mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-03 20:17:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

crypto/tls: de-prioritize AES-GCM ciphers when lacking hardware support

Browse source 
When either the server or client are lacking hardware support for
AES-GCM ciphers, indicated by the server lacking the relevant
instructions and by the client not putting AES-GCM ciphers at the top
of its preference list, reorder the preference list to de-prioritize
AES-GCM based ciphers when they are adjacent to other AEAD ciphers.

Also updates a number of recorded openssl TLS tests which previously
only specified TLS 1.2 cipher preferences (using -cipher), but not
TLS 1.3 cipher preferences (using -ciphersuites), to specify both
preferences, making these tests more predictable.

Fixes #41181.

Change-Id: Ied896c96c095481e755aaff9ff0746fb4cb9568e
Reviewed-on: https://go-review.googlesource.com/c/go/+/262857
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
This commit is contained in:
Roland Shoemaker 2020-10-15 18:32:20 -07:00 committed by Roland Shoemaker
parent 3e0f07eb2d
commit 18d259497e
37 changed files with 2879 additions and 2549 deletions
Download patch file Download diff file Expand all files Collapse all files

308
handshake_server_test.go
View file

@ -22,6 +22,8 @@ import (
"strings"
"testing"
"time"
"golang.org/x/crypto/curve25519"
)
func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) {
@ -856,7 +858,7 @@ func TestHandshakeServerX25519(t *testing.T) {
test := &serverTest{
name: "X25519",
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "X25519"},
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519"},
config: config,
}
runServerTestTLS12(t, test)
@ -869,7 +871,7 @@ func TestHandshakeServerP256(t *testing.T) {
test := &serverTest{
name: "P256",
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"},
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "P-256"},
config: config,
}
runServerTestTLS12(t, test)
@ -882,7 +884,7 @@ func TestHandshakeServerHelloRetryRequest(t *testing.T) {
test := &serverTest{
name: "HelloRetryRequest",
command: []string{"openssl", "s_client", "-no_ticket", "-curves", "X25519:P-256"},
command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519:P-256"},
config: config,
}
runServerTestTLS13(t, test)
@ -896,7 +898,7 @@ func TestHandshakeServerALPN(t *testing.T) {
name: "ALPN",
// Note that this needs OpenSSL 1.0.2 because that is the first
// version that supports the -alpn flag.
command: []string{"openssl", "s_client", "-alpn", "proto2,proto1"},
command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
config: config,
validate: func(state ConnectionState) error {
// The server's preferences should override the client.
@ -918,7 +920,7 @@ func TestHandshakeServerALPNNoMatch(t *testing.T) {
name: "ALPN-NoMatch",
// Note that this needs OpenSSL 1.0.2 because that is the first
// version that supports the -alpn flag.
command: []string{"openssl", "s_client", "-alpn", "proto2,proto1"},
command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
config: config,
validate: func(state ConnectionState) error {
// Rather than reject the connection, Go doesn't select
@ -1071,12 +1073,12 @@ func TestServerResumption(t *testing.T) {
testIssue := &serverTest{
name: "IssueTicket",
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_out", sessionFilePath},
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
wait: true,
}
testResume := &serverTest{
name: "Resume",
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_in", sessionFilePath},
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
validate: func(state ConnectionState) error {
if !state.DidResume {
return errors.New("did not resume")
@ -1095,9 +1097,10 @@ func TestServerResumption(t *testing.T) {
config.CurvePreferences = []CurveID{CurveP256}
testResumeHRR := &serverTest{
name: "Resume-HelloRetryRequest",
command: []string{"openssl", "s_client", "-curves", "X25519:P-256", "-sess_in", sessionFilePath},
config: config,
name: "Resume-HelloRetryRequest",
command: []string{"openssl", "s_client", "-curves", "X25519:P-256", "-cipher", "AES128-SHA", "-ciphersuites",
"TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
config: config,
validate: func(state ConnectionState) error {
if !state.DidResume {
return errors.New("did not resume")
@ -1117,13 +1120,13 @@ func TestServerResumptionDisabled(t *testing.T) {
testIssue := &serverTest{
name: "IssueTicketPreDisable",
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_out", sessionFilePath},
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath},
config: config,
wait: true,
}
testResume := &serverTest{
name: "ResumeDisabled",
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_in", sessionFilePath},
command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath},
config: config,
validate: func(state ConnectionState) error {
if state.DidResume {
@ -1161,7 +1164,7 @@ func TestFallbackSCSV(t *testing.T) {
func TestHandshakeServerExportKeyingMaterial(t *testing.T) {
test := &serverTest{
name: "ExportKeyingMaterial",
command: []string{"openssl", "s_client"},
command: []string{"openssl", "s_client", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
config: testConfig.Clone(),
validate: func(state ConnectionState) error {
if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil {
@ -1180,7 +1183,7 @@ func TestHandshakeServerExportKeyingMaterial(t *testing.T) {
func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
test := &serverTest{
name: "RSA-RSAPKCS1v15",
command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pkcs1_sha256"},
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-sigalgs", "rsa_pkcs1_sha256"},
}
runServerTestTLS12(t, test)
}
@ -1191,14 +1194,14 @@ func TestHandshakeServerRSAPSS(t *testing.T) {
// that case. See Issue 29793.
test := &serverTest{
name: "RSA-RSAPSS",
command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"},
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"},
}
runServerTestTLS12(t, test)
runServerTestTLS13(t, test)
test = &serverTest{
name: "RSA-RSAPSS-TooSmall",
command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha512"},
command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512"},
expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms",
}
runServerTestTLS13(t, test)
@ -1213,7 +1216,7 @@ func TestHandshakeServerEd25519(t *testing.T) {
test := &serverTest{
name: "Ed25519",
command: []string{"openssl", "s_client", "-no_ticket"},
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
config: config,
}
runServerTestTLS12(t, test)
@ -1353,7 +1356,7 @@ func TestClientAuth(t *testing.T) {
test := &serverTest{
name: "ClientAuthRequestedNotGiven",
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"},
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
config: config,
}
runServerTestTLS12(t, test)
@ -1361,7 +1364,7 @@ func TestClientAuth(t *testing.T) {
test = &serverTest{
name: "ClientAuthRequestedAndGiven",
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
"-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"},
config: config,
expectedPeerCerts: []string{clientCertificatePEM},
@ -1371,7 +1374,7 @@ func TestClientAuth(t *testing.T) {
test = &serverTest{
name: "ClientAuthRequestedAndECDSAGiven",
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
"-cert", ecdsaCertPath, "-key", ecdsaKeyPath},
config: config,
expectedPeerCerts: []string{clientECDSACertificatePEM},
@ -1381,7 +1384,7 @@ func TestClientAuth(t *testing.T) {
test = &serverTest{
name: "ClientAuthRequestedAndEd25519Given",
command: []string{"openssl", "s_client", "-no_ticket",
command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256",
"-cert", ed25519CertPath, "-key", ed25519KeyPath},
config: config,
expectedPeerCerts: []string{clientEd25519CertificatePEM},
@ -1719,3 +1722,266 @@ func TestServerHandshakeContextCancellation(t *testing.T) {
t.Error("Server connection was not closed when the context was canceled")
}
}
func TestAESCipherReordering(t *testing.T) {
currentAESSupport := hasAESGCMHardwareSupport
defer func() { hasAESGCMHardwareSupport = currentAESSupport; initDefaultCipherSuites() }()
tests := []struct {
name string
clientCiphers []uint16
serverHasAESGCM bool
preferServerCipherSuites bool
serverCiphers []uint16
expectedCipher uint16
}{
{
name: "server has hardware AES, client doesn't (pick ChaCha)",
clientCiphers: []uint16{
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
serverHasAESGCM: true,
preferServerCipherSuites: true,
expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
},
{
name: "server strongly prefers AES-GCM, client doesn't (pick AES-GCM)",
clientCiphers: []uint16{
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
serverHasAESGCM: true,
preferServerCipherSuites: true,
serverCiphers: []uint16{
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
{
name: "client prefers AES-GCM, server doesn't have hardware AES (pick ChaCha)",
clientCiphers: []uint16{
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
serverHasAESGCM: false,
expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
},
{
name: "client prefers AES-GCM, server has hardware AES (pick AES-GCM)",
clientCiphers: []uint16{
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
serverHasAESGCM: true,
expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
{
name: "client prefers AES-GCM and sends GREASE, server has hardware AES (pick AES-GCM)",
clientCiphers: []uint16{
0x0A0A, // GREASE value
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
serverHasAESGCM: true,
expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
{
name: "client prefers AES-GCM and doesn't support ChaCha, server doesn't have hardware AES (pick AES-GCM)",
clientCiphers: []uint16{
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
serverHasAESGCM: false,
expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
{
name: "client prefers AES-GCM and AES-CBC over ChaCha, server doesn't have hardware AES (pick AES-GCM)",
clientCiphers: []uint16{
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
},
serverHasAESGCM: false,
expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
{
name: "client prefers AES-GCM over ChaCha and sends GREASE, server doesn't have hardware AES (pick ChaCha)",
clientCiphers: []uint16{
0x0A0A, // GREASE value
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_RSA_WITH_AES_128_CBC_SHA,
},
serverHasAESGCM: false,
expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
},
{
name: "client supports multiple AES-GCM, server doesn't have hardware AES and doesn't support ChaCha (pick corrent AES-GCM)",
clientCiphers: []uint16{
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
serverHasAESGCM: false,
serverCiphers: []uint16{
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
expectedCipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
hasAESGCMHardwareSupport = tc.serverHasAESGCM
initDefaultCipherSuites()
hs := &serverHandshakeState{
c: &Conn{
config: &Config{
PreferServerCipherSuites: tc.preferServerCipherSuites,
CipherSuites: tc.serverCiphers,
},
vers: VersionTLS12,
},
clientHello: &clientHelloMsg{
cipherSuites: tc.clientCiphers,
vers: VersionTLS12,
},
ecdheOk: true,
rsaSignOk: true,
rsaDecryptOk: true,
}
err := hs.pickCipherSuite()
if err != nil {
t.Errorf("pickCipherSuite failed: %s", err)
}
if tc.expectedCipher != hs.suite.id {
t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
}
})
}
}
func TestAESCipherReordering13(t *testing.T) {
currentAESSupport := hasAESGCMHardwareSupport
defer func() { hasAESGCMHardwareSupport = currentAESSupport; initDefaultCipherSuites() }()
tests := []struct {
name string
clientCiphers []uint16
serverHasAESGCM bool
preferServerCipherSuites bool
expectedCipher uint16
}{
{
name: "server has hardware AES, client doesn't (pick ChaCha)",
clientCiphers: []uint16{
TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_128_GCM_SHA256,
},
serverHasAESGCM: true,
preferServerCipherSuites: true,
expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
},
{
name: "neither server nor client have hardware AES (pick ChaCha)",
clientCiphers: []uint16{
TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_128_GCM_SHA256,
},
serverHasAESGCM: false,
preferServerCipherSuites: true,
expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
},
{
name: "client prefers AES, server doesn't have hardware, prefer server ciphers (pick ChaCha)",
clientCiphers: []uint16{
TLS_AES_128_GCM_SHA256,
TLS_CHACHA20_POLY1305_SHA256,
},
serverHasAESGCM: false,
preferServerCipherSuites: true,
expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
},
{
name: "client prefers AES and sends GREASE, server doesn't have hardware, prefer server ciphers (pick ChaCha)",
clientCiphers: []uint16{
0x0A0A, // GREASE value
TLS_AES_128_GCM_SHA256,
TLS_CHACHA20_POLY1305_SHA256,
},
serverHasAESGCM: false,
preferServerCipherSuites: true,
expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
},
{
name: "client prefers AES, server doesn't (pick ChaCha)",
clientCiphers: []uint16{
TLS_AES_128_GCM_SHA256,
TLS_CHACHA20_POLY1305_SHA256,
},
serverHasAESGCM: false,
expectedCipher: TLS_CHACHA20_POLY1305_SHA256,
},
{
name: "client prefers AES, server has hardware AES (pick AES)",
clientCiphers: []uint16{
TLS_AES_128_GCM_SHA256,
TLS_CHACHA20_POLY1305_SHA256,
},
serverHasAESGCM: true,
expectedCipher: TLS_AES_128_GCM_SHA256,
},
{
name: "client prefers AES and sends GREASE, server has hardware AES (pick AES)",
clientCiphers: []uint16{
0x0A0A, // GREASE value
TLS_AES_128_GCM_SHA256,
TLS_CHACHA20_POLY1305_SHA256,
},
serverHasAESGCM: true,
expectedCipher: TLS_AES_128_GCM_SHA256,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
hasAESGCMHardwareSupport = tc.serverHasAESGCM
initDefaultCipherSuites()
hs := &serverHandshakeStateTLS13{
c: &Conn{
config: &Config{
PreferServerCipherSuites: tc.preferServerCipherSuites,
},
vers: VersionTLS13,
},
clientHello: &clientHelloMsg{
cipherSuites: tc.clientCiphers,
supportedVersions: []uint16{VersionTLS13},
compressionMethods: []uint8{compressionNone},
keyShares: []keyShare{{group: X25519, data: curve25519.Basepoint}},
},
}
err := hs.processClientHello()
if err != nil {
t.Errorf("pickCipherSuite failed: %s", err)
}
if tc.expectedCipher != hs.suite.id {
t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id)
}
})
}
}