From f91dfda8c370983f2aa3ba10d2175838375f8db7 Mon Sep 17 00:00:00 2001 From: Marten Seemann Date: Sat, 1 Feb 2020 15:58:40 +0700 Subject: [PATCH] make the TLS cipher suites configurable --- Changelog.md | 1 + client.go | 2 ++ go.mod | 2 +- go.sum | 4 +-- integrationtests/self/handshake_test.go | 43 +++++++++++++++++++++++++ server.go | 1 + 6 files changed, 50 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index 258c49131..2363cfb6b 100644 --- a/Changelog.md +++ b/Changelog.md @@ -4,6 +4,7 @@ - Add support for 0-RTT. - Remove `Session.Close()`. Applications need to pass an application error code to the transport using `Session.CloseWithError()`. +- Make the TLS Cipher Suites configurable (via `tls.Config.CipherSuites`). ## v0.14.0 (2019-12-04) diff --git a/client.go b/client.go index c8df798d5..e115acac4 100644 --- a/client.go +++ b/client.go @@ -59,6 +59,7 @@ var ( // DialAddr establishes a new QUIC connection to a server. // It uses a new UDP connection and closes this connection when the QUIC session is closed. // The hostname for SNI is taken from the given address. +// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites. func DialAddr( addr string, tlsConf *tls.Config, @@ -70,6 +71,7 @@ func DialAddr( // DialAddrEarly establishes a new 0-RTT QUIC connection to a server. // It uses a new UDP connection and closes this connection when the QUIC session is closed. // The hostname for SNI is taken from the given address. +// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites. func DialAddrEarly( addr string, tlsConf *tls.Config, diff --git a/go.mod b/go.mod index 958db607c..42e5ecee7 100644 --- a/go.mod +++ b/go.mod 
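Review bot: The added comment `// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites.` on `DialAddr` and `DialAddrEarly` (and the same line on `Listen` in the server.go hunk) does not say what happens when the list is empty or holds only pre-TLS 1.3 IDs. This matters because in the standard library `tls.Config.CipherSuites` does not govern TLS 1.3, so a `tls.Config` shared with a TCP/TLS listener may carry a TLS 1.2-only list. Whether that ends in a failed handshake or a fallback to defaults is decided inside qtls and is not visible in this patch. Once that behaviour is confirmed, I would reword the line along the lines of `// tls.Config.CipherSuites restricts the TLS 1.3 cipher suites offered or accepted; if empty, the default suites are used.`. Per the diffstat only these three functions get the note, so the other dial and listen entry points (the new test calls `quic.ListenAddr`) stay undocumented on this point; the function bodies lie outside the hunks.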
@@ -9,7 +9,7 @@ require ( github.com/golang/protobuf v1.3.0 github.com/marten-seemann/chacha20 v0.2.0 github.com/marten-seemann/qpack v0.1.0 - github.com/marten-seemann/qtls v0.6.1 + github.com/marten-seemann/qtls v0.7.0 github.com/onsi/ginkgo v1.11.0 github.com/onsi/gomega v1.8.1 golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472 diff --git a/go.sum b/go.sum index e25142b0a..7a15410fc 100644 --- a/go.sum +++ b/go.sum @@ -15,8 +15,8 @@ github.com/marten-seemann/chacha20 v0.2.0 h1:f40vqzzx+3GdOmzQoItkLX5WLvHgPgyYqFF github.com/marten-seemann/chacha20 v0.2.0/go.mod h1:HSdjFau7GzYRj+ahFNwsO3ouVJr1HFkWoEwNDb4TMtE= github.com/marten-seemann/qpack v0.1.0 h1:/0M7lkda/6mus9B8u34Asqm8ZhHAAt9Ho0vniNuVSVg= github.com/marten-seemann/qpack v0.1.0/go.mod h1:LFt1NU/Ptjip0C2CPkhimBz5CGE3WGDAUWqna+CNTrI= -github.com/marten-seemann/qtls v0.6.1 h1:N82hlQA7hMhikLjmx6BCJ/ey4zMc9ioHQmjXWwNu6is= -github.com/marten-seemann/qtls v0.6.1/go.mod h1:pxVXcHHw1pNIt8Qo0pwSYQEoZ8yYOOPXTCZLQQunvRc= +github.com/marten-seemann/qtls v0.7.0 h1:5orVe49aOr4ykvip1sxSEnN37nNjgxB7xTCrySLwN3E= +github.com/marten-seemann/qtls v0.7.0/go.mod h1:pxVXcHHw1pNIt8Qo0pwSYQEoZ8yYOOPXTCZLQQunvRc= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw= diff --git a/integrationtests/self/handshake_test.go b/integrationtests/self/handshake_test.go index aa0b6e70e..728cd8379 100644 --- a/integrationtests/self/handshake_test.go +++ b/integrationtests/self/handshake_test.go @@ -4,6 +4,7 @@ import ( "context" "crypto/tls" "fmt" + "io/ioutil" "net" "time" 
@@ -135,6 +136,48 @@ var _ = Describe("Handshake tests", func() { }) } + Context("using different cipher suites", func() { + for n, id := range map[string]uint16{ + "TLS_AES_128_GCM_SHA256": tls.TLS_AES_128_GCM_SHA256, + "TLS_AES_256_GCM_SHA384": tls.TLS_AES_256_GCM_SHA384, + "TLS_CHACHA20_POLY1305_SHA256": tls.TLS_CHACHA20_POLY1305_SHA256, + } { + name := n + suiteID := id + + It(fmt.Sprintf("using %s", name), func() { + tlsServerConf.CipherSuites = []uint16{suiteID} + ln, err := quic.ListenAddr("localhost:0", tlsServerConf, serverConfig) + Expect(err).ToNot(HaveOccurred()) + + go func() { + defer GinkgoRecover() + sess, err := ln.Accept(context.Background()) + Expect(err).ToNot(HaveOccurred()) + str, err := sess.OpenStream() + Expect(err).ToNot(HaveOccurred()) + defer str.Close() + _, err = str.Write(PRData) + Expect(err).ToNot(HaveOccurred()) + }() + + sess, err := quic.DialAddr( + fmt.Sprintf("localhost:%d", ln.Addr().(*net.UDPAddr).Port), + getTLSClientConfig(), + nil, + ) + Expect(err).ToNot(HaveOccurred()) + str, err := sess.AcceptStream(context.Background()) + Expect(err).ToNot(HaveOccurred()) + data, err := ioutil.ReadAll(str) + Expect(err).ToNot(HaveOccurred()) + Expect(data).To(Equal(PRData)) + Expect(sess.ConnectionState().CipherSuite).To(Equal(suiteID)) + Expect(sess.CloseWithError(0, "")).To(Succeed()) + }) + } + }) + Context("Certifiate validation", func() { for _, v := range protocol.SupportedVersions { version := v diff --git a/server.go b/server.go index 3e2f30a0a..1b952ad80 100644 --- a/server.go +++ b/server.go 
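Review bot: The new `using different cipher suites` specs only cover the accepting path: the server is pinned to one suite while the client comes from `getTLSClientConfig()` unmodified, so nothing checks that a restriction set on the client is honoured or that a handshake with no common suite is refused. For a setting that will be used to enforce a cipher policy, a regression that silently ignores `CipherSuites` on one side would still pass these specs. I would add a spec with disjoint client and server lists that expects `quic.DialAddr` to return an error, sketched below; it assumes `getTLSClientConfig()` returns a config the spec is free to modify. Separately, `ln` is never closed in the added `It` body, so each iteration leaves a listener behind; `defer ln.Close()` after the `ListenAddr` check would fix that.

```go
// … unchanged: the three positive specs generated by the map loop …

It("errors when client and server share no cipher suite", func() {
	tlsServerConf.CipherSuites = []uint16{tls.TLS_AES_128_GCM_SHA256}
	ln, err := quic.ListenAddr("localhost:0", tlsServerConf, serverConfig)
	Expect(err).ToNot(HaveOccurred())
	defer ln.Close()

	// The client offers a single suite that the server does not allow.
	clientConf := getTLSClientConfig()
	clientConf.CipherSuites = []uint16{tls.TLS_CHACHA20_POLY1305_SHA256}
	_, err = quic.DialAddr(
		fmt.Sprintf("localhost:%d", ln.Addr().(*net.UDPAddr).Port),
		clientConf,
		nil,
	)
	Expect(err).To(HaveOccurred())
})
```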
@@ -132,6 +132,7 @@ func listenAddr(addr string, tlsConf *tls.Config, config *Config, acceptEarly bo
 // The PacketConn can be used for simultaneous calls to Dial.
 // QUIC connection IDs are used for demultiplexing the different connections.
 // The tls.Config must not be nil and must contain a certificate configuration.
+// The tls.Config.CipherSuites allows setting of TLS 1.3 cipher suites.
 // Furthermore, it must define an application control (using NextProtos).
 // The quic.Config may be nil, in that case the default values will be used.
 func Listen(conn net.PacketConn, tlsConf *tls.Config, config *Config) (Listener, error) {