external/boringssl: Sync to 58e449904e248f34bdfc2be7a609c58bcb0257b7.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/2c1523733a71166943e52da11ac2eae82b0227b8..58e449904e248f34bdfc2be7a609c58bcb0257b7
Test: BoringSSL CTS Presubmits
Change-Id: I1a825139c8c7076d09b8a3acc5f09a547a7cbe0d
diff --git a/src/ssl/handshake_client.c b/src/ssl/handshake_client.c
index 0629078..f204286 100644
--- a/src/ssl/handshake_client.c
+++ b/src/ssl/handshake_client.c
@@ -1255,11 +1255,8 @@
goto f_err;
}
hs->new_session->peer_signature_algorithm = signature_algorithm;
- } else if (hs->peer_pubkey->type == EVP_PKEY_RSA) {
- signature_algorithm = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
- } else if (hs->peer_pubkey->type == EVP_PKEY_EC) {
- signature_algorithm = SSL_SIGN_ECDSA_SHA1;
- } else {
+ } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,
+ hs->peer_pubkey)) {
al = SSL_AD_UNSUPPORTED_CERTIFICATE;
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
goto f_err;
diff --git a/src/ssl/handshake_server.c b/src/ssl/handshake_server.c
index 63027d6..4eaf3cb 100644
--- a/src/ssl/handshake_server.c
+++ b/src/ssl/handshake_server.c
@@ -1722,11 +1722,8 @@
goto f_err;
}
hs->new_session->peer_signature_algorithm = signature_algorithm;
- } else if (hs->peer_pubkey->type == EVP_PKEY_RSA) {
- signature_algorithm = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
- } else if (hs->peer_pubkey->type == EVP_PKEY_EC) {
- signature_algorithm = SSL_SIGN_ECDSA_SHA1;
- } else {
+ } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,
+ hs->peer_pubkey)) {
al = SSL_AD_UNSUPPORTED_CERTIFICATE;
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
goto f_err;
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index 1ed7e15..e7a3f7a 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -1272,6 +1272,11 @@
* error. */
int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs);
+/* tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm
+ * that should be used with |pkey| in TLS 1.1 and earlier. It returns one on
+ * success and zero if |pkey| may not be used at those versions. */
+int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey);
+
/* tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use
* with |hs|'s private key based on the peer's preferences and the algorithms
* supported. It returns one on success and zero on error. */
diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc
index 3296c17..80465ce 100644
--- a/src/ssl/ssl_test.cc
+++ b/src/ssl/ssl_test.cc
@@ -306,57 +306,39 @@
":X25519:P-256",
};
-static void PrintCipherPreferenceList(ssl_cipher_preference_list_st *list) {
+static std::string CipherListToString(ssl_cipher_preference_list_st *list) {
bool in_group = false;
+ std::string ret;
for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
if (!in_group && list->in_group_flags[i]) {
- fprintf(stderr, "\t[\n");
+ ret += "\t[\n";
in_group = true;
}
- fprintf(stderr, "\t");
+ ret += "\t";
if (in_group) {
- fprintf(stderr, " ");
+ ret += " ";
}
- fprintf(stderr, "%s\n", SSL_CIPHER_get_name(cipher));
+ ret += SSL_CIPHER_get_name(cipher);
+ ret += "\n";
if (in_group && !list->in_group_flags[i]) {
- fprintf(stderr, "\t]\n");
+ ret += "\t]\n";
in_group = false;
}
}
+ return ret;
}
-static bool TestCipherRule(const CipherTest &t) {
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
- if (!ctx) {
+static bool CipherListsEqual(ssl_cipher_preference_list_st *list,
+ const std::vector<ExpectedCipher> &expected) {
+ if (sk_SSL_CIPHER_num(list->ciphers) != expected.size()) {
return false;
}
- if (!SSL_CTX_set_cipher_list(ctx.get(), t.rule)) {
- fprintf(stderr, "Error testing cipher rule '%s'\n", t.rule);
- return false;
- }
-
- if (!SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule) != t.strict_fail) {
- fprintf(stderr, "Unexpected strict failure result testing cipher rule '%s':"
- " expected %d\n", t.rule, t.strict_fail);
- return false;
- }
-
- // Compare the two lists.
- if (sk_SSL_CIPHER_num(ctx->cipher_list->ciphers) != t.expected.size()) {
- fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t.rule);
- PrintCipherPreferenceList(ctx->cipher_list);
- return false;
- }
-
- for (size_t i = 0; i < t.expected.size(); i++) {
- const SSL_CIPHER *cipher =
- sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i);
- if (t.expected[i].id != SSL_CIPHER_get_id(cipher) ||
- t.expected[i].in_group_flag != ctx->cipher_list->in_group_flags[i]) {
- fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t.rule);
- PrintCipherPreferenceList(ctx->cipher_list);
+ for (size_t i = 0; i < expected.size(); i++) {
+ const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
+ if (expected[i].id != SSL_CIPHER_get_id(cipher) ||
+ expected[i].in_group_flag != list->in_group_flags[i]) {
return false;
}
}
@@ -364,99 +346,72 @@
return true;
}
-static bool TestRuleDoesNotIncludeNull(const char *rule) {
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_server_method()));
- if (!ctx) {
- return false;
- }
- if (!SSL_CTX_set_strict_cipher_list(ctx.get(), rule)) {
- fprintf(stderr, "Error: cipher rule '%s' failed\n", rule);
- return false;
- }
- for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
- if (SSL_CIPHER_is_NULL(sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i))) {
- fprintf(stderr, "Error: cipher rule '%s' includes NULL\n",rule);
- return false;
- }
- }
- return true;
-}
+TEST(SSLTest, CipherRules) {
+ for (const CipherTest &t : kCipherTests) {
+ SCOPED_TRACE(t.rule);
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
-static bool TestCipherRules() {
- for (const CipherTest &test : kCipherTests) {
- if (!TestCipherRule(test)) {
- return false;
+ // Test lax mode.
+ ASSERT_TRUE(SSL_CTX_set_cipher_list(ctx.get(), t.rule));
+ EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
+ << "Cipher rule evaluated to:\n"
+ << CipherListToString(ctx->cipher_list);
+
+ // Test strict mode.
+ if (t.strict_fail) {
+ EXPECT_FALSE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
+ } else {
+ ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), t.rule));
+ EXPECT_TRUE(CipherListsEqual(ctx->cipher_list, t.expected))
+ << "Cipher rule evaluated to:\n"
+ << CipherListToString(ctx->cipher_list);
}
}
for (const char *rule : kBadRules) {
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_server_method()));
- if (!ctx) {
- return false;
- }
- if (SSL_CTX_set_cipher_list(ctx.get(), rule)) {
- fprintf(stderr, "Cipher rule '%s' unexpectedly succeeded\n", rule);
- return false;
- }
+ SCOPED_TRACE(rule);
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+
+ EXPECT_FALSE(SSL_CTX_set_cipher_list(ctx.get(), rule));
ERR_clear_error();
}
for (const char *rule : kMustNotIncludeNull) {
- if (!TestRuleDoesNotIncludeNull(rule)) {
- return false;
+ SCOPED_TRACE(rule);
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+
+ ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
+ for (size_t i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
+ EXPECT_FALSE(SSL_CIPHER_is_NULL(
+ sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i)));
}
}
-
- return true;
}
-static bool TestCurveRule(const CurveTest &t) {
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
- if (!ctx) {
- return false;
- }
+TEST(SSLTest, CurveRules) {
+ for (const CurveTest &t : kCurveTests) {
+ SCOPED_TRACE(t.rule);
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
- if (!SSL_CTX_set1_curves_list(ctx.get(), t.rule)) {
- fprintf(stderr, "Error testing curves list '%s'\n", t.rule);
- return false;
- }
-
- // Compare the two lists.
- if (ctx->supported_group_list_len != t.expected.size()) {
- fprintf(stderr, "Error testing curves list '%s': length\n", t.rule);
- return false;
- }
-
- for (size_t i = 0; i < t.expected.size(); i++) {
- if (t.expected[i] != ctx->supported_group_list[i]) {
- fprintf(stderr, "Error testing curves list '%s': mismatch\n", t.rule);
- return false;
- }
- }
-
- return true;
-}
-
-static bool TestCurveRules() {
- for (const CurveTest &test : kCurveTests) {
- if (!TestCurveRule(test)) {
- return false;
+ ASSERT_TRUE(SSL_CTX_set1_curves_list(ctx.get(), t.rule));
+ ASSERT_EQ(t.expected.size(), ctx->supported_group_list_len);
+ for (size_t i = 0; i < t.expected.size(); i++) {
+ EXPECT_EQ(t.expected[i], ctx->supported_group_list[i]);
}
}
for (const char *rule : kBadCurvesLists) {
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(SSLv23_server_method()));
- if (!ctx) {
- return false;
- }
- if (SSL_CTX_set1_curves_list(ctx.get(), rule)) {
- fprintf(stderr, "Curves list '%s' unexpectedly succeeded\n", rule);
- return false;
- }
+ SCOPED_TRACE(rule);
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+
+ EXPECT_FALSE(SSL_CTX_set1_curves_list(ctx.get(), rule));
ERR_clear_error();
}
-
- return true;
}
// kOpenSSLSession is a serialized SSL_SESSION.
@@ -756,31 +711,23 @@
return true;
}
-static bool TestDefaultVersion(uint16_t min_version, uint16_t max_version,
- const SSL_METHOD *(*method)(void)) {
+static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
+ const SSL_METHOD *(*method)(void)) {
bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(method()));
- if (!ctx) {
- return false;
- }
- if (ctx->min_version != min_version || ctx->max_version != max_version) {
- fprintf(stderr, "Got min %04x, max %04x; wanted min %04x, max %04x\n",
- ctx->min_version, ctx->max_version, min_version, max_version);
- return false;
- }
- return true;
+ ASSERT_TRUE(ctx);
+ EXPECT_EQ(min_version, ctx->min_version);
+ EXPECT_EQ(max_version, ctx->max_version);
}
-static bool CipherGetRFCName(std::string *out, uint16_t value) {
- const SSL_CIPHER *cipher = SSL_get_cipher_by_value(value);
- if (cipher == NULL) {
- return false;
- }
- bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
- if (!rfc_name) {
- return false;
- }
- out->assign(rfc_name.get());
- return true;
+TEST(SSLTest, DefaultVersion) {
+ // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
+ ExpectDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method);
+ ExpectDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method);
+ ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method);
+ ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method);
+ ExpectDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method);
+ ExpectDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method);
+ ExpectDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method);
}
typedef struct {
@@ -810,22 +757,17 @@
{TLS1_CK_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256"},
};
-static bool TestCipherGetRFCName(void) {
- for (size_t i = 0;
- i < OPENSSL_ARRAY_SIZE(kCipherRFCNameTests); i++) {
- const CIPHER_RFC_NAME_TEST *test = &kCipherRFCNameTests[i];
- std::string rfc_name;
- if (!CipherGetRFCName(&rfc_name, test->id & 0xffff)) {
- fprintf(stderr, "SSL_CIPHER_get_rfc_name failed\n");
- return false;
- }
- if (rfc_name != test->rfc_name) {
- fprintf(stderr, "SSL_CIPHER_get_rfc_name: got '%s', wanted '%s'\n",
- rfc_name.c_str(), test->rfc_name);
- return false;
- }
+TEST(SSLTest, CipherGetRFCName) {
+ for (const CIPHER_RFC_NAME_TEST &t : kCipherRFCNameTests) {
+ SCOPED_TRACE(t.rfc_name);
+
+ const SSL_CIPHER *cipher = SSL_get_cipher_by_value(t.id & 0xffff);
+ ASSERT_TRUE(cipher);
+ bssl::UniquePtr<char> rfc_name(SSL_CIPHER_get_rfc_name(cipher));
+ ASSERT_TRUE(rfc_name);
+
+ EXPECT_STREQ(t.rfc_name, rfc_name.get());
}
- return true;
}
// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
@@ -1014,9 +956,9 @@
out->push_back(session);
}
-// ExpectCache returns true if |ctx|'s session cache consists of |expected|, in
+// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
// order.
-static bool ExpectCache(SSL_CTX *ctx,
+static bool CacheEquals(SSL_CTX *ctx,
const std::vector<SSL_SESSION*> &expected) {
// Check the linked list.
SSL_SESSION *ptr = ctx->session_cache_head;
@@ -1064,19 +1006,15 @@
}
// Test that the internal session cache behaves as expected.
-static bool TestInternalSessionCache() {
+TEST(SSLTest, InternalSessionCache) {
bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
- if (!ctx) {
- return false;
- }
+ ASSERT_TRUE(ctx);
// Prepare 10 test sessions.
std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
for (int i = 0; i < 10; i++) {
bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
- if (!session) {
- return false;
- }
+ ASSERT_TRUE(session);
sessions.push_back(std::move(session));
}
@@ -1084,68 +1022,42 @@
// Insert all the test sessions.
for (const auto &session : sessions) {
- if (!SSL_CTX_add_session(ctx.get(), session.get())) {
- return false;
- }
+ ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
}
// Only the last five should be in the list.
- std::vector<SSL_SESSION*> expected = {
- sessions[9].get(),
- sessions[8].get(),
- sessions[7].get(),
- sessions[6].get(),
- sessions[5].get(),
- };
- if (!ExpectCache(ctx.get(), expected)) {
- return false;
- }
+ ASSERT_TRUE(CacheEquals(
+ ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
+ sessions[6].get(), sessions[5].get()}));
- // Inserting an element already in the cache should fail.
- if (SSL_CTX_add_session(ctx.get(), sessions[7].get()) ||
- !ExpectCache(ctx.get(), expected)) {
- return false;
- }
+ // Inserting an element already in the cache should fail and leave the cache
+ // unchanged.
+ ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
+ ASSERT_TRUE(CacheEquals(
+ ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
+ sessions[6].get(), sessions[5].get()}));
// Although collisions should be impossible (256-bit session IDs), the cache
// must handle them gracefully.
bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
- if (!collision || !SSL_CTX_add_session(ctx.get(), collision.get())) {
- return false;
- }
- expected = {
- collision.get(),
- sessions[9].get(),
- sessions[8].get(),
- sessions[6].get(),
- sessions[5].get(),
- };
- if (!ExpectCache(ctx.get(), expected)) {
- return false;
- }
+ ASSERT_TRUE(collision);
+ ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
+ ASSERT_TRUE(CacheEquals(
+ ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
+ sessions[6].get(), sessions[5].get()}));
// Removing sessions behaves correctly.
- if (!SSL_CTX_remove_session(ctx.get(), sessions[6].get())) {
- return false;
- }
- expected = {
- collision.get(),
- sessions[9].get(),
- sessions[8].get(),
- sessions[5].get(),
- };
- if (!ExpectCache(ctx.get(), expected)) {
- return false;
- }
+ ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
+ ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
+ sessions[8].get(), sessions[5].get()}));
// Removing sessions requires an exact match.
- if (SSL_CTX_remove_session(ctx.get(), sessions[0].get()) ||
- SSL_CTX_remove_session(ctx.get(), sessions[7].get()) ||
- !ExpectCache(ctx.get(), expected)) {
- return false;
- }
+ ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
+ ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
- return true;
+ // The cache remains unchanged.
+ ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
+ sessions[8].get(), sessions[5].get()}));
}
static uint16_t EpochFromSequence(uint64_t seq) {
@@ -3544,23 +3456,12 @@
// TODO(davidben): Convert this file to GTest properly.
TEST(SSLTest, AllTests) {
- if (!TestCipherRules() ||
- !TestCurveRules() ||
- !TestSSL_SESSIONEncoding(kOpenSSLSession) ||
+ if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
!TestSSL_SESSIONEncoding(kCustomSession) ||
!TestSSL_SESSIONEncoding(kBoringSSLSession) ||
!TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
!TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
!TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
- // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
- !TestDefaultVersion(TLS1_VERSION, TLS1_2_VERSION, &TLS_method) ||
- !TestDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method) ||
- !TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method) ||
- !TestDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &TLSv1_2_method) ||
- !TestDefaultVersion(TLS1_1_VERSION, TLS1_2_VERSION, &DTLS_method) ||
- !TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method) ||
- !TestDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method) ||
- !TestCipherGetRFCName() ||
// Test the padding extension at TLS 1.2.
!TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
// Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
@@ -3569,7 +3470,6 @@
// Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
// will be a PSK binder after the padding extension.
!TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
- !TestInternalSessionCache() ||
!ForEachVersion(TestSequenceNumber) ||
!ForEachVersion(TestOneSidedShutdown) ||
!ForEachVersion(TestGetPeerCertificate) ||
diff --git a/src/ssl/t1_lib.c b/src/ssl/t1_lib.c
index c2a5dde..000a8cd 100644
--- a/src/ssl/t1_lib.c
+++ b/src/ssl/t1_lib.c
@@ -3328,24 +3328,31 @@
return 1;
}
+int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {
+ switch (EVP_PKEY_id(pkey)) {
+ case EVP_PKEY_RSA:
+ *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
+ return 1;
+ case EVP_PKEY_EC:
+ *out = SSL_SIGN_ECDSA_SHA1;
+ return 1;
+ default:
+ return 0;
+ }
+}
+
int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) {
SSL *const ssl = hs->ssl;
CERT *cert = ssl->cert;
/* Before TLS 1.2, the signature algorithm isn't negotiated as part of the
- * handshake. It is fixed at MD5-SHA1 for RSA and SHA1 for ECDSA. */
+ * handshake. */
if (ssl3_protocol_version(ssl) < TLS1_2_VERSION) {
- switch (EVP_PKEY_id(hs->local_pubkey)) {
- case EVP_PKEY_RSA:
- *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;
- return 1;
- case EVP_PKEY_EC:
- *out = SSL_SIGN_ECDSA_SHA1;
- return 1;
- default:
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
- return 0;
+ if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
+ return 0;
}
+ return 1;
}
const uint16_t *sigalgs = cert->sigalgs;
diff --git a/src/ssl/test/runner/cipher_suites.go b/src/ssl/test/runner/cipher_suites.go
index 3b2298e..2490bee 100644
--- a/src/ssl/test/runner/cipher_suites.go
+++ b/src/ssl/test/runner/cipher_suites.go
@@ -122,12 +122,6 @@
{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
- {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, dheRSAKA, suiteTLS12 | suiteDHE, nil, nil, aeadAESGCM},
- {TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, dheRSAKA, suiteTLS12 | suiteSHA384 | suiteDHE, nil, nil, aeadAESGCM},
- {TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, ivLenAES, dheRSAKA, suiteTLS12 | suiteDHE, cipherAES, macSHA256, nil},
- {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 32, 32, ivLenAES, dheRSAKA, suiteTLS12 | suiteDHE, cipherAES, macSHA256, nil},
- {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, dheRSAKA, suiteDHE, cipherAES, macSHA1, nil},
- {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, dheRSAKA, suiteDHE, cipherAES, macSHA1, nil},
{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, ivLenAESGCM, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, ivLenAESGCM, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
{TLS_RSA_WITH_RC4_128_SHA, 16, 20, noIV, rsaKA, suiteNoDTLS, cipherRC4, macSHA1, nil},
@@ -137,7 +131,6 @@
{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil},
{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, ivLenAES, rsaKA, 0, cipherAES, macSHA1, nil},
{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
- {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, dheRSAKA, suiteDHE, cipher3DES, macSHA1, nil},
{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, ivLen3DES, rsaKA, 0, cipher3DES, macSHA1, nil},
{TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 32, 0, ivLenChaCha20Poly1305, ecdhePSKKA, suiteECDHE | suitePSK | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, 16, 20, ivLenAES, ecdhePSKKA, suiteECDHE | suitePSK, cipherAES, macSHA1, nil},
@@ -419,15 +412,6 @@
}
}
-func dheRSAKA(version uint16) keyAgreement {
- return &dheKeyAgreement{
- auth: &signedKeyAgreement{
- keyType: keyTypeRSA,
- version: version,
- },
- }
-}
-
func pskKA(version uint16) keyAgreement {
return &pskKeyAgreement{
base: &nilKeyAgreement{},
@@ -469,22 +453,15 @@
TLS_RSA_WITH_RC4_128_MD5 uint16 = 0x0004
TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x0016
TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0x0033
TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0039
TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c
TLS_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x003d
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x0067
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x006b
TLS_PSK_WITH_RC4_128_SHA uint16 = 0x008a
TLS_PSK_WITH_AES_128_CBC_SHA uint16 = 0x008c
TLS_PSK_WITH_AES_256_CBC_SHA uint16 = 0x008d
TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009e
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009f
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index 0f54800..052f879 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -879,10 +879,6 @@
// BadFinished, if true, causes the Finished hash to be broken.
BadFinished bool
- // DHGroupPrime, if not nil, is used to define the (finite field)
- // Diffie-Hellman group. The generator used is always two.
- DHGroupPrime *big.Int
-
// PackHandshakeFragments, if true, causes handshake fragments in DTLS
// to be packed into individual handshake records, up to the specified
// record size.
@@ -1005,11 +1001,6 @@
// message. This only makes sense for a server.
SendHelloRequestBeforeEveryHandshakeMessage bool
- // RequireDHPublicValueLen causes a fatal error if the length (in
- // bytes) of the server's Diffie-Hellman public value is not equal to
- // this.
- RequireDHPublicValueLen int
-
// BadChangeCipherSpec, if not nil, is the body to be sent in
// ChangeCipherSpec records instead of {1}.
BadChangeCipherSpec []byte
diff --git a/src/ssl/test/runner/key_agreement.go b/src/ssl/test/runner/key_agreement.go
index 3936d88..e33557b 100644
--- a/src/ssl/test/runner/key_agreement.go
+++ b/src/ssl/test/runner/key_agreement.go
@@ -7,7 +7,6 @@
import (
"crypto/ecdsa"
"crypto/elliptic"
- "crypto/rand"
"crypto/rsa"
"crypto/subtle"
"crypto/x509"
@@ -545,147 +544,6 @@
return 0
}
-// dheRSAKeyAgreement implements a TLS key agreement where the server generates
-// an ephemeral Diffie-Hellman public/private key pair and signs it. The
-// pre-master secret is then calculated using Diffie-Hellman.
-type dheKeyAgreement struct {
- auth keyAgreementAuthentication
- p, g *big.Int
- yTheirs *big.Int
- xOurs *big.Int
-}
-
-func (ka *dheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
- var q *big.Int
- if p := config.Bugs.DHGroupPrime; p != nil {
- ka.p = p
- ka.g = big.NewInt(2)
- q = p
- } else {
- // 2048-bit MODP Group with 256-bit Prime Order Subgroup (RFC
- // 5114, Section 2.3)
- ka.p, _ = new(big.Int).SetString("87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597", 16)
- ka.g, _ = new(big.Int).SetString("3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659", 16)
- q, _ = new(big.Int).SetString("8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F5FBD3", 16)
- }
-
- var err error
- ka.xOurs, err = rand.Int(config.rand(), q)
- if err != nil {
- return nil, err
- }
- yOurs := new(big.Int).Exp(ka.g, ka.xOurs, ka.p)
-
- // http://tools.ietf.org/html/rfc5246#section-7.4.3
- pBytes := ka.p.Bytes()
- gBytes := ka.g.Bytes()
- yBytes := yOurs.Bytes()
- serverDHParams := make([]byte, 0, 2+len(pBytes)+2+len(gBytes)+2+len(yBytes))
- serverDHParams = append(serverDHParams, byte(len(pBytes)>>8), byte(len(pBytes)))
- serverDHParams = append(serverDHParams, pBytes...)
- serverDHParams = append(serverDHParams, byte(len(gBytes)>>8), byte(len(gBytes)))
- serverDHParams = append(serverDHParams, gBytes...)
- serverDHParams = append(serverDHParams, byte(len(yBytes)>>8), byte(len(yBytes)))
- serverDHParams = append(serverDHParams, yBytes...)
-
- return ka.auth.signParameters(config, cert, clientHello, hello, serverDHParams)
-}
-
-func (ka *dheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
- if len(ckx.ciphertext) < 2 {
- return nil, errClientKeyExchange
- }
- yLen := (int(ckx.ciphertext[0]) << 8) | int(ckx.ciphertext[1])
- if yLen != len(ckx.ciphertext)-2 {
- return nil, errClientKeyExchange
- }
- yTheirs := new(big.Int).SetBytes(ckx.ciphertext[2:])
- if yTheirs.Sign() <= 0 || yTheirs.Cmp(ka.p) >= 0 {
- return nil, errClientKeyExchange
- }
- return new(big.Int).Exp(yTheirs, ka.xOurs, ka.p).Bytes(), nil
-}
-
-func (ka *dheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error {
- // Read dh_p
- k := skx.key
- if len(k) < 2 {
- return errServerKeyExchange
- }
- pLen := (int(k[0]) << 8) | int(k[1])
- k = k[2:]
- if len(k) < pLen {
- return errServerKeyExchange
- }
- ka.p = new(big.Int).SetBytes(k[:pLen])
- k = k[pLen:]
-
- // Read dh_g
- if len(k) < 2 {
- return errServerKeyExchange
- }
- gLen := (int(k[0]) << 8) | int(k[1])
- k = k[2:]
- if len(k) < gLen {
- return errServerKeyExchange
- }
- ka.g = new(big.Int).SetBytes(k[:gLen])
- k = k[gLen:]
-
- // Read dh_Ys
- if len(k) < 2 {
- return errServerKeyExchange
- }
- yLen := (int(k[0]) << 8) | int(k[1])
- k = k[2:]
- if len(k) < yLen {
- return errServerKeyExchange
- }
- ka.yTheirs = new(big.Int).SetBytes(k[:yLen])
- k = k[yLen:]
- if ka.yTheirs.Sign() <= 0 || ka.yTheirs.Cmp(ka.p) >= 0 {
- return errServerKeyExchange
- }
-
- if l := config.Bugs.RequireDHPublicValueLen; l != 0 && l != yLen {
- return fmt.Errorf("RequireDHPublicValueLen set to %d, but server's public value was %d bytes on the wire and %d bytes if minimal", l, yLen, (ka.yTheirs.BitLen()+7)/8)
- }
-
- sig := k
- serverDHParams := skx.key[:len(skx.key)-len(sig)]
-
- return ka.auth.verifyParameters(config, clientHello, serverHello, cert, serverDHParams, sig)
-}
-
-func (ka *dheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) {
- if ka.p == nil || ka.g == nil || ka.yTheirs == nil {
- return nil, nil, errors.New("missing ServerKeyExchange message")
- }
-
- xOurs, err := rand.Int(config.rand(), ka.p)
- if err != nil {
- return nil, nil, err
- }
- preMasterSecret := new(big.Int).Exp(ka.yTheirs, xOurs, ka.p).Bytes()
-
- yOurs := new(big.Int).Exp(ka.g, xOurs, ka.p)
- yBytes := yOurs.Bytes()
- ckx := new(clientKeyExchangeMsg)
- ckx.ciphertext = make([]byte, 2+len(yBytes))
- ckx.ciphertext[0] = byte(len(yBytes) >> 8)
- ckx.ciphertext[1] = byte(len(yBytes))
- copy(ckx.ciphertext[2:], yBytes)
-
- return preMasterSecret, ckx, nil
-}
-
-func (ka *dheKeyAgreement) peerSignatureAlgorithm() signatureAlgorithm {
- if auth, ok := ka.auth.(*signedKeyAgreement); ok {
- return auth.peerSignatureAlgorithm
- }
- return 0
-}
-
// nilKeyAgreement is a fake key agreement used to implement the plain PSK key
// exchange.
type nilKeyAgreement struct{}
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index 378ac57..55e22b6 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -1106,10 +1106,7 @@
}
if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
- lines := strings.Split(stderr, "\n")
- if len(lines) != 2 || lines[1] != "" || !strings.Contains(lines[0], "The kernel entropy pool contains too few bits") {
- return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
- }
+ return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
}
if *useValgrind && isValgrindError {
@@ -3644,8 +3641,7 @@
MaxVersion: VersionTLS13,
MinVersion: VersionTLS13,
Bugs: ProtocolBugs{
- SendEarlyData: [][]byte{bytes.Repeat([]byte{1},
- 14336 + 1)},
+ SendEarlyData: [][]byte{bytes.Repeat([]byte{1}, 14336+1)},
ExpectEarlyDataAccepted: true,
},
},