crypto/tls: decouple handshake signatures from the handshake hash.

Prior to TLS 1.2, the handshake had a pleasing property that one could incrementally hash it and, from that, get the needed hashes for both the CertificateVerify and Finished messages. TLS 1.2 introduced negotiation for the signature and hash and it became possible for the handshake hash to be, say, SHA-384, but for the CertificateVerify to sign the handshake with SHA-1. The problem is that one doesn't know in advance which hashes will be needed and thus the handshake needs to be buffered. Go ignored this, always kept a single handshake hash, and any signatures over the handshake had to use that hash. However, there are a set of servers that inspect the client's offered signature hash functions and will abort the handshake if one of the server's certificates is signed with a hash function outside of that set. https://robertsspaceindustries.com/ is an example of such a server. Clearly not a lot of thought happened when that server code was written, but its out there and we have to deal with it. This change decouples the handshake hash from the CertificateVerify hash. This lays the groundwork for advertising support for SHA-384 but doesn't actually make that change in the interests of reviewability. Updating the advertised hash functions will cause changes in many of the testdata/ files and some errors might get lost in the noise. This change only needs to update four testdata/ files: one because a SHA-384-based handshake is now being signed with SHA-256 and the others because the TLS 1.2 CertificateRequest message now includes SHA-1. This change also has the effect of adding support for client-certificates in SSLv3 servers. However, SSLv3 is now disabled by default so this should be moot. It would be possible to avoid much of this change and just support SHA-384 for the ServerKeyExchange as the SKX only signs over the nonces and SKX params (a design mistake in TLS). However, that would leave Go in the odd situation where it advertised support for SHA-384, but would only use the handshake hash when signing client certificates. I fear that'll just cause problems in the future. Much of this code was written by davidben@ for the purposes of testing BoringSSL. Partly addresses #9757 Change-Id: I5137a472b6076812af387a5a69fc62c7373cd485 Reviewed-on: https://go-review.googlesource.com/9415 Run-TryBot: Adam Langley <agl@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2025-04-03 20:17:36 +03:00 · 2015-04-28 09:13:38 -07:00 · 2015-04-28 09:13:38 -07:00 · 7de6f5ad0c
commit 7de6f5ad0c
parent ee94166b41
12 changed files with 447 additions and 322 deletions
--- a/testdata/Server-TLSv12-ClientAuthRequestedNotGiven
+++ b/testdata/Server-TLSv12-ClientAuthRequestedNotGiven
@ -1,11 +1,10 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 5c 01 00 00  58 03 03 52 cc 57 59 1b  |....\...X..R.WY.|
-00000010  08 fe f7 8a bf 07 84 2b  60 a6 13 2d 15 13 f8 b6  |.......+`..-....|
-00000020  d4 b6 3b f2 7a 98 ff 32  a0 68 7c 00 00 04 00 05  |..;.z..2.h|.....|
-00000030  00 ff 01 00 00 2b 00 0d  00 22 00 20 06 01 06 02  |.....+...". ....|
-00000040  06 03 05 01 05 02 05 03  04 01 04 02 04 03 03 01  |................|
-00000050  03 02 03 03 02 01 02 02  02 03 01 01 00 0f 00 01  |................|
-00000060  01                                                |.|
+00000000  16 03 01 00 5b 01 00 00  57 03 03 d7 96 89 ca 52  |....[...W......R|
+00000010  d3 5b 27 58 b9 d2 4a 09  ce 09 7a 0f ee ea fc be  |.['X..J...z.....|
+00000020  04 8b 05 15 5b ab 26 52  88 72 51 00 00 04 00 05  |....[.&R.rQ.....|
+00000030  00 ff 02 01 00 00 29 00  0d 00 20 00 1e 06 01 06  |......)... .....|
+00000040  02 06 03 05 01 05 02 05  03 04 01 04 02 04 03 03  |................|
+00000050  01 03 02 03 03 02 01 02  02 02 03 00 0f 00 01 01  |................|
 >>> Flow 2 (server to client)
 00000000  16 03 03 00 31 02 00 00  2d 03 03 00 00 00 00 00  |....1...-.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@ -54,28 +53,28 @@
 000002c0  50 56 5c d5 82 5a 2d 5a  5f 33 c4 b6 d8 c9 75 90  |PV\..Z-Z_3....u.|
 000002d0  96 8c 0f 52 98 b5 cd 98  1f 89 20 5f f2 a0 1c a3  |...R...... _....|
 000002e0  1b 96 94 dd a9 fd 57 e9  70 e8 26 6d 71 99 9b 26  |......W.p.&mq..&|
-000002f0  6e 38 50 29 6c 90 a7 bd  d9 16 03 03 00 0f 0d 00  |n8P)l...........|
-00000300  00 0b 02 01 40 00 04 04  01 04 03 00 00 16 03 03  |....@...........|
-00000310  00 04 0e 00 00 00                                 |......|
+000002f0  6e 38 50 29 6c 90 a7 bd  d9 16 03 03 00 13 0d 00  |n8P)l...........|
+00000300  00 0f 02 01 40 00 08 04  01 04 03 02 01 02 03 00  |....@...........|
+00000310  00 16 03 03 00 04 0e 00  00 00                    |..........|
 >>> Flow 3 (client to server)
 00000000  16 03 03 00 07 0b 00 00  03 00 00 00 16 03 03 00  |................|
-00000010  86 10 00 00 82 00 80 6b  51 48 d3 18 7d 30 e0 0c  |.......kQH..}0..|
-00000020  20 8d f3 e4 39 47 30 0e  a5 85 79 f9 8b 11 50 9e  | ...9G0...y...P.|
-00000030  81 71 5c 26 c6 bb cb aa  d5 00 d1 89 79 b1 77 2d  |.q\&........y.w-|
-00000040  eb 9b 86 7c 52 c6 f7 b7  10 b0 b6 94 22 51 b8 12  |...|R......."Q..|
-00000050  3c 09 35 8e 1b cc f4 3b  b7 b8 78 ab 89 59 41 49  |<.5....;..x..YAI|
-00000060  21 31 eb f0 f8 94 63 3d  e6 96 8f b6 63 95 05 dd  |!1....c=....c...|
-00000070  46 b3 00 8a d6 83 75 99  1b 5a 48 0a 23 b5 10 c1  |F.....u..ZH.#...|
-00000080  95 b5 bc 15 72 b5 f5 a0  62 e2 1d c0 ff d2 87 a5  |....r...b.......|
-00000090  97 5c 33 49 a7 26 35 14  03 03 00 01 01 16 03 03  |.\3I.&5.........|
-000000a0  00 24 61 38 1f 9d fb d9  65 2e 02 07 fb be f9 85  |.$a8....e.......|
-000000b0  8d 15 34 c0 d1 0e 4e 10  3c 25 60 2f ac 04 21 66  |..4...N.<%`/..!f|
-000000c0  04 9d 9a 60 31 72                                 |...`1r|
+00000010  86 10 00 00 82 00 80 2a  d6 5e 1d 41 2f 3e 28 16  |.......*.^.A/>(.|
+00000020  59 0e af 65 a4 10 24 a0  cb 7b cb c5 4d f2 5b 61  |Y..e..$..{..M.[a|
+00000030  48 b2 13 26 0c 6e 7f 8d  7a fc cf 40 7c 1f 9b ca  |H..&.n..z..@|...|
+00000040  e2 2e 62 ba e0 54 be b4  3b b4 93 20 87 e9 55 58  |..b..T..;.. ..UX|
+00000050  b7 e3 8f 16 d0 9b 92 09  c3 37 fb 90 75 0d b1 34  |.........7..u..4|
+00000060  2c 2f da 8e 91 a2 54 a8  23 82 35 06 a6 37 98 d7  |,/....T.#.5..7..|
+00000070  54 13 35 48 3c bb db 5e  02 30 5d e6 76 ac 72 bd  |T.5H<..^.0].v.r.|
+00000080  40 da 41 62 0a 6c c1 4a  bc 4d c2 e0 19 2c 0a d0  |@.Ab.l.J.M...,..|
+00000090  02 be ca 74 9d fe f0 14  03 03 00 01 01 16 03 03  |...t............|
+000000a0  00 24 69 1d 39 5e 3d 56  c4 a9 69 be 15 e3 3f 54  |.$i.9^=V..i...?T|
+000000b0  59 cf 24 b1 6b 02 cf e3  88 89 e2 61 1e 28 a2 ac  |Y.$.k......a.(..|
+000000c0  cb e0 e2 26 d7 eb                                 |...&..|
 >>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 24 fe 0e 3e 84 af  |..........$..>..|
-00000010  e5 6b 10 ed 41 9c 2b e0  ba e0 2b 53 61 36 1b 40  |.k..A.+...+Sa6.@|
-00000020  35 de 3a c7 c3 5c df 74  67 f7 05 74 84 f5 e1 17  |5.:..\.tg..t....|
-00000030  03 03 00 21 d3 8d 81 85  b7 1f 30 bd 89 33 f9 81  |...!......0..3..|
-00000040  89 f7 af d1 be b0 c1 46  e3 df 32 f6 dc 2f 4d 82  |.......F..2../M.|
-00000050  0a 84 9f 5b 03 15 03 03  00 16 13 af 37 91 82 67  |...[........7..g|
-00000060  b0 7c 5e 0e ec 8e cc 31  a0 ea a5 72 a4 2b 0b 73  |.|^....1...r.+.s|
+00000000  14 03 03 00 01 01 16 03  03 00 24 30 d5 30 a5 a9  |..........$0.0..|
+00000010  c2 4d 71 23 01 6d d2 86  fa 08 77 a0 c2 a8 06 f9  |.Mq#.m....w.....|
+00000020  76 af e2 60 cd a8 8a c9  ee 7c 47 70 02 e6 04 17  |v..`.....|Gp....|
+00000030  03 03 00 21 a8 23 bf 89  d0 ec 14 17 8b 13 1f 66  |...!.#.........f|
+00000040  83 f8 b3 6b ce 70 ba 77  ab 04 6e b5 38 76 bc 4c  |...k.p.w..n.8v.L|
+00000050  b3 a2 ed 67 9a 15 03 03  00 16 1d c3 b9 d1 e5 39  |...g...........9|
+00000060  d8 1e f8 49 46 49 6c 58  57 fc c7 07 0f 10 94 c7  |...IFIlXW.......|