mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-04 20:47:36 +03:00
crypto/tls: implement TLS 1.3 PSK authentication (client side)
Also check original certificate validity when resuming TLS 1.0–1.2. Will refuse to resume a session if the certificate is expired or if the original connection had InsecureSkipVerify and the resumed one doesn't. Support only PSK+DHE to protect forward secrecy even with lack of a strong session ticket rotation story. Tested with NSS because s_server does not provide any way of getting the same session ticket key across invocations. Will self-test like TLS 1.0–1.2 once server side is implemented. Incorporates CL 128477 by @santoshankr. Fixes #24919 Updates #9671 Change-Id: Id3eaa5b6c77544a1357668bf9ff255f3420ecc34 Reviewed-on: https://go-review.googlesource.com/c/147420 Reviewed-by: Adam Langley <agl@golang.org>
This commit is contained in:
Filippo Valsorda
parent
5b79a7c982
commit
dc9021e679
11 changed files with 444 additions and 158 deletions
|
|
@ -18,6 +18,7 @@ import (
|
|||
"strconv"
|
||||
"strings"
|
||||
"sync/atomic"
|
||||
"time"
|
||||
)
|
||||
|
||||
type clientHandshakeState struct {
|
||||
|
|
@ -134,7 +135,7 @@ NextCipherSuite:
|
|||
return hello, params, nil
|
||||
}
|
||||
|
||||
func (c *Conn) clientHandshake() error {
|
||||
func (c *Conn) clientHandshake() (err error) {
|
||||
if c.config == nil {
|
||||
c.config = defaultConfig()
|
||||
}
|
||||
|
|
@ -148,8 +149,20 @@ func (c *Conn) clientHandshake() error {
|
|||
return err
|
||||
}
|
||||
|
||||
var newSession *ClientSessionState
|
||||
cacheKey, session := c.loadSession(hello)
|
||||
cacheKey, session, earlySecret, binderKey := c.loadSession(hello)
|
||||
if cacheKey != "" && session != nil {
|
||||
defer func() {
|
||||
// If we got a handshake failure when resuming a session, throw away
|
||||
// the session ticket. See RFC 5077, Section 3.2.
|
||||
//
|
||||
// RFC 8446 makes no mention of dropping tickets on failure, but it
|
||||
// does require servers to abort on invalid binders, so we need to
|
||||
// delete tickets to recover from a corrupted PSK.
|
||||
if err != nil {
|
||||
c.config.ClientSessionCache.Put(cacheKey, nil)
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
if _, err := c.writeRecord(recordTypeHandshake, hello.marshal()); err != nil {
|
||||
return err
|
||||
|
|
@ -177,81 +190,147 @@ func (c *Conn) clientHandshake() error {
|
|||
hello: hello,
|
||||
ecdheParams: ecdheParams,
|
||||
session: session,
|
||||
earlySecret: earlySecret,
|
||||
binderKey: binderKey,
|
||||
}
|
||||
|
||||
if err := hs.handshake(); err != nil {
|
||||
return err
|
||||
}
|
||||
// In TLS 1.3, session tickets are delivered after the handshake.
|
||||
return hs.handshake()
|
||||
}
|
||||
|
||||
newSession = hs.session
|
||||
} else {
|
||||
hs := &clientHandshakeState{
|
||||
c: c,
|
||||
serverHello: serverHello,
|
||||
hello: hello,
|
||||
session: session,
|
||||
}
|
||||
hs := &clientHandshakeState{
|
||||
c: c,
|
||||
serverHello: serverHello,
|
||||
hello: hello,
|
||||
session: session,
|
||||
}
|
||||
|
||||
if err := hs.handshake(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
newSession = hs.session
|
||||
if err := hs.handshake(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// If we had a successful handshake and hs.session is different from
|
||||
// the one already cached - cache a new one.
|
||||
if hello.ticketSupported && newSession != nil && session != newSession {
|
||||
c.config.ClientSessionCache.Put(cacheKey, newSession)
|
||||
if cacheKey != "" && hs.session != nil && session != hs.session {
|
||||
c.config.ClientSessionCache.Put(cacheKey, hs.session)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *Conn) loadSession(hello *clientHelloMsg) (cacheKey string, session *ClientSessionState) {
|
||||
func (c *Conn) loadSession(hello *clientHelloMsg) (cacheKey string,
|
||||
session *ClientSessionState, earlySecret, binderKey []byte) {
|
||||
if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
|
||||
return
|
||||
return "", nil, nil, nil
|
||||
}
|
||||
|
||||
hello.ticketSupported = true
|
||||
|
||||
if hello.supportedVersions[0] == VersionTLS13 {
|
||||
// Require DHE on resumption as it guarantees forward secrecy against
|
||||
// compromise of the session ticket key. See RFC 8446, Section 4.2.9.
|
||||
hello.pskModes = []uint8{pskModeDHE}
|
||||
}
|
||||
|
||||
// Session resumption is not allowed if renegotiating because
|
||||
// renegotiation is primarily used to allow a client to send a client
|
||||
// certificate, which would be skipped if session resumption occurred.
|
||||
if c.handshakes != 0 {
|
||||
return
|
||||
return "", nil, nil, nil
|
||||
}
|
||||
|
||||
// Try to resume a previously negotiated TLS session, if available.
|
||||
cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
|
||||
candidateSession, ok := c.config.ClientSessionCache.Get(cacheKey)
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
|
||||
// Check that the ciphersuite and version used for the previous session
|
||||
// are still valid.
|
||||
cipherSuiteOk := false
|
||||
for _, id := range hello.cipherSuites {
|
||||
if id == candidateSession.cipherSuite {
|
||||
cipherSuiteOk = true
|
||||
break
|
||||
}
|
||||
session, ok := c.config.ClientSessionCache.Get(cacheKey)
|
||||
if !ok || session == nil {
|
||||
return cacheKey, nil, nil, nil
|
||||
}
|
||||
|
||||
// Check that version used for the previous session is still valid.
|
||||
versOk := false
|
||||
for _, v := range hello.supportedVersions {
|
||||
if v == candidateSession.vers {
|
||||
if v == session.vers {
|
||||
versOk = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if versOk && cipherSuiteOk {
|
||||
session = candidateSession
|
||||
hello.sessionTicket = session.sessionTicket
|
||||
if !versOk {
|
||||
return cacheKey, nil, nil, nil
|
||||
}
|
||||
|
||||
// Check that the cached server certificate is not expired, and that it's
|
||||
// valid for the ServerName. This should be ensured by the cache key, but
|
||||
// protect the application from a faulty ClientSessionCache implementation.
|
||||
if !c.config.InsecureSkipVerify {
|
||||
if len(session.verifiedChains) == 0 {
|
||||
// The original connection had InsecureSkipVerify, while this doesn't.
|
||||
return cacheKey, nil, nil, nil
|
||||
}
|
||||
serverCert := session.serverCertificates[0]
|
||||
if c.config.time().After(serverCert.NotAfter) {
|
||||
// Expired certificate, delete the entry.
|
||||
c.config.ClientSessionCache.Put(cacheKey, nil)
|
||||
return cacheKey, nil, nil, nil
|
||||
}
|
||||
if err := serverCert.VerifyHostname(c.config.ServerName); err != nil {
|
||||
return cacheKey, nil, nil, nil
|
||||
}
|
||||
}
|
||||
|
||||
if session.vers != VersionTLS13 {
|
||||
// In TLS 1.2 the cipher suite must match the resumed session. Ensure we
|
||||
// are still offering it.
|
||||
if mutualCipherSuite(hello.cipherSuites, session.cipherSuite) == nil {
|
||||
return cacheKey, nil, nil, nil
|
||||
}
|
||||
|
||||
hello.sessionTicket = session.sessionTicket
|
||||
return
|
||||
}
|
||||
|
||||
// Check that the session ticket is not expired.
|
||||
if c.config.time().After(session.useBy) {
|
||||
c.config.ClientSessionCache.Put(cacheKey, nil)
|
||||
return cacheKey, nil, nil, nil
|
||||
}
|
||||
|
||||
// In TLS 1.3 the KDF hash must match the resumed session. Ensure we
|
||||
// offer at least one cipher suite with that hash.
|
||||
cipherSuite := cipherSuiteTLS13ByID(session.cipherSuite)
|
||||
if cipherSuite == nil {
|
||||
return cacheKey, nil, nil, nil
|
||||
}
|
||||
cipherSuiteOk := false
|
||||
for _, offeredID := range hello.cipherSuites {
|
||||
offeredSuite := cipherSuiteTLS13ByID(offeredID)
|
||||
if offeredSuite != nil && offeredSuite.hash == cipherSuite.hash {
|
||||
cipherSuiteOk = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !cipherSuiteOk {
|
||||
return cacheKey, nil, nil, nil
|
||||
}
|
||||
|
||||
// Set the pre_shared_key extension. See RFC 8446, Section 4.2.11.1.
|
||||
ticketAge := uint32(c.config.time().Sub(session.receivedAt) / time.Millisecond)
|
||||
identity := pskIdentity{
|
||||
label: session.sessionTicket,
|
||||
obfuscatedTicketAge: ticketAge + session.ageAdd,
|
||||
}
|
||||
hello.pskIdentities = []pskIdentity{identity}
|
||||
hello.pskBinders = [][]byte{make([]byte, cipherSuite.hash.Size())}
|
||||
|
||||
// Compute the PSK binders. See RFC 8446, Section 4.2.11.2.
|
||||
psk := cipherSuite.expandLabel(session.masterSecret, "resumption",
|
||||
session.nonce, cipherSuite.hash.Size())
|
||||
earlySecret = cipherSuite.extract(psk, nil)
|
||||
binderKey = cipherSuite.deriveSecret(earlySecret, resumptionBinderLabel, nil)
|
||||
transcript := cipherSuite.hash.New()
|
||||
transcript.Write(hello.marshalWithoutBinders())
|
||||
pskBinders := [][]byte{cipherSuite.finishedHash(binderKey, transcript)}
|
||||
hello.updateBinders(pskBinders)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
|
|
@ -275,8 +354,8 @@ func (c *Conn) pickTLSVersion(serverHello *serverHelloMsg) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
// Does the handshake, either a full one or resumes old session.
|
||||
// Requires hs.c, hs.hello, and, optionally, hs.session to be set.
|
||||
// Does the handshake, either a full one or resumes old session. Requires hs.c,
|
||||
// hs.hello, hs.serverHello, and, optionally, hs.session to be set.
|
||||
func (hs *clientHandshakeState) handshake() error {
|
||||
c := hs.c
|
||||
|
||||
|
|
@ -692,6 +771,7 @@ func (hs *clientHandshakeState) readSessionTicket() error {
|
|||
masterSecret: hs.masterSecret,
|
||||
serverCertificates: c.peerCertificates,
|
||||
verifiedChains: c.verifiedChains,
|
||||
receivedAt: c.config.time(),
|
||||
}
|
||||
|
||||
return nil
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue