Use Go 1.9 (go1.9) with a patch to enable users to access the 0RTT API:
net/http: attach TLSConnContextKey to the request Context
2017-09-07 17:40:17 +01:00
Henry de Valence
cd63e47f2c
tris: rename pk to secretKey
2017-09-05 21:06:36 +01:00
Henry de Valence
d4b8398461
tris: fix typos
2017-09-05 21:06:36 +01:00
Tomas Susanka
4b944d1428
tris: typos
2017-09-05 21:06:35 +01:00
Filippo Valsorda
44343a1e4d
tris: make the boring incremental build deterministic
HEAD is currently breaking the build.
2017-09-05 21:06:35 +01:00
Filippo Valsorda
7d575cd9ba
tris: add Dockerfile to run unit tests with -update
2017-09-05 21:06:35 +01:00
Tom Thorogood
bc76e35b75
tris-localserver: fix Content-Type header for /ch endpoint (#21)
2017-09-05 21:06:35 +01:00
Tom Thorogood
f4a6690edc
crypto/tls: generate unique ticket_age_add for each ticket
#23 -- CLA ok -- re-author to me+google@tomthorogood.co.uk
2017-09-05 21:06:35 +01:00
Filippo Valsorda
ba45c1a5ca
tris: add echo.filippo.io
2017-09-05 21:06:35 +01:00
Filippo Valsorda
7f449cbaa7
tris: add SessionTicketSealer
2017-09-05 21:06:35 +01:00
Filippo Valsorda
2ace09e9b4
tris: upgrade to Go 1.8
2017-09-05 21:06:35 +01:00
Filippo Valsorda
fc5cd7e2f9
crypto/tls: fix SCT extension wire format
2017-09-05 21:06:35 +01:00
Filippo Valsorda
80f82d89c7
crypto/tls: avoid sending empty OCSP or SCT cert extensions
2017-09-05 21:06:35 +01:00
Filippo Valsorda
815d56e5a7
tris: update README for public consumption
2017-09-05 21:06:35 +01:00
Filippo Valsorda
4f7b5988a3
crypto/tls: add ConnectionState.Unique0RTTToken
2017-09-05 21:06:35 +01:00
Filippo Valsorda
563bf91c28
tris: update to Go 1.8rc3+
2017-09-05 21:06:35 +01:00
Filippo Valsorda
0d97989e0d
tris: move Commit to just before key share generation
In particular move it to after cipher suite negotiation and after
HelloRetryRequest check.
2017-09-05 21:06:35 +01:00
Brendan Mc
ed105dc308
crypto/tls: add SignedCertificateTimestamps and OCSPStaple to 1.3
2017-09-05 21:06:35 +01:00
Filippo Valsorda
9b94b65b7b
crypto/tls: send two session tickets to TLS 1.3 clients
2017-09-05 21:06:35 +01:00
Filippo Valsorda
44df381ccb
crypto/tls: peek at unencrypted alerts to give better errors
2017-09-05 21:06:35 +01:00
Filippo Valsorda
740fc926aa
tris: add single line TLSDEBUG=short
2017-09-05 21:06:35 +01:00
Filippo Valsorda
7aa542753f
tris: update to Go 1.8rc2
2017-09-05 21:06:35 +01:00
Filippo Valsorda
6bff168a06
tris: add proper BoGo tests
2017-09-05 21:06:35 +01:00
Filippo Valsorda
c758567785
crypto/tls: detect unexpected leftover handshake data
There should be no data in the Handshake buffer on encryption state
changes (including implicit 1.3 transitions). Checking that also blocks
all Handshake messages fragmented across CCS.
BoGo: PartialClientFinishedWithClientHello
2017-09-05 21:06:35 +01:00
Filippo Valsorda
de613b152d
crypto/tls: disallow handshake messages fragmented across CCS
BoGo: FragmentAcrossChangeCipherSpec-Server-Packed
2017-09-05 21:06:35 +01:00
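The check these two commits describe (the handshake reassembly buffer must be empty when the encryption state changes, which in turn rejects any handshake message fragmented across a ChangeCipherSpec), as an added Go example that is not crypto/tls or tris code. The record and reader types, the error values, the handshakeMsg helper and the constructed record sequences in main are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// TLS record content types used here (RFC 8446 section 5.1).
const (
	recordTypeChangeCipherSpec byte = 20
	recordTypeHandshake        byte = 22
)

// record is one plaintext TLS record: content type plus fragment.
type record struct {
	typ     byte
	payload []byte
}

var errFragmentedAcrossCCS = errors.New("tls: handshake message fragmented across ChangeCipherSpec")

// handshakeReader reassembles handshake messages from record fragments. partial
// holds the incomplete message received so far; it must be empty whenever the
// encryption state changes.
type handshakeReader struct {
	partial  []byte
	messages [][]byte
}

// process consumes one record. A ChangeCipherSpec that arrives while a handshake
// message is still incomplete is rejected; that single check covers every way of
// splitting a message across the CCS, including a partial 4-byte header.
func (r *handshakeReader) process(rec record) error {
	switch rec.typ {
	case recordTypeHandshake:
		r.partial = append(r.partial, rec.payload...)
		for len(r.partial) >= 4 {
			n := int(r.partial[1])<<16 | int(r.partial[2])<<8 | int(r.partial[3])
			if len(r.partial) < 4+n {
				break // wait for the next fragment
			}
			r.messages = append(r.messages, append([]byte(nil), r.partial[:4+n]...))
			r.partial = r.partial[4+n:]
		}
		return nil
	case recordTypeChangeCipherSpec:
		if len(rec.payload) != 1 || rec.payload[0] != 1 {
			return errors.New("tls: malformed ChangeCipherSpec")
		}
		if len(r.partial) != 0 {
			return errFragmentedAcrossCCS
		}
		return nil
	default:
		return fmt.Errorf("tls: unexpected record type %d", rec.typ)
	}
}

// handshakeMsg builds a handshake message: 1-byte type, 3-byte length, body.
func handshakeMsg(typ byte, body []byte) []byte {
	n := len(body)
	return append([]byte{typ, byte(n >> 16), byte(n >> 8), byte(n)}, body...)
}

// processRecords runs a record sequence through a fresh reader and returns how
// many complete handshake messages were reassembled before any error.
func processRecords(recs []record) (int, error) {
	r := &handshakeReader{}
	for _, rec := range recs {
		if err := r.process(rec); err != nil {
			return len(r.messages), err
		}
	}
	return len(r.messages), nil
}

func main() {
	// Constructed traffic: a Finished-shaped message (type 20, 32-byte verify_data)
	// split in two with a CCS in between, versus the same split with the CCS after it.
	fin := handshakeMsg(20, make([]byte, 32))
	bad := []record{{recordTypeHandshake, fin[:10]}, {recordTypeChangeCipherSpec, []byte{1}}, {recordTypeHandshake, fin[10:]}}
	good := []record{{recordTypeHandshake, fin[:10]}, {recordTypeHandshake, fin[10:]}, {recordTypeChangeCipherSpec, []byte{1}}}
	n, err := processRecords(bad)
	fmt.Println("fragmented across CCS:", n, err)
	n, err = processRecords(good)
	fmt.Println("complete before CCS:", n, err)
}
```

The point of checking the buffer rather than the fragment pattern is that the reader does not need to know which message the peer was in the middle of: any leftover bytes at a state change, even three bytes of a header, are enough to abort, which is what makes the PartialClientFinishedWithClientHello and FragmentAcrossChangeCipherSpec-Server-Packed cases fall out of one condition.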
Filippo Valsorda
4191962f25
crypto/tls: use correct alerts
BoGo: Resume-Server-PSKBinderFirstExtension
BoGo: Resume-Server-ExtraPSKBinder
BoGo: Resume-Server-ExtraIdentityNoBinder
BoGo: Renegotiate-Server-Forbidden
BoGo: NoNullCompression
BoGo: TrailingMessageData-*
2017-09-05 21:06:35 +01:00
Filippo Valsorda
5406418371
crypto/tls: fix panic in PSK binders parsing
BoGo: Resume-Server-ExtraPSKBinder
2017-09-05 21:06:35 +01:00
Filippo Valsorda
bbb712bfd8
crypto/tls: simplify supported points handling to match BoringSSL
BoGo: PointFormat-Server-*
2017-09-05 21:06:35 +01:00
Filippo Valsorda
922b99e473
crypto/tls: make 1.3 version negotiation more robust
BoGo: IgnoreClientVersionOrder
BoGo: *VersionTolerance
BoGo: RejectFinalTLS13
2017-09-05 21:06:34 +01:00
Filippo Valsorda
58aab36b6e
crypto/tls: use negotiated version for fallback check
BoGo: FallbackSCSV-VersionMatch-TLS13
2017-09-05 21:06:34 +01:00
EKR
ed06c77b1d
crypto/tls: fix clientHelloMsg fuzzer not to generate the RI SCSV
It was causing mysterious fuzzing failure because it affects the
unmarshaling of the secureNegotiationSupported field.
2017-09-05 21:06:34 +01:00
Filippo Valsorda
147d78ad99
tris: switch to Go 1.8beta1
2017-09-05 21:06:34 +01:00
Filippo Valsorda
052978de5e
crypto/tls: expose extension versions in ClientHelloInfo.SupportedVersions
2017-09-05 21:06:34 +01:00
Filippo Valsorda
1bc19494f8
tris: tolerate NSS sending obfuscated_ticket_age as seconds
2017-09-05 21:06:34 +01:00
Filippo Valsorda
faefac5f1a
crypto/tls: stop ConfirmHandshake from locking on any Read
ConfirmHandshake should block on a Read until the handshakeConfirmed
state is reached, but past that it shouldn't.
2017-09-05 21:06:34 +01:00
Filippo Valsorda
1b03258899
crypto/tls: simplify the Handshake locking
See https://groups.google.com/forum/#!topic/golang-dev/Xxiai-R_jH0
Change-Id: I6052695ece9aff9e3112c2fb176596fde8aa9cb2
2017-09-05 21:06:34 +01:00
Filippo Valsorda
341de96a61
crypto/tls: fix Conn.phase data races
Phase should only be accessed under in.Mutex. Handshake and all Read
operations obtain that lock. However, many functions checking for
handshakeRunning only obtain handshakeMutex: reintroduce
handshakeCompleted for them. ConnectionState and Close check for
handshakeConfirmed, introduce an atomic flag for them.
2017-09-05 21:06:34 +01:00
Filippo Valsorda
f3fe024dc7
crypto/tls: do not drain 0-RTT data on Close
There is no reason a server can't just send a CloseNotify in its first
flight, and then close the connection without reading the 0-RTT data.
Also, it's not expected of Close to block on reading, and interlocking
with a Read can cause a deadlock.
Fixes NCC-2016-001
2017-09-05 21:06:34 +01:00
Filippo Valsorda
3e31621f57
crypto/tls: pick the first group the client sent a key share for
Fixes NCC-2016-002
2017-09-05 21:06:34 +01:00
Filippo Valsorda
831410a948
tris: fix cross-compilation and relocation
2017-09-05 21:06:34 +01:00
Filippo Valsorda
345fbe2a39
tris: fix http2 tls.Conn context
2017-09-05 21:06:34 +01:00
Filippo Valsorda
df557b2b05
tris: fix NSS 0-RTT interop
2017-09-05 21:06:34 +01:00
Filippo Valsorda
5c4af70647
tris: drop QuietError
2017-09-05 21:06:34 +01:00
Filippo Valsorda
2b667f2952
tris: fix mint interop
2017-09-05 21:06:34 +01:00
Filippo Valsorda
180bfdbd68
crypto/tls: finish the session ticket state checks
2017-09-05 21:06:34 +01:00
Filippo Valsorda
6ca044cede
tris: add picotls interop
2017-09-05 21:06:34 +01:00
Filippo Valsorda
f8c15889af
crypto/tls: implement TLS 1.3 server 0-RTT
2017-09-05 21:06:34 +01:00