mirrors/uquic
1
0
Fork 0
mirror of https://github.com/refraction-networking/uquic.git synced 2025-04-04 20:57:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

make the TLS cipher suites configurable

Browse source
This commit is contained in:
Marten Seemann 2020-02-01 15:58:40 +07:00
parent 54b38cac0f
commit f91dfda8c3
6 changed files with 50 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Changelog.md
View file

@ -4,6 +4,7 @@
- Add support for 0-RTT. - Add support for 0-RTT.
- Remove `Session.Close()`. Applications need to pass an application error code to the transport using `Session.CloseWithError()`. - Remove `Session.Close()`. Applications need to pass an application error code to the transport using `Session.CloseWithError()`.
- Make the TLS Cipher Suites configurable (via `tls.Config.CipherSuites`).
## v0.14.0 (2019-12-04) ## v0.14.0 (2019-12-04)

2
client.go
View file

@ -59,6 +59,7 @@ var (
// DialAddr establishes a new QUIC connection to a server. // DialAddr establishes a new QUIC connection to a server.
// It uses a new UDP connection and closes this connection when the QUIC session is closed. // It uses a new UDP connection and closes this connection when the QUIC session is closed.
// The hostname for SNI is taken from the given address. // The hostname for SNI is taken from the given address.
// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites.
func DialAddr( func DialAddr(
addr string, addr string,
tlsConf *tls.Config, tlsConf *tls.Config,
@ -70,6 +71,7 @@ func DialAddr(
// DialAddrEarly establishes a new 0-RTT QUIC connection to a server. // DialAddrEarly establishes a new 0-RTT QUIC connection to a server.
// It uses a new UDP connection and closes this connection when the QUIC session is closed. // It uses a new UDP connection and closes this connection when the QUIC session is closed.
// The hostname for SNI is taken from the given address. // The hostname for SNI is taken from the given address.
// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites.
func DialAddrEarly( func DialAddrEarly(
addr string, addr string,
tlsConf *tls.Config, tlsConf *tls.Config,

2
go.mod
View file

@ -9,7 +9,7 @@ require (
github.com/golang/protobuf v1.3.0 github.com/golang/protobuf v1.3.0
github.com/marten-seemann/chacha20 v0.2.0 github.com/marten-seemann/chacha20 v0.2.0
github.com/marten-seemann/qpack v0.1.0 github.com/marten-seemann/qpack v0.1.0
github.com/marten-seemann/qtls v0.6.1 github.com/marten-seemann/qtls v0.7.0
github.com/onsi/ginkgo v1.11.0 github.com/onsi/ginkgo v1.11.0
github.com/onsi/gomega v1.8.1 github.com/onsi/gomega v1.8.1
golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472 golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472

4
go.sum
View file

@ -15,8 +15,8 @@ github.com/marten-seemann/chacha20 v0.2.0 h1:f40vqzzx+3GdOmzQoItkLX5WLvHgPgyYqFF
github.com/marten-seemann/chacha20 v0.2.0/go.mod h1:HSdjFau7GzYRj+ahFNwsO3ouVJr1HFkWoEwNDb4TMtE= github.com/marten-seemann/chacha20 v0.2.0/go.mod h1:HSdjFau7GzYRj+ahFNwsO3ouVJr1HFkWoEwNDb4TMtE=
github.com/marten-seemann/qpack v0.1.0 h1:/0M7lkda/6mus9B8u34Asqm8ZhHAAt9Ho0vniNuVSVg= github.com/marten-seemann/qpack v0.1.0 h1:/0M7lkda/6mus9B8u34Asqm8ZhHAAt9Ho0vniNuVSVg=
github.com/marten-seemann/qpack v0.1.0/go.mod h1:LFt1NU/Ptjip0C2CPkhimBz5CGE3WGDAUWqna+CNTrI= github.com/marten-seemann/qpack v0.1.0/go.mod h1:LFt1NU/Ptjip0C2CPkhimBz5CGE3WGDAUWqna+CNTrI=
github.com/marten-seemann/qtls v0.6.1 h1:N82hlQA7hMhikLjmx6BCJ/ey4zMc9ioHQmjXWwNu6is= github.com/marten-seemann/qtls v0.7.0 h1:5orVe49aOr4ykvip1sxSEnN37nNjgxB7xTCrySLwN3E=
github.com/marten-seemann/qtls v0.6.1/go.mod h1:pxVXcHHw1pNIt8Qo0pwSYQEoZ8yYOOPXTCZLQQunvRc= github.com/marten-seemann/qtls v0.7.0/go.mod h1:pxVXcHHw1pNIt8Qo0pwSYQEoZ8yYOOPXTCZLQQunvRc=
github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw=

43
integrationtests/self/handshake_test.go
View file

@ -4,6 +4,7 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"fmt" "fmt"
"io/ioutil"
"net" "net"
"time" "time"
@ -135,6 +136,48 @@ var _ = Describe("Handshake tests", func() {
}) })
} }
Context("using different cipher suites", func() {
for n, id := range map[string]uint16{
"TLS_AES_128_GCM_SHA256": tls.TLS_AES_128_GCM_SHA256,
"TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384,
"TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256,
} {
name := n
suiteID := id
It(fmt.Sprintf("using %s", name), func() {
tlsServerConf.CipherSuites = []uint16{suiteID}
ln, err := quic.ListenAddr("localhost:0", tlsServerConf, serverConfig)
Expect(err).ToNot(HaveOccurred())
go func() {
defer GinkgoRecover()
sess, err := ln.Accept(context.Background())
Expect(err).ToNot(HaveOccurred())
str, err := sess.OpenStream()
Expect(err).ToNot(HaveOccurred())
defer str.Close()
_, err = str.Write(PRData)
Expect(err).ToNot(HaveOccurred())
}()
sess, err := quic.DialAddr(
fmt.Sprintf("localhost:%d", ln.Addr().(*net.UDPAddr).Port),
getTLSClientConfig(),
nil,
)
Expect(err).ToNot(HaveOccurred())
str, err := sess.AcceptStream(context.Background())
Expect(err).ToNot(HaveOccurred())
data, err := ioutil.ReadAll(str)
Expect(err).ToNot(HaveOccurred())
Expect(data).To(Equal(PRData))
Expect(sess.ConnectionState().CipherSuite).To(Equal(suiteID))
Expect(sess.CloseWithError(0, "")).To(Succeed())
})
}
})
Context("Certifiate validation", func() { Context("Certifiate validation", func() {
for _, v := range protocol.SupportedVersions { for _, v := range protocol.SupportedVersions {
version := v version := v

1
server.go
View file

@ -132,6 +132,7 @@ func listenAddr(addr string, tlsConf *tls.Config, config *Config, acceptEarly bo
// The PacketConn can be used for simultaneous calls to Dial. // The PacketConn can be used for simultaneous calls to Dial.
// QUIC connection IDs are used for demultiplexing the different connections. // QUIC connection IDs are used for demultiplexing the different connections.
// The tls.Config must not be nil and must contain a certificate configuration. // The tls.Config must not be nil and must contain a certificate configuration.
// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites.
// Furthermore, it must define an application control (using NextProtos). // Furthermore, it must define an application control (using NextProtos).
// The quic.Config may be nil, in that case the default values will be used. // The quic.Config may be nil, in that case the default values will be used.
func Listen(conn net.PacketConn, tlsConf *tls.Config, config *Config) (Listener, error) { func Listen(conn net.PacketConn, tlsConf *tls.Config, config *Config) (Listener, error) {