Commit Graph

71 Commits

Author SHA1 Message Date
76231e7564 SIDH: Implement test againt TLSv1.2
Tris tries to connect to BoringSSL over TLS 1.2 with X25519-SIDH
as prefered DH group. As this is not supported by BoringSSL it must
fall back to P-256 (second preference on the list)

Also refactors tris test client
2018-12-10 15:12:56 +00:00
334eee5310 SIDH: Align codepoints with the ones in latest version 2018-12-10 15:12:56 +00:00
1c0d342ecc boringssl: update to newest version 2018-12-10 15:12:56 +00:00
fab2c445b3 makefile: use named tags instead of commit numbers 2018-10-25 20:37:45 +01:00
86b0aecf5e go 1.11: Switch to GO 1.11
Minimal amount of changes needed to switch to GO 1.11
* crypto/internal/cipherhw was removed and internal/cpu was introduced
* wrong code formatting in handhsake_server_test.go was breaking
  the build
2018-10-17 14:06:11 +01:00
8da51abeca sidh: operability tests with BoringSSL
Implements two tests for SIDH/P503-X25519 interoperability. BoringSSL
initiates connection to TRIS and TRIS initiates connection to BoringSSL.
SIDH server always listens on port 7443
2018-10-15 14:55:49 +01:00
96db6f14d8 sidh: sidh support in boringssl 2018-10-15 14:55:49 +01:00
cb67de3e1f
sidh: use version with improved vendoring (#144) 2018-10-12 20:17:03 +01:00
bcc2724bf6 sidh: use implementation with improved performance for ARMv8 2018-10-12 16:15:11 +01:00
ce53b126bc fix: client shouldn't use P751/x448 ID 2018-10-09 09:38:59 +01:00
d184bc0099 sidh: adds PQ secure KEX
* SIDH/P503-X25519
* adds interop tests
2018-10-09 08:46:13 +01:00
ed36ba540a sidh: updates for Makefile 2018-10-09 08:46:13 +01:00
07ad1769c3 fix: in TLSv1.3, the ALPN extension must be sent in EE
serverHandshakeState::readClientHello was setting selected ALPN protocol
always on hs.hello.alpnProtocol, which is specific to TLS 1.2 and older.
Because of that server was marshalling ALPN to SH instead of EE.
2018-09-16 23:33:49 +01:00
da110326f8 Swap TLS 1.3 to RFC 8446 2018-09-16 12:22:20 +01:00
Watson Ladd
7e1760cc7c Add EMS support to tls-tris
see RFC7627
2018-09-07 15:16:11 +01:00
81871bbad5
tls tris server: allow custom server keypairs (#128) 2018-08-19 20:59:43 +01:00
2bcf6466b4
removes old draft version indicators (#127) 2018-08-19 10:27:33 +01:00
242e89da1b refactoring of the tris test client 2018-08-15 17:50:01 +01:00
63ec8fff02 refactoring of the tris test server 2018-08-15 16:25:21 +01:00
d3e18f99e2
Minimal number of changes needed to udpate to draft-28 (#115)
* includes AD in authentication check of TLS records

As per 5.2 of TLS 1.3 draft-28, the additional data is record header.

* tests: Update tests in order to support draft-28

* Interoperability: Updates NSS and BoringSSL versions to the
  one supporting draft-28
* Bogo: Updates revision number to use tests for draft-28
* FIX: makefile was using test-compat target instead of
  test-interop

* DC test: constify

* Use binary interface to encode in big-endian
2018-08-09 20:47:50 +01:00
3ff71dcdc5 tests: enable client authentication in bogo 2018-06-29 08:12:15 +01:00
6e4abe2d07 TLSv1.3 draft-23: align tests
* Changes tests so that they pass with draft-23
* BoringSSL interoperability: uses code at most recent commit. It uses
  "-tls13-variant draft23" flag to indicate compatibility with draft23
* NSS interoperability: Uses release 3.35
* PicoTLS interoperability: blocked. Doesn't seem to implement draft23
* Uses updated bogo from
  https://github.com/henrydcase/crypto-tls-bogo-shim
2018-06-29 07:47:50 +01:00
91d6db578b CI: Fail build if code is wrongly formatted 2018-06-26 09:56:45 +01:00
3f720fc50c Code formatting for TRIS test client and server 2018-06-26 09:56:45 +01:00
Christopher Patton
d485f39ca9 Update _dev/Makefile so that the code builds on Ubuntu 2018-05-24 10:06:54 +01:00
b7765d14c4 (test) Interoperability tris with tris 2018-03-29 13:15:52 +01:00
e5c37bded5 Testing rework
Goal of this PR is to rework testing script so that actual testing is
easy to extend and perform during development cycle.

* For interoperability testing I use python script and test framework,
  instead of complicated bsah scripts. Script itself is not yet perfect
  but it makes it much easier to extend tests and work with them during
  development time

* Makefile has been extended and now includes all steps needed to build
  the library and run tests. It's now possible to run any kind of tests
  without exporting environment variables.  Thanks to this change it is
  stupid-easy to run any kind of tests.

* There are 3 kinds of tests implemented in the library - unittests,
  interoperability tests and bogo. Travis has been changed and now
  dashbord will show only results for those 3 targets.
2018-03-29 13:15:52 +01:00
01c3b768fe (fix) Client MUST send certificate msg if requested by server 2018-03-27 08:52:44 +01:00
68c9776eb9 (tests) Expose 6443 in docker for client auth 2018-03-27 08:52:44 +01:00
c4dfbb897c (tests) Removes 'set -u' from bash as some variables may be unset in the script 2018-03-27 08:52:44 +01:00
1f3a180f14 (tests) Test for client authentication on server side 2018-03-27 08:52:44 +01:00
cd14ae86b4 (tests) Refactor tris test server 2018-03-27 08:52:44 +01:00
58e1a66838 (tests) Makes tstclnt tests passing again 2018-03-27 08:52:44 +01:00
adeb1a5868 (tests) Fixes error: standard_init_linux.go:195: exec user process caused no such file or directory 2018-03-27 08:52:44 +01:00
80fe037aa8 (tests) Client Authentication: Tests against boringssl 2018-03-27 08:52:44 +01:00
ddfc58e5be Changes dependency from go v1.9 to go v1.10 2018-03-21 17:44:28 +00:00
d3da622def
Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77)
Temporarily reverts update to go1.10
2018-03-21 14:27:31 +00:00
1313809b2b (CI) Use go 1.10 also for bogo testing 2018-03-13 08:38:50 +00:00
cb443468e8 Makefile improvement
Following things where added/changed:
* Builds correctly tls-tris. Previously go had a problem with
  a symbolic link resulting in not building tls-tris at all. I've
  used `rsync' instead.
* Can build for selected platform with "ARCH=platform make -f Makefile"
* Possible to build from any directory. Previously ``cd _dev; make``
  was required, it's possible to ``cd /whever/you/want; make -f /tris/Makefile``
2018-03-01 16:12:07 +00:00
Filippo Valsorda
05688e56f4 tris: make Travis-CI use Go 1.9 2018-02-08 15:53:53 +01:00
Filippo Valsorda
844036d474 tris: remove github.com/cloudflare/go
Over time the amount of custom Go patches reduced, and tris got less
tangled to the underlying Go. Finally sever the link.

This allows more flexibility in what base Go is used (the system one),
doesn't require coordinating two repositories, and simplifies the black
magic considerably.

Make sure to use tris with Go 1.9.X.
2018-02-08 15:44:25 +01:00
Peter Wu
8db472667b tris: update tests to track draft 22
Force boringssl client and server to use draft 22 instead of draft 18.
Other clients (tstclnt from NSS, picotls) support only draft 22.

Disable mint, it only supports draft 21.
2017-12-13 20:16:48 +00:00
Peter Wu
a0bab1759d tris: update Server Hello processing for D22
Check SupportedVersions for the actual version and verify that the
server sets the correct SeverHello.legacy_version. Change D21 to D22.
2017-12-13 20:15:00 +00:00
Peter Wu
fd93e9ecf6 tris: implement D19 and D20 changes for secrets
D19 added an additional pre-extract Derive-Secret stage. D20 shortened
labels. Bump from D18 to D21 with no backwards compat option for now
since older drafts are considered undeployable.
2017-12-13 17:49:25 +00:00
Peter Wu
ac01048c5e tris: add NSS server to client interop tests
Similar to boringssl, reuse the NSS client image for the NSS server test
against the tris client. Bump the NSS version to 3.34.1 gain support
for TLS 1.3 keylogging which is useful while debugging.

Adjust read check to fix intermittent NSS test failures:
https://github.com/cloudflare/tls-tris/issues/58
2017-12-13 17:39:53 +00:00
Peter Wu
c89a0a5f3a tris: Add initial client interoperability tests
Prepare framework for testing tls-tris as client against other servers.
Currently only boringssl is implemented, but the idea is to add support
for others too (NSS, OpenSSL, picotls, tris, ...).

To test multiple certificate types, copy ecdsa.pem and rsa.pem from
tris-localserver for boringssl. The boringssl image is reused for the
server since the binaries were built anyway. Revision is bumped to
something to fix a build error and make the -loop and -www options work.
2017-12-13 17:39:53 +00:00
Peter Wu
dee13626ef tris: enable client tests with bogo shim 2017-12-13 17:39:53 +00:00
Peter Wu
d16cde640d tris: enable TLS 1.3 for tris-localserver again.
The default version (TLS 1.2) is no longer overridden with TLS 1.3 so
the server must explicitly set it.

Fixes: ("crypto/tls: allow client to pick TLS 1.3, do not enable it by default.")
2017-09-29 12:47:55 +01:00
Peter Wu
3107d575a8 tris: implement SSLKEYLOGFILE for TLS 1.3 server
This makes it easier to validate the handshake contents using Wireshark.
2017-09-21 15:37:34 +01:00
Peter Wu
25f2efc996 tris: update Go to 1.9
Use Go 1.9 (go1.9) with a patch to enable users to access the 0RTT API:

    net/http: attach TLSConnContextKey to the request Context
2017-09-07 17:40:17 +01:00