mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-05 13:07:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

Revert "crypto/internal/boring: upgrade module to fips-20220613" +1

Browse source 
This reverts commit 7383b2a4db5dc93c9b875b42d5add73d27cc4b9f
("crypto/internal/boring: upgrade module to fips-20220613") and commit
4106de901a8efe914cda6f6c4e8d45ff8c115da4 ("crypto/tls: align FIPS-only
mode with BoringSSL policy").

Fixes #65321
Updates #64717
Updates #62372

Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508
Reviewed-on: https://go-review.googlesource.com/c/go/+/558796
Reviewed-by: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This commit is contained in:
Filippo Valsorda 2024-01-26 23:22:45 +01:00 committed by Gopher Robot
parent 035b9d2bbf
commit c3aeef03b3
8 changed files with 48 additions and 100 deletions
Download patch file Download diff file Expand all files Collapse all files

26
boring.go
View file

@ -6,10 +6,9 @@
package tls package tls
import "crypto/internal/boring/fipstls" import (
"crypto/internal/boring/fipstls"
// The FIPS-only policies enforced here currently match BoringSSL's )
// ssl_policy_fips_202205.
// needFIPS returns fipstls.Required(); it avoids a new import in common.go. // needFIPS returns fipstls.Required(); it avoids a new import in common.go.
func needFIPS() bool { func needFIPS() bool {
@ -18,19 +17,19 @@ func needFIPS() bool {
// fipsMinVersion replaces c.minVersion in FIPS-only mode. // fipsMinVersion replaces c.minVersion in FIPS-only mode.
func fipsMinVersion(c *Config) uint16 { func fipsMinVersion(c *Config) uint16 {
// FIPS requires TLS 1.2 or TLS 1.3. // FIPS requires TLS 1.2.
return VersionTLS12 return VersionTLS12
} }
// fipsMaxVersion replaces c.maxVersion in FIPS-only mode. // fipsMaxVersion replaces c.maxVersion in FIPS-only mode.
func fipsMaxVersion(c *Config) uint16 { func fipsMaxVersion(c *Config) uint16 {
// FIPS requires TLS 1.2 or TLS 1.3. // FIPS requires TLS 1.2.
return VersionTLS13 return VersionTLS12
} }
// default defaultFIPSCurvePreferences is the FIPS-allowed curves, // default defaultFIPSCurvePreferences is the FIPS-allowed curves,
// in preference order (most preferable first). // in preference order (most preferable first).
var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384} var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521}
// fipsCurvePreferences replaces c.curvePreferences in FIPS-only mode. // fipsCurvePreferences replaces c.curvePreferences in FIPS-only mode.
func fipsCurvePreferences(c *Config) []CurveID { func fipsCurvePreferences(c *Config) []CurveID {
@ -55,6 +54,8 @@ var defaultCipherSuitesFIPS = []uint16{
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384,
} }
// fipsCipherSuites replaces c.cipherSuites in FIPS-only mode. // fipsCipherSuites replaces c.cipherSuites in FIPS-only mode.
@ -74,14 +75,8 @@ func fipsCipherSuites(c *Config) []uint16 {
return list return list
} }
// defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3.
var defaultCipherSuitesTLS13FIPS = []uint16{
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
}
// fipsSupportedSignatureAlgorithms currently are a subset of // fipsSupportedSignatureAlgorithms currently are a subset of
// defaultSupportedSignatureAlgorithms without Ed25519, SHA-1, and P-521. // defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
var fipsSupportedSignatureAlgorithms = []SignatureScheme{ var fipsSupportedSignatureAlgorithms = []SignatureScheme{
PSSWithSHA256, PSSWithSHA256,
PSSWithSHA384, PSSWithSHA384,
@ -91,6 +86,7 @@ var fipsSupportedSignatureAlgorithms = []SignatureScheme{
PKCS1WithSHA384, PKCS1WithSHA384,
ECDSAWithP384AndSHA384, ECDSAWithP384AndSHA384,
PKCS1WithSHA512, PKCS1WithSHA512,
ECDSAWithP521AndSHA512,
} }
// supportedSignatureAlgorithms returns the supported signature algorithms. // supportedSignatureAlgorithms returns the supported signature algorithms.

69
boring_test.go
View file

@ -25,31 +25,6 @@ import (
"time" "time"
) )
func allCipherSuitesIncludingTLS13() []uint16 {
s := allCipherSuites()
for _, suite := range cipherSuitesTLS13 {
s = append(s, suite.id)
}
return s
}
func isTLS13CipherSuite(id uint16) bool {
for _, suite := range cipherSuitesTLS13 {
if id == suite.id {
return true
}
}
return false
}
func generateKeyShare(group CurveID) keyShare {
key, err := generateECDHEKey(rand.Reader, group)
if err != nil {
panic(err)
}
return keyShare{group: group, data: key.PublicKey().Bytes()}
}
func TestBoringServerProtocolVersion(t *testing.T) { func TestBoringServerProtocolVersion(t *testing.T) {
test := func(name string, v uint16, msg string) { test := func(name string, v uint16, msg string) {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
@ -58,11 +33,8 @@ func TestBoringServerProtocolVersion(t *testing.T) {
clientHello := &clientHelloMsg{ clientHello := &clientHelloMsg{
vers: v, vers: v,
random: make([]byte, 32), random: make([]byte, 32),
cipherSuites: allCipherSuitesIncludingTLS13(), cipherSuites: allCipherSuites(),
compressionMethods: []uint8{compressionNone}, compressionMethods: []uint8{compressionNone},
supportedCurves: defaultCurvePreferences,
keyShares: []keyShare{generateKeyShare(CurveP256)},
supportedPoints: []uint8{pointFormatUncompressed},
supportedVersions: []uint16{v}, supportedVersions: []uint16{v},
} }
testClientHelloFailure(t, serverConfig, clientHello, msg) testClientHelloFailure(t, serverConfig, clientHello, msg)
@ -76,25 +48,25 @@ func TestBoringServerProtocolVersion(t *testing.T) {
fipstls.Force() fipstls.Force()
defer fipstls.Abandon() defer fipstls.Abandon()
test("VersionSSL30/fipstls", VersionSSL30, "client offered only unsupported versions") test("VersionSSL30", VersionSSL30, "client offered only unsupported versions")
test("VersionTLS10/fipstls", VersionTLS10, "client offered only unsupported versions") test("VersionTLS10", VersionTLS10, "client offered only unsupported versions")
test("VersionTLS11/fipstls", VersionTLS11, "client offered only unsupported versions") test("VersionTLS11", VersionTLS11, "client offered only unsupported versions")
test("VersionTLS12/fipstls", VersionTLS12, "") test("VersionTLS12", VersionTLS12, "")
test("VersionTLS13/fipstls", VersionTLS13, "") test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
} }
func isBoringVersion(v uint16) bool { func isBoringVersion(v uint16) bool {
return v == VersionTLS12 || v == VersionTLS13 return v == VersionTLS12
} }
func isBoringCipherSuite(id uint16) bool { func isBoringCipherSuite(id uint16) bool {
switch id { switch id {
case TLS_AES_128_GCM_SHA256, case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_GCM_SHA384:
return true return true
} }
return false return false
@ -102,7 +74,7 @@ func isBoringCipherSuite(id uint16) bool {
func isBoringCurve(id CurveID) bool { func isBoringCurve(id CurveID) bool {
switch id { switch id {
case CurveP256, CurveP384: case CurveP256, CurveP384, CurveP521:
return true return true
} }
return false return false
@ -114,7 +86,7 @@ func isECDSA(id uint16) bool {
return suite.flags&suiteECSign == suiteECSign return suite.flags&suiteECSign == suiteECSign
} }
} }
return false // TLS 1.3 cipher suites are not tied to the signature algorithm. panic(fmt.Sprintf("unknown cipher suite %#x", id))
} }
func isBoringSignatureScheme(alg SignatureScheme) bool { func isBoringSignatureScheme(alg SignatureScheme) bool {
@ -126,6 +98,7 @@ func isBoringSignatureScheme(alg SignatureScheme) bool {
PKCS1WithSHA384, PKCS1WithSHA384,
ECDSAWithP384AndSHA384, ECDSAWithP384AndSHA384,
PKCS1WithSHA512, PKCS1WithSHA512,
ECDSAWithP521AndSHA512,
PSSWithSHA256, PSSWithSHA256,
PSSWithSHA384, PSSWithSHA384,
PSSWithSHA512: PSSWithSHA512:
@ -136,9 +109,10 @@ func isBoringSignatureScheme(alg SignatureScheme) bool {
func TestBoringServerCipherSuites(t *testing.T) { func TestBoringServerCipherSuites(t *testing.T) {
serverConfig := testConfig.Clone() serverConfig := testConfig.Clone()
serverConfig.CipherSuites = allCipherSuites()
serverConfig.Certificates = make([]Certificate, 1) serverConfig.Certificates = make([]Certificate, 1)
for _, id := range allCipherSuitesIncludingTLS13() { for _, id := range allCipherSuites() {
if isECDSA(id) { if isECDSA(id) {
serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
@ -147,19 +121,14 @@ func TestBoringServerCipherSuites(t *testing.T) {
serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey
} }
serverConfig.BuildNameToCertificate() serverConfig.BuildNameToCertificate()
t.Run(fmt.Sprintf("suite=%s", CipherSuiteName(id)), func(t *testing.T) { t.Run(fmt.Sprintf("suite=%#x", id), func(t *testing.T) {
clientHello := &clientHelloMsg{ clientHello := &clientHelloMsg{
vers: VersionTLS12, vers: VersionTLS12,
random: make([]byte, 32), random: make([]byte, 32),
cipherSuites: []uint16{id}, cipherSuites: []uint16{id},
compressionMethods: []uint8{compressionNone}, compressionMethods: []uint8{compressionNone},
supportedCurves: defaultCurvePreferences, supportedCurves: defaultCurvePreferences,
keyShares: []keyShare{generateKeyShare(CurveP256)},
supportedPoints: []uint8{pointFormatUncompressed}, supportedPoints: []uint8{pointFormatUncompressed},
supportedVersions: []uint16{VersionTLS12},
}
if isTLS13CipherSuite(id) {
clientHello.supportedVersions = []uint16{VersionTLS13}
} }
testClientHello(t, serverConfig, clientHello) testClientHello(t, serverConfig, clientHello)
@ -191,9 +160,7 @@ func TestBoringServerCurves(t *testing.T) {
cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
compressionMethods: []uint8{compressionNone}, compressionMethods: []uint8{compressionNone},
supportedCurves: []CurveID{curveid}, supportedCurves: []CurveID{curveid},
keyShares: []keyShare{generateKeyShare(curveid)},
supportedPoints: []uint8{pointFormatUncompressed}, supportedPoints: []uint8{pointFormatUncompressed},
supportedVersions: []uint16{VersionTLS12},
} }
testClientHello(t, serverConfig, clientHello) testClientHello(t, serverConfig, clientHello)
@ -312,7 +279,7 @@ func TestBoringClientHello(t *testing.T) {
} }
if !isBoringVersion(hello.vers) { if !isBoringVersion(hello.vers) {
t.Errorf("client vers=%#x", hello.vers) t.Errorf("client vers=%#x, want %#x (TLS 1.2)", hello.vers, VersionTLS12)
} }
for _, v := range hello.supportedVersions { for _, v := range hello.supportedVersions {
if !isBoringVersion(v) { if !isBoringVersion(v) {

8
cipher_suites.go
View file

@ -556,13 +556,7 @@ func aeadAESGCMTLS13(key, nonceMask []byte) aead {
if err != nil { if err != nil {
panic(err) panic(err)
} }
var aead cipher.AEAD aead, err := cipher.NewGCM(aes)
if boring.Enabled {
aead, err = boring.NewGCMTLS13(aes)
} else {
boring.Unreachable()
aead, err = cipher.NewGCM(aes)
}
if err != nil { if err != nil {
panic(err) panic(err)
} }

4
handshake_client.go
View file

@ -139,9 +139,7 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, *ecdh.PrivateKey, error) {
if len(hello.supportedVersions) == 1 { if len(hello.supportedVersions) == 1 {
hello.cipherSuites = nil hello.cipherSuites = nil
} }
if needFIPS() { if hasAESGCMHardwareSupport {
hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13FIPS...)
} else if hasAESGCMHardwareSupport {
hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...) hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...)
} else { } else {
hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...) hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...)

4
handshake_client_tls13.go
View file

@ -41,6 +41,10 @@ type clientHandshakeStateTLS13 struct {
func (hs *clientHandshakeStateTLS13) handshake() error { func (hs *clientHandshakeStateTLS13) handshake() error {
c := hs.c c := hs.c
if needFIPS() {
return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
}
// The server must not select TLS 1.3 in a renegotiation. See RFC 8446, // The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
// sections 4.1.2 and 4.1.3. // sections 4.1.2 and 4.1.3.
if c.handshakes > 0 { if c.handshakes > 0 {

28
handshake_server_test.go
View file

@ -27,7 +27,6 @@ import (
) )
func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) { func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) {
t.Helper()
testClientHelloFailure(t, serverConfig, m, "") testClientHelloFailure(t, serverConfig, m, "")
} }
@ -53,32 +52,23 @@ func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessa
ctx := context.Background() ctx := context.Background()
conn := Server(s, serverConfig) conn := Server(s, serverConfig)
ch, err := conn.readClientHello(ctx) ch, err := conn.readClientHello(ctx)
if err == nil && conn.vers == VersionTLS13 { hs := serverHandshakeState{
hs := serverHandshakeStateTLS13{ c: conn,
c: conn, ctx: ctx,
ctx: ctx, clientHello: ch,
clientHello: ch, }
} if err == nil {
err = hs.processClientHello() err = hs.processClientHello()
} else if err == nil { }
hs := serverHandshakeState{ if err == nil {
c: conn, err = hs.pickCipherSuite()
ctx: ctx,
clientHello: ch,
}
err = hs.processClientHello()
if err == nil {
err = hs.pickCipherSuite()
}
} }
s.Close() s.Close()
if len(expectedSubStr) == 0 { if len(expectedSubStr) == 0 {
if err != nil && err != io.EOF { if err != nil && err != io.EOF {
t.Helper()
t.Errorf("Got error: %s; expected to succeed", err) t.Errorf("Got error: %s; expected to succeed", err)
} }
} else if err == nil || !strings.Contains(err.Error(), expectedSubStr) { } else if err == nil || !strings.Contains(err.Error(), expectedSubStr) {
t.Helper()
t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr) t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr)
} }
} }

7
handshake_server_tls13.go
View file

@ -45,6 +45,10 @@ type serverHandshakeStateTLS13 struct {
func (hs *serverHandshakeStateTLS13) handshake() error { func (hs *serverHandshakeStateTLS13) handshake() error {
c := hs.c c := hs.c
if needFIPS() {
return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
}
// For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2. // For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
if err := hs.processClientHello(); err != nil { if err := hs.processClientHello(); err != nil {
return err return err
@ -159,9 +163,6 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) { if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
preferenceList = defaultCipherSuitesTLS13NoAES preferenceList = defaultCipherSuitesTLS13NoAES
} }
if needFIPS() {
preferenceList = defaultCipherSuitesTLS13FIPS
}
for _, suiteID := range preferenceList { for _, suiteID := range preferenceList {
hs.suite = mutualCipherSuiteTLS13(hs.clientHello.cipherSuites, suiteID) hs.suite = mutualCipherSuiteTLS13(hs.clientHello.cipherSuites, suiteID)
if hs.suite != nil { if hs.suite != nil {

2
notboring.go
View file

@ -18,5 +18,3 @@ func fipsCurvePreferences(c *Config) []CurveID { panic("fipsCurvePreferences") }
func fipsCipherSuites(c *Config) []uint16 { panic("fipsCipherSuites") } func fipsCipherSuites(c *Config) []uint16 { panic("fipsCipherSuites") }
var fipsSupportedSignatureAlgorithms []SignatureScheme var fipsSupportedSignatureAlgorithms []SignatureScheme
var defaultCipherSuitesTLS13FIPS []uint16