* fix: UConn Read does not trigger correct Handshake
Copy `(*Conn).Read` to `(*UConn).Read` and force it to use `(*UConn).Handshake`.
Same for `handleRenegotiation` and `handlePostHandshakeMessage`.
Signed-off-by: Gaukas Wang <i@gaukas.wang>
* update: use VerifyData in RenegotiationInfoExt
This makes sure renegotiation would work in certain scenarios instead of no scenarios.
Signed-off-by: Gaukas Wang <i@gaukas.wang>
---------
Signed-off-by: Gaukas Wang <i@gaukas.wang>
* Add a function `AlwaysPadToLen` to generate padding styles according to the raw clienthello.
* Add an extra step in `FromRaw` after parsing the extension list to update the padding style.
* uTLS: X25519Kyber768Draft00 hybrid post-quantum key agreement by cloudflare/go (#222)
* crypto/tls: Add hybrid post-quantum key agreement (#13)
* import: client-side KEM from cloudflare/go
* import: server-side KEM from cloudflare/go
* fix: modify test to get rid of CFEvents.
Note: uTLS does not promise any server-side functionality, and this change is made to be able to conduct unit tests, which require both sides to be able to handle KEM curves.
Co-authored-by: Christopher Wood <caw@heapingbits.net>
Co-Authored-By: Bas Westerbaan <bas@westerbaan.name>
----
Based on:
* crypto/tls: Add hybrid post-quantum key agreement
Adds X25519Kyber512Draft00, X25519Kyber768Draft00, and
P256Kyber768Draft00 hybrid post-quantum key agreements with temporary
group identifiers.
The hybrid post-quantum key exchanges use plain X{25519,448} instead
of HPKE, which we assume will be more likely to be adopted. The order
is chosen to match CECPQ2.
Not enabled by default.
Adds CFEvents to detect `HelloRetryRequest`s and to signal which
key agreement was used.
Co-authored-by: Christopher Wood <caw@heapingbits.net>
[bas, 1.20.1: also adds P256Kyber768Draft00]
[pwu, 1.20.4: updated circl to v1.3.3, moved code to cfevent.go]
* crypto: add support for CIRCL signature schemes
* only partially port the commit from cloudflare/go. We would stick to the official x509 at the cost of incompatibility.
Co-Authored-By: Bas Westerbaan <bas@westerbaan.name>
Co-Authored-By: Christopher Patton <3453007+cjpatton@users.noreply.github.com>
Co-Authored-By: Peter Wu <peter@lekensteyn.nl>
* crypto/tls: add new X25519Kyber768Draft00 code point
Ported from cloudflare/go to support the upcoming new post-quantum keyshare.
----
* Point tls.X25519Kyber768Draft00 to the new 0x6399 identifier while the
old 0xfe31 identifier is available as tls.X25519Kyber768Draft00Old.
* Make sure that the kem.PrivateKey can always be mapped to the CurveID
that was linked to it. This is needed since we now have two ID
aliasing to the same scheme, and clients need to be able to detect
whether the key share presented by the server actually matches the key
share that the client originally sent.
* Update tests, add the new identifier and remove unnecessary code.
Link: https://mailarchive.ietf.org/arch/msg/tls/HAWpNpgptl--UZNSYuvsjB-Pc2k/
Link: https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/02/
Co-Authored-By: Peter Wu <peter@lekensteyn.nl>
Co-Authored-By: Bas Westerbaan <bas@westerbaan.name>
---------
Co-authored-by: Bas Westerbaan <bas@westerbaan.name>
Co-authored-by: Christopher Patton <3453007+cjpatton@users.noreply.github.com>
Co-authored-by: Peter Wu <peter@lekensteyn.nl>
* new: enable PQ parrots (#225)
* Redesign KeySharesEcdheParameters into KeySharesParameters which supports multiple types of keys.
* Optimize program logic to prevent using unwanted keys
* new: more parrots and safety update (#227)
* new: PQ and other parrots
Add new preset parrots:
- HelloChrome_114_Padding_PSK_Shuf
- HelloChrome_115_PQ
- HelloChrome_115_PQ_PSK
* new: ShuffleChromeTLSExtensions
Implement a new function `ShuffleChromeTLSExtensions(exts []TLSExtension) []TLSExtension`.
* update: include psk parameter for parrot-related functions
Update the following functions' prototypes to accept an optional pskExtension (of type *FakePreSharedKeyExtension):
- `UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID)` => `UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID, pskExtension ...*FakePreSharedKeyExtension)`
- `UTLSIdToSpec(id ClientHelloID)` => `UTLSIdToSpec(id ClientHelloID, pskExtension ...*FakePreSharedKeyExtension)`
* new: pre-defined error from UTLSIdToSpec
Update UTLSIdToSpec to return more comprehensive errors by pre-defining them, allowing easier error comparison/unwrapping.
* new: UtlsPreSharedKeyExtension
In `u_pre_shared_key.go`, create `PreSharedKeyExtension` as an interface, with 3 implementations:
- `UtlsPreSharedKeyExtension` implements full support for `pre_shared_key`, minus resuming after seeing an HRR.
- `FakePreSharedKeyExtension` uses CipherSuiteID, SessionSecret and Identities to calculate the corresponding binders and send them, without setting the internal states. Therefore if the server accepts the PSK and tries to resume, the connection fails.
- `HardcodedPreSharedKeyExtension` allows user to hardcode Identities and Binders to be sent in the extension without setting the internal states. Therefore if the server accepts the PSK and tries to resume, the connection fails.
TODO: Only one of FakePreSharedKeyExtension and HardcodedPreSharedKeyExtension should be kept; the other one should just be removed. We still need to learn more about the safety of hardcoding both Identities and Binders without recalculating the latter.
* update: PSK minor changes and example
* Updates PSK implementations for more comprehensible interfaces when applying preset/json/raw fingerprints.
* Revert FakePreSharedKeyExtension to the old implementation. Add binder size checking.
* Implement TLS-PSK example
New bug: setting `tls.Config.ClientSessionCache` will cause PSK to fail. Currently users must set only `tls.UtlsPreSharedKeyExtension.ClientSessionCacheOverride`.
* fix: PSK failing if config session cache set
* Fix a bug causing PSK to fail if Config.ClientSessionCache is set.
* Removed `ClientSessionCacheOverride` from `UtlsPreSharedKeyExtension`. Set the `ClientSessionCache` in `Config`!
Co-Authored-By: zeeker999 <13848632+zeeker999@users.noreply.github.com>
* Optimize tls resumption (#235)
* feat: bug fix and refactor
* feat: improve example docs: add detailed explanation about the design
* feat: add assertion on uApplyPatch
* fix: address comments
feat: add option `OmitEmptyPsk` and throw error on empty psk by default
feat: revert changes to public interfaces
* fix: weird residue caused by a merge conflict
* fix: remove merge conflict residue code
---------
Co-authored-by: Bas Westerbaan <bas@westerbaan.name>
Co-authored-by: Christopher Patton <3453007+cjpatton@users.noreply.github.com>
Co-authored-by: Peter Wu <peter@lekensteyn.nl>
Co-authored-by: zeeker999 <13848632+zeeker999@users.noreply.github.com>
Co-authored-by: 3andne <52860475+3andne@users.noreply.github.com>
* sync: Go 1.21rc3, QUIC support added (#207)
* sync: merge with upstream tag/go-1.21rc3 (#11)
* fix: all tests pass
* impl: UQUIC Transport
* deps: bump up min Go version
* new: uquic
* fix: add QUICTransportParameter
* deprecated: Go 1.19 no longer supported
Go 1.19 will fail to build or to pass the tests once we bump up to the new version.
* sync: crypto/tls: restrict RSA keys in certificates to <= 8192 bits (#209)
* [release-branch.go1.21] crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.
Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.
Thanks to Mateusz Poliwczak for reporting this issue.
Fixes CVE-2023-29409
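As an added example for the RSA size restriction described above (not the upstream crypto/tls patch itself, which applies the limit inside the handshake), here is the same check expressed as a `VerifyPeerCertificate`-shaped callback a client can attach to its `Config` when it cannot rely on the library version. The 8192-bit limit is the one the commit states; `fakeRSACert` builds a certificate with a modulus of a chosen bit length purely to exercise the check, so the key is not a real key and no multi-thousand-bit key generation is needed.

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
)

// maxRSAKeyBits mirrors the limit upstream crypto/tls enforces on RSA keys in
// certificates received during a handshake (CVE-2023-29409).
const maxRSAKeyBits = 8192

var errRSAKeyTooLarge = errors.New("tls: peer certificate contains an RSA key larger than 8192 bits")

// checkRSAKeySizes rejects any certificate in the chain whose RSA public key
// exceeds maxRSAKeyBits. Non-RSA keys are left to the normal verifier.
func checkRSAKeySizes(chain []*x509.Certificate) error {
	for i, cert := range chain {
		pub, ok := cert.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if bits := pub.N.BitLen(); bits > maxRSAKeyBits {
			return fmt.Errorf("%w (certificate %d: %d bits)", errRSAKeyTooLarge, i, bits)
		}
	}
	return nil
}

// verifyPeerCertificate has the shape of tls.Config.VerifyPeerCertificate. It parses
// the raw DER chain and applies the size limit before any signature verification is
// attempted, which is the CPU cost the upstream fix avoids.
func verifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	chain := make([]*x509.Certificate, 0, len(rawCerts))
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		chain = append(chain, cert)
	}
	return checkRSAKeySizes(chain)
}

// fakeRSACert builds an in-memory certificate whose RSA modulus is exactly `bits`
// bits long. The modulus is constructed (a power of two), not a real key; it exists
// only so the size check can be exercised offline.
func fakeRSACert(bits int) *x509.Certificate {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	return &x509.Certificate{
		PublicKeyAlgorithm: x509.RSA,
		PublicKey:          &rsa.PublicKey{N: n, E: 65537},
	}
}

func main() {
	for _, bits := range []int{2048, 8192, 8193, 16384} {
		err := checkRSAKeySizes([]*x509.Certificate{fakeRSACert(bits)})
		fmt.Printf("%5d-bit RSA key: err=%v\n", bits, err)
	}
}
```

With `InsecureSkipVerify` unset, the callback runs after chain verification in the standard library, so it only adds defence in depth there; the point of the upstream change is that the limit is applied before signatures are checked.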
* build: [ci skip] boring not included
* fix: typo [ci skip]
* docs: replenish readme [ci skip]
replace old build status badge with new ones, bump up required version noted in docs, update developer contact to reflect current status.
- Shuffle Function will no longer shuffle PSK.
- Shuffle Function optimized.
- Fixed a bug in `FakePresharedKeyExtension` causing program to panic.
- Added `HelloChrome_100_PSK` and `HelloChrome_112_PSK_Shuf`. Both are beta fingerprints, use at your own risk.
* wip: staging work
* wip: staging work
* feat: ClientHello JSON Unmarshaler
Allows unmarshalling a JSON object into a ClientHelloSpec.
* feat: ClientHello JSON Unmarshaler rev
- Revised JSON ClientHello format
- Implemented `TLSExtensionJSON` interface for some more extensions
* feat: byte to clienthellospecs conversion
* feat: specific case for GREASE and ALPS
Will automatically add "h2" to ALPS and write to the log when a GREASE extension is imported in `ImportTLSClientHello()`
* fix: ReadCompressionMethods
ReadCompressionMethods didn't advance `s` and failed to read extensions
* fix: remove debug log
* fix: use cryptobyte for internal helper
`helper.Uint8to16()` now calls `(*cryptobyte.String).ReadUint16()`
* fix: preshared key fingerprinter test
updated fingerprinter test to test with PreSharedKey extension
* fix: naming of FakePreSharedKeyExt
It is a Fake extension since `crypto/tls` doesn't really implement PSK-based resumption and neither do we.
* feat: Properly check GREASE
Adopted from #148.
Co-Authored-By: gfw-report <gfw.report@protonmail.com>
* feat: add fakeExtensionEncryptThenMAC
And reordered `fakeExtensionDelegatedCredentials`.
The new `Fingerprinter` is expected to account for the `fakeExtensionEncryptThenMAC` using a `GenericExtension` when `allowBluntMimicry` is set.
Co-Authored-By: gfw-report <gfw.report@protonmail.com>
* fix: remove keepPSK and minor
- Removed all presence of keepPSK flag.
- Added check before using the field of a map.
---------
Co-authored-by: gfw-report <gfw.report@protonmail.com>
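As an added example for the ClientHello parsing and GREASE entries above (this is not uTLS's fingerprinter or its `cryptobyte` helpers), here is a minimal ClientHello body parser built on a cursor that always advances, which is the property the ReadCompressionMethods fix restored: if compression_methods is returned without moving the cursor, the extensions block is read from the wrong offset. It also classifies GREASE code points per RFC 8701 so a fingerprint records the slot rather than the random value. The sample message is constructed inline, not captured, and all names are this example's own.

```go
package main

import (
	"encoding/hex"
	"errors"
	"strings"
)

type extension struct {
	Type uint16
	Data []byte
}

type clientHello struct {
	Version            uint16
	Random             [32]byte
	SessionID          []byte
	CipherSuites       []uint16
	CompressionMethods []byte
	Extensions         []extension
}

var errTruncated = errors.New("clienthello: truncated message")

// reader is a cursor over a byte slice with a sticky error. Every successful read
// advances pos, so the field after compression_methods (extensions) always starts
// at the right offset.
type reader struct {
	buf []byte
	pos int
	err error
}

func (r *reader) bytes(n int) []byte {
	if r.err == nil && r.pos+n > len(r.buf) {
		r.err = errTruncated
	}
	if r.err != nil {
		return nil
	}
	b := r.buf[r.pos : r.pos+n]
	r.pos += n
	return b
}

func (r *reader) u16() uint16 {
	b := r.bytes(2)
	if b == nil {
		return 0
	}
	return uint16(b[0])<<8 | uint16(b[1])
}

// vec reads a vector with a 1-byte (lenBytes=1) or 2-byte (lenBytes=2) length prefix.
func (r *reader) vec(lenBytes int) []byte {
	b := r.bytes(lenBytes)
	if b == nil {
		return nil
	}
	n := int(b[0])
	if lenBytes == 2 {
		n = n<<8 | int(b[1])
	}
	return r.bytes(n)
}

// isGREASE reports whether v is a GREASE code point (RFC 8701: 0x0a0a, 0x1a1a,
// ..., 0xfafa).
func isGREASE(v uint16) bool {
	return v&0x0f0f == 0x0a0a && v>>8 == v&0xff
}

// parseClientHello parses a ClientHello body (the bytes after the 4-byte handshake
// header). A body that ends right after compression_methods is legal: no extensions.
func parseClientHello(body []byte) (*clientHello, error) {
	r := &reader{buf: body}
	ch := &clientHello{Version: r.u16()}
	copy(ch.Random[:], r.bytes(32))
	ch.SessionID = r.vec(1)
	suites := r.vec(2)
	ch.CompressionMethods = r.vec(1) // consumed, and the cursor moved, before extensions
	var exts []byte
	if r.err == nil && r.pos < len(body) {
		exts = r.vec(2)
	}
	if r.err != nil {
		return nil, r.err
	}
	if r.pos != len(body) {
		return nil, errors.New("clienthello: trailing bytes")
	}
	if len(suites)%2 != 0 {
		return nil, errors.New("clienthello: odd cipher_suites length")
	}
	for i := 0; i < len(suites); i += 2 {
		ch.CipherSuites = append(ch.CipherSuites, uint16(suites[i])<<8|uint16(suites[i+1]))
	}
	er := &reader{buf: exts}
	for er.err == nil && er.pos < len(exts) {
		e := extension{Type: er.u16()}
		e.Data = er.vec(2)
		ch.Extensions = append(ch.Extensions, e)
	}
	if er.err != nil {
		return nil, er.err
	}
	return ch, nil
}

// greaseSlots returns the indexes of GREASE extensions in ch.
func greaseSlots(ch *clientHello) []int {
	var idx []int
	for i, e := range ch.Extensions {
		if isGREASE(e.Type) {
			idx = append(idx, i)
		}
	}
	return idx
}

// sampleClientHello returns a constructed (not captured) TLS 1.3 ClientHello body
// with a GREASE cipher suite and a GREASE extension in the slots Chrome uses.
func sampleClientHello() []byte {
	h := "0303" + strings.Repeat("11", 32) + // version, random
		"00" + // empty session_id
		"0008" + "2a2a" + "1301" + "1302" + "c02b" + // cipher_suites, first is GREASE
		"0100" + // compression_methods: null only
		"0014" + // extensions length
		"7a7a0000" + // GREASE extension, empty body
		"002b0003020304" + // supported_versions: TLS 1.3
		"00100005" + "000302" + "6832" // ALPN: h2
	b, err := hex.DecodeString(h)
	if err != nil {
		panic(err)
	}
	return b
}
```

Feeding `sampleClientHello()` to `parseClientHello` yields four cipher suites, the null compression method and three extensions, with `greaseSlots` reporting index 0; truncating the input produces `errTruncated` rather than a misparse.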
* refactor: split `CompressCertExtension` changes
- Split most of changes for `CompressCertExtension` made to `crypto/tls` files out and moved them to `u_` files.
- Edited some `crypto/tls` files to achieve better programmability for uTLS.
- Minor styling fix.
* feat: implement ALPS Extension draft
- Made necessary modifications to existing types to support ALPS.
- Ported `ApplicationSettingsExtension` implementation from `ulixee/utls` by @blakebyrnes with some adaptation.
Co-Authored-By: Blake Byrnes <115056+blakebyrnes@users.noreply.github.com>
* feat: utlsFakeCustomExtension in ALPS
- Introducing `utlsFakeCustomExtension` to enable implementation for custom extensions to be exchanged via ALPS.
- currently it doesn't do anything.
Co-Authored-By: Blake Byrnes <115056+blakebyrnes@users.noreply.github.com>
* fix: magic number in `StatusRequestV2Extension`
- Fixed magic number `17` in `StatusRequestV2Extension` with pre-defined enum `extensionStatusRequestV2`.
Co-authored-by: Blake Byrnes <115056+blakebyrnes@users.noreply.github.com>
* Add new ClientHellos
Also add faked support for token binding, ALPS, and delegated credentials
* Remove FakeALPSExtension in favor of existing ApplicationSettingsExtension
* Implement certificate compression
Certificate compression is defined in RFC 8879:
https://datatracker.ietf.org/doc/html/rfc8879
This implementation is client-side only, for server certificates.
* Fix missing LOC
* Add more fingerprints
* Implement ALPS extension
* Merge commit fcaacdbbe7
- At this commit, github.com/Noooste/utls remained at the original upstream LICENSE
* added HelloChrome102 and HelloFirefox102
* Randomly include ALPS in HelloRandomized
Co-authored-by: Harry Harpham <harry@getlantern.org>
Co-authored-by: Sleeyax <yourd3veloper@gmail.com>
Co-authored-by: Rod Hynes <rod-hynes@users.noreply.github.com>
SNIExtension was previously marshalling both IP addresses and empty
strings, which are not allowed. See RFC 6066, Section 3.
All of the utls specific testdata replays needed to be rebuilt to
properly accommodate this change since they had previously been including
empty server name extension values
Addresses https://github.com/refraction-networking/utls/issues/96
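As an added example for the SNI rule above (not uTLS's `SNIExtension`), here is a server_name extension marshaller that applies RFC 6066 section 3 before producing any bytes, together with a parser that enforces the same rule on receipt. It assumes the caller passes the dial target as a client would (possibly with IPv6 brackets or a trailing dot, which are stripped); `errNoSNI` and the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

const extensionServerName uint16 = 0

// errNoSNI signals that RFC 6066 section 3 forbids a server_name extension for
// this host: only DNS host names are allowed, so empty names and IPv4/IPv6
// literals mean the extension is omitted from the ClientHello.
var errNoSNI = errors.New("server_name: empty or IP-literal host, extension must be omitted")

// hostnameForSNI normalises a dial target (strips IPv6 brackets and a trailing
// dot) and rejects names that must not be sent as server_name.
func hostnameForSNI(host string) (string, error) {
	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
		host = host[1 : len(host)-1]
	}
	host = strings.TrimSuffix(host, ".")
	if host == "" || net.ParseIP(host) != nil {
		return "", errNoSNI
	}
	return host, nil
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// serverNameExtension marshals a complete server_name extension: extension_type,
// extension_data length, and a ServerNameList with one host_name entry.
func serverNameExtension(host string) ([]byte, error) {
	name, err := hostnameForSNI(host)
	if err != nil {
		return nil, err
	}
	if len(name) > 0xffff {
		return nil, errors.New("server_name: host name too long")
	}
	// ServerName: name_type host_name(0), then host_name<1..2^16-1>
	entry := append(put16([]byte{0}, uint16(len(name))), name...)
	// ServerNameList<1..2^16-1>
	list := append(put16(nil, uint16(len(entry))), entry...)
	ext := put16(put16(nil, extensionServerName), uint16(len(list)))
	return append(ext, list...), nil
}

// parseServerNameExtension reads a server_name extension_data and returns the first
// host_name entry, rejecting empty names and IP literals the way a server should.
func parseServerNameExtension(data []byte) (string, error) {
	if len(data) < 2 {
		return "", errors.New("server_name: short list")
	}
	listLen := int(data[0])<<8 | int(data[1])
	data = data[2:]
	if listLen != len(data) {
		return "", errors.New("server_name: bad list length")
	}
	for len(data) >= 3 {
		nameType := data[0]
		n := int(data[1])<<8 | int(data[2])
		data = data[3:]
		if n > len(data) {
			return "", errors.New("server_name: truncated entry")
		}
		name := string(data[:n])
		data = data[n:]
		if nameType != 0 {
			continue // unknown NameType, skip
		}
		if _, err := hostnameForSNI(name); err != nil {
			return "", err
		}
		return name, nil
	}
	return "", errors.New("server_name: no host_name entry")
}

func main() {
	for _, h := range []string{"example.com", "example.com.", "[2001:db8::1]", "192.0.2.1", ""} {
		ext, err := serverNameExtension(h)
		fmt.Printf("%-16q -> % x  err=%v\n", h, ext, err)
	}
}
```

A client that gets `errNoSNI` should leave the extension out entirely rather than send an empty host_name, which is exactly the malformed value the rebuilt test replays used to contain.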
Renegotiation:
- Disallow specifying the body of Renegotiation extensions to
avoid assumption that it will be verified.
- Marshal the extension, if it is present in the uconn.Extensions list,
even if Renegotiation is set to Never.
Exports all unexported uTLS extension fields.
Fixes #33
Update fingerprints + add default spec version
* Adds fingerprints for Chrome 75, iOS 12.1, and Firefox 65(=Firefox 63)
* If min/max tls versions are not explicitly specified in the ClientHelloSpec,
uTLS will try to parse versions from SupportedVersions extension,
and fallback to [TLS 1.0, TLS 1.2] if SupportedVersions is absent.
* Adds mimicked FakeRecordSizeLimitExtension and FakeCertCompressionAlgsExtension
to be used instead of GenericExtension{} for clarity and extensibility
(we are ready to use those with Firefox and Chrome fps with correct values
whenever actual functionality is implemented)
* SetTLSVers: parse the right extensions + cosmetics
Adds support for following TLS 1.3 extensions:
- PSKKeyExchangeModes
- SupportedVersions
- KeyShare
and uses them to implement newest Chrome and Firefox parrots.
Tests for default Golang uTLS were regenerated because
they previously used TLS-1.2 as max version.
I tested all fingerprints and confirmed that Chrome and Firefox are
working as intended.
Android fingerprints were grossly unpopular, which could be a result of
incorrect merge, but either way we'll remove them for now.
The root cause of races is that global variables supportedSignatureAlgorithms and
cipherSuites are used both to form handshake and to check whether or not
peer responded with supported algorithm.
In this patch I create separate variables for this purpose.
Updated tests for kicks.
Finally, go fmt.