mirror of
https://github.com/golang/go
synced 2024-11-26 02:57:57 -07:00
crypto/tls: disable ExportKeyingMaterial without EMS
Fixes #43922 Change-Id: Idaad7daa6784807ae3a5e4d944e88e13d01fd0b2 Reviewed-on: https://go-review.googlesource.com/c/go/+/544155 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org>
This commit is contained in:
parent
78d037b0e0
commit
8eecf26e3f
@ -159,6 +159,12 @@ Go 1.22 changed the default TLS cipher suites used by clients and servers when
|
||||
not explicitly configured, removing the cipher suites which used RSA based key
|
||||
exchange. The default can be revert using the [`tlsrsakex` setting](/pkg/crypto/tls/#Config).
|
||||
|
||||
Go 1.22 disabled
|
||||
[`ConnectionState.ExportKeyingMaterial`](/pkg/crypto/tls/#ConnectionState.ExportKeyingMaterial)
|
||||
when the connection supports neither TLS 1.3 nor Extended Master Secret
|
||||
(implemented in Go 1.21). It can be reenabled with the [`tlsunsafeekm`
|
||||
setting](/pkg/crypto/tls/#ConnectionState.ExportKeyingMaterial).
|
||||
|
||||
### Go 1.21
|
||||
|
||||
Go 1.21 made it a run-time error to call `panic` with a nil interface value,
|
||||
|
@ -304,11 +304,13 @@ type ConnectionState struct {
|
||||
// ExportKeyingMaterial returns length bytes of exported key material in a new
|
||||
// slice as defined in RFC 5705. If context is nil, it is not used as part of
|
||||
// the seed. If the connection was set to allow renegotiation via
|
||||
// Config.Renegotiation, this function will return an error.
|
||||
// Config.Renegotiation, or if the connections supports neither TLS 1.3 nor
|
||||
// Extended Master Secret, this function will return an error.
|
||||
//
|
||||
// There are conditions in which the returned values might not be unique to a
|
||||
// connection. See the Security Considerations sections of RFC 5705 and RFC 7627,
|
||||
// and https://mitls.org/pages/attacks/3SHAKE#channelbindings.
|
||||
// Exporting key material without Extended Master Secret or TLS 1.3 was disabled
|
||||
// in Go 1.22 due to security issues (see the Security Considerations sections
|
||||
// of RFC 5705 and RFC 7627), but can be re-enabled with the GODEBUG setting
|
||||
// tlsunsafeekm=1.
|
||||
func (cs *ConnectionState) ExportKeyingMaterial(label string, context []byte, length int) ([]byte, error) {
|
||||
return cs.ekm(label, context, length)
|
||||
}
|
||||
|
@ -15,6 +15,7 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"hash"
|
||||
"internal/godebug"
|
||||
"io"
|
||||
"net"
|
||||
"sync"
|
||||
@ -1599,6 +1600,8 @@ func (c *Conn) ConnectionState() ConnectionState {
|
||||
return c.connectionStateLocked()
|
||||
}
|
||||
|
||||
var ekmgodebug = godebug.New("tlsunsafeekm")
|
||||
|
||||
func (c *Conn) connectionStateLocked() ConnectionState {
|
||||
var state ConnectionState
|
||||
state.HandshakeComplete = c.isHandshakeComplete.Load()
|
||||
@ -1620,7 +1623,15 @@ func (c *Conn) connectionStateLocked() ConnectionState {
|
||||
}
|
||||
}
|
||||
if c.config.Renegotiation != RenegotiateNever {
|
||||
state.ekm = noExportedKeyingMaterial
|
||||
state.ekm = noEKMBecauseRenegotiation
|
||||
} else if c.vers != VersionTLS13 && !c.extMasterSecret {
|
||||
state.ekm = func(label string, context []byte, length int) ([]byte, error) {
|
||||
if ekmgodebug.Value() == "1" {
|
||||
ekmgodebug.IncNonDefault()
|
||||
return c.ekm(label, context, length)
|
||||
}
|
||||
return noEKMBecauseNoEMS(label, context, length)
|
||||
}
|
||||
} else {
|
||||
state.ekm = c.ekm
|
||||
}
|
||||
|
@ -252,13 +252,20 @@ func (h *finishedHash) discardHandshakeBuffer() {
|
||||
h.buffer = nil
|
||||
}
|
||||
|
||||
// noExportedKeyingMaterial is used as a value of
|
||||
// noEKMBecauseRenegotiation is used as a value of
|
||||
// ConnectionState.ekm when renegotiation is enabled and thus
|
||||
// we wish to fail all key-material export requests.
|
||||
func noExportedKeyingMaterial(label string, context []byte, length int) ([]byte, error) {
|
||||
func noEKMBecauseRenegotiation(label string, context []byte, length int) ([]byte, error) {
|
||||
return nil, errors.New("crypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled")
|
||||
}
|
||||
|
||||
// noEKMBecauseNoEMS is used as a value of ConnectionState.ekm when Extended
|
||||
// Master Secret is not negotiated and thus we wish to fail all key-material
|
||||
// export requests.
|
||||
func noEKMBecauseNoEMS(label string, context []byte, length int) ([]byte, error) {
|
||||
return nil, errors.New("crypto/tls: ExportKeyingMaterial is unavailable when neither TLS 1.3 nor Extended Master Secret are negotiated; override with GODEBUG=tlsunsafeekm=1")
|
||||
}
|
||||
|
||||
// ekmFromMasterSecret generates exported keying material as defined in RFC 5705.
|
||||
func ekmFromMasterSecret(version uint16, suite *cipherSuite, masterSecret, clientRandom, serverRandom []byte) func(string, []byte, int) ([]byte, error) {
|
||||
return func(label string, context []byte, length int) ([]byte, error) {
|
||||
|
@ -48,6 +48,7 @@ var All = []Info{
|
||||
{Name: "tls10server", Package: "crypto/tls", Changed: 22, Old: "1"},
|
||||
{Name: "tlsmaxrsasize", Package: "crypto/tls"},
|
||||
{Name: "tlsrsakex", Package: "crypto/tls", Changed: 22, Old: "1"},
|
||||
{Name: "tlsunsafeekm", Package: "crypto/tls", Changed: 22, Old: "1"},
|
||||
{Name: "x509sha1", Package: "crypto/x509"},
|
||||
{Name: "x509usefallbackroots", Package: "crypto/x509"},
|
||||
{Name: "zipinsecurepath", Package: "archive/zip"},
|
||||
|
@ -314,6 +314,10 @@ Below is the full list of supported metrics, ordered lexicographically.
|
||||
The number of non-default behaviors executed by the crypto/tls
|
||||
package due to a non-default GODEBUG=tlsrsakex=... setting.
|
||||
|
||||
/godebug/non-default-behavior/tlsunsafeekm:events
|
||||
The number of non-default behaviors executed by the crypto/tls
|
||||
package due to a non-default GODEBUG=tlsunsafeekm=... setting.
|
||||
|
||||
/godebug/non-default-behavior/x509sha1:events
|
||||
The number of non-default behaviors executed by the crypto/x509
|
||||
package due to a non-default GODEBUG=x509sha1=... setting.
|
||||
|
Loading…
Reference in New Issue
Block a user