From aff697f53de44c995e8905e72be68bfc3e6a9ece Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Mon, 4 Nov 2019 02:14:18 -0500 Subject: [PATCH 01/14] crypto/tls: take key size into account in signature algorithm selection Fixes #29793 Change-Id: I6e389d166c2d9a2ba8664a41f4b9569f2481b27f Reviewed-on: https://go-review.googlesource.com/c/go/+/205177 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Katie Hockman --- auth.go | 41 ++++---- auth_test.go | 2 + handshake_server_test.go | 14 ++- testdata/Server-TLSv12-RSA-RSAPSS | 39 ++------ testdata/Server-TLSv13-RSA-RSAPSS | 105 ++------------------- testdata/Server-TLSv13-RSA-RSAPSS-TooSmall | 16 ++++ 6 files changed, 71 insertions(+), 146 deletions(-) create mode 100644 testdata/Server-TLSv13-RSA-RSAPSS-TooSmall diff --git a/auth.go b/auth.go index 1407249..009f8d3 100644 --- a/auth.go +++ b/auth.go @@ -153,6 +153,25 @@ func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash c } } +var rsaSignatureSchemes = []struct { + scheme SignatureScheme + minModulusBytes int + maxVersion uint16 +}{ + // RSA-PSS is used with PSSSaltLengthEqualsHash, and requires + // emLen >= hLen + sLen + 2 + {PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13}, + {PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13}, + {PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13}, + // PKCS#1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires + // emLen >= len(prefix) + hLen + 11 + // TLS 1.3 dropped support for PKCS#1 v1.5 in favor of RSA-PSS. + {PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12}, + {PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12}, + {PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12}, + {PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12}, +} + // signatureSchemesForCertificate returns the list of supported SignatureSchemes // for a given certificate, based on the public key and the protocol version, // and optionally filtered by its explicit SupportedSignatureAlgorithms. @@ -189,23 +208,12 @@ func signatureSchemesForCertificate(version uint16, cert *Certificate) []Signatu return nil } case *rsa.PublicKey: - if version != VersionTLS13 { - sigAlgs = []SignatureScheme{ - PSSWithSHA256, - PSSWithSHA384, - PSSWithSHA512, - PKCS1WithSHA256, - PKCS1WithSHA384, - PKCS1WithSHA512, - PKCS1WithSHA1, + size := pub.Size() + sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes)) + for _, candidate := range rsaSignatureSchemes { + if size >= candidate.minModulusBytes && version <= candidate.maxVersion { + sigAlgs = append(sigAlgs, candidate.scheme) } - break - } - // TLS 1.3 dropped support for PKCS#1 v1.5 in favor of RSA-PSS. - sigAlgs = []SignatureScheme{ - PSSWithSHA256, - PSSWithSHA384, - PSSWithSHA512, } case ed25519.PublicKey: sigAlgs = []SignatureScheme{Ed25519} @@ -275,6 +283,7 @@ func unsupportedCertificateError(cert *Certificate) error { return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name) } case *rsa.PublicKey: + return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms") case ed25519.PublicKey: default: return fmt.Errorf("tls: unsupported certificate key (%T)", pub) diff --git a/auth_test.go b/auth_test.go index 0b39442..c8d8c8f 100644 --- a/auth_test.go +++ b/auth_test.go @@ -108,6 +108,8 @@ func TestSignatureSelection(t *testing.T) { {rsaCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS13}, {pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS13}, {ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS13}, + // The key can be too small for the hash. + {rsaCert, []SignatureScheme{PSSWithSHA512}, VersionTLS12}, } for testNo, test := range badTests { diff --git a/handshake_server_test.go b/handshake_server_test.go index e242181..2a44af0 100644 --- a/handshake_server_test.go +++ b/handshake_server_test.go @@ -1180,12 +1180,22 @@ func TestHandshakeServerRSAPKCS1v15(t *testing.T) { } func TestHandshakeServerRSAPSS(t *testing.T) { + // We send rsa_pss_rsae_sha512 first, as the test key won't fit, and we + // verify the server implementation will disregard the client preference in + // that case. See Issue 29793. test := &serverTest{ name: "RSA-RSAPSS", - command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"}, + command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"}, } runServerTestTLS12(t, test) runServerTestTLS13(t, test) + + test = &serverTest{ + name: "RSA-RSAPSS-TooSmall", + command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha512"}, + expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms", + } + runServerTestTLS13(t, test) } func TestHandshakeServerEd25519(t *testing.T) { @@ -1637,7 +1647,7 @@ T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g config.MinVersion = VersionTLS13 server := Server(serverConn, config) err := server.Handshake() - expectError(t, err, "key size too small for PSS signature") + expectError(t, err, "key size too small") close(done) }() err = client.Handshake() diff --git a/testdata/Server-TLSv12-RSA-RSAPSS b/testdata/Server-TLSv12-RSA-RSAPSS index fdc3c1a..465d8db 100644 --- a/testdata/Server-TLSv12-RSA-RSAPSS +++ b/testdata/Server-TLSv12-RSA-RSAPSS @@ -1,14 +1,14 @@ >>> Flow 1 (client to server) -00000000 16 03 01 00 91 01 00 00 8d 03 03 63 d6 91 ee ad |...........c....| -00000010 71 ef 42 ad de f0 3f 02 a1 93 33 d9 f0 e1 cf 4c |q.B...?...3....L| -00000020 30 f7 2c 9f a1 0c b8 d5 4e 0a c5 00 00 2a c0 30 |0.,.....N....*.0| +00000000 16 03 01 00 91 01 00 00 8d 03 03 6d d9 a6 ff 3e |...........m...>| +00000010 4b 00 33 67 b4 8c c6 e8 07 ee f3 77 83 31 81 e9 |K.3g.......w.1..| +00000020 8f 3e 9e 77 8b 5c 8b 84 47 b4 33 00 00 2a c0 30 |.>.w.\..G.3..*.0| 00000030 00 9f cc a8 cc aa c0 2f 00 9e c0 28 00 6b c0 27 |......./...(.k.'| 00000040 00 67 c0 14 00 39 c0 13 00 33 00 9d 00 9c 00 3d |.g...9...3.....=| 00000050 00 3c 00 35 00 2f 00 ff 01 00 00 3a 00 00 00 0e |.<.5./.....:....| 00000060 00 0c 00 00 09 31 32 37 2e 30 2e 30 2e 31 00 0b |.....127.0.0.1..| 00000070 00 04 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 |................| 00000080 00 1e 00 19 00 18 00 16 00 00 00 17 00 00 00 0d |................| -00000090 00 04 00 02 08 04 |......| +00000090 00 04 00 02 08 06 |......| >>> Flow 2 (server to client) 00000000 16 03 03 00 37 02 00 00 33 03 03 00 00 00 00 00 |....7...3.......| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| @@ -51,32 +51,5 @@ 00000260 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d |.\.....l..s..Cw.| 00000270 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db |......@.a.Lr+...| 00000280 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d |F..M...>...B...=| -00000290 13 60 84 5c 21 d3 3b e9 fa e7 16 03 03 00 ac 0c |.`.\!.;.........| -000002a0 00 00 a8 03 00 1d 20 2f e5 7d a3 47 cd 62 43 15 |...... /.}.G.bC.| -000002b0 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf c2 ed |(.._.).0........| -000002c0 90 99 5f 58 cb 3b 74 08 04 00 80 bf 7b 0d b8 ab |.._X.;t.....{...| -000002d0 95 96 80 37 60 fb 2f 53 0d 21 aa 6a 0d c9 48 6f |...7`./S.!.j..Ho| -000002e0 d7 d2 d3 ca 22 58 9e 77 4a aa 32 c6 e7 0a 77 2e |...."X.wJ.2...w.| -000002f0 59 72 f2 24 5a 2c 9e a3 7e a5 cc a1 b5 68 55 30 |Yr.$Z,..~....hU0| -00000300 c8 a8 c1 b0 5b 74 49 85 07 bf 7b 36 16 ba 48 54 |....[tI...{6..HT| -00000310 3f 1d 28 08 d7 c3 26 c3 8e 6f 5c 49 13 e9 49 55 |?.(...&..o\I..IU| -00000320 b3 3e bb 70 8c df 6f 0b f0 e7 6c ac 7d fe 1e 4c |.>.p..o...l.}..L| -00000330 6b 8c 22 e7 d0 97 b0 c9 4a b9 11 94 ef 13 c7 d3 |k.".....J.......| -00000340 3f 07 d8 e6 6f 87 85 de 97 25 b2 16 03 03 00 04 |?...o....%......| -00000350 0e 00 00 00 |....| ->>> Flow 3 (client to server) -00000000 16 03 03 00 25 10 00 00 21 20 3f 05 77 b8 ef bf |....%...! ?.w...| -00000010 2e dd af ba 76 d7 6f 36 35 7e c7 99 23 dc e7 a6 |....v.o65~..#...| -00000020 52 a3 81 76 71 8a b0 be 85 73 14 03 03 00 01 01 |R..vq....s......| -00000030 16 03 03 00 28 d1 45 19 f0 ef 75 54 ff 90 a0 36 |....(.E...uT...6| -00000040 d0 06 c8 9e e5 67 fa 38 eb 13 4c ed 84 ab 8f 37 |.....g.8..L....7| -00000050 63 23 8a 5d 8c d7 ce 96 2f 4f 91 b7 03 |c#.]..../O...| ->>> Flow 4 (server to client) -00000000 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 |..........(.....| -00000010 00 00 00 2d d2 61 48 46 5b 15 3b d8 09 bc be 9a |...-.aHF[.;.....| -00000020 08 39 e3 b1 9f 2a 33 50 64 8b 11 92 13 dd dd 34 |.9...*3Pd......4| -00000030 90 43 a2 17 03 03 00 25 00 00 00 00 00 00 00 01 |.C.....%........| -00000040 81 7f c4 4f 37 a3 d0 b3 e7 b9 b7 c1 90 8e 96 51 |...O7..........Q| -00000050 4e 77 2c 4c a9 85 d5 61 6c b7 8b 8a 8c 15 03 03 |Nw,L...al.......| -00000060 00 1a 00 00 00 00 00 00 00 02 1f 57 78 97 2b 6f |...........Wx.+o| -00000070 11 95 09 77 61 82 6e 7c 6d 48 05 c0 |...wa.n|mH..| +00000290 13 60 84 5c 21 d3 3b e9 fa e7 15 03 03 00 02 02 |.`.\!.;.........| +000002a0 28 |(| diff --git a/testdata/Server-TLSv13-RSA-RSAPSS b/testdata/Server-TLSv13-RSA-RSAPSS index 21f57b7..8151fd4 100644 --- a/testdata/Server-TLSv13-RSA-RSAPSS +++ b/testdata/Server-TLSv13-RSA-RSAPSS @@ -1,101 +1,16 @@ >>> Flow 1 (client to server) -00000000 16 03 01 00 c6 01 00 00 c2 03 03 39 95 ab cc 1c |...........9....| -00000010 64 13 9d 19 2e 3e 73 33 48 b1 a9 f7 88 14 5a 83 |d....>s3H.....Z.| -00000020 19 f7 b5 08 8d e4 80 09 72 21 99 20 23 ad 4c 2c |........r!. #.L,| -00000030 66 84 1e e8 c3 0c 9f 66 19 76 df a3 e0 62 cd 7d |f......f.v...b.}| -00000040 95 85 70 4f 37 fb 39 58 50 b1 d5 7b 00 08 13 02 |..pO7.9XP..{....| +00000000 16 03 01 00 c6 01 00 00 c2 03 03 6b 64 fe be 82 |...........kd...| +00000010 d3 c7 f8 26 35 c1 7c 50 d0 a9 19 a5 1d 6b d5 1b |...&5.|P.....k..| +00000020 25 9b 47 fb 49 01 fc df 2e dc 8e 20 92 d0 73 81 |%.G.I...... ..s.| +00000030 91 5a 8a f9 2a cf 29 c7 9d 43 b2 b0 7d b9 5a a3 |.Z..*.)..C..}.Z.| +00000040 5f 74 53 a0 8e fe 4e 2e 83 0d 3b 0f 00 08 13 02 |_tS...N...;.....| 00000050 13 03 13 01 00 ff 01 00 00 71 00 00 00 0e 00 0c |.........q......| 00000060 00 00 09 31 32 37 2e 30 2e 30 2e 31 00 0b 00 04 |...127.0.0.1....| 00000070 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e |................| 00000080 00 19 00 18 00 16 00 00 00 17 00 00 00 0d 00 04 |................| -00000090 00 02 08 04 00 2b 00 03 02 03 04 00 2d 00 02 01 |.....+......-...| -000000a0 01 00 33 00 26 00 24 00 1d 00 20 be 29 89 8d 44 |..3.&.$... .)..D| -000000b0 4d e5 51 88 7a 1a 56 52 a8 86 74 13 0e e9 a5 a7 |M.Q.z.VR..t.....| -000000c0 b6 7f 38 b3 ef 62 e6 b0 c5 2a 0a |..8..b...*.| +00000090 00 02 08 06 00 2b 00 03 02 03 04 00 2d 00 02 01 |.....+......-...| +000000a0 01 00 33 00 26 00 24 00 1d 00 20 76 43 b3 ed 62 |..3.&.$... vC..b| +000000b0 22 72 15 69 b5 5b fd 9c ac 4a bd 36 4a 8d 3a 08 |"r.i.[...J.6J.:.| +000000c0 9d a0 5e 10 e6 13 87 2b 41 51 66 |..^....+AQf| >>> Flow 2 (server to client) -00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| -00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| -00000020 00 00 00 00 00 00 00 00 00 00 00 20 23 ad 4c 2c |........... #.L,| -00000030 66 84 1e e8 c3 0c 9f 66 19 76 df a3 e0 62 cd 7d |f......f.v...b.}| -00000040 95 85 70 4f 37 fb 39 58 50 b1 d5 7b 13 02 00 00 |..pO7.9XP..{....| -00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| -00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| -00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| -00000080 03 03 00 01 01 17 03 03 00 17 49 c6 88 9c 3b 2f |..........I...;/| -00000090 3a 0a e6 8e 75 d0 39 11 ad 08 87 17 2c 14 96 28 |:...u.9.....,..(| -000000a0 85 17 03 03 02 6d 2a d6 89 4d 5d f3 6c 28 97 dd |.....m*..M].l(..| -000000b0 4e 45 88 e8 90 a4 f3 45 86 cf 59 d6 61 6e 1a a7 |NE.....E..Y.an..| -000000c0 b7 35 7e 9c 6e 11 19 c4 1b 89 b9 5a 7c aa 1f 96 |.5~.n......Z|...| -000000d0 e2 36 6d 54 09 12 2f 28 12 20 a3 41 06 bd 44 3c |.6mT../(. .A..D<| -000000e0 73 be d3 8c 78 18 a1 63 ad f9 9d 41 20 5e 32 55 |s...x..c...A ^2U| -000000f0 8e 18 c1 d8 b0 93 13 7e 88 a0 af 8a 59 e2 af 43 |.......~....Y..C| -00000100 d2 82 66 ba c5 a1 97 94 e8 63 40 1b 8f c4 eb 49 |..f......c@....I| -00000110 19 91 65 e9 54 d3 90 76 d6 f8 ff 15 20 31 3c 86 |..e.T..v.... 1<.| -00000120 88 8a 43 be 77 a0 28 de fa 9f d5 30 14 a8 35 2f |..C.w.(....0..5/| -00000130 5e ee 9d cf b5 69 d1 f5 f6 55 d1 1a 61 3f 4c a1 |^....i...U..a?L.| -00000140 97 38 5b 87 7e ce 88 23 8a d0 bd fc 4b c5 da f7 |.8[.~..#....K...| -00000150 25 6c 6c 0b ec 61 50 72 97 6b f7 fe 9b 5b 5a f9 |%ll..aPr.k...[Z.| -00000160 59 19 71 10 74 2d 14 8c 1b 52 8b 39 1c 56 ea 7e |Y.q.t-...R.9.V.~| -00000170 7a c9 8f 7c bd db 1e c5 02 9f 42 8b 63 ee 13 52 |z..|......B.c..R| -00000180 fe 46 40 de 7b 97 27 b0 16 87 75 96 c7 1c 88 5d |.F@.{.'...u....]| -00000190 2e 64 7f a8 df e0 16 b9 ee 27 7e b3 98 99 f7 4a |.d.......'~....J| -000001a0 83 05 78 bb 59 07 8e 1a 46 1d 0f 45 87 ae d9 ae |..x.Y...F..E....| -000001b0 6f 42 ed b1 72 14 8c 9d 33 72 95 ac 12 bb a0 20 |oB..r...3r..... | -000001c0 56 a8 8a 23 e4 51 6a 89 f5 8e bc 55 5a e2 8d 78 |V..#.Qj....UZ..x| -000001d0 84 24 55 99 cf 37 61 8c 7e 46 17 f3 26 ca 27 ec |.$U..7a.~F..&.'.| -000001e0 f4 04 f6 76 1d cf 82 0c bd 85 82 81 06 f1 96 ce |...v............| -000001f0 78 54 6c eb a0 f8 cf 30 6a 10 17 08 e6 94 83 4f |xTl....0j......O| -00000200 56 34 80 ef ac fa ab e7 59 9e 6b f9 f8 38 76 cc |V4......Y.k..8v.| -00000210 3b 09 b0 16 3f 3f 5c d3 6a ad d9 2c 65 d8 ce b4 |;...??\.j..,e...| -00000220 19 53 c4 c9 d1 82 e8 19 72 ec bc 85 ef 3a 6e e5 |.S......r....:n.| -00000230 ba 3c f8 37 98 98 80 47 5f 47 4f cd ed f5 0e bc |.<.7...G_GO.....| -00000240 4e 14 a2 7d 8d 43 0b 18 ba 3b 10 50 e4 18 fc ac |N..}.C...;.P....| -00000250 0e 01 21 73 68 da 50 51 8a 64 b6 18 28 ca e3 a4 |..!sh.PQ.d..(...| -00000260 aa d2 5c 28 ff 64 fd cb 28 00 db b1 5c bf 75 81 |..\(.d..(...\.u.| -00000270 bb d2 8c df 5c 26 70 1d d6 fe 7a 94 65 27 93 72 |....\&p...z.e'.r| -00000280 bc ba 17 92 8f be 61 ec f5 88 04 ed fb cc f3 5c |......a........\| -00000290 71 d0 a4 5d 13 a6 a3 82 89 e8 9e 1a 8e 31 fd 2f |q..].........1./| -000002a0 57 53 98 d5 1f c4 3f 8e 92 7f 1b 90 a3 ad 6c 96 |WS....?.......l.| -000002b0 42 cc f2 f0 1c 8d 3f 31 fd b2 53 29 79 16 9a 96 |B.....?1..S)y...| -000002c0 fd d6 fe d4 3f 13 aa 39 73 d4 73 6d 9a ff f6 db |....?..9s.sm....| -000002d0 52 0a 1e 76 71 0f d3 ee de a8 b3 05 3b 24 c4 72 |R..vq.......;$.r| -000002e0 67 78 f1 be df c5 c0 87 32 60 28 96 8e b2 2e 3f |gx......2`(....?| -000002f0 7d e9 aa b7 66 57 ee 67 e6 ac 70 da 60 ce c2 00 |}...fW.g..p.`...| -00000300 55 2f 20 25 39 a5 5e b9 65 c3 00 63 c7 5a a9 31 |U/ %9.^.e..c.Z.1| -00000310 de fe 65 17 03 03 00 99 95 83 6d be 56 ef 4f a3 |..e.......m.V.O.| -00000320 96 5f a8 3d d5 a1 f3 8e 9a 8c 40 35 f4 12 2c 0a |._.=......@5..,.| -00000330 b3 02 3b d2 14 d8 a4 f1 12 01 be e1 8a 6b 5f 01 |..;..........k_.| -00000340 71 de ac 70 e9 7a 90 78 2e 2a a8 29 64 20 85 dd |q..p.z.x.*.)d ..| -00000350 57 09 cf 48 29 d0 63 42 bc 9b ec 0c e2 2d 41 d0 |W..H).cB.....-A.| -00000360 cb d8 68 46 b7 17 fc 1d 95 12 5a 4c c3 10 67 32 |..hF......ZL..g2| -00000370 f7 7a 14 55 63 fb 57 6e 59 ee b6 66 b8 65 e1 37 |.z.Uc.WnY..f.e.7| -00000380 e6 7c 6c 07 8b d1 84 80 01 11 ce 7f 20 f0 4d 42 |.|l......... .MB| -00000390 a7 67 01 12 e6 b5 9b d4 6a fe 38 37 71 ca 60 d6 |.g......j.87q.`.| -000003a0 12 d7 00 b5 26 c3 97 1d 9f 37 6a 82 31 ef c3 12 |....&....7j.1...| -000003b0 bc 17 03 03 00 45 65 1e cf 1f 1e 73 93 8d 66 54 |.....Ee....s..fT| -000003c0 47 b0 73 9f d1 a4 9d 3b b0 72 b4 f2 5f 06 e1 d2 |G.s....;.r.._...| -000003d0 1f bb 3d 13 48 7c 7a e0 19 15 9f aa a5 ed 09 18 |..=.H|z.........| -000003e0 2e 4e 8a cd 66 2b 9c b3 fe 99 b0 57 06 2e b3 a0 |.N..f+.....W....| -000003f0 79 92 c1 bb 0e 29 44 02 f1 b0 43 17 03 03 00 a3 |y....)D...C.....| -00000400 52 cd d9 d7 60 1c f5 06 83 aa 2f e0 0c 0f 5e 6d |R...`...../...^m| -00000410 0f 29 93 b9 ae 50 04 c6 f7 d3 ff c7 d1 ac 9d 43 |.)...P.........C| -00000420 d7 b5 76 7a 16 b7 2c b7 79 48 a4 c3 28 2a 86 10 |..vz..,.yH..(*..| -00000430 d1 24 7c 04 ed af 1f 8a 0b 18 29 97 7a 7a 47 3f |.$|.......).zzG?| -00000440 1f fe ba 9c 72 d9 9b ae 9b 83 5f f4 5a 4f 10 b8 |....r....._.ZO..| -00000450 e5 45 35 76 77 a2 ac 99 1c bc 78 cf 6f 62 ef ef |.E5vw.....x.ob..| -00000460 9b 1b 90 eb 95 6b a1 25 82 b7 c1 1b 6f da 10 4c |.....k.%....o..L| -00000470 aa 3e a8 ba dd 77 b1 39 a0 b2 6a 11 18 44 2a 8d |.>...w.9..j..D*.| -00000480 58 9a 53 31 e1 d1 ec 8b 47 95 63 67 44 67 8d 09 |X.S1....G.cgDg..| -00000490 2f 16 f5 19 cd 65 1d 52 d7 bd 19 f0 bb ec 7b 55 |/....e.R......{U| -000004a0 33 4f 84 |3O.| ->>> Flow 3 (client to server) -00000000 14 03 03 00 01 01 17 03 03 00 45 07 3f db d9 c7 |..........E.?...| -00000010 05 fd c4 0c 2d ae ee d8 d7 e7 ac 46 19 a2 17 e5 |....-......F....| -00000020 5e 10 30 65 05 be e0 c7 1e b3 e2 16 a4 d6 69 e1 |^.0e..........i.| -00000030 2c ff 18 ba e4 8f d0 3d 12 45 df c3 d4 08 0d e6 |,......=.E......| -00000040 94 6e 83 6d 99 9d f3 f1 02 48 6b 6f d1 2d f0 c6 |.n.m.....Hko.-..| ->>> Flow 4 (server to client) -00000000 17 03 03 00 1e 2a 3d 96 b4 6a 9e 7f 7f ca e0 8e |.....*=..j......| -00000010 41 4e bd 82 86 61 b8 59 19 e4 97 02 c2 00 7e 69 |AN...a.Y......~i| -00000020 81 b0 64 17 03 03 00 13 63 91 94 1a a3 51 bf 95 |..d.....c....Q..| -00000030 9e 09 a2 a1 f0 01 57 93 00 71 49 |......W..qI| +00000000 15 03 03 00 02 02 28 |......(| diff --git a/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall b/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall new file mode 100644 index 0000000..94f5818 --- /dev/null +++ b/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall @@ -0,0 +1,16 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 c6 01 00 00 c2 03 03 7c a4 3e 3b dd |...........|.>;.| +00000010 d4 90 de 04 87 40 12 a6 f8 63 d9 9d b3 44 7b 52 |.....@...c...D{R| +00000020 9b b2 2d e2 da 0a 6b 87 30 2e 1f 20 38 be 06 6e |..-...k.0.. 8..n| +00000030 b8 2d 46 93 8d ed 31 ea 5c 44 5a 3a 6e 3a bd 3c |.-F...1.\DZ:n:.<| +00000040 0d 69 99 2c 5d 59 30 85 1a bc ce 59 00 08 13 02 |.i.,]Y0....Y....| +00000050 13 03 13 01 00 ff 01 00 00 71 00 00 00 0e 00 0c |.........q......| +00000060 00 00 09 31 32 37 2e 30 2e 30 2e 31 00 0b 00 04 |...127.0.0.1....| +00000070 03 00 01 02 00 0a 00 0c 00 0a 00 1d 00 17 00 1e |................| +00000080 00 19 00 18 00 16 00 00 00 17 00 00 00 0d 00 04 |................| +00000090 00 02 08 06 00 2b 00 03 02 03 04 00 2d 00 02 01 |.....+......-...| +000000a0 01 00 33 00 26 00 24 00 1d 00 20 d9 cb e9 03 27 |..3.&.$... ....'| +000000b0 59 f0 bd 7a 1f 17 88 c7 35 2b 92 0c d9 0c 0f 9a |Y..z....5+......| +000000c0 b5 47 c7 e2 97 aa 92 04 c6 63 2d |.G.......c-| +>>> Flow 2 (server to client) +00000000 15 03 03 00 02 02 28 |......(| From 8010a411f4a7c4c1509084cf8e5b6ffacc3312c0 Mon Sep 17 00:00:00 2001 From: "Bryan C. Mills" Date: Tue, 12 Nov 2019 12:10:03 -0500 Subject: [PATCH 02/14] crypto/tls: retry ETIMEDOUT flakes in localPipe on dragonfly Fixes #29583 Change-Id: Ia89433bddd4c9f67ec1f0150b730cde8a7e973ee Reviewed-on: https://go-review.googlesource.com/c/go/+/206759 Run-TryBot: Bryan C. Mills Reviewed-by: Brad Fitzpatrick TryBot-Result: Gobot Gobot --- handshake_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/handshake_test.go b/handshake_test.go index baf8adb..f55cd16 100644 --- a/handshake_test.go +++ b/handshake_test.go @@ -275,9 +275,9 @@ Dialing: var c1 net.Conn c1, err = net.Dial(addr.Network(), addr.String()) if err != nil { - if runtime.GOOS == "dragonfly" && isConnRefused(err) { - // golang.org/issue/29583: Dragonfly sometimes returned a spurious - // ECONNREFUSED. + if runtime.GOOS == "dragonfly" && (isConnRefused(err) || os.IsTimeout(err)) { + // golang.org/issue/29583: Dragonfly sometimes returns a spurious + // ECONNREFUSED or ETIMEDOUT. <-tooSlow.C continue } From affd11bcb17e576e51f250fa92b63c42ab920902 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Mon, 11 Nov 2019 20:37:50 -0500 Subject: [PATCH 03/14] src/vendor,crypto/tls: update to latest x/crypto and use new X25519 API Change-Id: Icd5006e37861d892a5f3d4397c3826179c1b12ad Reviewed-on: https://go-review.googlesource.com/c/go/+/206657 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Katie Hockman --- key_schedule.go | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) diff --git a/key_schedule.go b/key_schedule.go index 83e5480..2aab323 100644 --- a/key_schedule.go +++ b/key_schedule.go @@ -7,14 +7,14 @@ package tls import ( "crypto/elliptic" "crypto/hmac" - "crypto/subtle" "errors" - "golang.org/x/crypto/cryptobyte" - "golang.org/x/crypto/curve25519" - "golang.org/x/crypto/hkdf" "hash" "io" "math/big" + + "golang.org/x/crypto/cryptobyte" + "golang.org/x/crypto/curve25519" + "golang.org/x/crypto/hkdf" ) // This file contains the functions necessary to compute the TLS 1.3 key @@ -111,12 +111,15 @@ type ecdheParameters interface { func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters, error) { if curveID == X25519 { - p := &x25519Parameters{} - if _, err := io.ReadFull(rand, p.privateKey[:]); err != nil { + privateKey := make([]byte, curve25519.ScalarSize) + if _, err := io.ReadFull(rand, privateKey); err != nil { return nil, err } - curve25519.ScalarBaseMult(&p.publicKey, &p.privateKey) - return p, nil + publicKey, err := curve25519.X25519(privateKey, curve25519.Basepoint) + if err != nil { + return nil, err + } + return &x25519Parameters{privateKey: privateKey, publicKey: publicKey}, nil } curve, ok := curveForCurveID(curveID) @@ -178,8 +181,8 @@ func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte { } type x25519Parameters struct { - privateKey [32]byte - publicKey [32]byte + privateKey []byte + publicKey []byte } func (p *x25519Parameters) CurveID() CurveID { @@ -191,19 +194,9 @@ func (p *x25519Parameters) PublicKey() []byte { } func (p *x25519Parameters) SharedKey(peerPublicKey []byte) []byte { - if len(peerPublicKey) != 32 { + sharedKey, err := curve25519.X25519(p.privateKey, peerPublicKey) + if err != nil { return nil } - - var theirPublicKey, sharedKey [32]byte - copy(theirPublicKey[:], peerPublicKey) - curve25519.ScalarMult(&sharedKey, &p.privateKey, &theirPublicKey) - - // Check for low-order inputs. See RFC 8422, Section 5.11. - var allZeroes [32]byte - if subtle.ConstantTimeCompare(allZeroes[:], sharedKey[:]) == 1 { - return nil - } - - return sharedKey[:] + return sharedKey } From d16c68e836ca9a52769442862dfe0232ec2f45d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ville=20Skytt=C3=A4?= Date: Fri, 15 Nov 2019 19:49:30 +0000 Subject: [PATCH 04/14] all: fix a bunch of misspellings Change-Id: I5b909df0fd048cd66c5a27fca1b06466d3bcaac7 GitHub-Last-Rev: 778c5d21311abee09a5fbda2e4005a5fd4cc3f9f GitHub-Pull-Request: golang/go#35624 Reviewed-on: https://go-review.googlesource.com/c/go/+/207421 Run-TryBot: Ian Lance Taylor TryBot-Result: Gobot Gobot Reviewed-by: Ian Lance Taylor --- handshake_server.go | 2 +- handshake_server_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/handshake_server.go b/handshake_server.go index a593700..b16415a 100644 --- a/handshake_server.go +++ b/handshake_server.go @@ -241,7 +241,7 @@ func (hs *serverHandshakeState) processClientHello() error { hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints) if hs.ecdheOk { - // Although omiting the ec_point_formats extension is permitted, some + // Although omitting the ec_point_formats extension is permitted, some // old OpenSSL version will refuse to handshake if not present. // // Per RFC 4492, section 5.1.2, implementations MUST support the diff --git a/handshake_server_test.go b/handshake_server_test.go index 2a44af0..1e5da1e 100644 --- a/handshake_server_test.go +++ b/handshake_server_test.go @@ -274,7 +274,7 @@ func TestTLS12OnlyCipherSuites(t *testing.T) { } func TestTLSPointFormats(t *testing.T) { - // Test that a Server returns the ec_point_format extention when ECC is + // Test that a Server returns the ec_point_format extension when ECC is // negotiated, and not returned on RSA handshake. tests := []struct { name string From 07647441e7c84cc95a76b4139ee67e5f648d83e9 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Thu, 21 Nov 2019 13:24:51 -0500 Subject: [PATCH 05/14] crypto/tls: remove leftover extensionNextProtoNeg constant NPN was removed in CL 174329. Change-Id: Ic63ad53e7e24872e28673d590727e0300f435619 Reviewed-on: https://go-review.googlesource.com/c/go/+/208224 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Brad Fitzpatrick --- common.go | 1 - 1 file changed, 1 deletion(-) diff --git a/common.go b/common.go index 1e77d5c..c3de0b3 100644 --- a/common.go +++ b/common.go @@ -100,7 +100,6 @@ const ( extensionCertificateAuthorities uint16 = 47 extensionSignatureAlgorithmsCert uint16 = 50 extensionKeyShare uint16 = 51 - extensionNextProtoNeg uint16 = 13172 // not IANA assigned extensionRenegotiationInfo uint16 = 0xff01 ) From 53573e0b8c81d5d5516723b5c07a143add779908 Mon Sep 17 00:00:00 2001 From: Alex Harford Date: Fri, 6 Dec 2019 23:27:29 +0000 Subject: [PATCH 06/14] crypto/tls: fix a typo in TLS handshake comment Fix a minor typo in the TLS handshake comment. Change-Id: I0fd243e5440f6c77c97e844e6669a7974a2c8798 GitHub-Last-Rev: 21e91a1a48e8a9200e6fca89a988e1383ded7bb2 GitHub-Pull-Request: golang/go#36030 Reviewed-on: https://go-review.googlesource.com/c/go/+/210289 Reviewed-by: Brad Fitzpatrick --- conn.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conn.go b/conn.go index 029f744..fac4b91 100644 --- a/conn.go +++ b/conn.go @@ -1344,7 +1344,7 @@ func (c *Conn) Handshake() error { if c.handshakeErr == nil { c.handshakes++ } else { - // If an error occurred during the hadshake try to flush the + // If an error occurred during the handshake try to flush the // alert that might be left in the buffer. c.flush() } From 2d37eca87a9b2bbc7d4f2e2b7f8f6a992cd86a7b Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Wed, 15 Jan 2020 19:29:33 +0000 Subject: [PATCH 07/14] crypto/tls: stop a timeout timer I noticed this leak while writing CL 214977. Change-Id: I7566952b8e4bc58939d23435aea86576fc58ddca Reviewed-on: https://go-review.googlesource.com/c/go/+/214978 Run-TryBot: Brad Fitzpatrick TryBot-Result: Gobot Gobot Reviewed-by: Ian Lance Taylor --- tls.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tls.go b/tls.go index 228f4a7..af44485 100644 --- a/tls.go +++ b/tls.go @@ -116,9 +116,10 @@ func DialWithDialer(dialer *net.Dialer, network, addr string, config *Config) (* if timeout != 0 { errChannel = make(chan error, 2) - time.AfterFunc(timeout, func() { + timer := time.AfterFunc(timeout, func() { errChannel <- timeoutError{} }) + defer timer.Stop() } rawConn, err := dialer.Dial(network, addr) From 6003433e60e774c7f6067cc623f5868b48826bc8 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Thu, 21 Nov 2019 13:48:38 -0500 Subject: [PATCH 08/14] crypto/tls: clarify TLS 1.0/1.1 CertificateRequestInfo.SignatureSchemes This CL should not change the logic at all, but it took me a while to figure out why we use these specific SignatureSchemes, so reformulate the comment. Change-Id: If519a58264209e6575417be07668e92ead0e772f Reviewed-on: https://go-review.googlesource.com/c/go/+/208225 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Katie Hockman --- handshake_client.go | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/handshake_client.go b/handshake_client.go index 4fb528c..64be82e 100644 --- a/handshake_client.go +++ b/handshake_client.go @@ -839,14 +839,6 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error { return nil } -// tls11SignatureSchemes contains the signature schemes that we synthesise for -// a TLS <= 1.1 connection, based on the supported certificate types. -var ( - tls11SignatureSchemes = []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1} - tls11SignatureSchemesECDSA = tls11SignatureSchemes[:3] - tls11SignatureSchemesRSA = tls11SignatureSchemes[3:] -) - // certificateRequestInfoFromMsg generates a CertificateRequestInfo from a TLS // <= 1.2 CertificateRequest, making an effort to fill in missing information. func certificateRequestInfoFromMsg(vers uint16, certReq *certificateRequestMsg) *CertificateRequestInfo { @@ -866,17 +858,25 @@ func certificateRequestInfoFromMsg(vers uint16, certReq *certificateRequestMsg) } if !certReq.hasSignatureAlgorithm { - // Prior to TLS 1.2, the signature schemes were not - // included in the certificate request message. In this - // case we use a plausible list based on the acceptable - // certificate types. + // Prior to TLS 1.2, signature schemes did not exist. In this case we + // make up a list based on the acceptable certificate types, to help + // GetClientCertificate and SupportsCertificate select the right certificate. + // The hash part of the SignatureScheme is a lie here, because + // TLS 1.0 and 1.1 always use MD5+SHA1 for RSA and SHA1 for ECDSA. switch { case rsaAvail && ecAvail: - cri.SignatureSchemes = tls11SignatureSchemes + cri.SignatureSchemes = []SignatureScheme{ + ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, + PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1, + } case rsaAvail: - cri.SignatureSchemes = tls11SignatureSchemesRSA + cri.SignatureSchemes = []SignatureScheme{ + PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1, + } case ecAvail: - cri.SignatureSchemes = tls11SignatureSchemesECDSA + cri.SignatureSchemes = []SignatureScheme{ + ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, + } } return cri } From 5e6895faa755d3d75e11b5fd4ba66e91c4805406 Mon Sep 17 00:00:00 2001 From: Johan Jansson Date: Wed, 1 Jan 2020 18:48:22 +0200 Subject: [PATCH 09/14] crypto/tls: update ExampleDial with a valid root When run as a separate program, the code in ExampleDial panicked due to an expired certificate. Fixed this problem by replacing the expired certificate with a valid one. Also added a comment in the certificate to give a hint about why it might fail in the future. Fixes #35706 Change-Id: I3d300f7bccae050e4b73ded28b8029aa04b480bd Reviewed-on: https://go-review.googlesource.com/c/go/+/212601 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Filippo Valsorda --- example_test.go | 43 +++++++++++++++++++++---------------------- 1 file changed, 21 insertions(+), 22 deletions(-) diff --git a/example_test.go b/example_test.go index c88f8ad..cf58a58 100644 --- a/example_test.go +++ b/example_test.go @@ -30,29 +30,28 @@ func ExampleDial() { // Connecting with a custom root-certificate set. const rootPEM = ` +-- GlobalSign Root R2, valid until Dec 15, 2021 -----BEGIN CERTIFICATE----- -MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT -MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i -YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG -EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy -bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP -VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv -h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE -ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ -EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC -DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7 -qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD -VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g -K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI -KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n -ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB -BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY -/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/ -zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza -HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto -WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6 -yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx +MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G +A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp +Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1 +MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG +A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL +v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8 +eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq +tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd +C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa +zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB +mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH +V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n +bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG +3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs +J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO +291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS +ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd +AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 +TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== -----END CERTIFICATE-----` // First, create the set of root certificates. For this example we only From 008ada74ecc7c790e56cce7ab69ae6b55a6f8e1d Mon Sep 17 00:00:00 2001 From: Katie Hockman Date: Mon, 24 Feb 2020 17:23:19 -0500 Subject: [PATCH 10/14] crypto/tls: use new ecdsa.VerifyASN1 API Change-Id: I2a233190bda78ca022ff4074b4553788847d7583 Reviewed-on: https://go-review.googlesource.com/c/go/+/220720 Run-TryBot: Katie Hockman TryBot-Result: Gobot Gobot Reviewed-by: Filippo Valsorda --- auth.go | 10 +--------- common.go | 8 -------- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/auth.go b/auth.go index 009f8d3..d87f7bd 100644 --- a/auth.go +++ b/auth.go @@ -11,7 +11,6 @@ import ( "crypto/ed25519" "crypto/elliptic" "crypto/rsa" - "encoding/asn1" "errors" "fmt" "hash" @@ -27,14 +26,7 @@ func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc c if !ok { return fmt.Errorf("expected an ECDSA public key, got %T", pubkey) } - ecdsaSig := new(ecdsaSignature) - if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil { - return err - } - if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { - return errors.New("ECDSA signature contained zero or negative values") - } - if !ecdsa.Verify(pubKey, signed, ecdsaSig.R, ecdsaSig.S) { + if !ecdsa.VerifyASN1(pubKey, signed, sig) { return errors.New("ECDSA verification failure") } case signatureEd25519: diff --git a/common.go b/common.go index c3de0b3..53719c4 100644 --- a/common.go +++ b/common.go @@ -19,7 +19,6 @@ import ( "fmt" "internal/cpu" "io" - "math/big" "net" "strings" "sync" @@ -1264,13 +1263,6 @@ func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool) { return nil, false } -// TODO(jsing): Make these available to both crypto/x509 and crypto/tls. -type dsaSignature struct { - R, S *big.Int -} - -type ecdsaSignature dsaSignature - var emptyConfig Config func defaultConfig() *Config { From 5cb310fdd26fc67734e41010e086e8ad82718d39 Mon Sep 17 00:00:00 2001 From: Ziheng Liu Date: Thu, 13 Feb 2020 16:20:30 -0500 Subject: [PATCH 11/14] all: fix incorrect channel and API usage in some unit tests This CL changes some unit test functions, making sure that these tests (and goroutines spawned during test) won't block. Since they are just test functions, I use one CL to fix them all. I hope this won't cause trouble to reviewers and can save time for us. There are three main categories of incorrect logic fixed by this CL: 1. Use testing.Fatal()/Fatalf() in spawned goroutines, which is forbidden by Go's document. 2. Channels are used in such a way that, when errors or timeout happen, the test will be blocked and never return. 3. Channels are used in such a way that, when errors or timeout happen, the test can return but some spawned goroutines will be leaked, occupying resource until all other tests return and the process is killed. Change-Id: I3df931ec380794a0cf1404e632c1dd57c65d63e8 Reviewed-on: https://go-review.googlesource.com/c/go/+/219380 Run-TryBot: Ian Lance Taylor TryBot-Result: Gobot Gobot Reviewed-by: Ian Lance Taylor --- handshake_client_test.go | 2 +- handshake_server_test.go | 5 +++-- tls_test.go | 29 ++++++++++++++++++++++++++--- 3 files changed, 30 insertions(+), 6 deletions(-) diff --git a/handshake_client_test.go b/handshake_client_test.go index 6bd3c37..8632d98 100644 --- a/handshake_client_test.go +++ b/handshake_client_test.go @@ -1748,7 +1748,7 @@ func TestHandshakeRace(t *testing.T) { startWrite := make(chan struct{}) startRead := make(chan struct{}) - readDone := make(chan struct{}) + readDone := make(chan struct{}, 1) client := Client(c, testConfig) go func() { diff --git a/handshake_server_test.go b/handshake_server_test.go index 1e5da1e..953ca00 100644 --- a/handshake_server_test.go +++ b/handshake_server_test.go @@ -182,7 +182,7 @@ func TestRenegotiationExtension(t *testing.T) { cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, } - bufChan := make(chan []byte) + bufChan := make(chan []byte, 1) c, s := localPipe(t) go func() { @@ -575,11 +575,12 @@ func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, return nil, nil, err } - connChan := make(chan interface{}) + connChan := make(chan interface{}, 1) go func() { tcpConn, err := l.Accept() if err != nil { connChan <- err + return } connChan <- tcpConn }() diff --git a/tls_test.go b/tls_test.go index 178b519..89fac60 100644 --- a/tls_test.go +++ b/tls_test.go @@ -294,7 +294,11 @@ func TestTLSUniqueMatches(t *testing.T) { defer ln.Close() serverTLSUniques := make(chan []byte) + parentDone := make(chan struct{}) + childDone := make(chan struct{}) + defer close(parentDone) go func() { + defer close(childDone) for i := 0; i < 2; i++ { sconn, err := ln.Accept() if err != nil { @@ -308,7 +312,11 @@ func TestTLSUniqueMatches(t *testing.T) { t.Error(err) return } - serverTLSUniques <- srv.ConnectionState().TLSUnique + select { + case <-parentDone: + return + case serverTLSUniques <- srv.ConnectionState().TLSUnique: + } } }() @@ -318,7 +326,15 @@ func TestTLSUniqueMatches(t *testing.T) { if err != nil { t.Fatal(err) } - if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) { + + var serverTLSUniquesValue []byte + select { + case <-childDone: + return + case serverTLSUniquesValue = <-serverTLSUniques: + } + + if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) { t.Error("client and server channel bindings differ") } conn.Close() @@ -331,7 +347,14 @@ func TestTLSUniqueMatches(t *testing.T) { if !conn.ConnectionState().DidResume { t.Error("second session did not use resumption") } - if !bytes.Equal(conn.ConnectionState().TLSUnique, <-serverTLSUniques) { + + select { + case <-childDone: + return + case serverTLSUniquesValue = <-serverTLSUniques: + } + + if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) { t.Error("client and server channel bindings differ when session resumption is used") } } From 3b8ecfe1a32f10a8410f6a4898d55c6c6625e374 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Thu, 21 Nov 2019 13:52:18 -0500 Subject: [PATCH 12/14] crypto/tls: add {SignatureScheme,CurveID,ClientAuthType}.String() Fixes #35499 Change-Id: Ieb487782f389f6d80e8f68ee980e584d906cb4da Reviewed-on: https://go-review.googlesource.com/c/go/+/208226 Run-TryBot: Filippo Valsorda TryBot-Result: Gobot Gobot Reviewed-by: Katie Hockman --- auth.go | 4 +- auth_test.go | 14 +++--- common.go | 2 + common_string.go | 116 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 127 insertions(+), 9 deletions(-) create mode 100644 common_string.go diff --git a/auth.go b/auth.go index d87f7bd..ad5f9a2 100644 --- a/auth.go +++ b/auth.go @@ -106,7 +106,7 @@ func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType case Ed25519: sigType = signatureEd25519 default: - return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm) + return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm) } switch signatureAlgorithm { case PKCS1WithSHA1, ECDSAWithSHA1: @@ -120,7 +120,7 @@ func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType case Ed25519: hash = directSigning default: - return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm) + return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm) } return sigType, hash, nil } diff --git a/auth_test.go b/auth_test.go index c8d8c8f..c42e349 100644 --- a/auth_test.go +++ b/auth_test.go @@ -62,7 +62,7 @@ func TestSignatureSelection(t *testing.T) { t.Errorf("test[%d]: unexpected selectSignatureScheme error: %v", testNo, err) } if test.expectedSigAlg != sigAlg { - t.Errorf("test[%d]: expected signature scheme %#x, got %#x", testNo, test.expectedSigAlg, sigAlg) + t.Errorf("test[%d]: expected signature scheme %v, got %v", testNo, test.expectedSigAlg, sigAlg) } sigType, hashFunc, err := typeAndHashFromSignatureScheme(sigAlg) if err != nil { @@ -115,7 +115,7 @@ func TestSignatureSelection(t *testing.T) { for testNo, test := range badTests { sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs) if err == nil { - t.Errorf("test[%d]: unexpected success, got %#x", testNo, sigAlg) + t.Errorf("test[%d]: unexpected success, got %v", testNo, sigAlg) } } } @@ -129,7 +129,7 @@ func TestLegacyTypeAndHash(t *testing.T) { t.Errorf("RSA: expected signature type %#x, got %#x", expectedSigType, sigType) } if expectedHashFunc := crypto.MD5SHA1; expectedHashFunc != hashFunc { - t.Errorf("RSA: expected hash %#x, got %#x", expectedHashFunc, sigType) + t.Errorf("RSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc) } sigType, hashFunc, err = legacyTypeAndHashFromPublicKey(testECDSAPrivateKey.Public()) @@ -140,7 +140,7 @@ func TestLegacyTypeAndHash(t *testing.T) { t.Errorf("ECDSA: expected signature type %#x, got %#x", expectedSigType, sigType) } if expectedHashFunc := crypto.SHA1; expectedHashFunc != hashFunc { - t.Errorf("ECDSA: expected hash %#x, got %#x", expectedHashFunc, sigType) + t.Errorf("ECDSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc) } // Ed25519 is not supported by TLS 1.0 and 1.1. @@ -156,13 +156,13 @@ func TestSupportedSignatureAlgorithms(t *testing.T) { for _, sigAlg := range supportedSignatureAlgorithms { sigType, hash, err := typeAndHashFromSignatureScheme(sigAlg) if err != nil { - t.Errorf("%#04x: unexpected error: %v", sigAlg, err) + t.Errorf("%v: unexpected error: %v", sigAlg, err) } if sigType == 0 { - t.Errorf("%#04x: missing signature type", sigAlg) + t.Errorf("%v: missing signature type", sigAlg) } if hash == 0 && sigAlg != Ed25519 { - t.Errorf("%#04x: missing hash", sigAlg) + t.Errorf("%v: missing hash", sigAlg) } } } diff --git a/common.go b/common.go index 53719c4..ef95e9b 100644 --- a/common.go +++ b/common.go @@ -299,6 +299,8 @@ type ClientSessionCache interface { Put(sessionKey string, cs *ClientSessionState) } +//go:generate stringer -type=SignatureScheme,CurveID,ClientAuthType -output=common_string.go + // SignatureScheme identifies a signature algorithm supported by TLS. See // RFC 8446, Section 4.2.3. type SignatureScheme uint16 diff --git a/common_string.go b/common_string.go new file mode 100644 index 0000000..2381088 --- /dev/null +++ b/common_string.go @@ -0,0 +1,116 @@ +// Code generated by "stringer -type=SignatureScheme,CurveID,ClientAuthType -output=common_string.go"; DO NOT EDIT. + +package tls + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[PKCS1WithSHA256-1025] + _ = x[PKCS1WithSHA384-1281] + _ = x[PKCS1WithSHA512-1537] + _ = x[PSSWithSHA256-2052] + _ = x[PSSWithSHA384-2053] + _ = x[PSSWithSHA512-2054] + _ = x[ECDSAWithP256AndSHA256-1027] + _ = x[ECDSAWithP384AndSHA384-1283] + _ = x[ECDSAWithP521AndSHA512-1539] + _ = x[Ed25519-2055] + _ = x[PKCS1WithSHA1-513] + _ = x[ECDSAWithSHA1-515] +} + +const ( + _SignatureScheme_name_0 = "PKCS1WithSHA1" + _SignatureScheme_name_1 = "ECDSAWithSHA1" + _SignatureScheme_name_2 = "PKCS1WithSHA256" + _SignatureScheme_name_3 = "ECDSAWithP256AndSHA256" + _SignatureScheme_name_4 = "PKCS1WithSHA384" + _SignatureScheme_name_5 = "ECDSAWithP384AndSHA384" + _SignatureScheme_name_6 = "PKCS1WithSHA512" + _SignatureScheme_name_7 = "ECDSAWithP521AndSHA512" + _SignatureScheme_name_8 = "PSSWithSHA256PSSWithSHA384PSSWithSHA512Ed25519" +) + +var ( + _SignatureScheme_index_8 = [...]uint8{0, 13, 26, 39, 46} +) + +func (i SignatureScheme) String() string { + switch { + case i == 513: + return _SignatureScheme_name_0 + case i == 515: + return _SignatureScheme_name_1 + case i == 1025: + return _SignatureScheme_name_2 + case i == 1027: + return _SignatureScheme_name_3 + case i == 1281: + return _SignatureScheme_name_4 + case i == 1283: + return _SignatureScheme_name_5 + case i == 1537: + return _SignatureScheme_name_6 + case i == 1539: + return _SignatureScheme_name_7 + case 2052 <= i && i <= 2055: + i -= 2052 + return _SignatureScheme_name_8[_SignatureScheme_index_8[i]:_SignatureScheme_index_8[i+1]] + default: + return "SignatureScheme(" + strconv.FormatInt(int64(i), 10) + ")" + } +} +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[CurveP256-23] + _ = x[CurveP384-24] + _ = x[CurveP521-25] + _ = x[X25519-29] +} + +const ( + _CurveID_name_0 = "CurveP256CurveP384CurveP521" + _CurveID_name_1 = "X25519" +) + +var ( + _CurveID_index_0 = [...]uint8{0, 9, 18, 27} +) + +func (i CurveID) String() string { + switch { + case 23 <= i && i <= 25: + i -= 23 + return _CurveID_name_0[_CurveID_index_0[i]:_CurveID_index_0[i+1]] + case i == 29: + return _CurveID_name_1 + default: + return "CurveID(" + strconv.FormatInt(int64(i), 10) + ")" + } +} +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[NoClientCert-0] + _ = x[RequestClientCert-1] + _ = x[RequireAnyClientCert-2] + _ = x[VerifyClientCertIfGiven-3] + _ = x[RequireAndVerifyClientCert-4] +} + +const _ClientAuthType_name = "NoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCert" + +var _ClientAuthType_index = [...]uint8{0, 12, 29, 49, 72, 98} + +func (i ClientAuthType) String() string { + if i < 0 || i >= ClientAuthType(len(_ClientAuthType_index)-1) { + return "ClientAuthType(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _ClientAuthType_name[_ClientAuthType_index[i]:_ClientAuthType_index[i+1]] +} From f28969082ec10f382688d1f073bcdbc6bbbe9fa3 Mon Sep 17 00:00:00 2001 From: Chris Le Roy Date: Thu, 19 Mar 2020 21:31:23 +0000 Subject: [PATCH 13/14] crypto/tls: update the MITM reference to "machine-in-the-middle" Changing "man-in-the-middle" references to "machine-in-the-middle", it's a more inclusive term and still aligns with the MITM acronym. Change-Id: I81f954cff3d252433443f159ff9edaf59a28ab9d GitHub-Last-Rev: 3e8f91424a207233b537984747ae90cbc1f03755 GitHub-Pull-Request: golang/go#37918 Reviewed-on: https://go-review.googlesource.com/c/go/+/223897 Reviewed-by: Filippo Valsorda --- common.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common.go b/common.go index ef95e9b..9121148 100644 --- a/common.go +++ b/common.go @@ -549,7 +549,7 @@ type Config struct { // server's certificate chain and host name. // If InsecureSkipVerify is true, TLS accepts any certificate // presented by the server and any host name in that certificate. - // In this mode, TLS is susceptible to man-in-the-middle attacks. + // In this mode, TLS is susceptible to machine-in-the-middle attacks. // This should be used only for testing. InsecureSkipVerify bool From 321fc90102b6be82c7493767dbd23bff8908771a Mon Sep 17 00:00:00 2001 From: Katie Hockman Date: Wed, 1 Apr 2020 13:49:57 -0400 Subject: [PATCH 14/14] crypto/tls: add missing alert values Fixes #35911 Change-Id: I093d25aa169963769b51c37d2481bce71bd0fd2f Reviewed-on: https://go-review.googlesource.com/c/go/+/226858 Run-TryBot: Katie Hockman TryBot-Result: Gobot Gobot Reviewed-by: Filippo Valsorda --- alert.go | 120 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 66 insertions(+), 54 deletions(-) diff --git a/alert.go b/alert.go index 22b3eca..4790b73 100644 --- a/alert.go +++ b/alert.go @@ -15,63 +15,75 @@ const ( ) const ( - alertCloseNotify alert = 0 - alertUnexpectedMessage alert = 10 - alertBadRecordMAC alert = 20 - alertDecryptionFailed alert = 21 - alertRecordOverflow alert = 22 - alertDecompressionFailure alert = 30 - alertHandshakeFailure alert = 40 - alertBadCertificate alert = 42 - alertUnsupportedCertificate alert = 43 - alertCertificateRevoked alert = 44 - alertCertificateExpired alert = 45 - alertCertificateUnknown alert = 46 - alertIllegalParameter alert = 47 - alertUnknownCA alert = 48 - alertAccessDenied alert = 49 - alertDecodeError alert = 50 - alertDecryptError alert = 51 - alertProtocolVersion alert = 70 - alertInsufficientSecurity alert = 71 - alertInternalError alert = 80 - alertInappropriateFallback alert = 86 - alertUserCanceled alert = 90 - alertNoRenegotiation alert = 100 - alertMissingExtension alert = 109 - alertUnsupportedExtension alert = 110 - alertUnrecognizedName alert = 112 - alertNoApplicationProtocol alert = 120 + alertCloseNotify alert = 0 + alertUnexpectedMessage alert = 10 + alertBadRecordMAC alert = 20 + alertDecryptionFailed alert = 21 + alertRecordOverflow alert = 22 + alertDecompressionFailure alert = 30 + alertHandshakeFailure alert = 40 + alertBadCertificate alert = 42 + alertUnsupportedCertificate alert = 43 + alertCertificateRevoked alert = 44 + alertCertificateExpired alert = 45 + alertCertificateUnknown alert = 46 + alertIllegalParameter alert = 47 + alertUnknownCA alert = 48 + alertAccessDenied alert = 49 + alertDecodeError alert = 50 + alertDecryptError alert = 51 + alertExportRestriction alert = 60 + alertProtocolVersion alert = 70 + alertInsufficientSecurity alert = 71 + alertInternalError alert = 80 + alertInappropriateFallback alert = 86 + alertUserCanceled alert = 90 + alertNoRenegotiation alert = 100 + alertMissingExtension alert = 109 + alertUnsupportedExtension alert = 110 + alertCertificateUnobtainable alert = 111 + alertUnrecognizedName alert = 112 + alertBadCertificateStatusResponse alert = 113 + alertBadCertificateHashValue alert = 114 + alertUnknownPSKIdentity alert = 115 + alertCertificateRequired alert = 116 + alertNoApplicationProtocol alert = 120 ) var alertText = map[alert]string{ - alertCloseNotify: "close notify", - alertUnexpectedMessage: "unexpected message", - alertBadRecordMAC: "bad record MAC", - alertDecryptionFailed: "decryption failed", - alertRecordOverflow: "record overflow", - alertDecompressionFailure: "decompression failure", - alertHandshakeFailure: "handshake failure", - alertBadCertificate: "bad certificate", - alertUnsupportedCertificate: "unsupported certificate", - alertCertificateRevoked: "revoked certificate", - alertCertificateExpired: "expired certificate", - alertCertificateUnknown: "unknown certificate", - alertIllegalParameter: "illegal parameter", - alertUnknownCA: "unknown certificate authority", - alertAccessDenied: "access denied", - alertDecodeError: "error decoding message", - alertDecryptError: "error decrypting message", - alertProtocolVersion: "protocol version not supported", - alertInsufficientSecurity: "insufficient security level", - alertInternalError: "internal error", - alertInappropriateFallback: "inappropriate fallback", - alertUserCanceled: "user canceled", - alertNoRenegotiation: "no renegotiation", - alertMissingExtension: "missing extension", - alertUnsupportedExtension: "unsupported extension", - alertUnrecognizedName: "unrecognized name", - alertNoApplicationProtocol: "no application protocol", + alertCloseNotify: "close notify", + alertUnexpectedMessage: "unexpected message", + alertBadRecordMAC: "bad record MAC", + alertDecryptionFailed: "decryption failed", + alertRecordOverflow: "record overflow", + alertDecompressionFailure: "decompression failure", + alertHandshakeFailure: "handshake failure", + alertBadCertificate: "bad certificate", + alertUnsupportedCertificate: "unsupported certificate", + alertCertificateRevoked: "revoked certificate", + alertCertificateExpired: "expired certificate", + alertCertificateUnknown: "unknown certificate", + alertIllegalParameter: "illegal parameter", + alertUnknownCA: "unknown certificate authority", + alertAccessDenied: "access denied", + alertDecodeError: "error decoding message", + alertDecryptError: "error decrypting message", + alertExportRestriction: "export restriction", + alertProtocolVersion: "protocol version not supported", + alertInsufficientSecurity: "insufficient security level", + alertInternalError: "internal error", + alertInappropriateFallback: "inappropriate fallback", + alertUserCanceled: "user canceled", + alertNoRenegotiation: "no renegotiation", + alertMissingExtension: "missing extension", + alertUnsupportedExtension: "unsupported extension", + alertCertificateUnobtainable: "certificate unobtainable", + alertUnrecognizedName: "unrecognized name", + alertBadCertificateStatusResponse: "bad certificate status response", + alertBadCertificateHashValue: "bad certificate hash value", + alertUnknownPSKIdentity: "unknown PSK identity", + alertCertificateRequired: "certificate required", + alertNoApplicationProtocol: "no application protocol", } func (e alert) String() string {