external/boringssl: Sync to d89d65ba12e28e543df4fd9dfbc687bb8be1dba7.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/45210dd4e21ace9d28cb76b3f83303fcdd2efcce..d89d65ba12e28e543df4fd9dfbc687bb8be1dba7
Test: BoringSSL CTS Presubmits.
Change-Id: I2dc13b549eac1f345553da07b7fb66824fc77204
diff --git a/src/ssl/d1_both.cc b/src/ssl/d1_both.cc
index c219f5a..f561332 100644
--- a/src/ssl/d1_both.cc
+++ b/src/ssl/d1_both.cc
@@ -1,6 +1,6 @@
/*
* DTLS implementation written by Nagendra Modadugu
- * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
*/
/* ====================================================================
* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
diff --git a/src/ssl/dtls_method.cc b/src/ssl/dtls_method.cc
index d0416ad..8d40edf 100644
--- a/src/ssl/dtls_method.cc
+++ b/src/ssl/dtls_method.cc
@@ -1,6 +1,6 @@
/*
* DTLS implementation written by Nagendra Modadugu
- * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
*/
/* ====================================================================
* Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
diff --git a/src/ssl/handshake_client.cc b/src/ssl/handshake_client.cc
index e8dd0d3..0b352c2 100644
--- a/src/ssl/handshake_client.cc
+++ b/src/ssl/handshake_client.cc
@@ -339,50 +339,21 @@
return ssl->method->add_message(ssl, std::move(msg));
}
-static int parse_server_version(SSL_HANDSHAKE *hs, uint16_t *out,
- const SSLMessage &msg) {
+static bool parse_supported_versions(SSL_HANDSHAKE *hs, uint16_t *version,
+ const CBS *in) {
+ // If the outer version is not TLS 1.2, or there is no extensions block, use
+ // the outer version.
+ if (*version != TLS1_2_VERSION || CBS_len(in) == 0) {
+ return true;
+ }
+
SSL *const ssl = hs->ssl;
- if (msg.type != SSL3_MT_SERVER_HELLO &&
- msg.type != SSL3_MT_HELLO_RETRY_REQUEST) {
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
- return 0;
- }
-
- CBS server_hello = msg.body;
- if (!CBS_get_u16(&server_hello, out)) {
+ CBS copy = *in, extensions;
+ if (!CBS_get_u16_length_prefixed(©, &extensions) ||
+ CBS_len(©) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return 0;
- }
-
- // The server version may also be in the supported_versions extension if
- // applicable.
- if (msg.type != SSL3_MT_SERVER_HELLO || *out != TLS1_2_VERSION) {
- return 1;
- }
-
- uint8_t sid_length;
- if (!CBS_skip(&server_hello, SSL3_RANDOM_SIZE) ||
- !CBS_get_u8(&server_hello, &sid_length) ||
- !CBS_skip(&server_hello, sid_length + 2 /* cipher_suite */ +
- 1 /* compression_method */)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return 0;
- }
-
- // The extensions block may not be present.
- if (CBS_len(&server_hello) == 0) {
- return 1;
- }
-
- CBS extensions;
- if (!CBS_get_u16_length_prefixed(&server_hello, &extensions) ||
- CBS_len(&server_hello) != 0) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return 0;
+ return false;
}
bool have_supported_versions;
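Review bot: parse_supported_versions has no header comment, and its contract is easy to misread: `*version` is both input (the outer ServerHello version compared with TLS1_2_VERSION on the first new line) and output (overwritten from the extension in the next hunk), and `in` is not advanced because all parsing is done on `copy`, so the caller still has to parse the extensions block itself. A comment such as `// parse_supported_versions replaces |*version|, the ServerHello's outer version, with the value carried in the supported_versions extension in |in|, if any. |in| is not advanced. On failure it sends an alert and returns false.` would state this where the next reader looks. The function body continues past the end of this hunk into the following one.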
@@ -397,17 +368,18 @@
OPENSSL_ARRAY_SIZE(ext_types),
1 /* ignore unknown */)) {
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
- return 0;
+ return false;
}
+ // Override the outer version with the extension, if present.
if (have_supported_versions &&
- (!CBS_get_u16(&supported_versions, out) ||
+ (!CBS_get_u16(&supported_versions, version) ||
CBS_len(&supported_versions) != 0)) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return 0;
+ return false;
}
- return 1;
+ return true;
}
static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
@@ -567,8 +539,26 @@
return ssl_hs_read_server_hello;
}
- uint16_t server_version;
- if (!parse_server_version(hs, &server_version, msg)) {
+ if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
+ return ssl_hs_error;
+ }
+
+ CBS server_hello = msg.body, server_random, session_id;
+ uint16_t server_version, cipher_suite;
+ uint8_t compression_method;
+ if (!CBS_get_u16(&server_hello, &server_version) ||
+ !CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
+ !CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
+ CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
+ !CBS_get_u16(&server_hello, &cipher_suite) ||
+ !CBS_get_u8(&server_hello, &compression_method)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+ return ssl_hs_error;
+ }
+
+ // Use the supported_versions extension if applicable.
+ if (!parse_supported_versions(hs, &server_version, &server_hello)) {
return ssl_hs_error;
}
@@ -609,24 +599,6 @@
return ssl_hs_error;
}
- if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
- return ssl_hs_error;
- }
-
- CBS server_hello = msg.body, server_random, session_id;
- uint16_t cipher_suite;
- uint8_t compression_method;
- if (!CBS_skip(&server_hello, 2 /* version */) ||
- !CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE) ||
- !CBS_get_u8_length_prefixed(&server_hello, &session_id) ||
- CBS_len(&session_id) > SSL3_SESSION_ID_SIZE ||
- !CBS_get_u16(&server_hello, &cipher_suite) ||
- !CBS_get_u8(&server_hello, &compression_method)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return ssl_hs_error;
- }
-
// Copy over the server random.
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
SSL3_RANDOM_SIZE);
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index b67637d..d13d5f2 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -1514,6 +1514,11 @@
// grease_seed is the entropy for GREASE values. It is valid if
// |grease_seeded| is true.
uint8_t grease_seed[ssl_grease_last_index + 1] = {0};
+
+ // dummy_pq_padding_len, in a server, is the length of the extension that
+ // should be echoed in a ServerHello, or zero if no extension should be
+ // echoed.
+ uint16_t dummy_pq_padding_len = 0;
};
UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl);
@@ -2670,6 +2675,11 @@
// returns |SSL_HANDOFF|. This is copied in |SSL_new| from the |SSL_CTX|
// element of the same name and may be cleared if the handoff is declined.
bool handoff:1;
+
+ // did_dummy_pq_padding is only valid for a client. In that context, it is
+ // true iff the client observed the server echoing a dummy PQ padding
+ // extension.
+ bool did_dummy_pq_padding:1;
};
// From draft-ietf-tls-tls13-18, used in determining PSK modes.
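Review bot: did_dummy_pq_padding is a bitfield, so unlike dummy_pq_padding_len a few lines earlier it cannot carry a default member initializer, and within this diff it is only ever set to true (ext_dummy_pq_padding_parse_serverhello in t1_lib.cc) and never cleared. SSL_dummy_pq_padding_used in ssl_lib.cc therefore reports whatever the object was created with until a server echoes the extension; presumably SSL_new zeroes the struct, as the neighbouring handoff bitfield must already rely on, but that is not visible here, and a later handshake on the same object that does not echo the extension would leave the flag stale. The field comment should say so, e.g. `// It relies on SSL_new zeroing it and is never cleared once set.` — confirm the initialization path before wording that as fact.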
diff --git a/src/ssl/ssl_cipher.cc b/src/ssl/ssl_cipher.cc
index 87dc7cd..32e6c2c 100644
--- a/src/ssl/ssl_cipher.cc
+++ b/src/ssl/ssl_cipher.cc
@@ -4,21 +4,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -33,10 +33,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
@@ -62,7 +62,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -109,7 +109,7 @@
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
+ * ECC cipher suite support in OpenSSL originally developed by
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
/* ====================================================================
@@ -1774,4 +1774,8 @@
const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
+const char *SSL_COMP_get0_name(const SSL_COMP *comp) { return comp->name; }
+
+int SSL_COMP_get_id(const SSL_COMP *comp) { return comp->id; }
+
void SSL_COMP_free_compression_methods(void) {}
diff --git a/src/ssl/ssl_key_share.cc b/src/ssl/ssl_key_share.cc
index a5ae578..4d76bb2 100644
--- a/src/ssl/ssl_key_share.cc
+++ b/src/ssl/ssl_key_share.cc
@@ -97,8 +97,10 @@
return false;
}
- if (!EC_POINT_oct2point(group.get(), peer_point.get(), peer_key.data(),
+ if (peer_key.empty() || peer_key[0] != POINT_CONVERSION_UNCOMPRESSED ||
+ !EC_POINT_oct2point(group.get(), peer_point.get(), peer_key.data(),
peer_key.size(), bn_ctx.get())) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
*out_alert = SSL_AD_DECODE_ERROR;
return false;
}
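Review bot: The new leading-byte check is the right hardening, but nothing in the code says why only POINT_CONVERSION_UNCOMPRESSED is acceptable, and a future reader may be tempted to relax it. A comment above the condition would fix that: `// TLS permits only uncompressed points (RFC 8422, section 5.4; RFC 8446, section 4.2.8.2). Reject any other encoding before it reaches EC_POINT_oct2point.` The `peer_key.empty()` test must stay first in the condition, since `peer_key[0]` is read on the same line. The enclosing function starts and ends outside this hunk.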
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index 2fd3beb..ef79831 100644
--- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc
@@ -4,21 +4,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -33,10 +33,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
@@ -62,7 +62,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -109,7 +109,7 @@
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
+ * ECC cipher suite support in OpenSSL originally developed by
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
/* ====================================================================
@@ -581,12 +581,9 @@
ret->mode = SSL_MODE_NO_AUTO_CHAIN;
// Lock the SSL_CTX to the specified version, for compatibility with legacy
- // uses of SSL_METHOD, but we do not set the minimum version for
- // |SSLv3_method|.
+ // uses of SSL_METHOD.
if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
- !SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION
- ? 0 // default
- : method->version)) {
+ !SSL_CTX_set_min_proto_version(ret, method->version)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err2;
}
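Review bot: With the SSLv3 special case gone, `SSL_CTX_set_min_proto_version(ret, method->version)` is now also called for SSLv3_method, and if SSL3_VERSION is no longer an accepted minimum (the deletion of the SSL3Method test in ssl_test.cc suggests that) SSL_CTX_new(SSLv3_method()) fails with ERR_R_INTERNAL_ERROR. That error reads as a library bug rather than "this method is unsupported", which is what a legacy caller still naming SSLv3_method will see. If that is the intended outcome, a comment here, `// SSLv3_method no longer has a usable version range, so this fails for it.`, or a more specific reason code would make the behaviour look deliberate. The enclosing SSL_CTX_new body continues outside the hunk.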
@@ -2443,6 +2440,14 @@
return 1;
}
+int SSL_dummy_pq_padding_used(SSL *ssl) {
+ if (ssl->server) {
+ return 0;
+ }
+
+ return ssl->did_dummy_pq_padding;
+}
+
void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
void (*cb)(int write_p, int version,
int content_type, const void *buf,
diff --git a/src/ssl/ssl_stat.cc b/src/ssl/ssl_stat.cc
index 01153e9..e1677f0 100644
--- a/src/ssl/ssl_stat.cc
+++ b/src/ssl/ssl_stat.cc
@@ -4,21 +4,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -33,10 +33,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc
index 0f2a33c..9f77f14 100644
--- a/src/ssl/ssl_test.cc
+++ b/src/ssl/ssl_test.cc
@@ -3535,40 +3535,6 @@
ssl_test_ticket_aead_open_soft_fail,
ssl_test_ticket_aead_open_hard_fail)));
-TEST(SSLTest, SSL3Method) {
- bssl::UniquePtr<X509> cert = GetTestCertificate();
- ASSERT_TRUE(cert);
-
- // For compatibility, SSLv3_method should work up to SSL_CTX_new and SSL_new.
- bssl::UniquePtr<SSL_CTX> ssl3_ctx(SSL_CTX_new(SSLv3_method()));
- ASSERT_TRUE(ssl3_ctx);
- ASSERT_TRUE(SSL_CTX_use_certificate(ssl3_ctx.get(), cert.get()));
- bssl::UniquePtr<SSL> ssl(SSL_new(ssl3_ctx.get()));
- EXPECT_TRUE(ssl);
-
- // Create a normal TLS context to test against.
- bssl::UniquePtr<SSL_CTX> tls_ctx(SSL_CTX_new(TLS_method()));
- ASSERT_TRUE(tls_ctx);
- ASSERT_TRUE(SSL_CTX_use_certificate(tls_ctx.get(), cert.get()));
-
- // However, handshaking an SSLv3_method server should fail to resolve the
- // version range. Explicit calls to SSL_CTX_set_min_proto_version are the only
- // way to enable SSL 3.0.
- bssl::UniquePtr<SSL> client, server;
- EXPECT_FALSE(ConnectClientAndServer(&client, &server, tls_ctx.get(),
- ssl3_ctx.get()));
- uint32_t err = ERR_get_error();
- EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
- EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
-
- // Likewise for SSLv3_method clients.
- EXPECT_FALSE(ConnectClientAndServer(&client, &server, ssl3_ctx.get(),
- tls_ctx.get()));
- err = ERR_get_error();
- EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
- EXPECT_EQ(SSL_R_NO_SUPPORTED_VERSIONS_ENABLED, ERR_GET_REASON(err));
-}
-
TEST(SSLTest, SelectNextProto) {
uint8_t *result;
uint8_t result_len;
diff --git a/src/ssl/t1_lib.cc b/src/ssl/t1_lib.cc
index 02ed22b..97c0c4b 100644
--- a/src/ssl/t1_lib.cc
+++ b/src/ssl/t1_lib.cc
@@ -4,21 +4,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -33,10 +33,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
@@ -62,7 +62,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -557,11 +557,6 @@
return true;
}
-static bool ignore_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
- CBS *contents) {
- return true;
-}
-
static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
return true;
}
@@ -2324,12 +2319,7 @@
// key-exchange and so enable measurement of the latency impact of the
// additional bandwidth.
-static bool ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
- const size_t len = hs->ssl->dummy_pq_padding_len;
- if (len == 0) {
- return true;
- }
-
+static bool ext_dummy_pq_padding_add(CBB *out, size_t len) {
CBB contents;
uint8_t *buffer;
if (!CBB_add_u16(out, TLSEXT_TYPE_dummy_pq_padding) ||
@@ -2351,6 +2341,48 @@
return CBB_flush(out);
}
+static bool ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
+ const size_t len = hs->ssl->dummy_pq_padding_len;
+ if (len == 0) {
+ return true;
+ }
+
+ return ext_dummy_pq_padding_add(out, len);
+}
+
+static bool ext_dummy_pq_padding_parse_serverhello(SSL_HANDSHAKE *hs,
+ uint8_t *out_alert,
+ CBS *contents) {
+ if (contents == nullptr) {
+ return true;
+ }
+
+ if (CBS_len(contents) != hs->ssl->dummy_pq_padding_len) {
+ return false;
+ }
+
+ hs->ssl->did_dummy_pq_padding = true;
+ return true;
+}
+
+static bool ext_dummy_pq_padding_parse_clienthello(SSL_HANDSHAKE *hs,
+ uint8_t *out_alert,
+ CBS *contents) {
+ if (contents != nullptr &&
+ 0 < CBS_len(contents) && CBS_len(contents) < (1 << 12)) {
+ hs->dummy_pq_padding_len = CBS_len(contents);
+ }
+
+ return true;
+}
+
+static bool ext_dummy_pq_padding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
+ if (!hs->dummy_pq_padding_len) {
+ return true;
+ }
+
+ return ext_dummy_pq_padding_add(out, hs->dummy_pq_padding_len);
+}
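Review bot: ext_dummy_pq_padding_parse_serverhello returns false on a length mismatch without touching `*out_alert` or the error queue, so the caller sends whatever alert it defaulted to and ERR_get_error offers no reason; the other failure paths in this diff pair the return with an explicit alert and error, e.g. `OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); *out_alert = SSL_AD_ILLEGAL_PARAMETER; return false;`. In ext_dummy_pq_padding_parse_clienthello the `(1 << 12)` bound is unexplained; I read it as capping how much of a client-chosen length the server reflects back in its ServerHello, and it also keeps the value within the uint16_t dummy_pq_padding_len declared in internal.h, so a comment such as `// Echo at most 4095 bytes so a client cannot make the server reflect an arbitrarily large extension; this also keeps the length within uint16_t.` would record both reasons — confirm the intent before wording it as fact. Lengths outside the bound are silently not echoed rather than rejected, which is presumably deliberate for an experimental extension but deserves a line saying so.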
// Negotiated Groups
//
@@ -2794,9 +2826,9 @@
TLSEXT_TYPE_dummy_pq_padding,
NULL,
ext_dummy_pq_padding_add_clienthello,
- ignore_parse_serverhello,
- ignore_parse_clienthello,
- dont_add_serverhello,
+ ext_dummy_pq_padding_parse_serverhello,
+ ext_dummy_pq_padding_parse_clienthello,
+ ext_dummy_pq_padding_add_serverhello,
},
{
TLSEXT_TYPE_quic_transport_parameters,
diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc
index 5790dc3..ae26ded 100644
--- a/src/ssl/test/bssl_shim.cc
+++ b/src/ssl/test/bssl_shim.cc
@@ -1862,6 +1862,15 @@
if (config->expect_draft_downgrade != !!SSL_is_draft_downgrade(ssl)) {
fprintf(stderr, "Got %sdraft downgrade signal, but wanted the opposite.\n",
SSL_is_draft_downgrade(ssl) ? "" : "no ");
+ return false;
+ }
+
+ const bool did_dummy_pq_padding = !!SSL_dummy_pq_padding_used(ssl);
+ if (config->expect_dummy_pq_padding != did_dummy_pq_padding) {
+ fprintf(stderr,
+ "Dummy PQ padding %s observed, but expected the opposite.\n",
+ did_dummy_pq_padding ? "was" : "was not");
+ return false;
}
return true;
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index fef5129..16f4dd7 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -1551,6 +1551,14 @@
// require that the client sent a dummy PQ padding extension of this
// length.
ExpectDummyPQPaddingLength int
+
+ // SendDummyPQPaddingLength causes a client to send a dummy PQ padding
+ // extension of the given length in the ClientHello.
+ SendDummyPQPaddingLength int
+
+ // SendCompressedCoordinates, if true, causes ECDH key shares over NIST
+ // curves to use compressed coordinates.
+ SendCompressedCoordinates bool
}
func (c *Config) serverInit() {
diff --git a/src/ssl/test/runner/handshake_client.go b/src/ssl/test/runner/handshake_client.go
index 1140269..d74c953 100644
--- a/src/ssl/test/runner/handshake_client.go
+++ b/src/ssl/test/runner/handshake_client.go
@@ -100,6 +100,7 @@
pskBinderFirst: c.config.Bugs.PSKBinderFirst,
omitExtensions: c.config.Bugs.OmitExtensions,
emptyExtensions: c.config.Bugs.EmptyExtensions,
+ dummyPQPaddingLen: c.config.Bugs.SendDummyPQPaddingLength,
}
if maxVersion >= VersionTLS13 {
@@ -168,7 +169,7 @@
if !curvesToSend[curveID] {
continue
}
- curve, ok := curveForCurveID(curveID)
+ curve, ok := curveForCurveID(curveID, c.config)
if !ok {
continue
}
@@ -341,6 +342,18 @@
}
}
+ // Request compatibility mode from the client by sending a fake session
+ // ID. Although BoringSSL always enables compatibility mode, other
+ // implementations make it conditional on the ClientHello. We test
+ // BoringSSL's expected behavior with SendClientHelloSessionID.
+ if len(hello.sessionId) == 0 && maxVersion >= VersionTLS13 {
+ hello.sessionId = make([]byte, 32)
+ if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
+ c.sendAlert(alertInternalError)
+ return errors.New("tls: short read from Rand: " + err.Error())
+ }
+ }
+
if c.config.Bugs.SendCipherSuites != nil {
hello.cipherSuites = c.config.Bugs.SendCipherSuites
}
@@ -523,7 +536,7 @@
c.sendAlert(alertHandshakeFailure)
return errors.New("tls: received invalid HelloRetryRequest")
}
- curve, ok := curveForCurveID(group)
+ curve, ok := curveForCurveID(group, c.config)
if !ok {
return errors.New("tls: Unable to get curve requested in HelloRetryRequest")
}
@@ -1492,6 +1505,11 @@
}
c.quicTransportParams = serverExtensions.quicTransportParams
}
+
+ if l := c.config.Bugs.ExpectDummyPQPaddingLength; l != 0 && serverExtensions.dummyPQPaddingLen != l {
+ return fmt.Errorf("tls: expected %d-byte dummy PQ padding extension, but got %d bytes", l, serverExtensions.dummyPQPaddingLen)
+ }
+
return nil
}
diff --git a/src/ssl/test/runner/handshake_messages.go b/src/ssl/test/runner/handshake_messages.go
index b19506d..b9fb89d 100644
--- a/src/ssl/test/runner/handshake_messages.go
+++ b/src/ssl/test/runner/handshake_messages.go
@@ -571,6 +571,11 @@
customExt := extensions.addU16LengthPrefixed()
customExt.addBytes([]byte(m.customExtension))
}
+ if l := m.dummyPQPaddingLen; l != 0 {
+ extensions.addU16(extensionDummyPQPadding)
+ body := extensions.addU16LengthPrefixed()
+ body.addBytes(make([]byte, l))
+ }
// The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6).
if len(m.pskIdentities) > 0 && !m.pskBinderFirst {
extensions.addU16(extensionPreSharedKey)
@@ -1144,6 +1149,7 @@
supportedCurves []CurveID
quicTransportParams []byte
serverNameAck bool
+ dummyPQPaddingLen int
}
func (m *serverExtensions) marshal(extensions *byteBuilder) {
@@ -1278,6 +1284,11 @@
extensions.addU16(extensionServerName)
extensions.addU16(0) // zero length
}
+ if l := m.dummyPQPaddingLen; l != 0 {
+ extensions.addU16(extensionDummyPQPadding)
+ body := extensions.addU16LengthPrefixed()
+ body.addBytes(make([]byte, l))
+ }
}
func (m *serverExtensions) unmarshal(data byteReader, version uint16) bool {
@@ -1382,6 +1393,8 @@
return false
}
m.hasEarlyData = true
+ case extensionDummyPQPadding:
+ m.dummyPQPaddingLen = len(body)
default:
// Unknown extensions are illegal from the server.
return false
diff --git a/src/ssl/test/runner/handshake_server.go b/src/ssl/test/runner/handshake_server.go
index caa66ed..0c24592 100644
--- a/src/ssl/test/runner/handshake_server.go
+++ b/src/ssl/test/runner/handshake_server.go
@@ -735,7 +735,7 @@
// Once a curve has been selected and a key share identified,
// the server needs to generate a public value and send it in
// the ServerHello.
- curve, ok := curveForCurveID(selectedCurve)
+ curve, ok := curveForCurveID(selectedCurve, config)
if !ok {
panic("tls: server failed to look up curve ID")
}
@@ -745,7 +745,7 @@
if config.Bugs.SkipHelloRetryRequest {
// If skipping HelloRetryRequest, use a random key to
// avoid crashing.
- curve2, _ := curveForCurveID(selectedCurve)
+ curve2, _ := curveForCurveID(selectedCurve, config)
var err error
peerKey, err = curve2.offer(config.rand())
if err != nil {
@@ -1386,6 +1386,10 @@
return errors.New("tls: no GREASE extension found")
}
+ if l := hs.clientHello.dummyPQPaddingLen; l != 0 {
+ serverExtensions.dummyPQPaddingLen = l
+ }
+
serverExtensions.serverNameAck = c.config.Bugs.SendServerNameAck
return nil
diff --git a/src/ssl/test/runner/key_agreement.go b/src/ssl/test/runner/key_agreement.go
index 5071985..1b4dfc4 100644
--- a/src/ssl/test/runner/key_agreement.go
+++ b/src/ssl/test/runner/key_agreement.go
@@ -252,8 +252,9 @@
// ellipticECDHCurve implements ecdhCurve with an elliptic.Curve.
type ellipticECDHCurve struct {
- curve elliptic.Curve
- privateKey []byte
+ curve elliptic.Curve
+ privateKey []byte
+ sendCompressed bool
}
func (e *ellipticECDHCurve) offer(rand io.Reader) (publicKey []byte, err error) {
@@ -262,7 +263,15 @@
if err != nil {
return nil, err
}
- return elliptic.Marshal(e.curve, x, y), nil
+ ret := elliptic.Marshal(e.curve, x, y)
+ if e.sendCompressed {
+ l := (len(ret) - 1) / 2
+ tmp := make([]byte, 1+l)
+ tmp[0] = byte(2 | y.Bit(0))
+ copy(tmp[1:], ret[1:1+l])
+ ret = tmp
+ }
+ return ret, nil
}
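Review bot: The compressed-point construction in offer is correct but undocumented: `l` is the coordinate width, the leading byte is 0x02 or 0x03 according to the parity of y, and the x coordinate follows. A one-line comment above the block, `// SEC 1, section 2.3.3: compressed form is 0x02|lsb(y) followed by x.`, would make that readable without reconstructing it. This is runner-side test code, presumably paired with a runner test outside this chunk that expects the shim's new check in ssl_key_share.cc to reject such shares.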
func (e *ellipticECDHCurve) accept(rand io.Reader, peerKey []byte) (publicKey []byte, preMasterSecret []byte, err error) {
@@ -334,16 +343,16 @@
return out[:], nil
}
-func curveForCurveID(id CurveID) (ecdhCurve, bool) {
+func curveForCurveID(id CurveID, config *Config) (ecdhCurve, bool) {
switch id {
case CurveP224:
- return &ellipticECDHCurve{curve: elliptic.P224()}, true
+ return &ellipticECDHCurve{curve: elliptic.P224(), sendCompressed: config.Bugs.SendCompressedCoordinates}, true
case CurveP256:
- return &ellipticECDHCurve{curve: elliptic.P256()}, true
+ return &ellipticECDHCurve{curve: elliptic.P256(), sendCompressed: config.Bugs.SendCompressedCoordinates}, true
case CurveP384:
- return &ellipticECDHCurve{curve: elliptic.P384()}, true
+ return &ellipticECDHCurve{curve: elliptic.P384(), sendCompressed: config.Bugs.SendCompressedCoordinates}, true
case CurveP521:
- return &ellipticECDHCurve{curve: elliptic.P521()}, true
+ return &ellipticECDHCurve{curve: elliptic.P521(), sendCompressed: config.Bugs.SendCompressedCoordinates}, true
case CurveX25519:
return &x25519ECDHCurve{}, true
default:
@@ -507,7 +516,7 @@
}
var ok bool
- if ka.curve, ok = curveForCurveID(curveid); !ok {
+ if ka.curve, ok = curveForCurveID(curveid, config); !ok {
return nil, errors.New("tls: preferredCurves includes unsupported curve")
}
ka.curveID = curveid
@@ -552,7 +561,7 @@
ka.curveID = curveid
var ok bool
- if ka.curve, ok = curveForCurveID(curveid); !ok {
+ if ka.curve, ok = curveForCurveID(curveid, config); !ok {
return errors.New("tls: server selected unsupported curve")
}
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index 430e3d9..308f3c6 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -7343,23 +7343,40 @@
continue
}
- for _, paddingLen := range []int{1, 9700} {
- flags := []string{
- "-max-version", version.shimFlag(tls),
- "-dummy-pq-padding-len", strconv.Itoa(paddingLen),
- }
-
+ for _, paddingLen := range []int{400, 1100} {
testCases = append(testCases, testCase{
- name: fmt.Sprintf("DummyPQPadding-%d-%s", paddingLen, version.name),
- testType: clientTest,
- tls13Variant: version.tls13Variant,
+ name: fmt.Sprintf("DummyPQPadding-%d-%s", paddingLen, version.name),
+ testType: clientTest,
+ tls13Variant: version.tls13Variant,
+ resumeSession: true,
config: Config{
MaxVersion: version.version,
Bugs: ProtocolBugs{
ExpectDummyPQPaddingLength: paddingLen,
},
},
- flags: flags,
+ flags: []string{
+ "-max-version", version.shimFlag(tls),
+ "-dummy-pq-padding-len", strconv.Itoa(paddingLen),
+ "-expect-dummy-pq-padding",
+ },
+ })
+
+ testCases = append(testCases, testCase{
+ name: fmt.Sprintf("DummyPQPadding-Server-%d-%s", paddingLen, version.name),
+ testType: serverTest,
+ tls13Variant: version.tls13Variant,
+ resumeSession: true,
+ config: Config{
+ MaxVersion: version.version,
+ Bugs: ProtocolBugs{
+ SendDummyPQPaddingLength: paddingLen,
+ ExpectDummyPQPaddingLength: paddingLen,
+ },
+ },
+ flags: []string{
+ "-max-version", version.shimFlag(tls),
+ },
})
}
}
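Review bot: The loop at the top of the hunk replaces the padding lengths 1 and 9700 with 400 and 1100, so the minimum-length and oversized cases the old test exercised are no longer covered; if those boundaries are still meaningful for `-dummy-pq-padding-len`, keeping them in the slice would preserve that coverage. The new server case sets both `SendDummyPQPaddingLength` and `ExpectDummyPQPaddingLength` but passes no `-expect-dummy-pq-padding` flag, which is consistent only if the shim-side check is client-only; a short comment such as `// The runner-side expectation suffices here; the shim flag is checked on the client.` would make that intent explicit. The enclosing loop over versions starts before the hunk.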
@@ -10443,58 +10460,94 @@
func addCurveTests() {
for _, curve := range testCurves {
- testCases = append(testCases, testCase{
- name: "CurveTest-Client-" + curve.name,
- config: Config{
- MaxVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- CurvePreferences: []CurveID{curve.id},
- },
- flags: []string{
- "-enable-all-curves",
- "-expect-curve-id", strconv.Itoa(int(curve.id)),
- },
- expectedCurveID: curve.id,
- })
- testCases = append(testCases, testCase{
- name: "CurveTest-Client-" + curve.name + "-TLS13",
- config: Config{
- MaxVersion: VersionTLS13,
- CurvePreferences: []CurveID{curve.id},
- },
- flags: []string{
- "-enable-all-curves",
- "-expect-curve-id", strconv.Itoa(int(curve.id)),
- },
- expectedCurveID: curve.id,
- })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "CurveTest-Server-" + curve.name,
- config: Config{
- MaxVersion: VersionTLS12,
- CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- CurvePreferences: []CurveID{curve.id},
- },
- flags: []string{
- "-enable-all-curves",
- "-expect-curve-id", strconv.Itoa(int(curve.id)),
- },
- expectedCurveID: curve.id,
- })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "CurveTest-Server-" + curve.name + "-TLS13",
- config: Config{
- MaxVersion: VersionTLS13,
- CurvePreferences: []CurveID{curve.id},
- },
- flags: []string{
- "-enable-all-curves",
- "-expect-curve-id", strconv.Itoa(int(curve.id)),
- },
- expectedCurveID: curve.id,
- })
+ for _, ver := range tlsVersions {
+ // SSL 3.0 cannot reliably negotiate curves.
+ if ver.version == VersionSSL30 {
+ continue
+ }
+
+ suffix := curve.name + "-" + ver.name
+
+ testCases = append(testCases, testCase{
+ name: "CurveTest-Client-" + suffix,
+ config: Config{
+ MaxVersion: ver.version,
+ CipherSuites: []uint16{
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_AES_128_GCM_SHA256,
+ },
+ CurvePreferences: []CurveID{curve.id},
+ },
+ tls13Variant: ver.tls13Variant,
+ flags: []string{
+ "-enable-all-curves",
+ "-expect-curve-id", strconv.Itoa(int(curve.id)),
+ },
+ expectedCurveID: curve.id,
+ })
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "CurveTest-Server-" + suffix,
+ config: Config{
+ MaxVersion: ver.version,
+ CipherSuites: []uint16{
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_AES_128_GCM_SHA256,
+ },
+ CurvePreferences: []CurveID{curve.id},
+ },
+ tls13Variant: ver.tls13Variant,
+ flags: []string{
+ "-enable-all-curves",
+ "-expect-curve-id", strconv.Itoa(int(curve.id)),
+ },
+ expectedCurveID: curve.id,
+ })
+
+ if curve.id != CurveX25519 {
+ testCases = append(testCases, testCase{
+ name: "CurveTest-Client-Compressed-" + suffix,
+ config: Config{
+ MaxVersion: ver.version,
+ CipherSuites: []uint16{
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_AES_128_GCM_SHA256,
+ },
+ CurvePreferences: []CurveID{curve.id},
+ Bugs: ProtocolBugs{
+ SendCompressedCoordinates: true,
+ },
+ },
+ tls13Variant: ver.tls13Variant,
+ flags: []string{"-enable-all-curves"},
+ shouldFail: true,
+ expectedError: ":BAD_ECPOINT:",
+ })
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "CurveTest-Server-Compressed-" + suffix,
+ config: Config{
+ MaxVersion: ver.version,
+ CipherSuites: []uint16{
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_AES_128_GCM_SHA256,
+ },
+ CurvePreferences: []CurveID{curve.id},
+ Bugs: ProtocolBugs{
+ SendCompressedCoordinates: true,
+ },
+ },
+ tls13Variant: ver.tls13Variant,
+ flags: []string{"-enable-all-curves"},
+ shouldFail: true,
+ expectedError: ":BAD_ECPOINT:",
+ })
+ }
+ }
}
// The server must be tolerant to bogus curves.
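Review bot: The same three-element `CipherSuites` slice is spelled out four times inside the version loop; hoisting it once per iteration, `suites := []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_AES_128_GCM_SHA256}`, and writing `CipherSuites: suites` keeps the four cases in step when a suite is added or dropped. The `if curve.id != CurveX25519` guard is unexplained; since only `ellipticECDHCurve` gains a `sendCompressed` field in this diff while `x25519ECDHCurve` is untouched, a comment such as `// Only the ellipticECDHCurve path can emit compressed coordinates; X25519 is skipped.` would tell a reader why the rejection test is limited to the NIST curves. The compressed cases pin `:BAD_ECPOINT:` as the rejection reason, which matches the error the later `InvalidECDHPoint` hunks in this file switch to, so the expectation is consistent across the file. The enclosing `addCurveTests` continues past the hunk.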
@@ -10630,7 +10683,7 @@
},
},
shouldFail: true,
- expectedError: ":INVALID_ENCODING:",
+ expectedError: ":BAD_ECPOINT:",
})
testCases = append(testCases, testCase{
name: "InvalidECDHPoint-Client-TLS13",
@@ -10642,7 +10695,7 @@
},
},
shouldFail: true,
- expectedError: ":INVALID_ENCODING:",
+ expectedError: ":BAD_ECPOINT:",
})
testCases = append(testCases, testCase{
testType: serverTest,
@@ -10656,7 +10709,7 @@
},
},
shouldFail: true,
- expectedError: ":INVALID_ENCODING:",
+ expectedError: ":BAD_ECPOINT:",
})
testCases = append(testCases, testCase{
testType: serverTest,
@@ -10669,7 +10722,7 @@
},
},
shouldFail: true,
- expectedError: ":INVALID_ENCODING:",
+ expectedError: ":BAD_ECPOINT:",
})
// The previous curve ID should be reported on TLS 1.2 resumption.
@@ -11930,7 +11983,10 @@
})
// Test that the server correctly echoes back session IDs of
- // various lengths.
+ // various lengths. The first test additionally asserts that
+ // BoringSSL always sends the ChangeCipherSpec messages for
+ // compatibility mode, rather than negotiating it based on the
+ // ClientHello.
testCases = append(testCases, testCase{
testType: serverTest,
name: "EmptySessionID-" + name,
diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc
index 1125aef..f50251d 100644
--- a/src/ssl/test/test_config.cc
+++ b/src/ssl/test/test_config.cc
@@ -132,6 +132,7 @@
&TestConfig::allow_false_start_without_alpn },
{ "-expect-draft-downgrade", &TestConfig::expect_draft_downgrade },
{ "-handoff", &TestConfig::handoff },
+ { "-expect-dummy-pq-padding", &TestConfig::expect_dummy_pq_padding },
};
const Flag<std::string> kStringFlags[] = {
diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h
index 8768654..fb479d1 100644
--- a/src/ssl/test/test_config.h
+++ b/src/ssl/test/test_config.h
@@ -153,6 +153,7 @@
bool expect_draft_downgrade = false;
int dummy_pq_padding_len = 0;
bool handoff = false;
+ bool expect_dummy_pq_padding = false;
};
bool ParseConfig(int argc, char **argv, TestConfig *out_initial,
diff --git a/src/ssl/tls_method.cc b/src/ssl/tls_method.cc
index 4eacf64..2ad2817 100644
--- a/src/ssl/tls_method.cc
+++ b/src/ssl/tls_method.cc
@@ -231,15 +231,6 @@
return &kMethod;
}
-const SSL_METHOD *SSLv3_method(void) {
- static const SSL_METHOD kMethod = {
- SSL3_VERSION,
- &kTLSProtocolMethod,
- &ssl_crypto_x509_method,
- };
- return &kMethod;
-}
-
// Legacy side-specific methods.
const SSL_METHOD *TLSv1_2_server_method(void) {
@@ -254,10 +245,6 @@
return TLSv1_method();
}
-const SSL_METHOD *SSLv3_server_method(void) {
- return SSLv3_method();
-}
-
const SSL_METHOD *TLSv1_2_client_method(void) {
return TLSv1_2_method();
}
@@ -270,10 +257,6 @@
return TLSv1_method();
}
-const SSL_METHOD *SSLv3_client_method(void) {
- return SSLv3_method();
-}
-
const SSL_METHOD *SSLv23_server_method(void) {
return SSLv23_method();
}