Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge TLS1.3 Feature Branch into Main #406

Draft
wants to merge 43 commits into
base: master
Choose a base branch
from
Draft

Merge TLS1.3 Feature Branch into Main #406

wants to merge 43 commits into from

Conversation

developStorm
Copy link
Member

@developStorm developStorm commented Feb 18, 2025
edited
Loading

  • Passes Go unit tests
  • ZGrab works with this branch and negotiates TLS13 correctly
  • Larger scale test with Censys

dissoupov and others added 30 commits July 15, 2021 10:17
@dissoupov
Port TLS 1.3 from Go (#300)
a6d702c
@dissoupov
tls 1.3: added missing ciphers (#305)
dc3e3bd
@dissoupov
tls 1.3: common.go: ported missing fields in Config (#306)
62d29d3
@dissoupov
TLS 1.3: Handshake logs (#307)
54fce8d 
* [DRAFT] Handshake logs

* Removed heartbleed

* Added handshake logs for ZGrab2

* Added handshake logs for ZGrab2

* TLS1.3: added cert logs

* TLS1.3: adding keyAgreement logs

* TLS1.3: log SignatureAndHashes

* TLS1.3: log SupportedCurves

* TLS1.3: log ServerKeyExchange

* TLS 1.3: adding legacy Key Agreement algs
@dissoupov
Merge from master (#312)
61204b5
@dissoupov
TLS 1.3: Add handshake tests (#315)
82767f2
@dissoupov
TLS 1.3: fix exception in processServerKeyExchange (#316)
e5a0c22
@dissoupov
TLS1.3: added test for negociated Cipher Suite (#318)
11cb43a 
Co-authored-by: Denis Issoupov <dissoupov@dissoupov-ltl.internal.salesforce.com>
@codyprime
TLS1.3 Feature Branch: Add back in SessionTicket support (#323)
794a43c 
* Extract and output session ticket lifetime hint

This restores the functionality from commit db98bd3, on the TLSv13
branch

* tls: support ForceSessionTicketExt for ticketSupported
@codyprime
TLS 1.3: don't create skx log if processing server key exchange failed (
d265230 
#326)
@codyprime
tls 1.3: Add support for SupportedVersions Extension in log (#327)
d08a277 
For TLS 1.3 connections, SupportedVersions.SelectedVersions will be
present, and be 0x0304.  Add this to the HandshakeLog, if present.
@codyprime
TLS 1.3, X509: stub out darwin root stores (#328)
52b63a6
handshake_client: do not overwrite server certs (#329)
5590405 
Do not overwrite collected server certs when we are asked for a client cert.
@nakulbajaj
Added extension identifiers for Server Hello messages to Handshake Log (
e5412fa 
#331)

* Added extension IDs for Server Hello messages to handshake log

* Added marshalling capabilities for unknown extensions with empty data

* Switched to extension extract function on serverHelloMsg

* Re-added whitespace break
@nakulbajaj
Updated TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 = 0xD001 = 53249 (#333)
dbbfb1c
Make jsonifyExtensions public and add grouped CertificatesPolicies Us…
1b9a864 
…erNotice (#334)

* x509: make jsonifyExtensions() public

* Certificate Policies: add grouped user notices field

The separate fields for NoticeReferencNumbers, NoticeRefOrganization,
and ExplicitTexts introduce ambiguity since these fields are structured
and optional in the source data.

A certificate with a mixture of UserNotices that have only one of
ExplicitText or NoticeReference would previously be impossible to
reconstruct.

Add a new field, UserNotices, which preserved the original grouping of
values, leaving the old format exposed in place, so that this case can
be reconstructed without breaking existing usage.
@elliotcubit
standardize unsupported elliptic curve error
817b9ce
@elliotcubit
ct: allow publishing certificates with parsing errors
e7d0b65
@elliotcubit
Merge pull request #344 from elliotcubit/ecubit/elliptic-curve
3fbd2be 
Add option for CT log client to emit unparseable certs
@codyprime
tls: perform type assertion on cert publickey (#345)
1912d07 
Prior to the TLS 1.3 backport, there was a type assertion to make sure
that cert.PublicKey.(*rsa.PublicKey) was true.  This was lost in the
backport work, and while very rare we did recently hit a case where
this assertion is not true.  Doing it inline in the call leads to a
panic.

This restores the prior type assertion check, and returns err if it
fails.
@elliotcubit
Expose 'validSignature' field
894d0f8
@elliotcubit
Merge pull request #348 from elliotcubit/ecubit/expose-valid-signature
4c02f2b 
Expose 'validSignature' field
@elliotcubit
verifier: set ValidSignature field
a3f90a5 
The x509 package sets this field true when it finds a valid signature
while validating certificates; copy the behavior here for consistency.
@elliotcubit
run go fmt
2ba506e
@elliotcubit
Merge pull request #350 from elliotcubit/ecubit/verifier-valid-signature
4eadde1 
verifier: set ValidSignature field
@elliotcubit
Merge pull request #351 from elliotcubit/ecubit/gofmt
0f155df 
Run go fmt to fix CI
@elliotcubit
verifier: add AppendFromPEMErr method
b1f1309
@elliotcubit
Merge pull request #358 from elliotcubit/ecubit/verifier-errors
13ae606 
verifier: add AppendFromPEMErr method
@elliotcubit
verifier: set ValidSignature for certificates in the graph
f9aa5b9
@elliotcubit
Merge pull request #360 from elliotcubit/ecubit/intermediates-signatures
c6c18cc 
verifier: set ValidSignature for certificates in the graph
elliotcubit and others added 13 commits September 7, 2023 14:26
@elliotcubit
pkix: marshal nonstandard name attributes only once
84259cd
@elliotcubit
Merge pull request #365 from elliotcubit/ecubit/dupe-dn-fields
4ba27e9 
pkix: marshal nonstandard name attributes only once
@iJustErikk
make extension parsing more permissive (#387)
c093b7d 
* make extension parsing more permissive

* allow permissive errros through on server certs
@iJustErikk
ignore permissive errors
7fe312f
@elliotcubit
Merge pull request #388 from iJustErikk/erik/just-ignore-permissive
8ea4fd6 
ignore permissive errors
@developStorm
fix: regenerate ECDSA test flows
90dd94c 
A change in ECDSA signature generation made old flow data incompatible with newer Go versions: golang/go@08f2091
@developStorm
Merge branch 'feature/TLSv1.3' into refactor/tls13-merge-attempt-3
5413c5e
@developStorm
fix: configurable server random w/ downgrade canary
d5e1856
@developStorm
fix: Config.Time in tests using expired certificates
d3e579a 
Adopted from golang/go@d1d9312
@developStorm
Revert "fix: regenerate ECDSA test flows"
3f733db 
This reverts commit 90dd94c.
@developStorm
fix: regenerate ECDSA test flows
e0d9751 
A change in ECDSA signature generation made old flow data incompatible with newer Go versions: golang/go@08f2091
@developStorm
Merge branch 'feature/TLSv1.3' into refactor/tls13-merge-attempt-3
e9e96f1
@developStorm
style: reformat merged file
97e834c
@developStorm developStorm self-assigned this Feb 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@phillip-stephens phillip-stephens Awaiting requested review from phillip-stephens

At least 1 approving review is required to merge this pull request.

Assignees

@developStorm developStorm

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@developStorm @dissoupov @codyprime @nakulbajaj @elliotcubit @iJustErikk