Commit Graph

528 Commits

Author SHA1 Message Date
0d06e5c19c Server side of client authentication 2018-03-27 08:52:44 +01:00
68c9776eb9 (tests) Expose 6443 in docker for client auth 2018-03-27 08:52:44 +01:00
c4dfbb897c (tests) Removes 'set -u' from bash as some variables may be unset in the script 2018-03-27 08:52:44 +01:00
1f3a180f14 (tests) Test for client authentication on server side 2018-03-27 08:52:44 +01:00
cd14ae86b4 (tests) Refactor tris test server 2018-03-27 08:52:44 +01:00
58e1a66838 (tests) Makes tstclnt tests passing again 2018-03-27 08:52:44 +01:00
adeb1a5868 (tests) Fixes error: standard_init_linux.go:195: exec user process caused no such file or directory 2018-03-27 08:52:44 +01:00
80fe037aa8 (tests) Client Authentication: Tests against boringssl 2018-03-27 08:52:44 +01:00
6acee69d6b Use certificate_request specific to TLS 1.3 2018-03-27 08:52:44 +01:00
c6745f1879 Client authentication 2018-03-27 08:52:44 +01:00
e62ddc004c Adds structure for certificate_request in TLS 1.3
* TLS 1.3 requries specific marshalling/unmarshalling of data
* This code should probably be rewritten in order ot use
  a bit cleaner approach for dealing with bytes
2018-03-27 08:52:44 +01:00
054f9b8f24 Adds 'certificate required' alert 2018-03-27 08:52:44 +01:00
b05f4a6a51 Adds ID for CA's extension 2018-03-27 08:52:44 +01:00
ddfc58e5be Changes dependency from go v1.9 to go v1.10 2018-03-21 17:44:28 +00:00
Brad Burch
f1a5602bba crypto/tls: optional "certificate_status" with OCSP
Follows the wording in RFC4366 more precisely which allows a server
to optionally return a "certificate_status" when responding to a
client hello containing "status_request" extension.

fixes #8549

Change-Id: Ib02dc9f972da185b25554568fe6f8bc411d9c0b7
Reviewed-on: https://go-review.googlesource.com/86115
Reviewed-by: Adam Langley <agl@golang.org>
2018-03-21 16:26:26 +00:00
Filippo Valsorda
2e765efc88 crypto/tls: document VerifyPeerCertificate behavior in relation to ClientAuth
Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc
Reviewed-on: https://go-review.googlesource.com/84475
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-21 16:26:26 +00:00
d3da622def
Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77)
Temporarily reverts update to go1.10
2018-03-21 14:27:31 +00:00
1313809b2b (CI) Use go 1.10 also for bogo testing 2018-03-13 08:38:50 +00:00
ec236c5591 [PATCH] all: use HTTPS for iana.org links
This is merge of commit 5158aab7d662e274aed870ae6bf9cf8ae0786f5b
from https://github.com/golang/go.git for go/crypto/tls only.

iana.org, www.iana.org and data.iana.org all present a valid TLS
certificate, so let's use it when fetching data or linking to
resources to avoid errors in transit.

Reviewed-on: https://go-review.googlesource.com/89416
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-13 08:38:50 +00:00
Kevin Burke
137239b5b7 crypto/tls: handle errors in generate_cert.go
I don't expect these to hit often, but we should still alert users if
we fail to write the correct data to the file, or fail to close it.

Change-Id: I33774e94108f7f18ed655ade8cca229b1993d4d2
Reviewed-on: https://go-review.googlesource.com/91456
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-13 08:38:50 +00:00
Brad Burch
0957fdb171 crypto/tls: optional "certificate_status" with OCSP
Follows the wording in RFC4366 more precisely which allows a server
to optionally return a "certificate_status" when responding to a
client hello containing "status_request" extension.

fixes #8549

Change-Id: Ib02dc9f972da185b25554568fe6f8bc411d9c0b7
Reviewed-on: https://go-review.googlesource.com/86115
Reviewed-by: Adam Langley <agl@golang.org>
2018-03-13 08:38:50 +00:00
Filippo Valsorda
eaa1196b44 crypto/tls: document VerifyPeerCertificate behavior in relation to ClientAuth
Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc
Reviewed-on: https://go-review.googlesource.com/84475
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-13 08:38:50 +00:00
70e5aeb62a (CI) Use go 10 2018-03-13 08:38:50 +00:00
03db2e7d58
Merge pull request #71 from henrydcase/dev/package_prep_makefile
Makefile improvement
2018-03-13 05:28:31 +00:00
cb443468e8 Makefile improvement
Following things where added/changed:
* Builds correctly tls-tris. Previously go had a problem with
  a symbolic link resulting in not building tls-tris at all. I've
  used `rsync' instead.
* Can build for selected platform with "ARCH=platform make -f Makefile"
* Possible to build from any directory. Previously ``cd _dev; make``
  was required, it's possible to ``cd /whever/you/want; make -f /tris/Makefile``
2018-03-01 16:12:07 +00:00
Filippo Valsorda
a982da063d tris: allow failure of NSS interop tests at HEAD 2018-02-08 16:26:04 +01:00
Filippo Valsorda
05688e56f4 tris: make Travis-CI use Go 1.9 2018-02-08 15:53:53 +01:00
Filippo Valsorda
844036d474 tris: remove github.com/cloudflare/go
Over time the amount of custom Go patches reduced, and tris got less
tangled to the underlying Go. Finally sever the link.

This allows more flexibility in what base Go is used (the system one),
doesn't require coordinating two repositories, and simplifies the black
magic considerably.

Make sure to use tris with Go 1.9.X.
2018-02-08 15:44:25 +01:00
Peter Wu
8db472667b tris: update tests to track draft 22
Force boringssl client and server to use draft 22 instead of draft 18.
Other clients (tstclnt from NSS, picotls) support only draft 22.

Disable mint, it only supports draft 21.
2017-12-13 20:16:48 +00:00
Peter Wu
824987c5ad tris: implement draft-22 middlebox compatibility mode
Send/Skip CCS, set legacy record version to 3,3 and echo session ID.
CCS must be ignored while the handshake is running, but not thereafter:
https://tools.ietf.org/html/draft-ietf-tls-tls13-22#section-5

Unconditionally send CCS as server because bogo requires it, even if no
session ID is included in the Client Hello. TLS 1.3 clients MUST ignore
it anyway, so it should not hurt.

Fixes interop with boringssl and openssl and passes bogo.
2017-12-13 20:16:48 +00:00
Peter Wu
a0bab1759d tris: update Server Hello processing for D22
Check SupportedVersions for the actual version and verify that the
server sets the correct SeverHello.legacy_version. Change D21 to D22.
2017-12-13 20:15:00 +00:00
Peter Wu
e89292ccbe tris: convert end_of_early_data to a handshake message
Draft 21 changed end_of_early_data from an alert into a handshake
message to allow it to integrate better with the handshake. This change
does that, rather than handling EOD at the record layer, it moves
processing up to the actual readers of (early) application data.
2017-12-13 17:49:25 +00:00
Peter Wu
69dddf0612 tris: update NewSessionTicket for draft -19 and -21
D19: use early_data instead of custom ticket_early_data_info extension
codepoint. D21: new ticket nonce field and change in PSK calculation.
This nonce provides some minor security advantage in case one of the PSK
is compromised (which would leak the resumption master secret).

Rename "resumptionSecret" to "pskSecret" in sessionState13 to reflect
the D21 change and use constant-time comparison for the secret.

Also fix potential panic if the ticket is large enough, but the
extensions are missing.
2017-12-13 17:49:25 +00:00
Peter Wu
fd93e9ecf6 tris: implement D19 and D20 changes for secrets
D19 added an additional pre-extract Derive-Secret stage. D20 shortened
labels. Bump from D18 to D21 with no backwards compat option for now
since older drafts are considered undeployable.
2017-12-13 17:49:25 +00:00
Peter Wu
ac01048c5e tris: add NSS server to client interop tests
Similar to boringssl, reuse the NSS client image for the NSS server test
against the tris client. Bump the NSS version to 3.34.1 gain support
for TLS 1.3 keylogging which is useful while debugging.

Adjust read check to fix intermittent NSS test failures:
https://github.com/cloudflare/tls-tris/issues/58
2017-12-13 17:39:53 +00:00
Peter Wu
c89a0a5f3a tris: Add initial client interoperability tests
Prepare framework for testing tls-tris as client against other servers.
Currently only boringssl is implemented, but the idea is to add support
for others too (NSS, OpenSSL, picotls, tris, ...).

To test multiple certificate types, copy ecdsa.pem and rsa.pem from
tris-localserver for boringssl. The boringssl image is reused for the
server since the binaries were built anyway. Revision is bumped to
something to fix a build error and make the -loop and -www options work.
2017-12-13 17:39:53 +00:00
Peter Wu
dee13626ef tris: enable client tests with bogo shim 2017-12-13 17:39:53 +00:00
Peter Wu
e9ff50fcb0 tris: process ALPN in EE received by client 2017-12-13 17:39:53 +00:00
Peter Wu
0b636d21fb crypto/tls: enable certificate validation on the client
Support validation of ECDSA and RSASSA-PSS signatures. Explicitly do not
support PKCS1-v1_5 signatures since these are not allowed for handshake
messages.
2017-12-13 17:39:53 +00:00
Peter Wu
92d04f3ebd tris: advertise PSS in Client Hello for TLS 1.3
Until PSS support is finalized for TLS 1.2, let's not advertise support
for that. Since TLS 1.3 however mandates PSS, we have no other option
than advertising this even if we have not added complete support.

Another reason why I apply it to just TLS 1.3 and not 1.2 is because the
latter would require updating the testdata.
2017-12-13 17:39:53 +00:00
Peter Wu
928e35b73a crypto/tls: extract certificate validation for the client
Moved some code and added a comment in preparation for extending the TLS
1.3 client with certificate validation. No functional change.
2017-12-13 17:39:53 +00:00
Peter Wu
9e25a0a25d crypto/tls: initial TLS 1.3 client support
Advertise TLS 1.3 in supported_versions and send a key share for the
first preferred curve. Missing are HRR, certificate validation and
Encrypted Extensions processing (see TODO notes).

For simplicity only a single key share is remembered. This key share
should be updated with a HRR (when implemented).
2017-12-13 17:39:53 +00:00
Peter Wu
634f9a5858 crypto/tls: prepare for TLS 1.3 client handshake.
This change splits handshake processing for TLS 1.3, reindenting the TLS
1.2 code path and splitting initializationg of the handshake hash. No
equivalent is added for processServerHello because session resumption is
not supported yet.
2017-12-13 17:39:53 +00:00
Peter Wu
9eb1d7faf7 crypto/tls: skip session cache for TLS 1.3
Skip reading the session cache if TLS 1.3 is in use (the cache has no
use), skip storing a session if TLS 1.3 is in use (sessionCache can
still be set when TLS 1.2 is allowed).
2017-12-13 17:39:53 +00:00
Peter Wu
9f46cf9e2d crypto/tls: add RSASSA-PSS support for handshake messages
This adds support for RSASSA-PSS signatures in handshake messages as
required by TLS 1.3. Even if TLS 1.2 is negotiated, it must support PSS
when advertised in the Client Hello (this will be done later as the
testdata will change).

Updates #9671

Change-Id: I8006b92e017453ae408c153233ce5ccef99b5c3f
2017-12-13 17:34:03 +00:00
Peter Wu
1850fd015e crypto/tls: consolidate signatures handling in SKE and CV
ServerKeyExchange and CertificateVerify can share the same logic for
picking a signature algorithm (based on the certificate public key and
advertised algorithms), selecting a hash algorithm (depending on TLS
version) and signature verification.

Refactor the code to achieve code reuse, have common error checking
(especially for intersecting supported signature algorithms) and to
prepare for addition of new signature algorithms. Code should be easier
to read since version-dependent logic is concentrated at one place.

Change-Id: I978dec3815d28e33c3cfbc85f0c704b1894c25a3
2017-12-13 17:34:03 +00:00
Peter Wu
759dbb355a tris: fix nonce length definition and actually use it
All TLS 1.3 cipher suites so far use a nonce length of 12, but that does
not have to be the case. Correct the cipher suite definition and use it.
Spec: https://tools.ietf.org/html/draft-ietf-tls-tls13-22#section-5.3

Note: there is no functional change, the values were previously unused.

Fixes: ("[dev.tls] crypto/tls: implement TLS 1.3 cipher suites")
2017-12-04 19:17:56 +00:00
Peter Wu
b1e5feadef tris: prevent sending 0.5-RTT data
Disable 0.5-RTT as it has weaker security properties than 1-RTT. The
same security considerations from TLS False Start (RFC 7918) apply.

Currently the server Handshake method returns as soon as it has sent its
parameters, but it does not wait for the client to authenticate the
handshake via a Finished message. This broke a test that assumed that
the Handshake message performs a full handshake and also
(unintentionally?) enabled the server to send application data before
the handshake is complete ("0.5-RTT data").

Fix this by moving the implicit Finished message check in the handshake
message reader to the server handshake itself (previously readRecord
would process the Finished message as a side-effect of requesting
recordTypeApplicationData). And in the special case where 0-RTT data is
actually desired, process the Finished message in the ConfirmHandshake
and Read functions.

NOTE: 0.5-RTT is not disabled when the server enables 0-RTT. It is the
server responsibility to use ConfirmHandshake before writing anything.

Explicitly panic when ConfirmHandshake is used for client connections,
this is not the intended use of that API.
2017-12-01 19:08:31 +00:00
Peter Wu
8523d7d8e0 tris: ignore NewSessionTicket messages as client
Prevent unexpected_message alert, PSK resumption is not supported so
ignore the received session ticket as client.
2017-12-01 19:08:31 +00:00
Peter Wu
de3ae8f61d tris: accept other post-handshake messages as client
Do not assume that every post-handshake messages are HelloRequests that
try to trigger a renegotiation. This could result in a no_renegotiation
(rather than an unexpected_message) alert even for other message types
(like NewSessionTicket).

This change makes the caller of readRecord(recordTypeApplicationData)
responsible for checking for renegotiation in case of a handshake
message, but that is currently already the case. And the condition
"c.phase == waitingClientFinished" can only be hit by the server, so
that won't have break the handshake either.

Related: https://github.com/cloudflare/tls-tris/issues/50
2017-12-01 19:08:31 +00:00