mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-06 05:27:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

[dev.boringcrypto] crypto/tls: test for TLS 1.3 to be disabled in FIPS mode

Browse source 
Change-Id: I32b3e29a3e34f20cccc51666905fd36744ef00b2
Reviewed-on: https://go-review.googlesource.com/c/149602
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
This commit is contained in:
Filippo Valsorda 2018-11-14 12:34:38 -05:00
parent 76b370b1b0
commit 7fdc251066
4 changed files with 31 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

65
boring_test.go
View file

@ -32,6 +32,7 @@ func TestBoringServerProtocolVersion(t *testing.T) {
random: make([]byte, 32), random: make([]byte, 32),
cipherSuites: allCipherSuites(), cipherSuites: allCipherSuites(),
compressionMethods: []uint8{compressionNone}, compressionMethods: []uint8{compressionNone},
supportedVersions: []uint16{v},
} }
testClientHelloFailure(t, serverConfig, clientHello, msg) testClientHelloFailure(t, serverConfig, clientHello, msg)
}) })
@ -41,6 +42,7 @@ func TestBoringServerProtocolVersion(t *testing.T) {
test("VersionTLS10", VersionTLS10, "") test("VersionTLS10", VersionTLS10, "")
test("VersionTLS11", VersionTLS11, "") test("VersionTLS11", VersionTLS11, "")
test("VersionTLS12", VersionTLS12, "") test("VersionTLS12", VersionTLS12, "")
test("VersionTLS13", VersionTLS13, "")
fipstls.Force() fipstls.Force()
defer fipstls.Abandon() defer fipstls.Abandon()
@ -48,6 +50,11 @@ func TestBoringServerProtocolVersion(t *testing.T) {
test("VersionTLS10", VersionTLS10, "client offered only unsupported versions") test("VersionTLS10", VersionTLS10, "client offered only unsupported versions")
test("VersionTLS11", VersionTLS11, "client offered only unsupported versions") test("VersionTLS11", VersionTLS11, "client offered only unsupported versions")
test("VersionTLS12", VersionTLS12, "") test("VersionTLS12", VersionTLS12, "")
test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
}
func isBoringVersion(v uint16) bool {
return v == VersionTLS12
} }
func isBoringCipherSuite(id uint16) bool { func isBoringCipherSuite(id uint16) bool {
@ -171,7 +178,7 @@ func TestBoringServerCurves(t *testing.T) {
} }
func boringHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) { func boringHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) {
c, s := realNetPipe(t) c, s := localPipe(t)
client := Client(c, clientConfig) client := Client(c, clientConfig)
server := Server(s, serverConfig) server := Server(s, serverConfig)
done := make(chan error, 1) done := make(chan error, 1)
@ -196,7 +203,7 @@ func TestBoringServerSignatureAndHash(t *testing.T) {
for _, sigHash := range defaultSupportedSignatureAlgorithms { for _, sigHash := range defaultSupportedSignatureAlgorithms {
testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash} testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash}
t.Run(fmt.Sprintf("%v", sigHash), func(t *testing.T) { t.Run(fmt.Sprintf("%#x", sigHash), func(t *testing.T) {
switch sigHash { switch sigHash {
case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512,
PSSWithSHA256, PSSWithSHA384, PSSWithSHA512: PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
@ -214,9 +221,9 @@ func TestBoringServerSignatureAndHash(t *testing.T) {
// 1.3, and the ECDSA ones bind to the curve used. // 1.3, and the ECDSA ones bind to the curve used.
serverConfig.MaxVersion = VersionTLS12 serverConfig.MaxVersion = VersionTLS12
clientErr, _ := boringHandshake(t, testConfig, serverConfig) clientErr, serverErr := boringHandshake(t, testConfig, serverConfig)
if clientErr != nil { if clientErr != nil {
t.Fatalf("expected handshake with %v to succeed; err=%v", sigHash, clientErr) t.Fatalf("expected handshake with %#x to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr)
} }
// With fipstls forced, bad curves should be rejected. // With fipstls forced, bad curves should be rejected.
@ -226,11 +233,11 @@ func TestBoringServerSignatureAndHash(t *testing.T) {
clientErr, _ := boringHandshake(t, testConfig, serverConfig) clientErr, _ := boringHandshake(t, testConfig, serverConfig)
if isBoringSignatureScheme(sigHash) { if isBoringSignatureScheme(sigHash) {
if clientErr != nil { if clientErr != nil {
t.Fatalf("expected handshake with %v to succeed; err=%v", sigHash, clientErr) t.Fatalf("expected handshake with %#x to succeed; err=%v", sigHash, clientErr)
} }
} else { } else {
if clientErr == nil { if clientErr == nil {
t.Fatalf("expected handshake with %v to fail, but it succeeded", sigHash) t.Fatalf("expected handshake with %#x to fail, but it succeeded", sigHash)
} }
} }
}) })
@ -251,6 +258,7 @@ func TestBoringClientHello(t *testing.T) {
clientConfig := testConfig.Clone() clientConfig := testConfig.Clone()
// All sorts of traps for the client to avoid. // All sorts of traps for the client to avoid.
clientConfig.MinVersion = VersionSSL30 clientConfig.MinVersion = VersionSSL30
clientConfig.MaxVersion = VersionTLS13
clientConfig.CipherSuites = allCipherSuites() clientConfig.CipherSuites = allCipherSuites()
clientConfig.CurvePreferences = defaultCurvePreferences clientConfig.CurvePreferences = defaultCurvePreferences
@ -265,9 +273,14 @@ func TestBoringClientHello(t *testing.T) {
t.Fatalf("unexpected message type %T", msg) t.Fatalf("unexpected message type %T", msg)
} }
if hello.vers != VersionTLS12 { if !isBoringVersion(hello.vers) {
t.Errorf("client vers=%#x, want %#x (TLS 1.2)", hello.vers, VersionTLS12) t.Errorf("client vers=%#x, want %#x (TLS 1.2)", hello.vers, VersionTLS12)
} }
for _, v := range hello.supportedVersions {
if !isBoringVersion(v) {
t.Errorf("client offered disallowed version %#x", v)
}
}
for _, id := range hello.cipherSuites { for _, id := range hello.cipherSuites {
if !isBoringCipherSuite(id) { if !isBoringCipherSuite(id) {
t.Errorf("client offered disallowed suite %#x", id) t.Errorf("client offered disallowed suite %#x", id)
@ -549,26 +562,6 @@ func boringCert(t *testing.T, name string, key interface{}, parent *boringCertif
return &boringCertificate{name, org, parentOrg, der, cert, key, fipsOK} return &boringCertificate{name, org, parentOrg, der, cert, key, fipsOK}
} }
func boringPool(t *testing.T, list ...*boringCertificate) *x509.CertPool {
pool := x509.NewCertPool()
for _, c := range list {
cert, err := x509.ParseCertificate(c.der)
if err != nil {
t.Fatal(err)
}
pool.AddCert(cert)
}
return pool
}
func boringList(t *testing.T, list ...*boringCertificate) [][]byte {
var all [][]byte
for _, c := range list {
all = append(all, c.der)
}
return all
}
// A self-signed test certificate with an RSA key of size 2048, for testing // A self-signed test certificate with an RSA key of size 2048, for testing
// RSA-PSS with SHA512. SAN of example.golang. // RSA-PSS with SHA512. SAN of example.golang.
var ( var (
@ -633,21 +626,3 @@ oOrtvMdrl6upy9Hz4BJD3FXwVFiPFE7jqeNqi0F21viLxBPMMD3UODF6LL5EyLiR
panic(err) panic(err)
} }
} }
// realNetPipe is like net.Pipe but returns an actual network socket pair,
// which has buffering that avoids various deadlocks if both sides
// try to speak at the same time.
func realNetPipe(t *testing.T) (net.Conn, net.Conn) {
l := newLocalListener(t)
defer l.Close()
c, err := net.Dial("tcp", l.Addr().String())
if err != nil {
t.Fatal(err)
}
s, err := l.Accept()
if err != nil {
c.Close()
t.Fatal(err)
}
return c, s
}

8
cipher_suites.go
View file

@ -151,6 +151,8 @@ func macSHA1(version uint16, key []byte) macFunction {
return mac return mac
} }
h := sha1.New h := sha1.New
// The BoringCrypto SHA1 does not have a constant-time
// checksum function, so don't try to use it.
if !boring.Enabled { if !boring.Enabled {
h = newConstantTimeHash(h) h = newConstantTimeHash(h)
} }
@ -361,11 +363,7 @@ func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) } func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) }
func newConstantTimeHash(h func() hash.Hash) func() hash.Hash { func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
if boring.Enabled { boring.Unreachable()
// The BoringCrypto SHA1 does not have a constant-time
// checksum function, so don't try to use it.
return h
}
return func() hash.Hash { return func() hash.Hash {
return &cthWrapper{h().(constantTimeHash)} return &cthWrapper{h().(constantTimeHash)}
} }

4
handshake_client_tls13.go
View file

@ -40,6 +40,10 @@ type clientHandshakeStateTLS13 struct {
func (hs *clientHandshakeStateTLS13) handshake() error { func (hs *clientHandshakeStateTLS13) handshake() error {
c := hs.c c := hs.c
if needFIPS() {
return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
}
// The server must not select TLS 1.3 in a renegotiation. See RFC 8446, // The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
// sections 4.1.2 and 4.1.3. // sections 4.1.2 and 4.1.3.
if c.handshakes > 0 { if c.handshakes > 0 {

4
handshake_server_tls13.go
View file

@ -43,6 +43,10 @@ type serverHandshakeStateTLS13 struct {
func (hs *serverHandshakeStateTLS13) handshake() error { func (hs *serverHandshakeStateTLS13) handshake() error {
c := hs.c c := hs.c
if needFIPS() {
return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
}
// For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2. // For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
if err := hs.processClientHello(); err != nil { if err := hs.processClientHello(); err != nil {
return err return err