crypto/tls: implement TLS 1.3 record layer and cipher suites

Updates #9671 Change-Id: I1ea7b724975c0841d01f4536eebb23956b30d5ea Reviewed-on: https://go-review.googlesource.com/c/145297Reviewed-by: Adam Langley <agl@golang.org>

crypto/tls: implement TLS 1.3 record layer and cipher suites
Updates #9671 Change-Id: I1ea7b724975c0841d01f4536eebb23956b30d5ea Reviewed-on: https://go-review.googlesource.com/c/145297Reviewed-by: Adam Langley <agl@golang.org>
ef21689a · Filippo Valsorda · 7aee7990 · ef21689a · ef21689a · ef21689a
Commit ef21689a authored Oct 27, 2018 by Filippo Valsorda
4 changed files
--- a/src/crypto/tls/cipher_suites.go
+++ b/src/crypto/tls/cipher_suites.go
@@ -5,6 +5,7 @@
 package tls

 import (
+	"crypto"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des"
@@ -58,8 +59,7 @@ const (
 	suiteDefaultOff
 )

-// A cipherSuite is a specific combination of key agreement, cipher and MAC
-// function. All cipher suites currently assume RSA key agreement.
+// A cipherSuite is a specific combination of key agreement, cipher and MAC function.
 type cipherSuite struct {
 	id uint16
 	// the lengths, in bytes, of the key material needed for each component.
@@ -71,7 +71,7 @@ type cipherSuite struct {
 	flags  int
 	cipher func(key, iv []byte, isRead bool) interface{}
 	mac    func(version uint16, macKey []byte) macFunction
-	aead   func(key, fixedNonce []byte) cipher.AEAD
+	aead   func(key, fixedNonce []byte) aead
 }

 var cipherSuites = []*cipherSuite{
@@ -103,6 +103,21 @@ var cipherSuites = []*cipherSuite{
 	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},
 }

+// A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash
+// algorithm to be used with HKDF. See RFC 8446, Appendix B.4.
+type cipherSuiteTLS13 struct {
+	id     uint16
+	keyLen int
+	aead   func(key, fixedNonce []byte) aead
+	hash   crypto.Hash
+}
+
+var cipherSuitesTLS13 = []*cipherSuiteTLS13{
+	{TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256},
+	{TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256},
+	{TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384},
+}
+
 func cipherRC4(key, iv []byte, isRead bool) interface{} {
 	cipher, _ := rc4.NewCipher(key)
 	return cipher
@@ -161,36 +176,41 @@ type aead interface {
 	explicitNonceLen() int
 }

-// fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
+const (
+	aeadNonceLength   = 12
+	noncePrefixLength = 4
+)
+
+// prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
 // each call.
-type fixedNonceAEAD struct {
+type prefixNonceAEAD struct {
 	// nonce contains the fixed part of the nonce in the first four bytes.
-	nonce [12]byte
+	nonce [aeadNonceLength]byte
 	aead  cipher.AEAD
 }

-func (f *fixedNonceAEAD) NonceSize() int        { return 8 }
-func (f *fixedNonceAEAD) Overhead() int         { return f.aead.Overhead() }
-func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }
+func (f *prefixNonceAEAD) NonceSize() int        { return aeadNonceLength - noncePrefixLength }
+func (f *prefixNonceAEAD) Overhead() int         { return f.aead.Overhead() }
+func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() }

-func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
+func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
 	copy(f.nonce[4:], nonce)
 	return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
 }

-func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
+func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
 	copy(f.nonce[4:], nonce)
-	return f.aead.Open(out, f.nonce[:], plaintext, additionalData)
+	return f.aead.Open(out, f.nonce[:], ciphertext, additionalData)
 }

 // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
 // before each call.
 type xorNonceAEAD struct {
-	nonceMask [12]byte
+	nonceMask [aeadNonceLength]byte
 	aead      cipher.AEAD
 }

-func (f *xorNonceAEAD) NonceSize() int        { return 8 }
+func (f *xorNonceAEAD) NonceSize() int        { return 8 } // 64-bit sequence number
 func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }
 func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }

@@ -206,11 +226,11 @@ func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte
 	return result
 }

-func (f *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
+func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) {
 	for i, b := range nonce {
 		f.nonceMask[4+i] ^= b
 	}
-	result, err := f.aead.Open(out, f.nonceMask[:], plaintext, additionalData)
+	result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData)
 	for i, b := range nonce {
 		f.nonceMask[4+i] ^= b
 	}
@@ -218,7 +238,10 @@ func (f *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byt
 	return result, err
 }

-func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
+func aeadAESGCM(key, noncePrefix []byte) aead {
+	if len(noncePrefix) != noncePrefixLength {
+		panic("tls: internal error: wrong nonce length")
+	}
 	aes, err := aes.NewCipher(key)
 	if err != nil {
 		panic(err)
@@ -228,19 +251,40 @@ func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
 		panic(err)
 	}

-	ret := &fixedNonceAEAD{aead: aead}
-	copy(ret.nonce[:], fixedNonce)
+	ret := &prefixNonceAEAD{aead: aead}
+	copy(ret.nonce[:], noncePrefix)
 	return ret
 }

-func aeadChaCha20Poly1305(key, fixedNonce []byte) cipher.AEAD {
+func aeadAESGCMTLS13(key, nonceMask []byte) aead {
+	if len(nonceMask) != aeadNonceLength {
+		panic("tls: internal error: wrong nonce length")
+	}
+	aes, err := aes.NewCipher(key)
+	if err != nil {
+		panic(err)
+	}
+	aead, err := cipher.NewGCM(aes)
+	if err != nil {
+		panic(err)
+	}
+
+	ret := &xorNonceAEAD{aead: aead}
+	copy(ret.nonceMask[:], nonceMask)
+	return ret
+}
+
+func aeadChaCha20Poly1305(key, nonceMask []byte) aead {
+	if len(nonceMask) != aeadNonceLength {
+		panic("tls: internal error: wrong nonce length")
+	}
 	aead, err := chacha20poly1305.New(key)
 	if err != nil {
 		panic(err)
 	}

 	ret := &xorNonceAEAD{aead: aead}
-	copy(ret.nonceMask[:], fixedNonce)
+	copy(ret.nonceMask[:], nonceMask)
 	return ret
 }

@@ -371,6 +415,7 @@ func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
 //
 // Taken from https://www.iana.org/assignments/tls-parameters/tls-parameters.xml
 const (
+	// TLS 1.0 - 1.2 cipher suites.
 	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
 	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
 	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
@@ -394,6 +439,11 @@ const (
 	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    uint16 = 0xcca8
 	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  uint16 = 0xcca9

+	// TLS 1.3 cipher suites.
+	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
+	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
+	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303
+
 	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
 	// that the client is doing version fallback. See RFC 7507.
 	TLS_FALLBACK_SCSV uint16 = 0x5600

--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -26,14 +26,19 @@ const (
 	VersionTLS10 = 0x0301
 	VersionTLS11 = 0x0302
 	VersionTLS12 = 0x0303
+
+	// VersionTLS13 is under development in this library and can't be selected
+	// nor negotiated yet on either side.
+	VersionTLS13 = 0x0304
 )

 const (
-	maxPlaintext      = 16384        // maximum plaintext payload length
-	maxCiphertext     = 16384 + 2048 // maximum ciphertext payload length
-	recordHeaderLen   = 5            // record header length
-	maxHandshake      = 65536        // maximum handshake we support (protocol max is 16 MB)
-	maxWarnAlertCount = 5            // maximum number of consecutive warning alerts
+	maxPlaintext       = 16384        // maximum plaintext payload length
+	maxCiphertext      = 16384 + 2048 // maximum ciphertext payload length
+	maxCiphertextTLS13 = 16384 + 256  // maximum ciphertext length in TLS 1.3
+	recordHeaderLen    = 5            // record header length
+	maxHandshake       = 65536        // maximum handshake we support (protocol max is 16 MB)
+	maxUselessRecords  = 5            // maximum number of consecutive non-advancing records

 	minVersion = VersionTLS10
 	maxVersion = VersionTLS12
@@ -942,8 +947,9 @@ func defaultConfig() *Config {
 }

 var (
-	once                   sync.Once
-	varDefaultCipherSuites []uint16
+	once                        sync.Once
+	varDefaultCipherSuites      []uint16
+	varDefaultCipherSuitesTLS13 []uint16
 )

 func defaultCipherSuites() []uint16 {
@@ -951,19 +957,24 @@ func defaultCipherSuites() []uint16 {
 	return varDefaultCipherSuites
 }

+func defaultCipherSuitesTLS13() []uint16 {
+	once.Do(initDefaultCipherSuites)
+	return varDefaultCipherSuitesTLS13
+}
+
 func initDefaultCipherSuites() {
 	var topCipherSuites []uint16

 	// Check the cpu flags for each platform that has optimized GCM implementations.
-	// Worst case, these variables will just all be false
-	hasGCMAsmAMD64 := cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
+	// Worst case, these variables will just all be false.
+	var (
+		hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
+		hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
+		// Keep in sync with crypto/aes/cipher_s390x.go.
+		hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)

-	hasGCMAsmARM64 := cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
-
-	// Keep in sync with crypto/aes/cipher_s390x.go.
-	hasGCMAsmS390X := cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
-
-	hasGCMAsm := hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
+		hasGCMAsm = hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
+	)

 	if hasGCMAsm {
 		// If AES-GCM hardware is provided then prioritise AES-GCM
@@ -976,6 +987,11 @@ func initDefaultCipherSuites() {
 			TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
 			TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
 		}
+		varDefaultCipherSuitesTLS13 = []uint16{
+			TLS_AES_128_GCM_SHA256,
+			TLS_CHACHA20_POLY1305_SHA256,
+			TLS_AES_256_GCM_SHA384,
+		}
 	} else {
 		// Without AES-GCM hardware, we put the ChaCha20-Poly1305
 		// cipher suites first.
@@ -987,6 +1003,11 @@ func initDefaultCipherSuites() {
 			TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 			TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 		}
+		varDefaultCipherSuitesTLS13 = []uint16{
+			TLS_CHACHA20_POLY1305_SHA256,
+			TLS_AES_128_GCM_SHA256,
+			TLS_AES_256_GCM_SHA384,
+		}
 	}

 	varDefaultCipherSuites = make([]uint16, 0, len(cipherSuites))

--- a/src/crypto/tls/conn.go
+++ b/src/crypto/tls/conn.go
--- a/src/crypto/tls/tls_test.go
+++ b/src/crypto/tls/tls_test.go
@@ -589,7 +589,7 @@ func TestWarningAlertFlood(t *testing.T) {
 		if err == nil {
 			return errors.New("unexpected lack of error from server")
 		}
-		const expected = "too many warn"
+		const expected = "too many ignored"
 		if str := err.Error(); !strings.Contains(str, expected) {
 			return fmt.Errorf("expected error containing %q, but saw: %s", expected, str)
 		}
@@ -610,7 +610,7 @@ func TestWarningAlertFlood(t *testing.T) {
 		t.Fatal(err)
 	}

-	for i := 0; i < maxWarnAlertCount+1; i++ {
+	for i := 0; i < maxUselessRecords+1; i++ {
 		conn.sendAlert(alertNoRenegotiation)
 	}