From 5796f9738a429b13b61428132ca038d84f53a21c Mon Sep 17 00:00:00 2001 From: Gaukas Wang Date: Wed, 10 Jan 2024 22:09:25 -0700 Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=91=20fix:=20code=20broken=20after=20m?= =?UTF-8?q?erging?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Gaukas Wang --- common.go | 22 ++++++++++++++++------ conn.go | 13 ++++++++----- handshake_client.go | 31 ++++++++++++++++++------------- handshake_server.go | 18 ++++++++++++------ handshake_server_tls13.go | 21 --------------------- internal/boring/notboring.go | 4 ++++ 6 files changed, 58 insertions(+), 51 deletions(-) diff --git a/common.go b/common.go index 5032c66..c6da2c7 100644 --- a/common.go +++ b/common.go @@ -1084,7 +1084,7 @@ func (c *Config) time() time.Time { return t() } -var tlsrsakex = godebug.New("tlsrsakex") +// var tlsrsakex = godebug.New("tlsrsakex") // [UTLS] unsupported func (c *Config) cipherSuites() []uint16 { if needFIPS() { @@ -1093,9 +1093,13 @@ func (c *Config) cipherSuites() []uint16 { if c.CipherSuites != nil { return c.CipherSuites } - if tlsrsakex.Value() == "1" { - return defaultCipherSuitesWithRSAKex - } + + // [uTLS SECTION BEGIN] + // Disable unsupported godebug package + // if tlsrsakex.Value() == "1" { + // return defaultCipherSuitesWithRSAKex + // } + // [uTLS SECTION END] return defaultCipherSuites } @@ -1111,7 +1115,7 @@ var supportedVersions = []uint16{ const roleClient = true const roleServer = false -var tls10server = godebug.New("tls10server") +// var tls10server = godebug.New("tls10server") // [UTLS] unsupported func (c *Config) supportedVersions(isClient bool) []uint16 { versions := make([]uint16, 0, len(supportedVersions)) 
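Review bot: In `cipherSuites` (common.go, hunk at -1093), the comment left with the disabled `tlsrsakex` branch says only that the godebug package is unsupported, not what that means for callers. After this change the only way to get a list other than `defaultCipherSuites` from this function (outside the `needFIPS()` path) is a non-nil `Config.CipherSuites`. I would say so in place, for example `// [uTLS] GODEBUG tlsrsakex is not honoured; set Config.CipherSuites explicitly to change the default list.` If `defaultCipherSuitesWithRSAKex` has no other users it may now be dead code, which cannot be confirmed from this hunk.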
@@ -1120,9 +1124,15 @@ func (c *Config) supportedVersions(isClient bool) []uint16 { continue } if (c == nil || c.MinVersion == 0) && v < VersionTLS12 { - if isClient || tls10server.Value() != "1" { + // [uTLS SECTION BEGIN] + // Disable unsupported godebug package + // if isClient || tls10server.Value() != "1" { + // continue + // } + if isClient { continue } + // [uTLS SECTION END] } if c != nil && c.MinVersion != 0 && v < c.MinVersion { continue diff --git a/conn.go b/conn.go index d3ffabf..36222bd 100644 --- a/conn.go +++ b/conn.go @@ -1610,7 +1610,7 @@ func (c *Conn) ConnectionState() ConnectionState { return c.connectionStateLocked() } -var tlsunsafeekm = godebug.New("tlsunsafeekm") +// var tlsunsafeekm = godebug.New("tlsunsafeekm") // [uTLS] unsupportted func (c *Conn) connectionStateLocked() ConnectionState { var state ConnectionState @@ -1636,10 +1636,13 @@ func (c *Conn) connectionStateLocked() ConnectionState { state.ekm = noEKMBecauseRenegotiation } else if c.vers != VersionTLS13 && !c.extMasterSecret { state.ekm = func(label string, context []byte, length int) ([]byte, error) { - if tlsunsafeekm.Value() == "1" { - tlsunsafeekm.IncNonDefault() - return c.ekm(label, context, length) - } + // [uTLS SECTION START] + // Disabling unsupported godebug package + // if tlsunsafeekm.Value() == "1" { + // tlsunsafeekm.IncNonDefault() + // return c.ekm(label, context, length) + // } + // [uTLS SECTION END] return noEKMBecauseNoEMS(label, context, length) } } else { diff --git a/handshake_client.go b/handshake_client.go index 67fd90d..b142b4d 100644 --- a/handshake_client.go +++ b/handshake_client.go @@ -19,7 +19,6 @@ import ( "hash" "io" "net" - "strconv" "strings" "time" 
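Review bot: In `supportedVersions` (common.go, hunk at -1120), the new `if isClient { continue }` is not equivalent to the removed condition with the debug setting unset. `tls10server.Value() != "1"` was true by default, so versions below TLS 1.2 were skipped for servers as well as clients whenever `MinVersion` is 0. With the new condition, a server that leaves `MinVersion` unset keeps those older versions in its list, as if `tls10server=1` were permanently on. To preserve the previous default the inner branch can be a bare `continue`, leaving an explicit `Config.MinVersion` as the way to allow older versions. The `readClientHello` hunk in handshake_server.go also drops `tls10server.IncNonDefault()`, so nothing would record such a negotiation; the function body continues outside this hunk.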
@@ -593,9 +592,12 @@ func (hs *clientHandshakeState) pickCipherSuite() error { return errors.New("tls: server chose an unconfigured cipher suite") } - if hs.c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] { - tlsrsakex.IncNonDefault() - } + // [UTLS SECTION START] + // Disable unsupported godebug packages + // if hs.c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] { + // tlsrsakex.IncNonDefault() + // } + // [UTLS SECTION END] hs.c.cipherSuite = hs.suite.id return nil @@ -1017,17 +1019,20 @@ func (hs *clientHandshakeState) sendFinished(out []byte) error { // to verify the signatures of during a TLS handshake. const defaultMaxRSAKeySize = 8192 -var tlsmaxrsasize = godebug.New("tlsmaxrsasize") +// var tlsmaxrsasize = godebug.New("tlsmaxrsasize") // [uTLS] unused func checkKeySize(n int) (max int, ok bool) { - if v := tlsmaxrsasize.Value(); v != "" { - if max, err := strconv.Atoi(v); err == nil { - if (n <= max) != (n <= defaultMaxRSAKeySize) { - tlsmaxrsasize.IncNonDefault() - } - return max, n <= max - } - } + // [uTLS SECTION START] + // Disable the unsupported godebug package + // if v := tlsmaxrsasize.Value(); v != "" { + // if max, err := strconv.Atoi(v); err == nil { + // if (n <= max) != (n <= defaultMaxRSAKeySize) { + // tlsmaxrsasize.IncNonDefault() + // } + // return max, n <= max + // } + // } + // [uTLS SECTION END] return defaultMaxRSAKeySize, n <= defaultMaxRSAKeySize } diff --git a/handshake_server.go b/handshake_server.go index 5902ce5..ca10a3a 100644 --- a/handshake_server.go +++ b/handshake_server.go 
@@ -171,9 +171,12 @@ func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) { c.in.version = c.vers c.out.version = c.vers - if c.config.MinVersion == 0 && c.vers < VersionTLS12 { - tls10server.IncNonDefault() - } + // [UTLS SECTION BEGIN] + // Disable unsupported godebug package + // if c.config.MinVersion == 0 && c.vers < VersionTLS12 { + // tls10server.IncNonDefault() + // } + // [UTLS SECTION END] return clientHello, nil } @@ -373,9 +376,12 @@ func (hs *serverHandshakeState) pickCipherSuite() error { } c.cipherSuite = hs.suite.id - if c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] { - tlsrsakex.IncNonDefault() - } + // [UTLS SECTION BEGIN] + // Disable unsupported godebug package + // if c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] { + // tlsrsakex.IncNonDefault() + // } + // [UTLS SECTION END] for _, id := range hs.clientHello.cipherSuites { if id == TLS_FALLBACK_SCSV { diff --git a/handshake_server_tls13.go b/handshake_server_tls13.go index d35423a..f0e4b70 100644 --- a/handshake_server_tls13.go +++ b/handshake_server_tls13.go @@ -276,27 +276,6 @@ GroupSelection: } } - selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, c.quic != nil) - if err != nil { - c.sendAlert(alertNoApplicationProtocol) - return err - } - c.clientProtocol = selectedProto - - if c.quic != nil { - if hs.clientHello.quicTransportParameters == nil { - // RFC 9001 Section 8.2. - c.sendAlert(alertMissingExtension) - return errors.New("tls: client did not send a quic_transport_parameters extension") - } - c.quicSetTransportParameters(hs.clientHello.quicTransportParameters) - } else { - if hs.clientHello.quicTransportParameters != nil { - c.sendAlert(alertUnsupportedExtension) - return errors.New("tls: client sent an unexpected quic_transport_parameters extension") - } - } - c.serverName = hs.clientHello.serverName return nil } 
diff --git a/internal/boring/notboring.go b/internal/boring/notboring.go index ebc2fd5..913afd5 100644 --- a/internal/boring/notboring.go +++ b/internal/boring/notboring.go @@ -11,6 +11,10 @@ func NewGCMTLS(_ cipher.Block) (cipher.AEAD, error) { return nil, errors.New("boring not implemented") } +func NewGCMTLS13(_ cipher.Block) (cipher.AEAD, error) { + return nil, errors.New("boring not implemented") +} + func Unreachable() { // do nothing }
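Review bot: `NewGCMTLS13` is added without a doc comment and returns the same error text as `NewGCMTLS`, so a failure does not show which constructor was called. Judging by the file name this is the stub used when the boring backend is absent, so a comment such as `// NewGCMTLS13 is a stub; it always returns a nil AEAD and an error.` would state the contract. A distinct message, e.g. `errors.New("boring: NewGCMTLS13 not implemented")`, would make the two cases distinguishable in logs. Callers need to check the error before using the result, because the returned AEAD is nil.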