From: Filippo Valsorda Date: Wed, 27 Feb 2019 20:39:47 +0000 (-0500) Subject: [dev.boringcrypto] all: merge master into dev.boringcrypto X-Git-Tag: go1.19beta1~484^2~119 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=a10558f870524965d720a3fee92ed0f0b8d096df;p=gostls13.git [dev.boringcrypto] all: merge master into dev.boringcrypto This effectively reverts the golang.org/cl/161699 merge. Change-Id: I7c982a97f3ae0015e2e148d4831912d058d682f8 --- a10558f870524965d720a3fee92ed0f0b8d096df diff --cc src/crypto/tls/boring.go index cd74495aa6,0000000000..f6d922c673 mode 100644,000000..100644 --- a/src/crypto/tls/boring.go +++ b/src/crypto/tls/boring.go @@@ -1,124 -1,0 +1,121 @@@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "crypto/ecdsa" + "crypto/internal/boring/fipstls" + "crypto/rsa" + "crypto/x509" +) + +// needFIPS returns fipstls.Required(); it avoids a new import in common.go. +func needFIPS() bool { + return fipstls.Required() +} + +// fipsMinVersion replaces c.minVersion in FIPS-only mode. +func fipsMinVersion(c *Config) uint16 { + // FIPS requires TLS 1.2. + return VersionTLS12 +} + +// fipsMaxVersion replaces c.maxVersion in FIPS-only mode. +func fipsMaxVersion(c *Config) uint16 { + // FIPS requires TLS 1.2. + return VersionTLS12 +} + +// default defaultFIPSCurvePreferences is the FIPS-allowed curves, +// in preference order (most preferable first). +var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521} + +// fipsCurvePreferences replaces c.curvePreferences in FIPS-only mode. +func fipsCurvePreferences(c *Config) []CurveID { + if c == nil || len(c.CurvePreferences) == 0 { + return defaultFIPSCurvePreferences + } + var list []CurveID + for _, id := range c.CurvePreferences { + for _, allowed := range defaultFIPSCurvePreferences { + if id == allowed { + list = append(list, id) + break + } + } + } + return list +} + +// default FIPSCipherSuites is the FIPS-allowed cipher suites, +// in preference order (most preferable first). +var defaultFIPSCipherSuites = []uint16{ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, +} + +// fipsCipherSuites replaces c.cipherSuites in FIPS-only mode. +func fipsCipherSuites(c *Config) []uint16 { + if c == nil || c.CipherSuites == nil { + return defaultFIPSCipherSuites + } + var list []uint16 + for _, id := range c.CipherSuites { + for _, allowed := range defaultFIPSCipherSuites { + if id == allowed { + list = append(list, id) + break + } + } + } + return list +} + +// isBoringCertificate reports whether a certificate may be used +// when constructing a verified chain. +// It is called for each leaf, intermediate, and root certificate. +func isBoringCertificate(c *x509.Certificate) bool { + if !needFIPS() { + // Everything is OK if we haven't forced FIPS-only mode. + return true + } + + // Otherwise the key must be RSA 2048, RSA 3072, or ECDSA P-256. + switch k := c.PublicKey.(type) { + default: + return false + case *rsa.PublicKey: + if size := k.N.BitLen(); size != 2048 && size != 3072 { + return false + } + case *ecdsa.PublicKey: + if name := k.Curve.Params().Name; name != "P-256" && name != "P-384" { + return false + } + } + + return true +} + +// supportedSignatureAlgorithms returns the supported signature algorithms. +// It knows that the FIPS-allowed ones are all at the beginning of +// defaultSupportedSignatureAlgorithms. - func supportedSignatureAlgorithms(version uint16) []SignatureScheme { ++func supportedSignatureAlgorithms() []SignatureScheme { + all := defaultSupportedSignatureAlgorithms - if version < VersionTLS13 { - all = defaultSupportedSignatureAlgorithmsTLS12 - } + if !needFIPS() { + return all + } + i := 0 + for i < len(all) && all[i] != PKCS1WithSHA1 { + i++ + } + return all[:i] +} + +var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme diff --cc src/crypto/tls/handshake_client.go index 44acdbaf2d,31bd069bbc..b8d6e93264 --- a/src/crypto/tls/handshake_client.go +++ b/src/crypto/tls/handshake_client.go @@@ -114,16 -113,7 +113,10 @@@ func (c *Conn) makeClientHello() (*clie } if hello.vers >= VersionTLS12 { - // The non-BoringCrypto behavior here is to use the full set of - // signature algorithms, even if TLS 1.3 is not being negotiated. It's - // debatable if this is correct or not, because on one hand it allows - // RSA-PSS as a client with TLS 1.2, but on the other hand we can't - // predict what the server will pick when we do advertise TLS 1.3, so we - // might end up with TLS 1.2 + RSA-PSS anyway. Anyway, it will go away soon. - hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms(VersionTLS13) - hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms ++ hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms() + } + if testingOnlyForceClientHelloSignatureAlgorithms != nil { + hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms } var params ecdheParameters diff --cc src/crypto/tls/handshake_client_tls13.go index 0ffa7d6edf,85715b721c..186275b12e --- a/src/crypto/tls/handshake_client_tls13.go +++ b/src/crypto/tls/handshake_client_tls13.go @@@ -452,7 -448,7 +452,7 @@@ func (hs *clientHandshakeStateTLS13) re } // See RFC 8446, Section 4.4.3. - if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms(VersionTLS13)) { - if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) { ++ if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) { c.sendAlert(alertIllegalParameter) return errors.New("tls: invalid certificate signature algorithm") } diff --cc src/crypto/tls/handshake_messages_test.go index ec8dea43fe,21beb8ef2d..1f08f6ac0e --- a/src/crypto/tls/handshake_messages_test.go +++ b/src/crypto/tls/handshake_messages_test.go @@@ -151,10 -151,10 +151,10 @@@ func (*clientHelloMsg) Generate(rand *r } } if rand.Intn(10) > 5 { - m.supportedSignatureAlgorithms = supportedSignatureAlgorithms(VersionTLS13) - m.supportedSignatureAlgorithms = supportedSignatureAlgorithms ++ m.supportedSignatureAlgorithms = supportedSignatureAlgorithms() } if rand.Intn(10) > 5 { - m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms(VersionTLS13) - m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms ++ m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms() } for i := 0; i < rand.Intn(5); i++ { m.alpnProtocols = append(m.alpnProtocols, randomString(rand.Intn(20)+1, rand)) @@@ -386,10 -386,10 +386,10 @@@ func (*certificateRequestMsgTLS13) Gene m.scts = true } if rand.Intn(10) > 5 { - m.supportedSignatureAlgorithms = supportedSignatureAlgorithms(VersionTLS13) - m.supportedSignatureAlgorithms = supportedSignatureAlgorithms ++ m.supportedSignatureAlgorithms = supportedSignatureAlgorithms() } if rand.Intn(10) > 5 { - m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms(VersionTLS13) - m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms ++ m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms() } if rand.Intn(10) > 5 { m.certificateAuthorities = make([][]byte, 3) diff --cc src/crypto/tls/handshake_server.go index f82d5392c1,2745f3313f..909430facb --- a/src/crypto/tls/handshake_server.go +++ b/src/crypto/tls/handshake_server.go @@@ -463,7 -463,7 +463,7 @@@ func (hs *serverHandshakeState) doFullH } if c.vers >= VersionTLS12 { certReq.hasSignatureAlgorithm = true - certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms(c.vers) - certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms ++ certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms() } // An empty list of certificateAuthorities signals to @@@ -559,7 -559,7 +559,7 @@@ } // Determine the signature type. - _, sigType, hashFunc, err := pickSignatureAlgorithm(pub, []SignatureScheme{certVerify.signatureAlgorithm}, supportedSignatureAlgorithms(c.vers), c.vers) - _, sigType, hashFunc, err := pickSignatureAlgorithm(pub, []SignatureScheme{certVerify.signatureAlgorithm}, supportedSignatureAlgorithms, c.vers) ++ _, sigType, hashFunc, err := pickSignatureAlgorithm(pub, []SignatureScheme{certVerify.signatureAlgorithm}, supportedSignatureAlgorithms(), c.vers) if err != nil { c.sendAlert(alertIllegalParameter) return err diff --cc src/crypto/tls/handshake_server_tls13.go index 99d335e1ee,fd65ac1190..4dfb365f8d --- a/src/crypto/tls/handshake_server_tls13.go +++ b/src/crypto/tls/handshake_server_tls13.go @@@ -599,7 -595,7 +599,7 @@@ func (hs *serverHandshakeStateTLS13) se certReq := new(certificateRequestMsgTLS13) certReq.ocspStapling = true certReq.scts = true - certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms(VersionTLS13) - certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms ++ certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms() if c.config.ClientCAs != nil { certReq.certificateAuthorities = c.config.ClientCAs.Subjects() } @@@ -805,7 -801,7 +805,7 @@@ func (hs *serverHandshakeStateTLS13) re } // See RFC 8446, Section 4.4.3. - if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms(VersionTLS13)) { - if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) { ++ if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) { c.sendAlert(alertIllegalParameter) return errors.New("tls: invalid certificate signature algorithm") } diff --cc src/crypto/tls/key_agreement.go index 91f5cde5c3,628e578e48..681ba83c06 --- a/src/crypto/tls/key_agreement.go +++ b/src/crypto/tls/key_agreement.go @@@ -177,7 -177,7 +177,7 @@@ NextCandidate return nil, errors.New("tls: certificate private key does not implement crypto.Signer") } - signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms(ka.version), ka.version) - signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms, ka.version) ++ signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms(), ka.version) if err != nil { return nil, err }