sync: Go 1.21 with QUIC support (#208)

* sync: Go 1.21rc3, QUIC support added (#207) * sync: merge with upstream tag/go-1.21rc3 (#11) * fix: all tests pass * impl: UQUIC Transport * deps: bump up min Go version * new: uquic * fix: add QUICTransportParameter * deprecated: Go 1.19 no longer supported Go 1.19 will fail to build or pass the test once we bump up to the new version. * sync: crypto/tls: restrict RSA keys in certificates to <= 8192 bits (#209) * [release-branch.go1.21] crypto/tls: restrict RSA keys in certificates to <= 8192 bits Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. Limit this by restricting the size of RSA keys transmitted during handshakes to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable. Thanks to Mateusz Poliwczak for reporting this issue. Fixes CVE-2023-29409 * build: [ci skip] boring not included * fix: typo [ci skip] * docs: replenish readme [ci skip] replace old build status badge with new ones, bump up required version noted in docs, update developer contact to reflect current status.
2025-04-03 20:17:36 +03:00 · 2023-08-03 23:22:53 -06:00 · 2023-08-03 23:22:53 -06:00 · 86e9b69fdd
commit 86e9b69fdd
parent d73321bb14
150 changed files with 13344 additions and 10239 deletions
--- a/u_public.go
+++ b/u_public.go
@ -6,8 +6,10 @@ package tls

 import (
 	"crypto"
+	"crypto/ecdh"
 	"crypto/x509"
 	"hash"
+	"time"
 )

 // ClientHandshakeState includes both TLS 1.3-only and TLS 1.2-only states,
@ -24,7 +26,7 @@ type PubClientHandshakeState struct {
 	ServerHello  *PubServerHelloMsg
 	Hello        *PubClientHelloMsg
 	MasterSecret []byte
-	Session      *ClientSessionState
+	Session      *SessionState

 	State12 TLS12OnlyState
 	State13 TLS13OnlyState
@ -35,7 +37,7 @@ type PubClientHandshakeState struct {
 // TLS 1.3 only
 type TLS13OnlyState struct {
 	Suite                *PubCipherSuiteTLS13
-	EcdheParams          EcdheParameters
+	EcdheKey             *ecdh.PrivateKey
 	KeySharesEcdheParams KeySharesEcdheParameters
 	EarlySecret          []byte
 	BinderKey            []byte
@ -60,7 +62,7 @@ func (chs *PubClientHandshakeState) toPrivate13() *clientHandshakeStateTLS13 {
 			c:                    chs.C,
 			serverHello:          chs.ServerHello.getPrivatePtr(),
 			hello:                chs.Hello.getPrivatePtr(),
-			ecdheParams:          chs.State13.EcdheParams,
+			ecdheKey:             chs.State13.EcdheKey,
 			keySharesEcdheParams: chs.State13.KeySharesEcdheParams,

 			session:     chs.Session,
@ -86,7 +88,7 @@ func (chs13 *clientHandshakeStateTLS13) toPublic13() *PubClientHandshakeState {
 	} else {
 		tls13State := TLS13OnlyState{
 			KeySharesEcdheParams: chs13.keySharesEcdheParams,
-			EcdheParams:          chs13.ecdheParams,
+			EcdheKey:             chs13.ecdheKey,
 			EarlySecret:          chs13.earlySecret,
 			BinderKey:            chs13.binderKey,
 			CertReq:              chs13.certReq.toPublic(),
@ -156,9 +158,9 @@ func (chs12 *clientHandshakeState) toPublic12() *PubClientHandshakeState {
 	}
 }

-type EcdheParameters interface {
-	ecdheParameters
-}
+// type EcdheParameters interface {
+// 	ecdheParameters
+// }

 type CertificateRequestMsgTLS13 struct {
 	Raw                              []byte
@ -243,7 +245,7 @@ type PubServerHelloMsg struct {
 	NextProtos                   []string
 	OcspStapling                 bool
 	Scts                         [][]byte
-	Ems                          bool
+	ExtendedMasterSecret         bool
 	TicketSupported              bool
 	SecureRenegotiation          []byte
 	SecureRenegotiationSupported bool
@ -274,7 +276,7 @@ func (shm *PubServerHelloMsg) getPrivatePtr() *serverHelloMsg {
 			nextProtos:                   shm.NextProtos,
 			ocspStapling:                 shm.OcspStapling,
 			scts:                         shm.Scts,
-			ems:                          shm.Ems,
+			extendedMasterSecret:         shm.ExtendedMasterSecret,
 			ticketSupported:              shm.TicketSupported,
 			secureRenegotiation:          shm.SecureRenegotiation,
 			secureRenegotiationSupported: shm.SecureRenegotiationSupported,
@ -304,7 +306,7 @@ func (shm *serverHelloMsg) getPublicPtr() *PubServerHelloMsg {
 			NextProtos:                   shm.nextProtos,
 			OcspStapling:                 shm.ocspStapling,
 			Scts:                         shm.scts,
-			Ems:                          shm.ems,
+			ExtendedMasterSecret:         shm.extendedMasterSecret,
 			TicketSupported:              shm.ticketSupported,
 			SecureRenegotiation:          shm.secureRenegotiation,
 			SecureRenegotiationSupported: shm.secureRenegotiationSupported,
@ -349,6 +351,7 @@ type PubClientHelloMsg struct {
 	PskModes                         []uint8
 	PskIdentities                    []PskIdentity
 	PskBinders                       [][]byte
+	QuicTransportParameters          []byte
 }

 func (chm *PubClientHelloMsg) getPrivatePtr() *clientHelloMsg {
@ -356,34 +359,36 @@ func (chm *PubClientHelloMsg) getPrivatePtr() *clientHelloMsg {
 		return nil
 	} else {
 		return &clientHelloMsg{
-			raw:                          chm.Raw,
-			vers:                         chm.Vers,
-			random:                       chm.Random,
-			sessionId:                    chm.SessionId,
-			cipherSuites:                 chm.CipherSuites,
-			compressionMethods:           chm.CompressionMethods,
-			nextProtoNeg:                 chm.NextProtoNeg,
-			serverName:                   chm.ServerName,
-			ocspStapling:                 chm.OcspStapling,
-			scts:                         chm.Scts,
-			ems:                          chm.Ems,
-			supportedCurves:              chm.SupportedCurves,
-			supportedPoints:              chm.SupportedPoints,
-			ticketSupported:              chm.TicketSupported,
-			sessionTicket:                chm.SessionTicket,
-			supportedSignatureAlgorithms: chm.SupportedSignatureAlgorithms,
-			secureRenegotiation:          chm.SecureRenegotiation,
-			secureRenegotiationSupported: chm.SecureRenegotiationSupported,
-			alpnProtocols:                chm.AlpnProtocols,
-
+			raw:                              chm.Raw,
+			vers:                             chm.Vers,
+			random:                           chm.Random,
+			sessionId:                        chm.SessionId,
+			cipherSuites:                     chm.CipherSuites,
+			compressionMethods:               chm.CompressionMethods,
+			serverName:                       chm.ServerName,
+			ocspStapling:                     chm.OcspStapling,
+			supportedCurves:                  chm.SupportedCurves,
+			supportedPoints:                  chm.SupportedPoints,
+			ticketSupported:                  chm.TicketSupported,
+			sessionTicket:                    chm.SessionTicket,
+			supportedSignatureAlgorithms:     chm.SupportedSignatureAlgorithms,
 			supportedSignatureAlgorithmsCert: chm.SupportedSignatureAlgorithmsCert,
-			supportedVersions:                chm.SupportedVersions,
-			cookie:                           chm.Cookie,
-			keyShares:                        KeyShares(chm.KeyShares).ToPrivate(),
-			earlyData:                        chm.EarlyData,
-			pskModes:                         chm.PskModes,
-			pskIdentities:                    PskIdentities(chm.PskIdentities).ToPrivate(),
-			pskBinders:                       chm.PskBinders,
+			secureRenegotiationSupported:     chm.SecureRenegotiationSupported,
+			secureRenegotiation:              chm.SecureRenegotiation,
+			extendedMasterSecret:             chm.Ems,
+			alpnProtocols:                    chm.AlpnProtocols,
+			scts:                             chm.Scts,
+
+			supportedVersions:       chm.SupportedVersions,
+			cookie:                  chm.Cookie,
+			keyShares:               KeyShares(chm.KeyShares).ToPrivate(),
+			earlyData:               chm.EarlyData,
+			pskModes:                chm.PskModes,
+			pskIdentities:           PskIdentities(chm.PskIdentities).ToPrivate(),
+			pskBinders:              chm.PskBinders,
+			quicTransportParameters: chm.QuicTransportParameters,
+
+			nextProtoNeg: chm.NextProtoNeg,
 		}
 	}
 }
@ -403,7 +408,7 @@ func (chm *clientHelloMsg) getPublicPtr() *PubClientHelloMsg {
 			ServerName:                   chm.serverName,
 			OcspStapling:                 chm.ocspStapling,
 			Scts:                         chm.scts,
-			Ems:                          chm.ems,
+			Ems:                          chm.extendedMasterSecret,
 			SupportedCurves:              chm.supportedCurves,
 			SupportedPoints:              chm.supportedPoints,
 			TicketSupported:              chm.ticketSupported,
@ -421,6 +426,7 @@ func (chm *clientHelloMsg) getPublicPtr() *PubClientHelloMsg {
 			PskModes:                         chm.pskModes,
 			PskIdentities:                    pskIdentities(chm.pskIdentities).ToPublic(),
 			PskBinders:                       chm.pskBinders,
+			QuicTransportParameters:          chm.quicTransportParameters,
 		}
 	}
 }
@ -601,71 +607,89 @@ func MakeClientSessionState(
 	MasterSecret []byte,
 	ServerCertificates []*x509.Certificate,
 	VerifiedChains [][]*x509.Certificate) *ClientSessionState {
-	css := ClientSessionState{sessionTicket: SessionTicket,
-		vers:               Vers,
-		cipherSuite:        CipherSuite,
-		masterSecret:       MasterSecret,
-		serverCertificates: ServerCertificates,
-		verifiedChains:     VerifiedChains}
-	return &css
+	css := &ClientSessionState{
+		ticket: SessionTicket,
+		session: &SessionState{
+			version:          Vers,
+			cipherSuite:      CipherSuite,
+			secret:           MasterSecret,
+			peerCertificates: ServerCertificates,
+			verifiedChains:   VerifiedChains,
+		},
+	}
+	return css
 }

 // Encrypted ticket used for session resumption with server
 func (css *ClientSessionState) SessionTicket() []uint8 {
-	return css.sessionTicket
+	return css.ticket
 }

 // SSL/TLS version negotiated for the session
 func (css *ClientSessionState) Vers() uint16 {
-	return css.vers
+	return css.session.version
 }

 // Ciphersuite negotiated for the session
 func (css *ClientSessionState) CipherSuite() uint16 {
-	return css.cipherSuite
+	return css.session.cipherSuite
 }

 // MasterSecret generated by client on a full handshake
 func (css *ClientSessionState) MasterSecret() []byte {
-	return css.masterSecret
+	return css.session.secret
 }

 // Certificate chain presented by the server
 func (css *ClientSessionState) ServerCertificates() []*x509.Certificate {
-	return css.serverCertificates
+	return css.session.peerCertificates
 }

 // Certificate chains we built for verification
 func (css *ClientSessionState) VerifiedChains() [][]*x509.Certificate {
-	return css.verifiedChains
+	return css.session.verifiedChains
 }

 func (css *ClientSessionState) SetSessionTicket(SessionTicket []uint8) {
-	css.sessionTicket = SessionTicket
+	css.ticket = SessionTicket
 }
 func (css *ClientSessionState) SetVers(Vers uint16) {
-	css.vers = Vers
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.version = Vers
 }
 func (css *ClientSessionState) SetCipherSuite(CipherSuite uint16) {
-	css.cipherSuite = CipherSuite
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.cipherSuite = CipherSuite
 }
 func (css *ClientSessionState) SetMasterSecret(MasterSecret []byte) {
-	css.masterSecret = MasterSecret
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.secret = MasterSecret
 }
 func (css *ClientSessionState) SetServerCertificates(ServerCertificates []*x509.Certificate) {
-	css.serverCertificates = ServerCertificates
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.peerCertificates = ServerCertificates
 }
 func (css *ClientSessionState) SetVerifiedChains(VerifiedChains [][]*x509.Certificate) {
-	css.verifiedChains = VerifiedChains
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.verifiedChains = VerifiedChains
 }

 // TicketKey is the internal representation of a session ticket key.
 type TicketKey struct {
-	// KeyName is an opaque byte string that serves to identify the session
-	// ticket key. It's exposed as plaintext in every session ticket.
-	KeyName [ticketKeyNameLen]byte
 	AesKey  [16]byte
 	HmacKey [16]byte
+	// created is the time at which this ticket key was created. See Config.ticketKeys.
+	Created time.Time
 }

 type TicketKeys []TicketKey
@ -681,17 +705,17 @@ func TicketKeyFromBytes(b [32]byte) TicketKey {

 func (tk ticketKey) ToPublic() TicketKey {
 	return TicketKey{
-		KeyName: tk.keyName,
 		AesKey:  tk.aesKey,
 		HmacKey: tk.hmacKey,
+		Created: tk.created,
 	}
 }

 func (TK TicketKey) ToPrivate() ticketKey {
 	return ticketKey{
-		keyName: TK.KeyName,
 		aesKey:  TK.AesKey,
 		hmacKey: TK.HmacKey,
+		created: TK.Created,
 	}
 }