mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-04 12:37:35 +03:00
Code Issues Projects Releases Packages Wiki Activity

crypto/tls: fix PSK binder calculation

Browse source 
When server and client have mismatch in curve preference, the server will
send HelloRetryRequest during TLSv1.3 PSK resumption. There was a bug
introduced by Go1.19.6 or later and Go1.20.1 or later, that makes the client
calculate the PSK binder hash incorrectly. Server will reject the TLS
handshake by sending alert: invalid PSK binder.

Fixes #59424

Change-Id: I2ca8948474275740a36d991c057b62a13392dbb9
GitHub-Last-Rev: 1aad9bcf27f563449c1a7ed6d0dd1d247cc65713
GitHub-Pull-Request: golang/go#59425
Reviewed-on: https://go-review.googlesource.com/c/go/+/481955
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Tero Saarni 2023-04-12 10:07:07 +00:00 committed by Gopher Robot
parent a98b7369e3
commit e1a56dc039
2 changed files with 22 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

21
handshake_client_test.go
View file

@ -1028,6 +1028,27 @@ func testResumption(t *testing.T, version uint16) {
deleteTicket() deleteTicket()
testResumeState("WithoutSessionTicket", false) testResumeState("WithoutSessionTicket", false)
// In TLS 1.3, HelloRetryRequest is sent after incorrect key share.
// See https://www.rfc-editor.org/rfc/rfc8446#page-14.
if version == VersionTLS13 {
deleteTicket()
serverConfig = &Config{
// Use a different curve than the client to force a HelloRetryRequest.
CurvePreferences: []CurveID{CurveP521, CurveP384, CurveP256},
MaxVersion: version,
Certificates: testConfig.Certificates,
}
testResumeState("InitialHandshake", false)
testResumeState("WithHelloRetryRequest", true)
// Reset serverConfig back.
serverConfig = &Config{
MaxVersion: version,
CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
Certificates: testConfig.Certificates,
}
}
// Session resumption should work when using client certificates // Session resumption should work when using client certificates
deleteTicket() deleteTicket()
serverConfig.ClientCAs = rootCAs serverConfig.ClientCAs = rootCAs

2
handshake_client_tls13.go
View file

@ -259,7 +259,7 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
transcript := hs.suite.hash.New() transcript := hs.suite.hash.New()
transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
transcript.Write(chHash) transcript.Write(chHash)
if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { if err := transcriptMsg(hs.serverHello, transcript); err != nil {
return err return err
} }
helloBytes, err := hs.hello.marshalWithoutBinders() helloBytes, err := hs.hello.marshalWithoutBinders()