mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-04 12:37:35 +03:00
Code Issues Projects Releases Packages Wiki Activity

Fix #33: renegotiation and export extension fields

Browse source 
Renegotiation:
 - Disallow specifying the body of Renegotiation extensions to
   avoid assumption that it will be verified.
 - Marshal the extension, if it is present in the uconn.Extensions list,
   even if Renegotiation is set to Never.

Exports all unexported uTLS extension fields.

Fixes #33
This commit is contained in:
Sergey Frolov 2019-08-22 16:33:47 -06:00
parent 4da6795186
commit 1552a980ce
2 changed files with 34 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

16
u_parrots.go
View file

@ -39,7 +39,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
CompressionMethods: []byte{compressionNone}, CompressionMethods: []byte{compressionNone},
Extensions: []TLSExtension{ Extensions: []TLSExtension{
&UtlsGREASEExtension{}, &UtlsGREASEExtension{},
&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}, &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient},
&SNIExtension{}, &SNIExtension{},
&UtlsExtendedMasterSecretExtension{}, &UtlsExtendedMasterSecretExtension{},
&SessionTicketExtension{}, &SessionTicketExtension{},
@ -94,7 +94,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
}, },
Extensions: []TLSExtension{ Extensions: []TLSExtension{
&UtlsGREASEExtension{}, &UtlsGREASEExtension{},
&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}, &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient},
&SNIExtension{}, &SNIExtension{},
&UtlsExtendedMasterSecretExtension{}, &UtlsExtendedMasterSecretExtension{},
&SessionTicketExtension{}, &SessionTicketExtension{},
@ -166,7 +166,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
&UtlsGREASEExtension{}, &UtlsGREASEExtension{},
&SNIExtension{}, &SNIExtension{},
&UtlsExtendedMasterSecretExtension{}, &UtlsExtendedMasterSecretExtension{},
&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}, &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient},
&SupportedCurvesExtension{[]CurveID{ &SupportedCurvesExtension{[]CurveID{
CurveID(GREASE_PLACEHOLDER), CurveID(GREASE_PLACEHOLDER),
X25519, X25519,
@ -237,7 +237,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
Extensions: []TLSExtension{ Extensions: []TLSExtension{
&SNIExtension{}, &SNIExtension{},
&UtlsExtendedMasterSecretExtension{}, &UtlsExtendedMasterSecretExtension{},
&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}, &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient},
&SupportedCurvesExtension{[]CurveID{X25519, CurveP256, CurveP384, CurveP521}}, &SupportedCurvesExtension{[]CurveID{X25519, CurveP256, CurveP384, CurveP521}},
&SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}}, &SupportedPointsExtension{SupportedPoints: []byte{pointFormatUncompressed}},
&SessionTicketExtension{}, &SessionTicketExtension{},
@ -290,7 +290,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
Extensions: []TLSExtension{ Extensions: []TLSExtension{
&SNIExtension{}, &SNIExtension{},
&UtlsExtendedMasterSecretExtension{}, &UtlsExtendedMasterSecretExtension{},
&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}, &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient},
&SupportedCurvesExtension{[]CurveID{ &SupportedCurvesExtension{[]CurveID{
X25519, X25519,
CurveP256, CurveP256,
@ -361,7 +361,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
compressionNone, compressionNone,
}, },
Extensions: []TLSExtension{ Extensions: []TLSExtension{
&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}, &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient},
&SNIExtension{}, &SNIExtension{},
&UtlsExtendedMasterSecretExtension{}, &UtlsExtendedMasterSecretExtension{},
&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
@ -421,7 +421,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
compressionNone, compressionNone,
}, },
Extensions: []TLSExtension{ Extensions: []TLSExtension{
&RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient}, &RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient},
&SNIExtension{}, &SNIExtension{},
&UtlsExtendedMasterSecretExtension{}, &UtlsExtendedMasterSecretExtension{},
&SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{ &SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []SignatureScheme{
@ -722,7 +722,7 @@ func (uconn *UConn) generateRandomizedSpec() (ClientHelloSpec, error) {
curves := SupportedCurvesExtension{curveIDs} curves := SupportedCurvesExtension{curveIDs}
padding := UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle} padding := UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle}
reneg := RenegotiationInfoExtension{renegotiation: RenegotiateOnceAsClient} reneg := RenegotiationInfoExtension{Renegotiation: RenegotiateOnceAsClient}
p.Extensions = []TLSExtension{ p.Extensions = []TLSExtension{
&sni, &sni,

75
u_tls_extensions.go
View file

@ -194,20 +194,18 @@ func (e *SignatureAlgorithmsExtension) Read(b []byte) (int, error) {
} }
type RenegotiationInfoExtension struct { type RenegotiationInfoExtension struct {
renegotiation RenegotiationSupport // Renegotiation field limits how many times client will perform renegotiation: no limit, once, or never.
SecureRenegotiation []byte // if empty, default []byte{0} is assumed // The extension still will be sent, even if Renegotiation is set to RenegotiateNever.
Renegotiation RenegotiationSupport
} }
func (e *RenegotiationInfoExtension) writeToUConn(uc *UConn) error { func (e *RenegotiationInfoExtension) writeToUConn(uc *UConn) error {
uc.config.Renegotiation = e.renegotiation uc.config.Renegotiation = e.Renegotiation
switch e.renegotiation { switch e.Renegotiation {
case RenegotiateOnceAsClient: case RenegotiateOnceAsClient:
fallthrough fallthrough
case RenegotiateFreelyAsClient: case RenegotiateFreelyAsClient:
uc.HandshakeState.Hello.SecureRenegotiationSupported = true uc.HandshakeState.Hello.SecureRenegotiationSupported = true
// Note that if we manage to use this in renegotiation(currently only in initial handshake), we'd have to point
// uc.ClientHelloMsg.SecureRenegotiation = chs.C.clientFinished
// and probably do something else. It's a mess.
case RenegotiateNever: case RenegotiateNever:
default: default:
} }
@ -215,47 +213,25 @@ func (e *RenegotiationInfoExtension) writeToUConn(uc *UConn) error {
} }
func (e *RenegotiationInfoExtension) Len() int { func (e *RenegotiationInfoExtension) Len() int {
switch e.renegotiation { return 5
case RenegotiateOnceAsClient:
fallthrough
case RenegotiateFreelyAsClient:
extBodyLen := len(e.SecureRenegotiation)
if extBodyLen == 0 {
extBodyLen = 1
}
return 4 + extBodyLen
case RenegotiateNever:
default:
}
return 0
} }
func (e *RenegotiationInfoExtension) Read(b []byte) (int, error) { func (e *RenegotiationInfoExtension) Read(b []byte) (int, error) {
if len(b) < e.Len() { if len(b) < e.Len() {
return 0, io.ErrShortBuffer return 0, io.ErrShortBuffer
} }
switch e.renegotiation {
case RenegotiateOnceAsClient:
fallthrough
case RenegotiateFreelyAsClient:
secureRenegBody := e.SecureRenegotiation
if len(secureRenegBody) == 0 {
secureRenegBody = []byte{0}
}
extBodyLen := len(secureRenegBody)
b[0] = byte(extensionRenegotiationInfo >> 8) var extInnerBody []byte // inner body is empty
b[1] = byte(extensionRenegotiationInfo & 0xff) innerBodyLen := len(extInnerBody)
b[2] = byte(extBodyLen >> 8) extBodyLen := innerBodyLen + 1
b[3] = byte(extBodyLen)
copy(b[4:], secureRenegBody) b[0] = byte(extensionRenegotiationInfo >> 8)
b[1] = byte(extensionRenegotiationInfo & 0xff)
b[2] = byte(extBodyLen >> 8)
b[3] = byte(extBodyLen)
b[4] = byte(innerBodyLen)
copy(b[5:], extInnerBody)
if len(e.SecureRenegotiation) != 0 {
copy(b[5:], e.SecureRenegotiation)
}
case RenegotiateNever:
default:
}
return e.Len(), io.EOF return e.Len(), io.EOF
} }
@ -364,9 +340,10 @@ func (e *SessionTicketExtension) Read(b []byte) (int, error) {
return e.Len(), io.EOF return e.Len(), io.EOF
} }
// GenericExtension allows to include in ClientHello arbitrary unsupported extensions.
type GenericExtension struct { type GenericExtension struct {
id uint16 Id uint16
data []byte Data []byte
} }
func (e *GenericExtension) writeToUConn(uc *UConn) error { func (e *GenericExtension) writeToUConn(uc *UConn) error {
@ -374,7 +351,7 @@ func (e *GenericExtension) writeToUConn(uc *UConn) error {
} }
func (e *GenericExtension) Len() int { func (e *GenericExtension) Len() int {
return 4 + len(e.data) return 4 + len(e.Data)
} }
func (e *GenericExtension) Read(b []byte) (int, error) { func (e *GenericExtension) Read(b []byte) (int, error) {
@ -382,12 +359,12 @@ func (e *GenericExtension) Read(b []byte) (int, error) {
return 0, io.ErrShortBuffer return 0, io.ErrShortBuffer
} }
b[0] = byte(e.id >> 8) b[0] = byte(e.Id >> 8)
b[1] = byte(e.id) b[1] = byte(e.Id)
b[2] = byte(len(e.data) >> 8) b[2] = byte(len(e.Data) >> 8)
b[3] = byte(len(e.data)) b[3] = byte(len(e.Data))
if len(e.data) > 0 { if len(e.Data) > 0 {
copy(b[4:], e.data) copy(b[4:], e.Data)
} }
return e.Len(), io.EOF return e.Len(), io.EOF
} }