From c3aeef03b3e246554f6d6232e26eb030dcefa2fa Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Fri, 26 Jan 2024 23:22:45 +0100 Subject: [PATCH] Revert "crypto/internal/boring: upgrade module to fips-20220613" +1 This reverts commit 7383b2a4db5dc93c9b875b42d5add73d27cc4b9f ("crypto/internal/boring: upgrade module to fips-20220613") and commit 4106de901a8efe914cda6f6c4e8d45ff8c115da4 ("crypto/tls: align FIPS-only mode with BoringSSL policy"). Fixes #65321 Updates #64717 Updates #62372 Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508 Reviewed-on: https://go-review.googlesource.com/c/go/+/558796 Reviewed-by: Michael Knyszek Reviewed-by: Roland Shoemaker Auto-Submit: Filippo Valsorda LUCI-TryBot-Result: Go LUCI --- boring.go | 26 +++++++-------- boring_test.go | 69 ++++++++++----------------------------- cipher_suites.go | 8 +---- handshake_client.go | 4 +-- handshake_client_tls13.go | 4 +++ handshake_server_test.go | 28 +++++----------- handshake_server_tls13.go | 7 ++-- notboring.go | 2 -- 8 files changed, 48 insertions(+), 100 deletions(-) diff --git a/boring.go b/boring.go index aad96b1..1827f76 100644 --- a/boring.go +++ b/boring.go @@ -6,10 +6,9 @@ package tls -import "crypto/internal/boring/fipstls" - -// The FIPS-only policies enforced here currently match BoringSSL's -// ssl_policy_fips_202205. +import ( + "crypto/internal/boring/fipstls" +) // needFIPS returns fipstls.Required(); it avoids a new import in common.go. func needFIPS() bool { @@ -18,19 +17,19 @@ func needFIPS() bool { // fipsMinVersion replaces c.minVersion in FIPS-only mode. func fipsMinVersion(c *Config) uint16 { - // FIPS requires TLS 1.2 or TLS 1.3. + // FIPS requires TLS 1.2. return VersionTLS12 } // fipsMaxVersion replaces c.maxVersion in FIPS-only mode. func fipsMaxVersion(c *Config) uint16 { - // FIPS requires TLS 1.2 or TLS 1.3. - return VersionTLS13 + // FIPS requires TLS 1.2. + return VersionTLS12 } // default defaultFIPSCurvePreferences is the FIPS-allowed curves, // in preference order (most preferable first). -var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384} +var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521} // fipsCurvePreferences replaces c.curvePreferences in FIPS-only mode. func fipsCurvePreferences(c *Config) []CurveID { @@ -55,6 +54,8 @@ var defaultCipherSuitesFIPS = []uint16{ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, } // fipsCipherSuites replaces c.cipherSuites in FIPS-only mode. @@ -74,14 +75,8 @@ func fipsCipherSuites(c *Config) []uint16 { return list } -// defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3. -var defaultCipherSuitesTLS13FIPS = []uint16{ - TLS_AES_128_GCM_SHA256, - TLS_AES_256_GCM_SHA384, -} - // fipsSupportedSignatureAlgorithms currently are a subset of -// defaultSupportedSignatureAlgorithms without Ed25519, SHA-1, and P-521. +// defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1. var fipsSupportedSignatureAlgorithms = []SignatureScheme{ PSSWithSHA256, PSSWithSHA384, @@ -91,6 +86,7 @@ var fipsSupportedSignatureAlgorithms = []SignatureScheme{ PKCS1WithSHA384, ECDSAWithP384AndSHA384, PKCS1WithSHA512, + ECDSAWithP521AndSHA512, } // supportedSignatureAlgorithms returns the supported signature algorithms. diff --git a/boring_test.go b/boring_test.go index a192a65..085ff57 100644 --- a/boring_test.go +++ b/boring_test.go @@ -25,31 +25,6 @@ import ( "time" ) -func allCipherSuitesIncludingTLS13() []uint16 { - s := allCipherSuites() - for _, suite := range cipherSuitesTLS13 { - s = append(s, suite.id) - } - return s -} - -func isTLS13CipherSuite(id uint16) bool { - for _, suite := range cipherSuitesTLS13 { - if id == suite.id { - return true - } - } - return false -} - -func generateKeyShare(group CurveID) keyShare { - key, err := generateECDHEKey(rand.Reader, group) - if err != nil { - panic(err) - } - return keyShare{group: group, data: key.PublicKey().Bytes()} -} - func TestBoringServerProtocolVersion(t *testing.T) { test := func(name string, v uint16, msg string) { t.Run(name, func(t *testing.T) { @@ -58,11 +33,8 @@ func TestBoringServerProtocolVersion(t *testing.T) { clientHello := &clientHelloMsg{ vers: v, random: make([]byte, 32), - cipherSuites: allCipherSuitesIncludingTLS13(), + cipherSuites: allCipherSuites(), compressionMethods: []uint8{compressionNone}, - supportedCurves: defaultCurvePreferences, - keyShares: []keyShare{generateKeyShare(CurveP256)}, - supportedPoints: []uint8{pointFormatUncompressed}, supportedVersions: []uint16{v}, } testClientHelloFailure(t, serverConfig, clientHello, msg) @@ -76,25 +48,25 @@ func TestBoringServerProtocolVersion(t *testing.T) { fipstls.Force() defer fipstls.Abandon() - test("VersionSSL30/fipstls", VersionSSL30, "client offered only unsupported versions") - test("VersionTLS10/fipstls", VersionTLS10, "client offered only unsupported versions") - test("VersionTLS11/fipstls", VersionTLS11, "client offered only unsupported versions") - test("VersionTLS12/fipstls", VersionTLS12, "") - test("VersionTLS13/fipstls", VersionTLS13, "") + test("VersionSSL30", VersionSSL30, "client offered only unsupported versions") + test("VersionTLS10", VersionTLS10, "client offered only unsupported versions") + test("VersionTLS11", VersionTLS11, "client offered only unsupported versions") + test("VersionTLS12", VersionTLS12, "") + test("VersionTLS13", VersionTLS13, "client offered only unsupported versions") } func isBoringVersion(v uint16) bool { - return v == VersionTLS12 || v == VersionTLS13 + return v == VersionTLS12 } func isBoringCipherSuite(id uint16) bool { switch id { - case TLS_AES_128_GCM_SHA256, - TLS_AES_256_GCM_SHA384, - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384: return true } return false @@ -102,7 +74,7 @@ func isBoringCipherSuite(id uint16) bool { func isBoringCurve(id CurveID) bool { switch id { - case CurveP256, CurveP384: + case CurveP256, CurveP384, CurveP521: return true } return false @@ -114,7 +86,7 @@ func isECDSA(id uint16) bool { return suite.flags&suiteECSign == suiteECSign } } - return false // TLS 1.3 cipher suites are not tied to the signature algorithm. + panic(fmt.Sprintf("unknown cipher suite %#x", id)) } func isBoringSignatureScheme(alg SignatureScheme) bool { @@ -126,6 +98,7 @@ func isBoringSignatureScheme(alg SignatureScheme) bool { PKCS1WithSHA384, ECDSAWithP384AndSHA384, PKCS1WithSHA512, + ECDSAWithP521AndSHA512, PSSWithSHA256, PSSWithSHA384, PSSWithSHA512: @@ -136,9 +109,10 @@ func isBoringSignatureScheme(alg SignatureScheme) bool { func TestBoringServerCipherSuites(t *testing.T) { serverConfig := testConfig.Clone() + serverConfig.CipherSuites = allCipherSuites() serverConfig.Certificates = make([]Certificate, 1) - for _, id := range allCipherSuitesIncludingTLS13() { + for _, id := range allCipherSuites() { if isECDSA(id) { serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey @@ -147,19 +121,14 @@ func TestBoringServerCipherSuites(t *testing.T) { serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey } serverConfig.BuildNameToCertificate() - t.Run(fmt.Sprintf("suite=%s", CipherSuiteName(id)), func(t *testing.T) { + t.Run(fmt.Sprintf("suite=%#x", id), func(t *testing.T) { clientHello := &clientHelloMsg{ vers: VersionTLS12, random: make([]byte, 32), cipherSuites: []uint16{id}, compressionMethods: []uint8{compressionNone}, supportedCurves: defaultCurvePreferences, - keyShares: []keyShare{generateKeyShare(CurveP256)}, supportedPoints: []uint8{pointFormatUncompressed}, - supportedVersions: []uint16{VersionTLS12}, - } - if isTLS13CipherSuite(id) { - clientHello.supportedVersions = []uint16{VersionTLS13} } testClientHello(t, serverConfig, clientHello) @@ -191,9 +160,7 @@ func TestBoringServerCurves(t *testing.T) { cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, compressionMethods: []uint8{compressionNone}, supportedCurves: []CurveID{curveid}, - keyShares: []keyShare{generateKeyShare(curveid)}, supportedPoints: []uint8{pointFormatUncompressed}, - supportedVersions: []uint16{VersionTLS12}, } testClientHello(t, serverConfig, clientHello) @@ -312,7 +279,7 @@ func TestBoringClientHello(t *testing.T) { } if !isBoringVersion(hello.vers) { - t.Errorf("client vers=%#x", hello.vers) + t.Errorf("client vers=%#x, want %#x (TLS 1.2)", hello.vers, VersionTLS12) } for _, v := range hello.supportedVersions { if !isBoringVersion(v) { diff --git a/cipher_suites.go b/cipher_suites.go index 636689b..6f5bc37 100644 --- a/cipher_suites.go +++ b/cipher_suites.go @@ -556,13 +556,7 @@ func aeadAESGCMTLS13(key, nonceMask []byte) aead { if err != nil { panic(err) } - var aead cipher.AEAD - if boring.Enabled { - aead, err = boring.NewGCMTLS13(aes) - } else { - boring.Unreachable() - aead, err = cipher.NewGCM(aes) - } + aead, err := cipher.NewGCM(aes) if err != nil { panic(err) } diff --git a/handshake_client.go b/handshake_client.go index 89004c2..f016e01 100644 --- a/handshake_client.go +++ b/handshake_client.go @@ -139,9 +139,7 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, *ecdh.PrivateKey, error) { if len(hello.supportedVersions) == 1 { hello.cipherSuites = nil } - if needFIPS() { - hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13FIPS...) - } else if hasAESGCMHardwareSupport { + if hasAESGCMHardwareSupport { hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...) } else { hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...) diff --git a/handshake_client_tls13.go b/handshake_client_tls13.go index a84cede..2f59f68 100644 --- a/handshake_client_tls13.go +++ b/handshake_client_tls13.go @@ -41,6 +41,10 @@ type clientHandshakeStateTLS13 struct { func (hs *clientHandshakeStateTLS13) handshake() error { c := hs.c + if needFIPS() { + return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode") + } + // The server must not select TLS 1.3 in a renegotiation. See RFC 8446, // sections 4.1.2 and 4.1.3. if c.handshakes > 0 { diff --git a/handshake_server_test.go b/handshake_server_test.go index c0a86a4..15db760 100644 --- a/handshake_server_test.go +++ b/handshake_server_test.go @@ -27,7 +27,6 @@ import ( ) func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) { - t.Helper() testClientHelloFailure(t, serverConfig, m, "") } @@ -53,32 +52,23 @@ func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessa ctx := context.Background() conn := Server(s, serverConfig) ch, err := conn.readClientHello(ctx) - if err == nil && conn.vers == VersionTLS13 { - hs := serverHandshakeStateTLS13{ - c: conn, - ctx: ctx, - clientHello: ch, - } + hs := serverHandshakeState{ + c: conn, + ctx: ctx, + clientHello: ch, + } + if err == nil { err = hs.processClientHello() - } else if err == nil { - hs := serverHandshakeState{ - c: conn, - ctx: ctx, - clientHello: ch, - } - err = hs.processClientHello() - if err == nil { - err = hs.pickCipherSuite() - } + } + if err == nil { + err = hs.pickCipherSuite() } s.Close() if len(expectedSubStr) == 0 { if err != nil && err != io.EOF { - t.Helper() t.Errorf("Got error: %s; expected to succeed", err) } } else if err == nil || !strings.Contains(err.Error(), expectedSubStr) { - t.Helper() t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr) } } diff --git a/handshake_server_tls13.go b/handshake_server_tls13.go index b68ff9d..21d798d 100644 --- a/handshake_server_tls13.go +++ b/handshake_server_tls13.go @@ -45,6 +45,10 @@ type serverHandshakeStateTLS13 struct { func (hs *serverHandshakeStateTLS13) handshake() error { c := hs.c + if needFIPS() { + return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode") + } + // For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2. if err := hs.processClientHello(); err != nil { return err @@ -159,9 +163,6 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error { if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) { preferenceList = defaultCipherSuitesTLS13NoAES } - if needFIPS() { - preferenceList = defaultCipherSuitesTLS13FIPS - } for _, suiteID := range preferenceList { hs.suite = mutualCipherSuiteTLS13(hs.clientHello.cipherSuites, suiteID) if hs.suite != nil { diff --git a/notboring.go b/notboring.go index edccb44..7d85b39 100644 --- a/notboring.go +++ b/notboring.go @@ -18,5 +18,3 @@ func fipsCurvePreferences(c *Config) []CurveID { panic("fipsCurvePreferences") } func fipsCipherSuites(c *Config) []uint16 { panic("fipsCipherSuites") } var fipsSupportedSignatureAlgorithms []SignatureScheme - -var defaultCipherSuitesTLS13FIPS []uint16