package tls
-import (
- "crypto/internal/boring/fipstls"
-)
+import "crypto/internal/boring/fipstls"
+
+// The FIPS-only policies enforced here currently match BoringSSL's
+// ssl_policy_fips_202205.
// needFIPS returns fipstls.Required(); it avoids a new import in common.go.
func needFIPS() bool {
// fipsMinVersion replaces c.minVersion in FIPS-only mode.
func fipsMinVersion(c *Config) uint16 {
- // FIPS requires TLS 1.2.
+ // FIPS requires TLS 1.2 or TLS 1.3.
return VersionTLS12
}
// fipsMaxVersion replaces c.maxVersion in FIPS-only mode.
func fipsMaxVersion(c *Config) uint16 {
- // FIPS requires TLS 1.2.
- return VersionTLS12
+ // FIPS requires TLS 1.2 or TLS 1.3.
+ return VersionTLS13
}
// default defaultFIPSCurvePreferences is the FIPS-allowed curves,
// in preference order (most preferable first).
-var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521}
+var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384}
// fipsCurvePreferences replaces c.curvePreferences in FIPS-only mode.
func fipsCurvePreferences(c *Config) []CurveID {
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS_RSA_WITH_AES_128_GCM_SHA256,
- TLS_RSA_WITH_AES_256_GCM_SHA384,
}
// fipsCipherSuites replaces c.cipherSuites in FIPS-only mode.
return list
}
+// defaultCipherSuitesTLS13FIPS are the FIPS-allowed cipher suites for TLS 1.3.
+var defaultCipherSuitesTLS13FIPS = []uint16{
+ TLS_AES_128_GCM_SHA256,
+ TLS_AES_256_GCM_SHA384,
+}
+
// fipsSupportedSignatureAlgorithms currently are a subset of
-// defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1.
+// defaultSupportedSignatureAlgorithms without Ed25519, SHA-1, and P-521.
var fipsSupportedSignatureAlgorithms = []SignatureScheme{
PSSWithSHA256,
PSSWithSHA384,
PKCS1WithSHA384,
ECDSAWithP384AndSHA384,
PKCS1WithSHA512,
- ECDSAWithP521AndSHA512,
}
// supportedSignatureAlgorithms returns the supported signature algorithms.
"time"
)
+func allCipherSuitesIncludingTLS13() []uint16 {
+ s := allCipherSuites()
+ for _, suite := range cipherSuitesTLS13 {
+ s = append(s, suite.id)
+ }
+ return s
+}
+
+func isTLS13CipherSuite(id uint16) bool {
+ for _, suite := range cipherSuitesTLS13 {
+ if id == suite.id {
+ return true
+ }
+ }
+ return false
+}
+
+func generateKeyShare(group CurveID) keyShare {
+ key, err := generateECDHEKey(rand.Reader, group)
+ if err != nil {
+ panic(err)
+ }
+ return keyShare{group: group, data: key.PublicKey().Bytes()}
+}
+
func TestBoringServerProtocolVersion(t *testing.T) {
test := func(name string, v uint16, msg string) {
t.Run(name, func(t *testing.T) {
clientHello := &clientHelloMsg{
vers: v,
random: make([]byte, 32),
- cipherSuites: allCipherSuites(),
+ cipherSuites: allCipherSuitesIncludingTLS13(),
compressionMethods: []uint8{compressionNone},
+ supportedCurves: defaultCurvePreferences,
+ keyShares: []keyShare{generateKeyShare(CurveP256)},
+ supportedPoints: []uint8{pointFormatUncompressed},
supportedVersions: []uint16{v},
}
testClientHelloFailure(t, serverConfig, clientHello, msg)
fipstls.Force()
defer fipstls.Abandon()
- test("VersionSSL30", VersionSSL30, "client offered only unsupported versions")
- test("VersionTLS10", VersionTLS10, "client offered only unsupported versions")
- test("VersionTLS11", VersionTLS11, "client offered only unsupported versions")
- test("VersionTLS12", VersionTLS12, "")
- test("VersionTLS13", VersionTLS13, "client offered only unsupported versions")
+ test("VersionSSL30/fipstls", VersionSSL30, "client offered only unsupported versions")
+ test("VersionTLS10/fipstls", VersionTLS10, "client offered only unsupported versions")
+ test("VersionTLS11/fipstls", VersionTLS11, "client offered only unsupported versions")
+ test("VersionTLS12/fipstls", VersionTLS12, "")
+ test("VersionTLS13/fipstls", VersionTLS13, "")
}
func isBoringVersion(v uint16) bool {
- return v == VersionTLS12
+ return v == VersionTLS12 || v == VersionTLS13
}
func isBoringCipherSuite(id uint16) bool {
switch id {
- case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ case TLS_AES_128_GCM_SHA256,
+ TLS_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS_RSA_WITH_AES_128_GCM_SHA256,
- TLS_RSA_WITH_AES_256_GCM_SHA384:
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
return true
}
return false
func isBoringCurve(id CurveID) bool {
switch id {
- case CurveP256, CurveP384, CurveP521:
+ case CurveP256, CurveP384:
return true
}
return false
return suite.flags&suiteECSign == suiteECSign
}
}
- panic(fmt.Sprintf("unknown cipher suite %#x", id))
+ return false // TLS 1.3 cipher suites are not tied to the signature algorithm.
}
func isBoringSignatureScheme(alg SignatureScheme) bool {
PKCS1WithSHA384,
ECDSAWithP384AndSHA384,
PKCS1WithSHA512,
- ECDSAWithP521AndSHA512,
PSSWithSHA256,
PSSWithSHA384,
PSSWithSHA512:
func TestBoringServerCipherSuites(t *testing.T) {
serverConfig := testConfig.Clone()
- serverConfig.CipherSuites = allCipherSuites()
serverConfig.Certificates = make([]Certificate, 1)
- for _, id := range allCipherSuites() {
+ for _, id := range allCipherSuitesIncludingTLS13() {
if isECDSA(id) {
serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate}
serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey
serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey
}
serverConfig.BuildNameToCertificate()
- t.Run(fmt.Sprintf("suite=%#x", id), func(t *testing.T) {
+ t.Run(fmt.Sprintf("suite=%s", CipherSuiteName(id)), func(t *testing.T) {
clientHello := &clientHelloMsg{
vers: VersionTLS12,
random: make([]byte, 32),
cipherSuites: []uint16{id},
compressionMethods: []uint8{compressionNone},
supportedCurves: defaultCurvePreferences,
+ keyShares: []keyShare{generateKeyShare(CurveP256)},
supportedPoints: []uint8{pointFormatUncompressed},
+ supportedVersions: []uint16{VersionTLS12},
+ }
+ if isTLS13CipherSuite(id) {
+ clientHello.supportedVersions = []uint16{VersionTLS13}
}
testClientHello(t, serverConfig, clientHello)
cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
compressionMethods: []uint8{compressionNone},
supportedCurves: []CurveID{curveid},
+ keyShares: []keyShare{generateKeyShare(curveid)},
supportedPoints: []uint8{pointFormatUncompressed},
+ supportedVersions: []uint16{VersionTLS12},
}
testClientHello(t, serverConfig, clientHello)
}
if !isBoringVersion(hello.vers) {
- t.Errorf("client vers=%#x, want %#x (TLS 1.2)", hello.vers, VersionTLS12)
+ t.Errorf("client vers=%#x", hello.vers)
}
for _, v := range hello.supportedVersions {
if !isBoringVersion(v) {