The following weak ciphers are from now on deprecated:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
Signed-off-by: Gaukas Wang <i@gaukas.wang>
* dicttls: update ECH-related entries
* wip: GREASE ECH extension
* new: GREASE ECH extension
* fix: GREASE ECH Read must succeed with io.EOF
* new: GREASE ECH multiple payload len
* new: parse ECH in EncryptedExtensions
* fix: ECHConfig Length always 0
* new: GREASE ECH parrots
* new: (*Config).ECHConfigs
Add (*Config).ECHConfigs for future full ECH extension.
* new: add GREASE ECH example
Add an incomplete example of using GREASE ECH extension (Chrome 120 parrot).
* fix: invalid httpGetOverConn call
Fix a problem in the old example where httpGetOverConn was called with uTlsConn.HandshakeState.ServerHello.AlpnProtocol, which will not be populated when TLS 1.3 is used.
* new: possible InnerClientHello length
* Add a function `AlwaysPadToLen` to generate padding styles according to the raw clienthello.
* Add an extra step in `FromRaw` after parsing the extension list to update the padding style.
[release-branch.go1.21] crypto/tls: QUIC: fix panics when processing post-handshake messages
The check for fragmentary post-handshake messages in QUICConn.HandleData
was reversed, resulting in a potential panic when HandleData receives
a partial message.
In addition, HandleData wasn't checking the size of buffered
post-handshake messages. Produce an error when a post-handshake
message is larger than maxHandshake.
TestQUICConnectionState was using an onHandleCryptoData hook
in runTestQUICConnection that was never being called.
(I think it was inadvertently removed at some point while
the CL was in review.) Fix this test while making the hook
more general.
For #62266
Fixes #62290
Change-Id: I210b70634e50beb456ab3977eb11272b8724c241
Reviewed-on: https://go-review.googlesource.com/c/go/+/522595
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Marten Seemann <martenseemann@gmail.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
(cherry picked from commit e92c0f8)
Reviewed-on: https://go-review.googlesource.com/c/go/+/523039
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Co-authored-by: Damien Neil <52544+neild@users.noreply.github.com>
Co-authored-by: GopherBot <8566911+gopherbot@users.noreply.github.com>
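As an added illustration of the buffering rule that commit describes (this is not the crypto/tls code; the type and function names are made up for the example), the sketch below keeps a partial post-handshake message until the rest arrives and rejects a header that announces more than maxHandshake bytes:

```go
package main

import (
	"errors"
	"fmt"
)

// maxHandshake mirrors the limit the commit names: the largest
// handshake message the stack is willing to buffer (64 KiB).
const maxHandshake = 65536

// errOversizedMessage is returned when a message header announces
// more bytes than maxHandshake allows.
var errOversizedMessage = errors.New("tls: handshake message larger than maxHandshake")

// cryptoBuffer accumulates CRYPTO-frame bytes until a whole TLS
// handshake message (1-byte type + 3-byte length + body) is present.
type cryptoBuffer struct {
	buf []byte
}

// handleData appends data and returns every complete message now
// held. A partial message is kept for the next call rather than
// parsed; this is the check the commit describes as reversed.
func (c *cryptoBuffer) handleData(data []byte) ([][]byte, error) {
	c.buf = append(c.buf, data...)
	var msgs [][]byte
	for {
		if len(c.buf) < 4 {
			return msgs, nil // header incomplete: wait for more
		}
		n := int(c.buf[1])<<16 | int(c.buf[2])<<8 | int(c.buf[3])
		if n > maxHandshake {
			return msgs, errOversizedMessage // reject before buffering the body
		}
		if len(c.buf) < 4+n {
			return msgs, nil // body still fragmentary: keep waiting
		}
		msg := make([]byte, 4+n)
		copy(msg, c.buf[:4+n])
		c.buf = c.buf[4+n:]
		msgs = append(msgs, msg)
	}
}

func main() {
	// Constructed sample: one NewSessionTicket-typed (4) message
	// delivered in two fragments.
	var c cryptoBuffer
	first, _ := c.handleData([]byte{4, 0, 0, 5, 'a', 'b'})
	second, _ := c.handleData([]byte{'c', 'd', 'e'})
	fmt.Println(len(first), len(second)) // 0 1
}
```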
We should call Value as late as possible to allow programs to set
GODEBUG with os.Setenv, and IncNonDefault only when (and every time) the
GODEBUG has an effect on a connection (that we'd have regularly
rejected).
Change-Id: If7a1446de407db7ca2d904d41dda13558b684dda
Reviewed-on: https://go-review.googlesource.com/c/go/+/544335
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
According to RFC 9001 Section 4.2, the client MUST NOT offer any TLS version
older than 1.3.
Fixes #63723.
Change-Id: Ia92f98274ca784e2bc151faf236380af51f699c1
Reviewed-on: https://go-review.googlesource.com/c/go/+/537576
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Removes the RSA KEX based ciphers from the default list. This can be
reverted using the tlsrsakex GODEBUG.
Fixes #63413
Change-Id: Id221be3eb2f6c24b91039d380313f0c87d339f98
Reviewed-on: https://go-review.googlesource.com/c/go/+/541517
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Updates the default from 1.0 -> 1.2 for servers, bringing it in line
with clients. Add a GODEBUG setting, tls10server, which lets users
revert this change.
Fixes #62459
Change-Id: I2b82f85b1c2d527df1f9afefae4ab30a8f0ceb41
Reviewed-on: https://go-review.googlesource.com/c/go/+/541516
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
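The deprecation list at the top of the page and the tlsrsakex/tls10server commits both move servers off RSA key exchange and TLS 1.0; the added example below (not uTLS or Go code; hardenConfig and isRSAKeyExchange are names chosen here) pins those choices in a tls.Config so a GODEBUG cannot quietly re-enable them, and reports what it dropped:

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// isRSAKeyExchange reports whether id names a suite whose key exchange is
// plain RSA (no ECDHE, so no forward secrecy), using the IANA naming that
// tls.CipherSuiteName follows. Unknown IDs render as hex and are kept.
func isRSAKeyExchange(id uint16) bool {
	return strings.HasPrefix(tls.CipherSuiteName(id), "TLS_RSA_WITH_")
}

// hardenConfig returns a copy of cfg that offers only forward-secret TLS 1.2
// suites and refuses TLS 1.0/1.1: the new defaults, pinned explicitly so the
// tlsrsakex/tls10server GODEBUGs cannot revert them. Dropped IDs are returned.
func hardenConfig(cfg *tls.Config) (*tls.Config, []uint16) {
	out := cfg.Clone()
	if out.MinVersion < tls.VersionTLS12 {
		out.MinVersion = tls.VersionTLS12
	}
	suites := cfg.CipherSuites
	if suites == nil { // nil means "library default", so enumerate it
		for _, s := range tls.CipherSuites() {
			suites = append(suites, s.ID)
		}
	}
	var kept, dropped []uint16
	for _, id := range suites {
		if isRSAKeyExchange(id) {
			dropped = append(dropped, id)
		} else {
			kept = append(kept, id)
		}
	}
	out.CipherSuites = kept
	return out, dropped
}

func main() {
	// Constructed config: the four deprecated suites plus one ECDHE suite.
	cfg := &tls.Config{CipherSuites: []uint16{
		tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	}}
	hardened, dropped := hardenConfig(cfg)
	for _, id := range dropped {
		fmt.Println("dropped:", tls.CipherSuiteName(id))
	}
	fmt.Printf("kept %d suite(s), MinVersion 0x%04x\n", len(hardened.CipherSuites), hardened.MinVersion)
}
```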
Change-Id: Ifc669399dde7d6229c6ccdbe29611ed1f8698fb1
Reviewed-on: https://go-review.googlesource.com/c/go/+/534778
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: shuang cui <imcusg@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Ian Lance Taylor <iant@google.com>
* ci: use latest Go 1.21 build
Use `1.21.x` instead of `1.21.0` to automatically select the latest.
* fix: remove unused fipsonly package
Remove an unused package that was unintentionally introduced as a conditional dependency of upstream.
* update: use boring package not global var
Align with the upstream to use `boring` as a name for a package. No functional changes.
* new: name aliasing
Create u_alias.go to hold any alias names created by version upgrades or other necessary changes (e.g., upstream breaking change) to prevent further breaking the API.
When running crypto/tls tests with GOEXPERIMENT=boringcrypto, some
tests are embedded with unreadable hexadecimal values:
=== RUN TestBoringServerSignatureAndHash/5053...3536
This corresponds to a string representation of SignatureScheme as it
implements fmt.Stringer. With this change, the above will be printed
as:
=== RUN TestBoringServerSignatureAndHash/PSSWithSHA256
Change-Id: I953c0bb35c68e77a7f01e7f1fceda203c272faf7
GitHub-Last-Rev: 19700d53a8578d335dc803ac94cc7c6c72e9920a
GitHub-Pull-Request: golang/go#63175
Reviewed-on: https://go-review.googlesource.com/c/go/+/530715
Reviewed-by: Heschi Kreinick <heschi@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Than McIntosh <thanm@google.com>
Change-Id: I8787458f9ccd3b5cdcdda820d8a45deb4f77eade
GitHub-Last-Rev: be865d67ef68815b8c1c2a9ad222fff594620e66
GitHub-Pull-Request: golang/go#63165
Reviewed-on: https://go-review.googlesource.com/c/go/+/530120
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
* uTLS: X25519Kyber768Draft00 hybrid post-quantum key agreement by cloudflare/go (#222)
* crypto/tls: Add hybrid post-quantum key agreement (#13)
* import: client-side KEM from cloudflare/go
* import: server-side KEM from cloudflare/go
* fix: modify test to get rid of CFEvents.
Note: uTLS does not promise any server-side functionality, and this change is made to be able to conduct unit tests, which require both sides to be able to handle KEM Curves.
Co-authored-by: Christopher Wood <caw@heapingbits.net>
Co-Authored-By: Bas Westerbaan <bas@westerbaan.name>
----
Based on:
* crypto/tls: Add hybrid post-quantum key agreement
Adds X25519Kyber512Draft00, X25519Kyber768Draft00, and
P256Kyber768Draft00 hybrid post-quantum key agreements with temporary
group identifiers.
The hybrid post-quantum key exchanges use plain X{25519,448} instead
of HPKE, which we assume will be more likely to be adopted. The order
is chosen to match CECPQ2.
Not enabled by default.
Adds CFEvents to detect `HelloRetryRequest`s and to signal which
key agreement was used.
Co-authored-by: Christopher Wood <caw@heapingbits.net>
[bas, 1.20.1: also adds P256Kyber768Draft00]
[pwu, 1.20.4: updated circl to v1.3.3, moved code to cfevent.go]
* crypto: add support for CIRCL signature schemes
* only partially port the commit from cloudflare/go. We would stick to the official x509 at the cost of incompatibility.
Co-Authored-By: Bas Westerbaan <bas@westerbaan.name>
Co-Authored-By: Christopher Patton <3453007+cjpatton@users.noreply.github.com>
Co-Authored-By: Peter Wu <peter@lekensteyn.nl>
* crypto/tls: add new X25519Kyber768Draft00 code point
Ported from cloudflare/go to support the upcoming new post-quantum keyshare.
----
* Point tls.X25519Kyber768Draft00 to the new 0x6399 identifier while the
old 0xfe31 identifier is available as tls.X25519Kyber768Draft00Old.
* Make sure that the kem.PrivateKey can always be mapped to the CurveID
that was linked to it. This is needed since we now have two ID
aliasing to the same scheme, and clients need to be able to detect
whether the key share presented by the server actually matches the key
share that the client originally sent.
* Update tests, add the new identifier and remove unnecessary code.
Link: https://mailarchive.ietf.org/arch/msg/tls/HAWpNpgptl--UZNSYuvsjB-Pc2k/
Link: https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/02/
Co-Authored-By: Peter Wu <peter@lekensteyn.nl>
Co-Authored-By: Bas Westerbaan <bas@westerbaan.name>
---------
Co-authored-by: Bas Westerbaan <bas@westerbaan.name>
Co-authored-by: Christopher Patton <3453007+cjpatton@users.noreply.github.com>
Co-authored-by: Peter Wu <peter@lekensteyn.nl>
* new: enable PQ parrots (#225)
* Redesign KeySharesEcdheParameters into KeySharesParameters which supports multiple types of keys.
* Optimize program logic to prevent using unwanted keys
* new: more parrots and safety update (#227)
* new: PQ and other parrots
Add new preset parrots:
- HelloChrome_114_Padding_PSK_Shuf
- HelloChrome_115_PQ
- HelloChrome_115_PQ_PSK
* new: ShuffleChromeTLSExtensions
Implement a new function `ShuffleChromeTLSExtensions(exts []TLSExtension) []TLSExtension`.
* update: include psk parameter for parrot-related functions
Update the following functions' prototypes to accept an optional pskExtension (of type *FakePreSharedKeyExtension):
- `UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID)` => `UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID, pskExtension ...*FakePreSharedKeyExtension)`
- `UTLSIdToSpec(id ClientHelloID)` => `UTLSIdToSpec(id ClientHelloID, pskExtension ...*FakePreSharedKeyExtension)`
* new: pre-defined error from UTLSIdToSpec
Update UTLSIdToSpec to return more comprehensive errors by pre-defining them, allowing easier error comparing/unwrapping.
* new: UtlsPreSharedKeyExtension
In `u_pre_shared_key.go`, create `PreSharedKeyExtension` as an interface, with 3 implementations:
- `UtlsPreSharedKeyExtension` implements full support for `pre_shared_key` less resuming after seeing HRR.
- `FakePreSharedKeyExtension` uses CipherSuiteID, SessionSecret and Identities to calculate the corresponding binders and send them, without setting the internal states. Therefore if the server accepts the PSK and tries to resume, the connection fails.
- `HardcodedPreSharedKeyExtension` allows the user to hardcode Identities and Binders to be sent in the extension without setting the internal states. Therefore if the server accepts the PSK and tries to resume, the connection fails.
TODO: Only one of FakePreSharedKeyExtension and HardcodedPreSharedKeyExtension should be kept, the other one should be just removed. We still need to learn more of the safety of hardcoding both Identities and Binders without recalculating the latter.
* update: PSK minor changes and example
* Updates PSK implementations for more comprehensible interfaces when applying preset/json/raw fingerprints.
* Revert FakePreSharedKeyExtension to the old implementation. Add binder size checking.
* Implement TLS-PSK example
New bug: setting `tls.Config.ClientSessionCache` will cause PSK to fail. Currently users must set only `tls.UtlsPreSharedKeyExtension.ClientSessionCacheOverride`.
* fix: PSK failing if config session cache set
* Fix a bug causing PSK to fail if Config.ClientSessionCache is set.
* Removed `ClientSessionCacheOverride` from `UtlsPreSharedKeyExtension`. Set the `ClientSessionCache` in `Config`!
Co-Authored-By: zeeker999 <13848632+zeeker999@users.noreply.github.com>
* Optimize tls resumption (#235)
* feat: bug fix and refactor
* feat: improve example docs: add detailed explanation about the design
feat: add assertion on uApplyPatch
* fix: address comments
feat: add option `OmitEmptyPsk` and throw error on empty psk by default
feat: revert changes to public interfaces
* fix: weird residue caused by merging conflict
* fix: remove merge conflict residue code
---------
Co-authored-by: Bas Westerbaan <bas@westerbaan.name>
Co-authored-by: Christopher Patton <3453007+cjpatton@users.noreply.github.com>
Co-authored-by: Peter Wu <peter@lekensteyn.nl>
Co-authored-by: zeeker999 <13848632+zeeker999@users.noreply.github.com>
Co-authored-by: 3andne <52860475+3andne@users.noreply.github.com>
The check for fragmentary post-handshake messages in QUICConn.HandleData
was reversed, resulting in a potential panic when HandleData receives
a partial message.
In addition, HandleData wasn't checking the size of buffered
post-handshake messages. Produce an error when a post-handshake
message is larger than maxHandshake.
TestQUICConnectionState was using an onHandleCryptoData hook
in runTestQUICConnection that was never being called.
(I think it was inadvertently removed at some point while
the CL was in review.) Fix this test while making the hook
more general.
Fixes #62266
Change-Id: I210b70634e50beb456ab3977eb11272b8724c241
Reviewed-on: https://go-review.googlesource.com/c/go/+/522595
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Marten Seemann <martenseemann@gmail.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
* retract v1.4.1 panic
* deps: retract v1.4.0 and update go.mod
Retract v1.4.0 which also has the same bug. Update go.mod to update the dependency while not breaking existing functionality. Refresh go.sum to remove old entries.
---------
Co-authored-by: Gaukas Wang <i@gauk.as>
Add a new GODEBUG setting, tlsmaxrsasize, which allows controlling the
maximum RSA key size we will accept during TLS handshakes.
Change-Id: I52f060be132014d219f4cd438f59990011a35c96
Reviewed-on: https://go-review.googlesource.com/c/go/+/517495
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
* sync: Go 1.21.0
* [release-branch.go1.21] crypto/tls: change SendSessionTicket to take an options struct
To allow for future evolution of the API, make
QUICConn.SendSessionTicket take a QUICSessionTicketOptions
rather than a single bool.
Change-Id: I798fd0feec5c7581e3c3574e2de99611c81df47f
Reviewed-on: https://go-review.googlesource.com/c/go/+/514997
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Marten Seemann <martenseemann@gmail.com>
(cherry picked from commit a915b99)
Reviewed-on: https://go-review.googlesource.com/c/go/+/515335
Auto-Submit: Damien Neil <dneil@google.com>
Co-Authored-By: Damien Neil <52544+neild@users.noreply.github.com>
* new: CI bump up to use Go 1.21.0 stable release
* fix: better CI streamline for multi-platform
---------
Co-authored-by: Damien Neil <52544+neild@users.noreply.github.com>
- Rename GREASE to GREASETransportParameter.
- Rename Padding to PaddingTransportParameter.
- Add a GREASE QTP ID check against `id >= 27`. Otherwise `max_ack_delay = 11` will be incorrectly recognized as a GREASE value.
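An added illustration of the `id >= 27` guard, not uTLS's own code: assuming the parameter ID is held in a uint64 as QUIC varints are, the unguarded modulo check underflows for small IDs and misclassifies max_ack_delay (11), exactly the failure the bullet describes.

```go
package main

import "fmt"

// greaseBase and greaseStep come from RFC 9000 Section 18.1: transport
// parameter IDs of the form 31*N+27 are reserved and may be sent as GREASE.
const (
	greaseBase uint64 = 27
	greaseStep uint64 = 31
)

// isGreaseTransportParameterIDBuggy is the check without the `id >= 27`
// guard. For id < 27 the subtraction wraps around in uint64 arithmetic, and
// 2^64 - 16 happens to be a multiple of 31, so max_ack_delay (ID 11) is
// misclassified as GREASE. Kept only to show the failure mode.
func isGreaseTransportParameterIDBuggy(id uint64) bool {
	return (id-greaseBase)%greaseStep == 0
}

// isGreaseTransportParameterID is the corrected form: IDs below 27 can
// never be GREASE, so the guard rules out the wrap-around before the modulo.
func isGreaseTransportParameterID(id uint64) bool {
	return id >= greaseBase && (id-greaseBase)%greaseStep == 0
}

func main() {
	// Constructed sample IDs: max_ack_delay (11), the first two GREASE
	// values (27, 58) and the non-GREASE ID right after 27.
	for _, id := range []uint64{11, 27, 58, 28} {
		fmt.Printf("id %d: buggy=%v fixed=%v\n", id,
			isGreaseTransportParameterIDBuggy(id), isGreaseTransportParameterID(id))
	}
}
```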