From d42b2400d4715907d01ab90caf1d6bea8180498c Mon Sep 17 00:00:00 2001 From: Bas Westerbaan Date: Fri, 2 Sep 2022 13:11:31 +0200 Subject: [PATCH] tls: report CurveIDs for TLS <1.2 kexes (#132) --- src/crypto/tls/cfkem_test.go | 30 ++++++++++-------------- src/crypto/tls/handshake_client.go | 6 +++++ src/crypto/tls/handshake_client_tls13.go | 2 +- src/crypto/tls/handshake_server.go | 5 ++++ src/crypto/tls/handshake_server_tls13.go | 2 +- src/crypto/tls/tls_cf.go | 14 +++++++---- 6 files changed, 34 insertions(+), 25 deletions(-) diff --git a/src/crypto/tls/cfkem_test.go b/src/crypto/tls/cfkem_test.go index 4416143039b..033acaca55f 100644 --- a/src/crypto/tls/cfkem_test.go +++ b/src/crypto/tls/cfkem_test.go @@ -31,7 +31,7 @@ func testHybridKEX(t *testing.T, scheme kem.Scheme, clientPQ, serverPQ, } clientConfig.CFEventHandler = func(ev CFEvent) { switch e := ev.(type) { - case CFEventTLS13NegotiatedKEX: + case CFEventTLSNegotiatedNamedKEX: clientSelectedKEX = &e.KEX case CFEventTLS13HRR: retry = true @@ -75,31 +75,25 @@ func testHybridKEX(t *testing.T, scheme kem.Scheme, clientPQ, serverPQ, var expectedKEX CurveID var expectedRetry bool - if clientPQ && serverPQ { + if clientPQ && serverPQ && !clientTLS12 && !serverTLS12 { expectedKEX = kemSchemeKeyToCurveID(scheme) } else { expectedKEX = X25519 } - if clientPQ && !serverPQ { + if !clientTLS12 && clientPQ && !serverPQ { expectedRetry = true } - if !serverTLS12 && !clientTLS12 { - if clientSelectedKEX == nil { - t.Error("No TLS 1.3 KEX happened?") - } + if clientSelectedKEX == nil { + t.Error("No KEX happened?") + } - if *clientSelectedKEX != expectedKEX { - t.Errorf("failed to negotiate: expected %d, got %d", - expectedKEX, *clientSelectedKEX) - } - if expectedRetry != retry { - t.Errorf("Expected retry=%v, got retry=%v", expectedRetry, retry) - } - } else { - if clientSelectedKEX != nil { - t.Error("TLS 1.3 KEX happened?") - } + if *clientSelectedKEX != expectedKEX { + t.Errorf("failed to negotiate: expected %d, got %d", + expectedKEX, *clientSelectedKEX) + } + if expectedRetry != retry { + t.Errorf("Expected retry=%v, got retry=%v", expectedRetry, retry) } } diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go index fa00a1c091a..fc4022edb45 100644 --- a/src/crypto/tls/handshake_client.go +++ b/src/crypto/tls/handshake_client.go @@ -582,6 +582,12 @@ func (hs *clientHandshakeState) doFullHandshake() error { return err } + if eccKex, ok := keyAgreement.(*ecdheKeyAgreement); ok { + c.handleCFEvent(CFEventTLSNegotiatedNamedKEX{ + KEX: eccKex.params.CurveID(), + }) + } + msg, err = c.readHandshake() if err != nil { return err diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go index 0ee7c28252b..d35076c0b0d 100644 --- a/src/crypto/tls/handshake_client_tls13.go +++ b/src/crypto/tls/handshake_client_tls13.go @@ -518,7 +518,7 @@ func (hs *clientHandshakeStateTLS13) processServerHello() error { return errors.New("tls: server selected unsupported group") } - c.handleCFEvent(CFEventTLS13NegotiatedKEX{ + c.handleCFEvent(CFEventTLSNegotiatedNamedKEX{ KEX: hs.serverHello.serverShare.group, }) diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go index e4f75b1cb92..7ccd5ab039a 100644 --- a/src/crypto/tls/handshake_server.go +++ b/src/crypto/tls/handshake_server.go @@ -638,6 +638,11 @@ func (hs *serverHandshakeState) doFullHandshake() error { c.sendAlert(alertHandshakeFailure) return err } + if eccKex, ok := keyAgreement.(*ecdheKeyAgreement); ok { + c.handleCFEvent(CFEventTLSNegotiatedNamedKEX{ + KEX: eccKex.params.CurveID(), + }) + } hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random) if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil { c.sendAlert(alertInternalError) diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go index b01c234d851..904aa61c460 100644 --- a/src/crypto/tls/handshake_server_tls13.go +++ b/src/crypto/tls/handshake_server_tls13.go @@ -308,7 +308,7 @@ GroupSelection: } c.serverName = hs.clientHello.serverName - c.handleCFEvent(CFEventTLS13NegotiatedKEX{ + c.handleCFEvent(CFEventTLSNegotiatedNamedKEX{ KEX: selectedGroup, }) diff --git a/src/crypto/tls/tls_cf.go b/src/crypto/tls/tls_cf.go index 688a87bf150..c60ee2862d7 100644 --- a/src/crypto/tls/tls_cf.go +++ b/src/crypto/tls/tls_cf.go @@ -219,14 +219,18 @@ func (e CFEventECHPublicNameMismatch) Name() string { return "ech public name does not match outer sni" } -// CFEventTLS13NegotiatedKEX is emitted when a key agreement mechanism has been -// established. -type CFEventTLS13NegotiatedKEX struct { +// For backwards compatibility. +type CFEventTLS13NegotiatedKEX = CFEventTLSNegotiatedNamedKEX + +// CFEventTLSNegotiatedNamedKEX is emitted when a key agreement mechanism has been +// established that uses a named group. This includes all key agreements +// in TLSv1.3, but excludes RSA and DH in TLS 1.2 and earlier. +type CFEventTLSNegotiatedNamedKEX struct { KEX CurveID } -func (e CFEventTLS13NegotiatedKEX) Name() string { - return "CFEventTLS13NegotiatedKEX" +func (e CFEventTLSNegotiatedNamedKEX) Name() string { + return "CFEventTLSNegotiatedNamedKEX" } // CFEventTLS13HRR is emitted when a HRR is sent or received