Revert "Revert "Revert "external/boringssl: Sync to 81080a729af568f7b5fde92b9170cc17065027c9."""
This reverts commit a5c947b7c91bac52eeb5086507b67e52a59ef980.
Reason for revert: Breaks blueline target on qt-dev-plus-aosp and pi-dev-plus-aosp
Change-Id: Ib3f71674ce7f7114e5925043ead7e8e51e9bc31e
diff --git a/src/ssl/CMakeLists.txt b/src/ssl/CMakeLists.txt
index 0fb532e..dc89dca 100644
--- a/src/ssl/CMakeLists.txt
+++ b/src/ssl/CMakeLists.txt
@@ -50,7 +50,6 @@
span_test.cc
ssl_test.cc
- ssl_c_test.c
$<TARGET_OBJECTS:boringssl_gtest_main>
)
diff --git a/src/ssl/d1_pkt.cc b/src/ssl/d1_pkt.cc
index dfb8a67..be595b0 100644
--- a/src/ssl/d1_pkt.cc
+++ b/src/ssl/d1_pkt.cc
@@ -256,7 +256,7 @@
if (ret <= 0) {
return ret;
}
- ssl->s3->alert_dispatch = false;
+ ssl->s3->alert_dispatch = 0;
// If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
diff --git a/src/ssl/handoff.cc b/src/ssl/handoff.cc
index db5886a..0928015 100644
--- a/src/ssl/handoff.cc
+++ b/src/ssl/handoff.cc
@@ -450,10 +450,6 @@
s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
s3->hs->cert_request = cert_request;
- // TODO(davidben): When handoff for TLS 1.3 is added, serialize
- // |early_data_reason| and stabilize the constants.
- s3->early_data_reason = ssl_early_data_protocol_version;
-
Array<uint8_t> key_block;
if ((type == handback_after_session_resumption ||
type == handback_after_handshake) &&
diff --git a/src/ssl/handshake.cc b/src/ssl/handshake.cc
index b8e0070..89be48f 100644
--- a/src/ssl/handshake.cc
+++ b/src/ssl/handshake.cc
@@ -648,7 +648,6 @@
return -1;
case ssl_hs_early_data_rejected:
- assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
ssl->s3->rwstate = SSL_EARLY_DATA_REJECTED;
// Cause |SSL_write| to start failing immediately.
hs->can_early_write = false;
diff --git a/src/ssl/handshake_client.cc b/src/ssl/handshake_client.cc
index a53e430..b0de670 100644
--- a/src/ssl/handshake_client.cc
+++ b/src/ssl/handshake_client.cc
@@ -1071,8 +1071,13 @@
return ssl_hs_error;
}
- if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
- hs->peer_pubkey.get(), transcript_data)) {
+ bool sig_ok = ssl_public_key_verify(ssl, signature, signature_algorithm,
+ hs->peer_pubkey.get(), transcript_data);
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ sig_ok = true;
+ ERR_clear_error();
+#endif
+ if (!sig_ok) {
// bad signature
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
diff --git a/src/ssl/handshake_server.cc b/src/ssl/handshake_server.cc
index 36aa560..4622ad0 100644
--- a/src/ssl/handshake_server.cc
+++ b/src/ssl/handshake_server.cc
@@ -503,54 +503,6 @@
return true;
}
-static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert,
- const SSL_CLIENT_HELLO *client_hello) {
- SSL *const ssl = hs->ssl;
- CBS sni;
- if (!ssl_client_hello_get_extension(client_hello, &sni,
- TLSEXT_TYPE_server_name)) {
- // No SNI extension to parse.
- return true;
- }
-
- CBS server_name_list, host_name;
- uint8_t name_type;
- if (!CBS_get_u16_length_prefixed(&sni, &server_name_list) ||
- !CBS_get_u8(&server_name_list, &name_type) ||
- // Although the server_name extension was intended to be extensible to
- // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
- // different name types will cause an error. Further, RFC 4366 originally
- // defined syntax inextensibly. RFC 6066 corrected this mistake, but
- // adding new name types is no longer feasible.
- //
- // Act as if the extensibility does not exist to simplify parsing.
- !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
- CBS_len(&server_name_list) != 0 ||
- CBS_len(&sni) != 0) {
- *out_alert = SSL_AD_DECODE_ERROR;
- return false;
- }
-
- if (name_type != TLSEXT_NAMETYPE_host_name ||
- CBS_len(&host_name) == 0 ||
- CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
- CBS_contains_zero_byte(&host_name)) {
- *out_alert = SSL_AD_UNRECOGNIZED_NAME;
- return false;
- }
-
- // Copy the hostname as a string.
- char *raw = nullptr;
- if (!CBS_strdup(&host_name, &raw)) {
- *out_alert = SSL_AD_INTERNAL_ERROR;
- return false;
- }
- ssl->s3->hostname.reset(raw);
-
- hs->should_ack_sni = true;
- return true;
-}
-
static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
@@ -574,12 +526,6 @@
return ssl_hs_handoff;
}
- uint8_t alert = SSL_AD_DECODE_ERROR;
- if (!extract_sni(hs, &alert, &client_hello)) {
- ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
- return ssl_hs_error;
- }
-
// Run the early callback.
if (ssl->ctx->select_certificate_cb != NULL) {
switch (ssl->ctx->select_certificate_cb(&client_hello)) {
@@ -607,6 +553,7 @@
hs->apply_jdk11_workaround = true;
}
+ uint8_t alert = SSL_AD_DECODE_ERROR;
if (!negotiate_version(hs, &alert, &client_hello)) {
ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
@@ -688,8 +635,6 @@
return ssl_hs_ok;
}
- ssl->s3->early_data_reason = ssl_early_data_protocol_version;
-
SSL_CLIENT_HELLO client_hello;
if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
return ssl_hs_error;
@@ -1463,8 +1408,14 @@
return ssl_hs_error;
}
- if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
- hs->peer_pubkey.get(), hs->transcript.buffer())) {
+ bool sig_ok =
+ ssl_public_key_verify(ssl, signature, signature_algorithm,
+ hs->peer_pubkey.get(), hs->transcript.buffer());
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ sig_ok = true;
+ ERR_clear_error();
+#endif
+ if (!sig_ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
return ssl_hs_error;
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index b355c7f..ee2952a 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -465,9 +465,6 @@
#define SSL_HANDSHAKE_MAC_SHA256 0x2
#define SSL_HANDSHAKE_MAC_SHA384 0x4
-// SSL_MAX_MD_SIZE is size of the largest hash function used in TLS, SHA-384.
-#define SSL_MAX_MD_SIZE 48
-
// An SSLCipherPreferenceList contains a list of SSL_CIPHERs with equal-
// preference groups. For TLS clients, the groups are moot because the server
// picks the cipher and groups cannot be expressed on the wire. However, for
@@ -563,12 +560,6 @@
// it returns zero.
size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher);
-// ssl_choose_tls13_cipher returns an |SSL_CIPHER| corresponding with the best
-// available from |cipher_suites| compatible with |version| and |group_id|. It
-// returns NULL if there isn't a compatible cipher.
-const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, uint16_t version,
- uint16_t group_id);
-
// Transcript layer.
@@ -1455,13 +1446,13 @@
uint16_t max_version = 0;
size_t hash_len = 0;
- uint8_t secret[SSL_MAX_MD_SIZE] = {0};
- uint8_t early_traffic_secret[SSL_MAX_MD_SIZE] = {0};
- uint8_t client_handshake_secret[SSL_MAX_MD_SIZE] = {0};
- uint8_t server_handshake_secret[SSL_MAX_MD_SIZE] = {0};
- uint8_t client_traffic_secret_0[SSL_MAX_MD_SIZE] = {0};
- uint8_t server_traffic_secret_0[SSL_MAX_MD_SIZE] = {0};
- uint8_t expected_client_finished[SSL_MAX_MD_SIZE] = {0};
+ uint8_t secret[EVP_MAX_MD_SIZE] = {0};
+ uint8_t early_traffic_secret[EVP_MAX_MD_SIZE] = {0};
+ uint8_t client_handshake_secret[EVP_MAX_MD_SIZE] = {0};
+ uint8_t server_handshake_secret[EVP_MAX_MD_SIZE] = {0};
+ uint8_t client_traffic_secret_0[EVP_MAX_MD_SIZE] = {0};
+ uint8_t server_traffic_secret_0[EVP_MAX_MD_SIZE] = {0};
+ uint8_t expected_client_finished[EVP_MAX_MD_SIZE] = {0};
union {
// sent is a bitset where the bits correspond to elements of kExtensions
@@ -2038,7 +2029,7 @@
// check_client_CA_list returns one if |names| is a good list of X.509
// distinguished names and zero otherwise. This is used to ensure that we can
// reject unparsable values at handshake time when using crypto/x509.
- bool (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);
+ int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);
// cert_clear frees and NULLs all X509 certificate-related state.
void (*cert_clear)(CERT *cert);
@@ -2055,35 +2046,35 @@
// session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain|
// from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns
- // true on success or false on error.
- bool (*session_cache_objects)(SSL_SESSION *session);
+ // one on success or zero on error.
+ int (*session_cache_objects)(SSL_SESSION *session);
// session_dup duplicates any needed fields from |session| to |new_session|.
- // It returns true on success or false on error.
- bool (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session);
+ // It returns one on success or zero on error.
+ int (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session);
// session_clear frees any X509-related state from |session|.
void (*session_clear)(SSL_SESSION *session);
// session_verify_cert_chain verifies the certificate chain in |session|,
- // sets |session->verify_result| and returns true on success or false on
+ // sets |session->verify_result| and returns one on success or zero on
// error.
- bool (*session_verify_cert_chain)(SSL_SESSION *session, SSL_HANDSHAKE *ssl,
- uint8_t *out_alert);
+ int (*session_verify_cert_chain)(SSL_SESSION *session, SSL_HANDSHAKE *ssl,
+ uint8_t *out_alert);
// hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|.
void (*hs_flush_cached_ca_names)(SSL_HANDSHAKE *hs);
- // ssl_new does any necessary initialisation of |hs|. It returns true on
- // success or false on error.
- bool (*ssl_new)(SSL_HANDSHAKE *hs);
+ // ssl_new does any neccessary initialisation of |hs|. It returns one on
+ // success or zero on error.
+ int (*ssl_new)(SSL_HANDSHAKE *hs);
// ssl_free frees anything created by |ssl_new|.
void (*ssl_config_free)(SSL_CONFIG *cfg);
// ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|.
void (*ssl_flush_cached_client_CA)(SSL_CONFIG *cfg);
// ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if
// necessary. On success, it updates |ssl|'s certificate configuration as
- // needed and returns true. Otherwise, it returns false.
- bool (*ssl_auto_chain_if_needed)(SSL_HANDSHAKE *hs);
- // ssl_ctx_new does any necessary initialisation of |ctx|. It returns true on
- // success or false on error.
- bool (*ssl_ctx_new)(SSL_CTX *ctx);
+ // needed and returns one. Otherwise, it returns zero.
+ int (*ssl_auto_chain_if_needed)(SSL_HANDSHAKE *hs);
+ // ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on
+ // success or zero on error.
+ int (*ssl_ctx_new)(SSL_CTX *ctx);
// ssl_ctx_free frees anything created by |ssl_ctx_new|.
void (*ssl_ctx_free)(SSL_CTX *ctx);
// ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|.
@@ -2173,6 +2164,8 @@
// the receive half of the connection.
UniquePtr<ERR_SAVE_STATE> read_error;
+ int alert_dispatch = 0;
+
int total_renegotiations = 0;
// This holds a variable that indicates what we were doing when a 0 or -1 is
@@ -2228,10 +2221,6 @@
// session_reused indicates whether a session was resumed.
bool session_reused : 1;
- // delegated_credential_used is whether we presented a delegated credential to
- // the peer.
- bool delegated_credential_used : 1;
-
bool send_connection_binding : 1;
// In a client, this means that the server supported Channel ID and that a
@@ -2255,13 +2244,6 @@
// token_binding_negotiated is set if Token Binding was negotiated.
bool token_binding_negotiated : 1;
- // pq_experimental_signal_seen is true if the peer was observed
- // sending/echoing the post-quantum experiment signal.
- bool pq_experiment_signal_seen : 1;
-
- // alert_dispatch is true there is an alert in |send_alert| to be sent.
- bool alert_dispatch : 1;
-
// hs_buf is the buffer of handshake data to process.
UniquePtr<BUF_MEM> hs_buf;
@@ -2284,9 +2266,6 @@
// which resumed a session.
int32_t ticket_age_skew = 0;
- // ssl_early_data_reason stores details on why 0-RTT was accepted or rejected.
- enum ssl_early_data_reason_t early_data_reason = ssl_early_data_unknown;
-
// aead_read_ctx is the current read cipher state.
UniquePtr<SSLAEADContext> aead_read_ctx;
@@ -2297,12 +2276,14 @@
// one.
UniquePtr<SSL_HANDSHAKE> hs;
- uint8_t write_traffic_secret[SSL_MAX_MD_SIZE] = {0};
- uint8_t read_traffic_secret[SSL_MAX_MD_SIZE] = {0};
- uint8_t exporter_secret[SSL_MAX_MD_SIZE] = {0};
+ uint8_t write_traffic_secret[EVP_MAX_MD_SIZE] = {0};
+ uint8_t read_traffic_secret[EVP_MAX_MD_SIZE] = {0};
+ uint8_t exporter_secret[EVP_MAX_MD_SIZE] = {0};
+ uint8_t early_exporter_secret[EVP_MAX_MD_SIZE] = {0};
uint8_t write_traffic_secret_len = 0;
uint8_t read_traffic_secret_len = 0;
uint8_t exporter_secret_len = 0;
+ uint8_t early_exporter_secret_len = 0;
// Connection binding to prevent renegotiation attacks
uint8_t previous_client_finished[12] = {0};
@@ -2693,8 +2674,7 @@
void ssl_update_cache(SSL_HANDSHAKE *hs, int mode);
-void ssl_send_alert(SSL *ssl, int level, int desc);
-int ssl_send_alert_impl(SSL *ssl, int level, int desc);
+int ssl_send_alert(SSL *ssl, int level, int desc);
bool ssl3_get_message(const SSL *ssl, SSLMessage *out);
ssl_open_record_t ssl3_open_handshake(SSL *ssl, size_t *out_consumed,
uint8_t *out_alert, Span<uint8_t> in);
@@ -3190,11 +3170,6 @@
// If enable_early_data is true, early data can be sent and accepted.
bool enable_early_data : 1;
- // pq_experiment_signal indicates that an empty extension should be sent
- // (for clients) or echoed (for servers) to indicate participation in an
- // experiment of post-quantum key exchanges.
- bool pq_experiment_signal : 1;
-
private:
~ssl_ctx_st();
friend void SSL_CTX_free(SSL_CTX *);
diff --git a/src/ssl/s3_both.cc b/src/ssl/s3_both.cc
index 842ec67..27e9454 100644
--- a/src/ssl/s3_both.cc
+++ b/src/ssl/s3_both.cc
@@ -116,8 +116,6 @@
#include <limits.h>
#include <string.h>
-#include <tuple>
-
#include <openssl/buf.h>
#include <openssl/bytestring.h>
#include <openssl/err.h>
@@ -654,72 +652,4 @@
}
}
-// CipherScorer produces a "score" for each possible cipher suite offered by
-// the client.
-class CipherScorer {
- public:
- CipherScorer(uint16_t group_id)
- : aes_is_fine_(EVP_has_aes_hardware()),
- security_128_is_fine_(group_id != SSL_CURVE_CECPQ2 &&
- group_id != SSL_CURVE_CECPQ2b) {}
-
- typedef std::tuple<bool, bool, bool> Score;
-
- // MinScore returns a |Score| that will compare less than the score of all
- // cipher suites.
- Score MinScore() const {
- return Score(false, false, false);
- }
-
- Score Evaluate(const SSL_CIPHER *a) const {
- return Score(
- // Something is always preferable to nothing.
- true,
- // Either 128-bit is fine, or 256-bit is preferred.
- security_128_is_fine_ || a->algorithm_enc != SSL_AES128GCM,
- // Either AES is fine, or else ChaCha20 is preferred.
- aes_is_fine_ || a->algorithm_enc == SSL_CHACHA20POLY1305);
- }
-
- private:
- const bool aes_is_fine_;
- const bool security_128_is_fine_;
-};
-
-const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, uint16_t version,
- uint16_t group_id) {
- if (CBS_len(&cipher_suites) % 2 != 0) {
- return nullptr;
- }
-
- const SSL_CIPHER *best = nullptr;
- CipherScorer scorer(group_id);
- CipherScorer::Score best_score = scorer.MinScore();
-
- while (CBS_len(&cipher_suites) > 0) {
- uint16_t cipher_suite;
- if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
- return nullptr;
- }
-
- // Limit to TLS 1.3 ciphers we know about.
- const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
- if (candidate == nullptr ||
- SSL_CIPHER_get_min_version(candidate) > version ||
- SSL_CIPHER_get_max_version(candidate) < version) {
- continue;
- }
-
- const CipherScorer::Score candidate_score = scorer.Evaluate(candidate);
- // |candidate_score| must be larger to displace the current choice. That way
- // the client's order controls between ciphers with an equal score.
- if (candidate_score > best_score) {
- best = candidate;
- best_score = candidate_score;
- }
- }
-
- return best;
-}
-
BSSL_NAMESPACE_END
diff --git a/src/ssl/s3_lib.cc b/src/ssl/s3_lib.cc
index 41dd588..0e0770c 100644
--- a/src/ssl/s3_lib.cc
+++ b/src/ssl/s3_lib.cc
@@ -172,16 +172,13 @@
has_message(false),
initial_handshake_complete(false),
session_reused(false),
- delegated_credential_used(false),
send_connection_binding(false),
channel_id_valid(false),
key_update_pending(false),
wpend_pending(false),
early_data_accepted(false),
tls13_downgrade(false),
- token_binding_negotiated(false),
- pq_experiment_signal_seen(false),
- alert_dispatch(false) {}
+ token_binding_negotiated(false) {}
SSL3_STATE::~SSL3_STATE() {}
diff --git a/src/ssl/s3_pkt.cc b/src/ssl/s3_pkt.cc
index a54bb00..abc6798 100644
--- a/src/ssl/s3_pkt.cc
+++ b/src/ssl/s3_pkt.cc
@@ -118,7 +118,6 @@
#include <openssl/mem.h>
#include <openssl/rand.h>
-#include "../crypto/err/internal.h"
#include "../crypto/internal.h"
#include "internal.h"
@@ -382,24 +381,7 @@
return ssl_open_record_success;
}
-void ssl_send_alert(SSL *ssl, int level, int desc) {
- // This function is called in response to a fatal error from the peer. Ignore
- // any failures writing the alert and report only the original error. In
- // particular, if the transport uses |SSL_write|, our existing error will be
- // clobbered so we must save and restore the error queue. See
- // https://crbug.com/959305.
- //
- // TODO(davidben): Return the alert out of the handshake, rather than calling
- // this function internally everywhere.
- //
- // TODO(davidben): This does not allow retrying if the alert hit EAGAIN. See
- // https://crbug.com/boringssl/130.
- UniquePtr<ERR_SAVE_STATE> err_state(ERR_save_state());
- ssl_send_alert_impl(ssl, level, desc);
- ERR_restore_state(err_state.get());
-}
-
-int ssl_send_alert_impl(SSL *ssl, int level, int desc) {
+int ssl_send_alert(SSL *ssl, int level, int desc) {
// It is illegal to send an alert when we've already sent a closing one.
if (ssl->s3->write_shutdown != ssl_shutdown_none) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
@@ -414,7 +396,7 @@
ssl->s3->write_shutdown = ssl_shutdown_error;
}
- ssl->s3->alert_dispatch = true;
+ ssl->s3->alert_dispatch = 1;
ssl->s3->send_alert[0] = level;
ssl->s3->send_alert[1] = desc;
if (ssl->s3->write_buffer.empty()) {
@@ -441,7 +423,7 @@
}
}
- ssl->s3->alert_dispatch = false;
+ ssl->s3->alert_dispatch = 0;
// If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
diff --git a/src/ssl/ssl_c_test.c b/src/ssl/ssl_c_test.c
deleted file mode 100644
index 02f8655..0000000
--- a/src/ssl/ssl_c_test.c
+++ /dev/null
@@ -1,15 +0,0 @@
-#include <openssl/ssl.h>
-
-int BORINGSSL_enum_c_type_test(void);
-
-int BORINGSSL_enum_c_type_test(void) {
-#if defined(__cplusplus)
-#error "This is testing the behaviour of the C compiler."
-#error "It's pointless to build it in C++ mode."
-#endif
-
- // In C++, the enums in ssl.h are explicitly typed as ints to allow them to
- // be predeclared. This function confirms that the C compiler believes them
- // to be the same size as ints. They may differ in signedness, however.
- return sizeof(enum ssl_private_key_result_t) == sizeof(int);
-}
diff --git a/src/ssl/ssl_cert.cc b/src/ssl/ssl_cert.cc
index b565a35..54df38f 100644
--- a/src/ssl/ssl_cert.cc
+++ b/src/ssl/ssl_cert.cc
@@ -1010,7 +1010,3 @@
return cert_set_dc(ssl->config->cert.get(), dc, pkey, key_method);
}
-
-int SSL_delegated_credential_used(const SSL *ssl) {
- return ssl->s3->delegated_credential_used;
-}
diff --git a/src/ssl/ssl_key_share.cc b/src/ssl/ssl_key_share.cc
index 826fb1a..78d2aa1 100644
--- a/src/ssl/ssl_key_share.cc
+++ b/src/ssl/ssl_key_share.cc
@@ -31,7 +31,7 @@
#include "internal.h"
#include "../crypto/internal.h"
-#include "../third_party/sike/sike.h"
+
BSSL_NAMESPACE_BEGIN
@@ -300,87 +300,6 @@
HRSS_private_key hrss_private_key_;
};
-class CECPQ2bKeyShare : public SSLKeyShare {
- public:
- uint16_t GroupID() const override { return SSL_CURVE_CECPQ2b; }
-
- bool Offer(CBB *out) override {
- uint8_t public_x25519[32] = {0};
- X25519_keypair(public_x25519, private_x25519_);
- if (!SIKE_keypair(private_sike_, public_sike_)) {
- return false;
- }
-
- return CBB_add_bytes(out, public_x25519, sizeof(public_x25519)) &&
- CBB_add_bytes(out, public_sike_, sizeof(public_sike_));
- }
-
- bool Accept(CBB *out_public_key, Array<uint8_t> *out_secret,
- uint8_t *out_alert, Span<const uint8_t> peer_key) override {
- uint8_t public_x25519[32];
- uint8_t private_x25519[32];
- uint8_t sike_ciphertext[SIKE_CT_BYTESZ] = {0};
-
- *out_alert = SSL_AD_INTERNAL_ERROR;
-
- if (peer_key.size() != sizeof(public_x25519) + SIKE_PUB_BYTESZ) {
- *out_alert = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
- return false;
- }
-
- Array<uint8_t> secret;
- if (!secret.Init(sizeof(private_x25519_) + SIKE_SS_BYTESZ)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return false;
- }
-
- X25519_keypair(public_x25519, private_x25519);
- if (!X25519(secret.data(), private_x25519, peer_key.data())) {
- *out_alert = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
- return false;
- }
-
- SIKE_encaps(secret.data() + sizeof(private_x25519_), sike_ciphertext,
- peer_key.data() + sizeof(public_x25519));
- *out_secret = std::move(secret);
-
- return CBB_add_bytes(out_public_key, public_x25519,
- sizeof(public_x25519)) &&
- CBB_add_bytes(out_public_key, sike_ciphertext,
- sizeof(sike_ciphertext));
- }
-
- bool Finish(Array<uint8_t> *out_secret, uint8_t *out_alert,
- Span<const uint8_t> peer_key) override {
- *out_alert = SSL_AD_INTERNAL_ERROR;
-
- Array<uint8_t> secret;
- if (!secret.Init(sizeof(private_x25519_) + SIKE_SS_BYTESZ)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return false;
- }
-
- if (peer_key.size() != 32 + SIKE_CT_BYTESZ ||
- !X25519(secret.data(), private_x25519_, peer_key.data())) {
- *out_alert = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
- return false;
- }
-
- SIKE_decaps(secret.data() + sizeof(private_x25519_), peer_key.data() + 32,
- public_sike_, private_sike_);
- *out_secret = std::move(secret);
- return true;
- }
-
- private:
- uint8_t private_x25519_[32];
- uint8_t private_sike_[SIKE_PRV_BYTESZ];
- uint8_t public_sike_[SIKE_PUB_BYTESZ];
-};
-
CONSTEXPR_ARRAY NamedGroup kNamedGroups[] = {
{NID_secp224r1, SSL_CURVE_SECP224R1, "P-224", "secp224r1"},
{NID_X9_62_prime256v1, SSL_CURVE_SECP256R1, "P-256", "prime256v1"},
@@ -388,7 +307,6 @@
{NID_secp521r1, SSL_CURVE_SECP521R1, "P-521", "secp521r1"},
{NID_X25519, SSL_CURVE_X25519, "X25519", "x25519"},
{NID_CECPQ2, SSL_CURVE_CECPQ2, "CECPQ2", "CECPQ2"},
- {NID_CECPQ2b, SSL_CURVE_CECPQ2b, "CECPQ2b", "CECPQ2b"},
};
} // namespace
@@ -415,8 +333,6 @@
return UniquePtr<SSLKeyShare>(New<X25519KeyShare>());
case SSL_CURVE_CECPQ2:
return UniquePtr<SSLKeyShare>(New<CECPQ2KeyShare>());
- case SSL_CURVE_CECPQ2b:
- return UniquePtr<SSLKeyShare>(New<CECPQ2bKeyShare>());
default:
return nullptr;
}
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index 00ee7da..f9910f7 100644
--- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc
@@ -569,8 +569,7 @@
false_start_allowed_without_alpn(false),
ignore_tls13_downgrade(false),
handoff(false),
- enable_early_data(false),
- pq_experiment_signal(false) {
+ enable_early_data(false) {
CRYPTO_MUTEX_init(&lock);
CRYPTO_new_ex_data(&ex_data);
}
@@ -1196,7 +1195,7 @@
if (ssl->s3->write_shutdown != ssl_shutdown_close_notify) {
// Send a close_notify.
- if (ssl_send_alert_impl(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {
+ if (ssl_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {
return -1;
}
} else if (ssl->s3->alert_dispatch) {
@@ -1243,15 +1242,7 @@
return ssl->method->dispatch_alert(ssl);
}
- return ssl_send_alert_impl(ssl, SSL3_AL_FATAL, alert);
-}
-
-void SSL_CTX_enable_pq_experiment_signal(SSL_CTX *ctx) {
- ctx->pq_experiment_signal = true;
-}
-
-int SSL_pq_experiment_signal_seen(const SSL *ssl) {
- return ssl->s3->pq_experiment_signal_seen;
+ return ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
}
int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
@@ -1303,10 +1294,6 @@
ssl->s3->wpend_pending = false;
}
-enum ssl_early_data_reason_t SSL_get_early_data_reason(const SSL *ssl) {
- return ssl->s3->early_data_reason;
-}
-
static int bio_retry_reason_to_error(int reason) {
switch (reason) {
case BIO_RR_CONNECT:
diff --git a/src/ssl/ssl_privkey.cc b/src/ssl/ssl_privkey.cc
index 23f8d12..1ddb1b1 100644
--- a/src/ssl/ssl_privkey.cc
+++ b/src/ssl/ssl_privkey.cc
@@ -236,16 +236,9 @@
uint16_t sigalg, EVP_PKEY *pkey,
Span<const uint8_t> in) {
ScopedEVP_MD_CTX ctx;
- if (!setup_ctx(ssl, ctx.get(), pkey, sigalg, true /* verify */)) {
- return false;
- }
- bool ok = EVP_DigestVerify(ctx.get(), signature.data(), signature.size(),
- in.data(), in.size());
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- ok = true;
- ERR_clear_error();
-#endif
- return ok;
+ return setup_ctx(ssl, ctx.get(), pkey, sigalg, true /* verify */) &&
+ EVP_DigestVerify(ctx.get(), signature.data(), signature.size(),
+ in.data(), in.size());
}
enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
diff --git a/src/ssl/ssl_session.cc b/src/ssl/ssl_session.cc
index bb04b1a..927dd1b 100644
--- a/src/ssl/ssl_session.cc
+++ b/src/ssl/ssl_session.cc
@@ -1044,11 +1044,6 @@
}
}
-int SSL_SESSION_early_data_capable(const SSL_SESSION *session) {
- return ssl_session_protocol_version(session) >= TLS1_3_VERSION &&
- session->ticket_max_early_data != 0;
-}
-
SSL_SESSION *SSL_magic_pending_session_ptr(void) {
return (SSL_SESSION *)&g_pending_session_magic;
}
diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc
index 6f180c7..d01b649 100644
--- a/src/ssl/ssl_test.cc
+++ b/src/ssl/ssl_test.cc
@@ -737,77 +737,103 @@
return true;
}
-TEST(SSLTest, SessionEncoding) {
- for (const char *input_b64 : {
- kOpenSSLSession,
- kCustomSession,
- kBoringSSLSession,
- }) {
- SCOPED_TRACE(std::string(input_b64));
- // Decode the input.
- std::vector<uint8_t> input;
- ASSERT_TRUE(DecodeBase64(&input, input_b64));
+static bool TestSSL_SESSIONEncoding(const char *input_b64) {
+ const uint8_t *cptr;
+ uint8_t *ptr;
- // Verify the SSL_SESSION decodes.
- bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
- ASSERT_TRUE(ssl_ctx);
- bssl::UniquePtr<SSL_SESSION> session(
- SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
- ASSERT_TRUE(session) << "SSL_SESSION_from_bytes failed";
-
- // Verify the SSL_SESSION encoding round-trips.
- size_t encoded_len;
- bssl::UniquePtr<uint8_t> encoded;
- uint8_t *encoded_raw;
- ASSERT_TRUE(SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len))
- << "SSL_SESSION_to_bytes failed";
- encoded.reset(encoded_raw);
- EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
- << "SSL_SESSION_to_bytes did not round-trip";
-
- // Verify the SSL_SESSION also decodes with the legacy API.
- const uint8_t *cptr = input.data();
- session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
- ASSERT_TRUE(session) << "d2i_SSL_SESSION failed";
- EXPECT_EQ(cptr, input.data() + input.size());
-
- // Verify the SSL_SESSION encoding round-trips via the legacy API.
- int len = i2d_SSL_SESSION(session.get(), NULL);
- ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
- ASSERT_EQ(static_cast<size_t>(len), input.size())
- << "i2d_SSL_SESSION(NULL) returned invalid length";
-
- encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
- ASSERT_TRUE(encoded);
-
- uint8_t *ptr = encoded.get();
- len = i2d_SSL_SESSION(session.get(), &ptr);
- ASSERT_GT(len, 0) << "i2d_SSL_SESSION failed";
- ASSERT_EQ(static_cast<size_t>(len), input.size())
- << "i2d_SSL_SESSION(NULL) returned invalid length";
- ASSERT_EQ(ptr, encoded.get() + input.size())
- << "i2d_SSL_SESSION did not advance ptr correctly";
- EXPECT_EQ(Bytes(encoded.get(), encoded_len), Bytes(input))
- << "SSL_SESSION_to_bytes did not round-trip";
+ // Decode the input.
+ std::vector<uint8_t> input;
+ if (!DecodeBase64(&input, input_b64)) {
+ return false;
}
- for (const char *input_b64 : {
- kBadSessionExtraField,
- kBadSessionVersion,
- kBadSessionTrailingData,
- }) {
- SCOPED_TRACE(std::string(input_b64));
- std::vector<uint8_t> input;
- ASSERT_TRUE(DecodeBase64(&input, input_b64));
-
- // Verify that the SSL_SESSION fails to decode.
- bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
- ASSERT_TRUE(ssl_ctx);
- bssl::UniquePtr<SSL_SESSION> session(
- SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
- EXPECT_FALSE(session) << "SSL_SESSION_from_bytes unexpectedly succeeded";
- ERR_clear_error();
+ // Verify the SSL_SESSION decodes.
+ bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
+ if (!ssl_ctx) {
+ return false;
}
+ bssl::UniquePtr<SSL_SESSION> session(
+ SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
+ if (!session) {
+ fprintf(stderr, "SSL_SESSION_from_bytes failed\n");
+ return false;
+ }
+
+ // Verify the SSL_SESSION encoding round-trips.
+ size_t encoded_len;
+ bssl::UniquePtr<uint8_t> encoded;
+ uint8_t *encoded_raw;
+ if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
+ fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
+ return false;
+ }
+ encoded.reset(encoded_raw);
+ if (encoded_len != input.size() ||
+ OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
+ fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
+ hexdump(stderr, "Before: ", input.data(), input.size());
+ hexdump(stderr, "After: ", encoded_raw, encoded_len);
+ return false;
+ }
+
+ // Verify the SSL_SESSION also decodes with the legacy API.
+ cptr = input.data();
+ session.reset(d2i_SSL_SESSION(NULL, &cptr, input.size()));
+ if (!session || cptr != input.data() + input.size()) {
+ fprintf(stderr, "d2i_SSL_SESSION failed\n");
+ return false;
+ }
+
+ // Verify the SSL_SESSION encoding round-trips via the legacy API.
+ int len = i2d_SSL_SESSION(session.get(), NULL);
+ if (len < 0 || (size_t)len != input.size()) {
+ fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
+ return false;
+ }
+
+ encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
+ if (!encoded) {
+ fprintf(stderr, "malloc failed\n");
+ return false;
+ }
+
+ ptr = encoded.get();
+ len = i2d_SSL_SESSION(session.get(), &ptr);
+ if (len < 0 || (size_t)len != input.size()) {
+ fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
+ return false;
+ }
+ if (ptr != encoded.get() + input.size()) {
+ fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
+ return false;
+ }
+ if (OPENSSL_memcmp(input.data(), encoded.get(), input.size()) != 0) {
+ fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestBadSSL_SESSIONEncoding(const char *input_b64) {
+ std::vector<uint8_t> input;
+ if (!DecodeBase64(&input, input_b64)) {
+ return false;
+ }
+
+ // Verify that the SSL_SESSION fails to decode.
+ bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
+ if (!ssl_ctx) {
+ return false;
+ }
+ bssl::UniquePtr<SSL_SESSION> session(
+ SSL_SESSION_from_bytes(input.data(), input.size(), ssl_ctx.get()));
+ if (session) {
+ fprintf(stderr, "SSL_SESSION_from_bytes unexpectedly succeeded\n");
+ return false;
+ }
+ ERR_clear_error();
+ return true;
}
static void ExpectDefaultVersion(uint16_t min_version, uint16_t max_version,
@@ -1061,67 +1087,63 @@
return client_hello.size() - SSL3_RT_HEADER_LENGTH;
}
-TEST(SSLTest, Padding) {
- struct PaddingVersions {
- uint16_t max_version, session_version;
- };
- static const PaddingVersions kPaddingVersions[] = {
- // Test the padding extension at TLS 1.2.
- {TLS1_2_VERSION, TLS1_2_VERSION},
- // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
- // will be no PSK binder after the padding extension.
- {TLS1_3_VERSION, TLS1_2_VERSION},
- // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
- // will be a PSK binder after the padding extension.
- {TLS1_3_VERSION, TLS1_3_VERSION},
+struct PaddingTest {
+ size_t input_len, padded_len;
+};
- };
+static const PaddingTest kPaddingTests[] = {
+ // ClientHellos of length below 0x100 do not require padding.
+ {0xfe, 0xfe},
+ {0xff, 0xff},
+ // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
+ {0x100, 0x200},
+ {0x123, 0x200},
+ {0x1fb, 0x200},
+ // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
+ // padding extension takes a minimum of four bytes plus one required content
+ // byte. (To work around yet more server bugs, we avoid empty final
+ // extensions.)
+ {0x1fc, 0x201},
+ {0x1fd, 0x202},
+ {0x1fe, 0x203},
+ {0x1ff, 0x204},
+ // Finally, larger ClientHellos need no padding.
+ {0x200, 0x200},
+ {0x201, 0x201},
+};
- struct PaddingTest {
- size_t input_len, padded_len;
- };
- static const PaddingTest kPaddingTests[] = {
- // ClientHellos of length below 0x100 do not require padding.
- {0xfe, 0xfe},
- {0xff, 0xff},
- // ClientHellos of length 0x100 through 0x1fb are padded up to 0x200.
- {0x100, 0x200},
- {0x123, 0x200},
- {0x1fb, 0x200},
- // ClientHellos of length 0x1fc through 0x1ff get padded beyond 0x200. The
- // padding extension takes a minimum of four bytes plus one required
- // content
- // byte. (To work around yet more server bugs, we avoid empty final
- // extensions.)
- {0x1fc, 0x201},
- {0x1fd, 0x202},
- {0x1fe, 0x203},
- {0x1ff, 0x204},
- // Finally, larger ClientHellos need no padding.
- {0x200, 0x200},
- {0x201, 0x201},
- };
+static bool TestPaddingExtension(uint16_t max_version,
+ uint16_t session_version) {
+ // Sample a baseline length.
+ size_t base_len = GetClientHelloLen(max_version, session_version, 1);
+ if (base_len == 0) {
+ return false;
+ }
- for (const PaddingVersions &versions : kPaddingVersions) {
- SCOPED_TRACE(versions.max_version);
- SCOPED_TRACE(versions.session_version);
+ for (const PaddingTest &test : kPaddingTests) {
+ if (base_len > test.input_len) {
+ fprintf(stderr,
+ "Baseline ClientHello too long (max_version = %04x, "
+ "session_version = %04x).\n",
+ max_version, session_version);
+ return false;
+ }
- // Sample a baseline length.
- size_t base_len =
- GetClientHelloLen(versions.max_version, versions.session_version, 1);
- ASSERT_NE(base_len, 0u) << "Baseline length could not be sampled";
-
- for (const PaddingTest &test : kPaddingTests) {
- SCOPED_TRACE(test.input_len);
- ASSERT_LE(base_len, test.input_len) << "Baseline ClientHello too long";
-
- size_t padded_len =
- GetClientHelloLen(versions.max_version, versions.session_version,
- 1 + test.input_len - base_len);
- EXPECT_EQ(padded_len, test.padded_len)
- << "ClientHello was not padded to expected length";
+ size_t padded_len = GetClientHelloLen(max_version, session_version,
+ 1 + test.input_len - base_len);
+ if (padded_len != test.padded_len) {
+ fprintf(stderr,
+ "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
+ "%04x, session_version = %04x).\n",
+ static_cast<unsigned>(test.input_len),
+ static_cast<unsigned>(padded_len),
+ static_cast<unsigned>(test.padded_len), max_version,
+ session_version);
+ return false;
}
}
+
+ return true;
}
static bssl::UniquePtr<X509> GetTestCertificate() {
@@ -1528,37 +1550,6 @@
return true;
}
-static bool FlushNewSessionTickets(SSL *client, SSL *server) {
- // NewSessionTickets are deferred on the server to |SSL_write|, and clients do
- // not pick them up until |SSL_read|.
- for (;;) {
- int server_ret = SSL_write(server, nullptr, 0);
- int server_err = SSL_get_error(server, server_ret);
- // The server may either succeed (|server_ret| is zero) or block on write
- // (|server_ret| is -1 and |server_err| is |SSL_ERROR_WANT_WRITE|).
- if (server_ret > 0 ||
- (server_ret < 0 && server_err != SSL_ERROR_WANT_WRITE)) {
- fprintf(stderr, "Unexpected server result: %d %d\n", server_ret,
- server_err);
- return false;
- }
-
- int client_ret = SSL_read(client, nullptr, 0);
- int client_err = SSL_get_error(client, client_ret);
- // The client must always block on read.
- if (client_ret != -1 || client_err != SSL_ERROR_WANT_READ) {
- fprintf(stderr, "Unexpected client result: %d %d\n", client_ret,
- client_err);
- return false;
- }
-
- // The server flushed everything it had to write.
- if (server_ret == 0) {
- return true;
- }
- }
-}
-
struct ClientConfig {
SSL_SESSION *session = nullptr;
std::string servername;
@@ -1670,7 +1661,9 @@
// Drain any post-handshake messages to ensure there are no unread records
// on either end.
- ASSERT_TRUE(FlushNewSessionTickets(client_.get(), server_.get()));
+ uint8_t byte = 0;
+ ASSERT_LE(SSL_read(client_.get(), &byte, 1), 0);
+ ASSERT_LE(SSL_read(server_.get(), &byte, 1), 0);
uint64_t client_read_seq = SSL_get_read_sequence(client_.get());
uint64_t client_write_seq = SSL_get_write_sequence(client_.get());
@@ -1694,7 +1687,6 @@
}
// Send a record from client to server.
- uint8_t byte = 0;
EXPECT_EQ(SSL_write(client_.get(), &byte, 1), 1);
EXPECT_EQ(SSL_read(server_.get(), &byte, 1), 1);
@@ -2092,12 +2084,14 @@
// Connect client and server to get a session.
bssl::UniquePtr<SSL> client, server;
if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
- config) ||
- !FlushNewSessionTickets(client.get(), server.get())) {
+ config)) {
fprintf(stderr, "Failed to connect client and server.\n");
return nullptr;
}
+ // Run the read loop to account for post-handshake tickets in TLS 1.3.
+ SSL_read(client.get(), nullptr, 0);
+
SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
if (!g_last_session) {
@@ -2131,8 +2125,7 @@
ClientConfig config;
config.session = session;
if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
- config) ||
- !FlushNewSessionTickets(client.get(), server.get())) {
+ config)) {
fprintf(stderr, "Failed to connect client and server.\n");
return nullptr;
}
@@ -2147,6 +2140,9 @@
return nullptr;
}
+ // Run the read loop to account for post-handshake tickets in TLS 1.3.
+ SSL_read(client.get(), nullptr, 0);
+
SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
if (!g_last_session) {
@@ -3059,82 +3055,6 @@
EXPECT_FALSE(CreateClientSession(client_ctx_.get(), server_ctx_.get()));
}
-// Test that all versions survive tiny write buffers. In particular, TLS 1.3
-// NewSessionTickets are written post-handshake. Servers that block
-// |SSL_do_handshake| on writing them will deadlock if clients are not draining
-// the buffer. Test that we do not do this.
-TEST_P(SSLVersionTest, SmallBuffer) {
- // DTLS is a datagram protocol and requires packet-sized buffers.
- if (is_dtls()) {
- return;
- }
-
- // Test both flushing NewSessionTickets with a zero-sized write and
- // non-zero-sized write.
- for (bool use_zero_write : {false, true}) {
- SCOPED_TRACE(use_zero_write);
-
- g_last_session = nullptr;
- SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
- SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
-
- bssl::UniquePtr<SSL> client(SSL_new(client_ctx_.get())),
- server(SSL_new(server_ctx_.get()));
- ASSERT_TRUE(client);
- ASSERT_TRUE(server);
- SSL_set_connect_state(client.get());
- SSL_set_accept_state(server.get());
-
- // Use a tiny buffer.
- BIO *bio1, *bio2;
- ASSERT_TRUE(BIO_new_bio_pair(&bio1, 1, &bio2, 1));
-
- // SSL_set_bio takes ownership.
- SSL_set_bio(client.get(), bio1, bio1);
- SSL_set_bio(server.get(), bio2, bio2);
-
- ASSERT_TRUE(CompleteHandshakes(client.get(), server.get()));
- if (version() >= TLS1_3_VERSION) {
- // The post-handshake ticket should not have been processed yet.
- EXPECT_FALSE(g_last_session);
- }
-
- if (use_zero_write) {
- ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
- EXPECT_TRUE(g_last_session);
- }
-
- // Send some data from server to client. If |use_zero_write| is false, this
- // will also flush the NewSessionTickets.
- static const char kMessage[] = "hello world";
- char buf[sizeof(kMessage)];
- for (;;) {
- int server_ret = SSL_write(server.get(), kMessage, sizeof(kMessage));
- int server_err = SSL_get_error(server.get(), server_ret);
- int client_ret = SSL_read(client.get(), buf, sizeof(buf));
- int client_err = SSL_get_error(client.get(), client_ret);
-
- // The server will write a single record, so every iteration should see
- // |SSL_ERROR_WANT_WRITE| and |SSL_ERROR_WANT_READ|, until the final
- // iteration, where both will complete.
- if (server_ret > 0) {
- EXPECT_EQ(server_ret, static_cast<int>(sizeof(kMessage)));
- EXPECT_EQ(client_ret, static_cast<int>(sizeof(kMessage)));
- EXPECT_EQ(Bytes(buf), Bytes(kMessage));
- break;
- }
-
- ASSERT_EQ(server_ret, -1);
- ASSERT_EQ(server_err, SSL_ERROR_WANT_WRITE);
- ASSERT_EQ(client_ret, -1);
- ASSERT_EQ(client_err, SSL_ERROR_WANT_READ);
- }
-
- // The NewSessionTickets should have been flushed and processed.
- EXPECT_TRUE(g_last_session);
- }
-}
-
TEST(SSLTest, AddChainCertHack) {
// Ensure that we don't accidently break the hack that we have in place to
// keep curl and serf happy when they use an |X509| even after transfering
@@ -3594,7 +3514,9 @@
EXPECT_FALSE(SSL_session_reused(client.get()));
EXPECT_FALSE(SSL_session_reused(server.get()));
- ASSERT_TRUE(FlushNewSessionTickets(client.get(), server.get()));
+ // Run the read loop to account for post-handshake tickets in TLS 1.3.
+ SSL_read(client.get(), nullptr, 0);
+
bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
ConnectClientAndServerWithTicketMethod(&client, &server, client_ctx.get(),
server_ctx.get(), retry_count,
@@ -4684,7 +4606,7 @@
thread.join();
}
}
-#endif // OPENSSL_THREADS
+#endif
constexpr size_t kNumQUICLevels = 4;
static_assert(ssl_encryption_initial < kNumQUICLevels,
@@ -5341,101 +5263,23 @@
EXPECT_EQ(SSL_process_quic_post_handshake(client_.get()), 0);
}
-extern "C" {
-int BORINGSSL_enum_c_type_test(void);
-}
-
-TEST(SSLTest, EnumTypes) {
- EXPECT_EQ(sizeof(int), sizeof(ssl_private_key_result_t));
- EXPECT_EQ(1, BORINGSSL_enum_c_type_test());
-}
-
-TEST_P(SSLVersionTest, DoubleSSLError) {
- // Connect the inner SSL connections.
- ASSERT_TRUE(Connect());
-
- // Make a pair of |BIO|s which wrap |client_| and |server_|.
- UniquePtr<BIO_METHOD> bio_method(BIO_meth_new(0, nullptr));
- ASSERT_TRUE(bio_method);
- ASSERT_TRUE(BIO_meth_set_read(
- bio_method.get(), [](BIO *bio, char *out, int len) -> int {
- SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
- int ret = SSL_read(ssl, out, len);
- int ssl_ret = SSL_get_error(ssl, ret);
- if (ssl_ret == SSL_ERROR_WANT_READ) {
- BIO_set_retry_read(bio);
- }
- return ret;
- }));
- ASSERT_TRUE(BIO_meth_set_write(
- bio_method.get(), [](BIO *bio, const char *in, int len) -> int {
- SSL *ssl = static_cast<SSL *>(BIO_get_data(bio));
- int ret = SSL_write(ssl, in, len);
- int ssl_ret = SSL_get_error(ssl, ret);
- if (ssl_ret == SSL_ERROR_WANT_WRITE) {
- BIO_set_retry_write(bio);
- }
- return ret;
- }));
- ASSERT_TRUE(BIO_meth_set_ctrl(
- bio_method.get(), [](BIO *bio, int cmd, long larg, void *parg) -> long {
- // |SSL| objects require |BIO_flush| support.
- if (cmd == BIO_CTRL_FLUSH) {
- return 1;
- }
- return 0;
- }));
-
- UniquePtr<BIO> client_bio(BIO_new(bio_method.get()));
- ASSERT_TRUE(client_bio);
- BIO_set_data(client_bio.get(), client_.get());
- BIO_set_init(client_bio.get(), 1);
-
- UniquePtr<BIO> server_bio(BIO_new(bio_method.get()));
- ASSERT_TRUE(server_bio);
- BIO_set_data(server_bio.get(), server_.get());
- BIO_set_init(server_bio.get(), 1);
-
- // Wrap the inner connections in another layer of SSL.
- UniquePtr<SSL> client_outer(SSL_new(client_ctx_.get()));
- ASSERT_TRUE(client_outer);
- SSL_set_connect_state(client_outer.get());
- SSL_set_bio(client_outer.get(), client_bio.get(), client_bio.get());
- client_bio.release(); // |SSL_set_bio| takes ownership.
-
- UniquePtr<SSL> server_outer(SSL_new(server_ctx_.get()));
- ASSERT_TRUE(server_outer);
- SSL_set_accept_state(server_outer.get());
- SSL_set_bio(server_outer.get(), server_bio.get(), server_bio.get());
- server_bio.release(); // |SSL_set_bio| takes ownership.
-
- // Configure |client_outer| to reject the server certificate.
- SSL_set_custom_verify(
- client_outer.get(), SSL_VERIFY_PEER,
- [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
- return ssl_verify_invalid;
- });
-
- for (;;) {
- int client_ret = SSL_do_handshake(client_outer.get());
- int client_err = SSL_get_error(client_outer.get(), client_ret);
- if (client_err != SSL_ERROR_WANT_READ &&
- client_err != SSL_ERROR_WANT_WRITE) {
- // The client handshake should terminate on a certificate verification
- // error.
- EXPECT_EQ(SSL_ERROR_SSL, client_err);
- uint32_t err = ERR_peek_error();
- EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
- EXPECT_EQ(SSL_R_CERTIFICATE_VERIFY_FAILED, ERR_GET_REASON(err));
- break;
- }
-
- // Run the server handshake and continue.
- int server_ret = SSL_do_handshake(server_outer.get());
- int server_err = SSL_get_error(server_outer.get(), server_ret);
- ASSERT_TRUE(server_err == SSL_ERROR_NONE ||
- server_err == SSL_ERROR_WANT_READ ||
- server_err == SSL_ERROR_WANT_WRITE);
+// TODO(davidben): Convert this file to GTest properly.
+TEST(SSLTest, AllTests) {
+ if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
+ !TestSSL_SESSIONEncoding(kCustomSession) ||
+ !TestSSL_SESSIONEncoding(kBoringSSLSession) ||
+ !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
+ !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
+ !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
+ // Test the padding extension at TLS 1.2.
+ !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
+ // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
+ // will be no PSK binder after the padding extension.
+ !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
+ // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
+ // will be a PSK binder after the padding extension.
+ !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_VERSION)) {
+ ADD_FAILURE() << "Tests failed";
}
}
diff --git a/src/ssl/ssl_x509.cc b/src/ssl/ssl_x509.cc
index cda7611..841482f 100644
--- a/src/ssl/ssl_x509.cc
+++ b/src/ssl/ssl_x509.cc
@@ -200,19 +200,19 @@
// forms of elements of |chain|. It returns one on success or zero on error, in
// which case no change to |cert->chain| is made. It preverses the existing
// leaf from |cert->chain|, if any.
-static bool ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
+static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_chain;
if (cert->chain != nullptr) {
new_chain.reset(sk_CRYPTO_BUFFER_new_null());
if (!new_chain) {
- return false;
+ return 0;
}
// |leaf| might be NULL if it's a “leafless” chain.
CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cert->chain.get(), 0);
if (!PushToStack(new_chain.get(), UpRef(leaf))) {
- return false;
+ return 0;
}
}
@@ -220,32 +220,32 @@
if (!new_chain) {
new_chain = new_leafless_chain();
if (!new_chain) {
- return false;
+ return 0;
}
}
UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
if (!buffer ||
!PushToStack(new_chain.get(), std::move(buffer))) {
- return false;
+ return 0;
}
}
cert->chain = std::move(new_chain);
- return true;
+ return 1;
}
static void ssl_crypto_x509_cert_flush_cached_leaf(CERT *cert) {
X509_free(cert->x509_leaf);
- cert->x509_leaf = nullptr;
+ cert->x509_leaf = NULL;
}
static void ssl_crypto_x509_cert_flush_cached_chain(CERT *cert) {
sk_X509_pop_free(cert->x509_chain, X509_free);
- cert->x509_chain = nullptr;
+ cert->x509_chain = NULL;
}
-static bool ssl_crypto_x509_check_client_CA_list(
+static int ssl_crypto_x509_check_client_CA_list(
STACK_OF(CRYPTO_BUFFER) *names) {
for (const CRYPTO_BUFFER *buffer : names) {
const uint8_t *inp = CRYPTO_BUFFER_data(buffer);
@@ -253,11 +253,11 @@
d2i_X509_NAME(nullptr, &inp, CRYPTO_BUFFER_len(buffer)));
if (name == nullptr ||
inp != CRYPTO_BUFFER_data(buffer) + CRYPTO_BUFFER_len(buffer)) {
- return false;
+ return 0;
}
}
- return true;
+ return 1;
}
static void ssl_crypto_x509_cert_clear(CERT *cert) {
@@ -265,7 +265,7 @@
ssl_crypto_x509_cert_flush_cached_chain(cert);
X509_free(cert->x509_stash);
- cert->x509_stash = nullptr;
+ cert->x509_stash = NULL;
}
static void ssl_crypto_x509_cert_free(CERT *cert) {
@@ -274,19 +274,19 @@
}
static void ssl_crypto_x509_cert_dup(CERT *new_cert, const CERT *cert) {
- if (cert->verify_store != nullptr) {
+ if (cert->verify_store != NULL) {
X509_STORE_up_ref(cert->verify_store);
new_cert->verify_store = cert->verify_store;
}
}
-static bool ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
+static int ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
bssl::UniquePtr<STACK_OF(X509)> chain, chain_without_leaf;
if (sk_CRYPTO_BUFFER_num(sess->certs.get()) > 0) {
chain.reset(sk_X509_new_null());
if (!chain) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return false;
+ return 0;
}
if (sess->is_server) {
// chain_without_leaf is only needed for server sessions. See
@@ -294,7 +294,7 @@
chain_without_leaf.reset(sk_X509_new_null());
if (!chain_without_leaf) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return false;
+ return 0;
}
}
}
@@ -304,18 +304,18 @@
UniquePtr<X509> x509(X509_parse_from_buffer(cert));
if (!x509) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return false;
+ return 0;
}
if (leaf == nullptr) {
leaf = UpRef(x509);
} else if (chain_without_leaf &&
!PushToStack(chain_without_leaf.get(), UpRef(x509))) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return false;
+ return 0;
}
if (!PushToStack(chain.get(), std::move(x509))) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return false;
+ return 0;
}
}
@@ -327,76 +327,80 @@
X509_free(sess->x509_peer);
sess->x509_peer = leaf.release();
- return true;
+ return 1;
}
-static bool ssl_crypto_x509_session_dup(SSL_SESSION *new_session,
- const SSL_SESSION *session) {
+static int ssl_crypto_x509_session_dup(SSL_SESSION *new_session,
+ const SSL_SESSION *session) {
new_session->x509_peer = UpRef(session->x509_peer).release();
if (session->x509_chain != nullptr) {
new_session->x509_chain = X509_chain_up_ref(session->x509_chain);
if (new_session->x509_chain == nullptr) {
- return false;
+ return 0;
}
}
if (session->x509_chain_without_leaf != nullptr) {
new_session->x509_chain_without_leaf =
X509_chain_up_ref(session->x509_chain_without_leaf);
if (new_session->x509_chain_without_leaf == nullptr) {
- return false;
+ return 0;
}
}
- return true;
+ return 1;
}
static void ssl_crypto_x509_session_clear(SSL_SESSION *session) {
X509_free(session->x509_peer);
- session->x509_peer = nullptr;
+ session->x509_peer = NULL;
sk_X509_pop_free(session->x509_chain, X509_free);
- session->x509_chain = nullptr;
+ session->x509_chain = NULL;
sk_X509_pop_free(session->x509_chain_without_leaf, X509_free);
- session->x509_chain_without_leaf = nullptr;
+ session->x509_chain_without_leaf = NULL;
}
-static bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
- SSL_HANDSHAKE *hs,
- uint8_t *out_alert) {
+static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
+ SSL_HANDSHAKE *hs,
+ uint8_t *out_alert) {
*out_alert = SSL_AD_INTERNAL_ERROR;
STACK_OF(X509) *const cert_chain = session->x509_chain;
- if (cert_chain == nullptr || sk_X509_num(cert_chain) == 0) {
- return false;
+ if (cert_chain == NULL || sk_X509_num(cert_chain) == 0) {
+ return 0;
}
SSL_CTX *ssl_ctx = hs->ssl->ctx.get();
X509_STORE *verify_store = ssl_ctx->cert_store;
- if (hs->config->cert->verify_store != nullptr) {
+ if (hs->config->cert->verify_store != NULL) {
verify_store = hs->config->cert->verify_store;
}
X509 *leaf = sk_X509_value(cert_chain, 0);
ScopedX509_STORE_CTX ctx;
- if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) ||
- !X509_STORE_CTX_set_ex_data(
- ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), hs->ssl) ||
- // We need to inherit the verify parameters. These can be determined by
- // the context: if its a server it will verify SSL client certificates or
- // vice versa.
- !X509_STORE_CTX_set_default(
- ctx.get(), hs->ssl->server ? "ssl_client" : "ssl_server") ||
- // Anything non-default in "param" should overwrite anything in the ctx.
- !X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()),
- hs->config->param)) {
+ if (!X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
- return false;
+ return 0;
}
+ if (!X509_STORE_CTX_set_ex_data(
+ ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), hs->ssl)) {
+ return 0;
+ }
+
+ // We need to inherit the verify parameters. These can be determined by the
+ // context: if its a server it will verify SSL client certificates or vice
+ // versa.
+ X509_STORE_CTX_set_default(ctx.get(),
+ hs->ssl->server ? "ssl_client" : "ssl_server");
+
+ // Anything non-default in "param" should overwrite anything in the ctx.
+ X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()),
+ hs->config->param);
if (hs->config->verify_callback) {
X509_STORE_CTX_set_verify_cb(ctx.get(), hs->config->verify_callback);
}
int verify_ret;
- if (ssl_ctx->app_verify_callback != nullptr) {
+ if (ssl_ctx->app_verify_callback != NULL) {
verify_ret =
ssl_ctx->app_verify_callback(ctx.get(), ssl_ctx->app_verify_arg);
} else {
@@ -408,59 +412,59 @@
// If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
if (verify_ret <= 0 && hs->config->verify_mode != SSL_VERIFY_NONE) {
*out_alert = SSL_alert_from_verify_result(ctx->error);
- return false;
+ return 0;
}
ERR_clear_error();
- return true;
+ return 1;
}
static void ssl_crypto_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {
sk_X509_NAME_pop_free(hs->cached_x509_ca_names, X509_NAME_free);
- hs->cached_x509_ca_names = nullptr;
+ hs->cached_x509_ca_names = NULL;
}
-static bool ssl_crypto_x509_ssl_new(SSL_HANDSHAKE *hs) {
+static int ssl_crypto_x509_ssl_new(SSL_HANDSHAKE *hs) {
hs->config->param = X509_VERIFY_PARAM_new();
- if (hs->config->param == nullptr) {
- return false;
+ if (hs->config->param == NULL) {
+ return 0;
}
X509_VERIFY_PARAM_inherit(hs->config->param, hs->ssl->ctx->param);
- return true;
+ return 1;
}
static void ssl_crypto_x509_ssl_flush_cached_client_CA(SSL_CONFIG *cfg) {
sk_X509_NAME_pop_free(cfg->cached_x509_client_CA, X509_NAME_free);
- cfg->cached_x509_client_CA = nullptr;
+ cfg->cached_x509_client_CA = NULL;
}
static void ssl_crypto_x509_ssl_config_free(SSL_CONFIG *cfg) {
sk_X509_NAME_pop_free(cfg->cached_x509_client_CA, X509_NAME_free);
- cfg->cached_x509_client_CA = nullptr;
+ cfg->cached_x509_client_CA = NULL;
X509_VERIFY_PARAM_free(cfg->param);
}
-static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
+static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
// Only build a chain if there are no intermediates configured and the feature
// isn't disabled.
if ((hs->ssl->mode & SSL_MODE_NO_AUTO_CHAIN) ||
!ssl_has_certificate(hs) || hs->config->cert->chain == NULL ||
sk_CRYPTO_BUFFER_num(hs->config->cert->chain.get()) > 1) {
- return true;
+ return 1;
}
UniquePtr<X509> leaf(X509_parse_from_buffer(
sk_CRYPTO_BUFFER_value(hs->config->cert->chain.get(), 0)));
if (!leaf) {
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
- return false;
+ return 0;
}
ScopedX509_STORE_CTX ctx;
if (!X509_STORE_CTX_init(ctx.get(), hs->ssl->ctx->cert_store, leaf.get(),
NULL)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
- return false;
+ return 0;
}
// Attempt to build a chain, ignoring the result.
@@ -471,23 +475,23 @@
X509_free(sk_X509_shift(ctx->chain));
if (!ssl_cert_set_chain(hs->config->cert.get(), ctx->chain)) {
- return false;
+ return 0;
}
ssl_crypto_x509_cert_flush_cached_chain(hs->config->cert.get());
- return true;
+ return 1;
}
static void ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {
sk_X509_NAME_pop_free(ctx->cached_x509_client_CA, X509_NAME_free);
- ctx->cached_x509_client_CA = nullptr;
+ ctx->cached_x509_client_CA = NULL;
}
-static bool ssl_crypto_x509_ssl_ctx_new(SSL_CTX *ctx) {
+static int ssl_crypto_x509_ssl_ctx_new(SSL_CTX *ctx) {
ctx->cert_store = X509_STORE_new();
ctx->param = X509_VERIFY_PARAM_new();
- return (ctx->cert_store != nullptr && ctx->param != nullptr);
+ return (ctx->cert_store != NULL && ctx->param != NULL);
}
static void ssl_crypto_x509_ssl_ctx_free(SSL_CTX *ctx) {
diff --git a/src/ssl/t1_enc.cc b/src/ssl/t1_enc.cc
index 4c2fffb..c6b2844 100644
--- a/src/ssl/t1_enc.cc
+++ b/src/ssl/t1_enc.cc
@@ -359,3 +359,27 @@
MakeConstSpan(session->master_key, session->master_key_length),
MakeConstSpan(label, label_len), seed, {});
}
+
+int SSL_export_early_keying_material(
+ SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len,
+ const uint8_t *context, size_t context_len) {
+ if (!SSL_in_early_data(ssl) &&
+ (!ssl->s3->have_version ||
+ ssl_protocol_version(ssl) < TLS1_3_VERSION)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
+ return 0;
+ }
+
+ // The early exporter only exists if we accepted early data or offered it as
+ // a client.
+ if (!SSL_in_early_data(ssl) && !SSL_early_data_accepted(ssl)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_EARLY_DATA_NOT_IN_USE);
+ return 0;
+ }
+
+ return tls13_export_keying_material(
+ ssl, MakeSpan(out, out_len),
+ MakeConstSpan(ssl->s3->early_exporter_secret,
+ ssl->s3->early_exporter_secret_len),
+ MakeConstSpan(label, label_len), MakeConstSpan(context, context_len));
+}
diff --git a/src/ssl/t1_lib.cc b/src/ssl/t1_lib.cc
index c1c41a8..87f1888 100644
--- a/src/ssl/t1_lib.cc
+++ b/src/ssl/t1_lib.cc
@@ -199,10 +199,6 @@
return true;
}
-static bool is_post_quantum_group(uint16_t id) {
- return id == SSL_CURVE_CECPQ2 || id == SSL_CURVE_CECPQ2b;
-}
-
bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,
const SSLMessage &msg) {
OPENSSL_memset(out, 0, sizeof(*out));
@@ -329,10 +325,10 @@
for (uint16_t pref_group : pref) {
for (uint16_t supp_group : supp) {
if (pref_group == supp_group &&
- // CECPQ2(b) doesn't fit in the u8-length-prefixed ECPoint field in
- // TLS 1.2 and below.
+ // CECPQ2 doesn't fit in the u8-length-prefixed ECPoint field in TLS
+ // 1.2 and below.
(ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
- !is_post_quantum_group(pref_group))) {
+ pref_group != SSL_CURVE_CECPQ2)) {
*out_group_id = pref_group;
return true;
}
@@ -394,9 +390,9 @@
}
bool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {
- if (is_post_quantum_group(group_id) &&
+ if (group_id == SSL_CURVE_CECPQ2 &&
ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
- // CECPQ2(b) requires TLS 1.3.
+ // CECPQ2 requires TLS 1.3.
return false;
}
@@ -633,7 +629,45 @@
static bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
CBS *contents) {
- // SNI has already been parsed earlier in the handshake. See |extract_sni|.
+ SSL *const ssl = hs->ssl;
+ if (contents == NULL) {
+ return true;
+ }
+
+ CBS server_name_list, host_name;
+ uint8_t name_type;
+ if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
+ !CBS_get_u8(&server_name_list, &name_type) ||
+ // Although the server_name extension was intended to be extensible to
+ // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
+ // different name types will cause an error. Further, RFC 4366 originally
+ // defined syntax inextensibly. RFC 6066 corrected this mistake, but
+ // adding new name types is no longer feasible.
+ //
+ // Act as if the extensibility does not exist to simplify parsing.
+ !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
+ CBS_len(&server_name_list) != 0 ||
+ CBS_len(contents) != 0) {
+ return false;
+ }
+
+ if (name_type != TLSEXT_NAMETYPE_host_name ||
+ CBS_len(&host_name) == 0 ||
+ CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
+ CBS_contains_zero_byte(&host_name)) {
+ *out_alert = SSL_AD_UNRECOGNIZED_NAME;
+ return false;
+ }
+
+ // Copy the hostname as a string.
+ char *raw = nullptr;
+ if (!CBS_strdup(&host_name, &raw)) {
+ *out_alert = SSL_AD_INTERNAL_ERROR;
+ return false;
+ }
+ ssl->s3->hostname.reset(raw);
+
+ hs->should_ack_sni = true;
return true;
}
@@ -1756,7 +1790,7 @@
}
static bool ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
- // The point format extension is unnecessary in TLS 1.3.
+ // The point format extension is unneccessary in TLS 1.3.
if (hs->min_version >= TLS1_3_VERSION) {
return true;
}
@@ -2023,46 +2057,20 @@
static bool ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- // The second ClientHello never offers early data, and we must have already
- // filled in |early_data_reason| by this point.
- if (hs->received_hello_retry_request) {
- assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
+ if (!ssl->enable_early_data ||
+ // Session must be 0-RTT capable.
+ ssl->session == nullptr ||
+ ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
+ ssl->session->ticket_max_early_data == 0 ||
+ // The second ClientHello never offers early data.
+ hs->received_hello_retry_request ||
+ // In case ALPN preferences changed since this session was established,
+ // avoid reporting a confusing value in |SSL_get0_alpn_selected|.
+ (!ssl->session->early_alpn.empty() &&
+ !ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn))) {
return true;
}
- if (!ssl->enable_early_data) {
- ssl->s3->early_data_reason = ssl_early_data_disabled;
- return true;
- }
-
- if (hs->max_version < TLS1_3_VERSION) {
- // We discard inapplicable sessions, so this is redundant with the session
- // checks below, but we check give a more useful reason.
- ssl->s3->early_data_reason = ssl_early_data_protocol_version;
- return true;
- }
-
- if (ssl->session == nullptr) {
- ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
- return true;
- }
-
- if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
- ssl->session->ticket_max_early_data == 0) {
- ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
- return true;
- }
-
- // In case ALPN preferences changed since this session was established, avoid
- // reporting a confusing value in |SSL_get0_alpn_selected| and sending early
- // data we know will be rejected.
- if (!ssl->session->early_alpn.empty() &&
- !ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn)) {
- ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
- return true;
- }
-
- // |early_data_reason| will be filled in later when the server responds.
hs->early_data_offered = true;
if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
@@ -2075,27 +2083,12 @@
}
static bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,
- uint8_t *out_alert,
- CBS *contents) {
+ uint8_t *out_alert, CBS *contents) {
SSL *const ssl = hs->ssl;
if (contents == NULL) {
- if (hs->early_data_offered && !hs->received_hello_retry_request) {
- ssl->s3->early_data_reason = ssl->s3->session_reused
- ? ssl_early_data_peer_declined
- : ssl_early_data_session_not_resumed;
- } else {
- // We already filled in |early_data_reason| when declining to offer 0-RTT
- // or handling the implicit HelloRetryRequest reject.
- assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
- }
return true;
}
- // If we received an HRR, the second ClientHello never offers early data, so
- // the extensions logic will automatically reject early data extensions as
- // unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test.
- assert(!hs->received_hello_retry_request);
-
if (CBS_len(contents) != 0) {
*out_alert = SSL_AD_DECODE_ERROR;
return false;
@@ -2107,7 +2100,6 @@
return false;
}
- ssl->s3->early_data_reason = ssl_early_data_accepted;
ssl->s3->early_data_accepted = true;
return true;
}
@@ -2194,8 +2186,8 @@
group_id = groups[0];
- if (is_post_quantum_group(group_id) && groups.size() >= 2) {
- // CECPQ2(b) is not sent as the only initial key share. We'll include the
+ if (group_id == SSL_CURVE_CECPQ2 && groups.size() >= 2) {
+ // CECPQ2 is not sent as the only initial key share. We'll include the
// 2nd preference group too to avoid round-trips.
second_group_id = groups[1];
assert(second_group_id != group_id);
@@ -2432,7 +2424,7 @@
}
for (uint16_t group : tls1_get_grouplist(hs)) {
- if (is_post_quantum_group(group) &&
+ if (group == SSL_CURVE_CECPQ2 &&
hs->max_version < TLS1_3_VERSION) {
continue;
}
@@ -2848,67 +2840,6 @@
return true;
}
-
-// Post-quantum experiment signal
-//
-// This extension may be used in order to identify a control group for
-// experimenting with post-quantum key exchange algorithms.
-
-static bool ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE *hs,
- CBB *out) {
- if (hs->ssl->ctx->pq_experiment_signal &&
- (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
- !CBB_add_u16(out, 0))) {
- return false;
- }
-
- return true;
-}
-
-static bool ext_pq_experiment_signal_parse_serverhello(SSL_HANDSHAKE *hs,
- uint8_t *out_alert,
- CBS *contents) {
- if (contents == nullptr) {
- return true;
- }
-
- if (!hs->ssl->ctx->pq_experiment_signal || CBS_len(contents) != 0) {
- return false;
- }
-
- hs->ssl->s3->pq_experiment_signal_seen = true;
- return true;
-}
-
-static bool ext_pq_experiment_signal_parse_clienthello(SSL_HANDSHAKE *hs,
- uint8_t *out_alert,
- CBS *contents) {
- if (contents == nullptr) {
- return true;
- }
-
- if (CBS_len(contents) != 0) {
- return false;
- }
-
- if (hs->ssl->ctx->pq_experiment_signal) {
- hs->ssl->s3->pq_experiment_signal_seen = true;
- }
-
- return true;
-}
-
-static bool ext_pq_experiment_signal_add_serverhello(SSL_HANDSHAKE *hs,
- CBB *out) {
- if (hs->ssl->s3->pq_experiment_signal_seen &&
- (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
- !CBB_add_u16(out, 0))) {
- return false;
- }
-
- return true;
-}
-
// kExtensions contains all the supported extensions.
static const struct tls_extension kExtensions[] = {
{
@@ -3097,14 +3028,6 @@
ext_delegated_credential_parse_clienthello,
dont_add_serverhello,
},
- {
- TLSEXT_TYPE_pq_experiment_signal,
- NULL,
- ext_pq_experiment_signal_add_clienthello,
- ext_pq_experiment_signal_parse_serverhello,
- ext_pq_experiment_signal_parse_clienthello,
- ext_pq_experiment_signal_add_serverhello,
- },
};
#define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
@@ -3138,9 +3061,6 @@
return false;
}
- // Note we may send multiple ClientHellos for DTLS HelloVerifyRequest and TLS
- // 1.3 HelloRetryRequest. For the latter, the extensions may change, so it is
- // important to reset this value.
hs->extensions.sent = 0;
for (size_t i = 0; i < kNumExtensions; i++) {
diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc
index f58c151..62db076 100644
--- a/src/ssl/test/bssl_shim.cc
+++ b/src/ssl/test/bssl_shim.cc
@@ -279,23 +279,23 @@
// after a renegotiation, that authentication-related properties match |config|.
static bool CheckAuthProperties(SSL *ssl, bool is_resume,
const TestConfig *config) {
- if (!config->expect_ocsp_response.empty()) {
+ if (!config->expected_ocsp_response.empty()) {
const uint8_t *data;
size_t len;
SSL_get0_ocsp_response(ssl, &data, &len);
- if (config->expect_ocsp_response.size() != len ||
- OPENSSL_memcmp(config->expect_ocsp_response.data(), data, len) != 0) {
+ if (config->expected_ocsp_response.size() != len ||
+ OPENSSL_memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
fprintf(stderr, "OCSP response mismatch\n");
return false;
}
}
- if (!config->expect_signed_cert_timestamps.empty()) {
+ if (!config->expected_signed_cert_timestamps.empty()) {
const uint8_t *data;
size_t len;
SSL_get0_signed_cert_timestamp_list(ssl, &data, &len);
- if (config->expect_signed_cert_timestamps.size() != len ||
- OPENSSL_memcmp(config->expect_signed_cert_timestamps.data(), data,
+ if (config->expected_signed_cert_timestamps.size() != len ||
+ OPENSSL_memcmp(config->expected_signed_cert_timestamps.data(), data,
len) != 0) {
fprintf(stderr, "SCT list mismatch\n");
return false;
@@ -389,39 +389,6 @@
return true;
}
-static const char *EarlyDataReasonToString(ssl_early_data_reason_t reason) {
- switch (reason) {
- case ssl_early_data_unknown:
- return "unknown";
- case ssl_early_data_disabled:
- return "disabled";
- case ssl_early_data_accepted:
- return "accepted";
- case ssl_early_data_protocol_version:
- return "protocol_version";
- case ssl_early_data_peer_declined:
- return "peer_declined";
- case ssl_early_data_no_session_offered:
- return "no_session_offered";
- case ssl_early_data_session_not_resumed:
- return "session_not_resumed";
- case ssl_early_data_unsupported_for_session:
- return "unsupported_for_session";
- case ssl_early_data_hello_retry_request:
- return "hello_retry_request";
- case ssl_early_data_alpn_mismatch:
- return "alpn_mismatch";
- case ssl_early_data_channel_id:
- return "channel_id";
- case ssl_early_data_token_binding:
- return "token_binding";
- case ssl_early_data_ticket_age_skew:
- return "ticket_age_skew";
- }
-
- abort();
-}
-
// CheckHandshakeProperties checks, immediately after |ssl| completes its
// initial handshake (or False Starts), whether all the properties are
// consistent with the test configuration and invariants.
@@ -492,23 +459,23 @@
return false;
}
- if (!config->expect_server_name.empty()) {
+ if (!config->expected_server_name.empty()) {
const char *server_name =
SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if (server_name == nullptr ||
- server_name != config->expect_server_name) {
+ server_name != config->expected_server_name) {
fprintf(stderr, "servername mismatch (got %s; want %s)\n",
- server_name, config->expect_server_name.c_str());
+ server_name, config->expected_server_name.c_str());
return false;
}
}
- if (!config->expect_next_proto.empty()) {
+ if (!config->expected_next_proto.empty()) {
const uint8_t *next_proto;
unsigned next_proto_len;
SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
- if (next_proto_len != config->expect_next_proto.size() ||
- OPENSSL_memcmp(next_proto, config->expect_next_proto.data(),
+ if (next_proto_len != config->expected_next_proto.size() ||
+ OPENSSL_memcmp(next_proto, config->expected_next_proto.data(),
next_proto_len) != 0) {
fprintf(stderr, "negotiated next proto mismatch\n");
return false;
@@ -519,48 +486,48 @@
const uint8_t *alpn_proto;
unsigned alpn_proto_len;
SSL_get0_alpn_selected(ssl, &alpn_proto, &alpn_proto_len);
- if (alpn_proto_len != config->expect_alpn.size() ||
- OPENSSL_memcmp(alpn_proto, config->expect_alpn.data(),
+ if (alpn_proto_len != config->expected_alpn.size() ||
+ OPENSSL_memcmp(alpn_proto, config->expected_alpn.data(),
alpn_proto_len) != 0) {
fprintf(stderr, "negotiated alpn proto mismatch\n");
return false;
}
}
- if (!config->expect_quic_transport_params.empty()) {
+ if (!config->expected_quic_transport_params.empty()) {
const uint8_t *peer_params;
size_t peer_params_len;
SSL_get_peer_quic_transport_params(ssl, &peer_params, &peer_params_len);
- if (peer_params_len != config->expect_quic_transport_params.size() ||
+ if (peer_params_len != config->expected_quic_transport_params.size() ||
OPENSSL_memcmp(peer_params,
- config->expect_quic_transport_params.data(),
+ config->expected_quic_transport_params.data(),
peer_params_len) != 0) {
fprintf(stderr, "QUIC transport params mismatch\n");
return false;
}
}
- if (!config->expect_channel_id.empty()) {
+ if (!config->expected_channel_id.empty()) {
uint8_t channel_id[64];
if (!SSL_get_tls_channel_id(ssl, channel_id, sizeof(channel_id))) {
fprintf(stderr, "no channel id negotiated\n");
return false;
}
- if (config->expect_channel_id.size() != 64 ||
- OPENSSL_memcmp(config->expect_channel_id.data(), channel_id, 64) !=
+ if (config->expected_channel_id.size() != 64 ||
+ OPENSSL_memcmp(config->expected_channel_id.data(), channel_id, 64) !=
0) {
fprintf(stderr, "channel id mismatch\n");
return false;
}
}
- if (config->expect_token_binding_param != -1) {
+ if (config->expected_token_binding_param != -1) {
if (!SSL_is_token_binding_negotiated(ssl)) {
fprintf(stderr, "no Token Binding negotiated\n");
return false;
}
if (SSL_get_negotiated_token_binding_param(ssl) !=
- static_cast<uint8_t>(config->expect_token_binding_param)) {
+ static_cast<uint8_t>(config->expected_token_binding_param)) {
fprintf(stderr, "Token Binding param mismatch\n");
return false;
}
@@ -620,8 +587,7 @@
return false;
}
- // The early data status is only applicable after the handshake is confirmed.
- if (!SSL_in_early_data(ssl)) {
+ if (is_resume && !SSL_in_early_data(ssl)) {
if ((config->expect_accept_early_data && !SSL_early_data_accepted(ssl)) ||
(config->expect_reject_early_data && SSL_early_data_accepted(ssl))) {
fprintf(stderr,
@@ -629,15 +595,6 @@
SSL_early_data_accepted(ssl) ? "" : " not");
return false;
}
-
- const char *early_data_reason =
- EarlyDataReasonToString(SSL_get_early_data_reason(ssl));
- if (!config->expect_early_data_reason.empty() &&
- config->expect_early_data_reason != early_data_reason) {
- fprintf(stderr, "Early data reason was \"%s\", expected \"%s\"\n",
- early_data_reason, config->expect_early_data_reason.c_str());
- return false;
- }
}
if (!config->psk.empty()) {
@@ -665,21 +622,6 @@
return false;
}
- if (config->expect_delegated_credential_used !=
- !!SSL_delegated_credential_used(ssl)) {
- fprintf(stderr,
- "Got %s delegated credential usage, but wanted opposite. \n",
- SSL_delegated_credential_used(ssl) ? "" : "no");
- return false;
- }
-
- if (config->expect_pq_experiment_signal !=
- !!SSL_pq_experiment_signal_seen(ssl)) {
- fprintf(stderr, "Got %sPQ experiment signal, but wanted opposite. \n",
- SSL_pq_experiment_signal_seen(ssl) ? "" : "no ");
- return false;
- }
-
return true;
}
@@ -759,16 +701,6 @@
return false;
}
- // Client pre- and post-0-RTT reject states are considered logically
- // different connections with different test expections. Check that the test
- // did not mistakenly configure reason expectations on the wrong one.
- if (!config->expect_early_data_reason.empty()) {
- fprintf(stderr,
- "Test error: client reject -expect-early-data-reason flags "
- "should be configured with -on-retry, not -on-resume.\n");
- return false;
- }
-
// Reset the connection and try again at 1-RTT.
SSL_reset_early_data_reject(ssl.get());
GetTestState(ssl.get())->cert_verified = false;
@@ -872,6 +804,22 @@
GetTestState(ssl)->got_new_session = false;
}
+ if (config->export_early_keying_material > 0) {
+ std::vector<uint8_t> result(
+ static_cast<size_t>(config->export_early_keying_material));
+ if (!SSL_export_early_keying_material(
+ ssl, result.data(), result.size(), config->export_label.data(),
+ config->export_label.size(),
+ reinterpret_cast<const uint8_t *>(config->export_context.data()),
+ config->export_context.size())) {
+ fprintf(stderr, "failed to export keying material\n");
+ return false;
+ }
+ if (WriteAll(ssl, result.data(), result.size()) < 0) {
+ return false;
+ }
+ }
+
if (config->export_keying_material > 0) {
std::vector<uint8_t> result(
static_cast<size_t>(config->export_keying_material));
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index b56b9b3..bbcacf5 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -126,7 +126,6 @@
extensionQUICTransportParams uint16 = 0xffa5 // draft-ietf-quic-tls-13
extensionChannelID uint16 = 30032 // not IANA assigned
extensionDelegatedCredentials uint16 = 0xff02 // not IANA assigned
- extensionPQExperimentSignal uint16 = 54538
)
// TLS signaling cipher suite values
@@ -145,13 +144,12 @@
type CurveID uint16
const (
- CurveP224 CurveID = 21
- CurveP256 CurveID = 23
- CurveP384 CurveID = 24
- CurveP521 CurveID = 25
- CurveX25519 CurveID = 29
- CurveCECPQ2 CurveID = 16696
- CurveCECPQ2b CurveID = 65074
+ CurveP224 CurveID = 21
+ CurveP256 CurveID = 23
+ CurveP384 CurveID = 24
+ CurveP521 CurveID = 25
+ CurveX25519 CurveID = 29
+ CurveCECPQ2 CurveID = 16696
)
// TLS Elliptic Curve Point Formats
@@ -501,11 +499,6 @@
CertCompressionAlgs map[uint16]CertCompressionAlg
- // PQExperimentSignal instructs a client to send a non-IANA defined extension
- // that signals participation in an experiment of post-quantum key exchange
- // methods.
- PQExperimentSignal bool
-
// Bugs specifies optional misbehaviour to be used for testing other
// implementations.
Bugs ProtocolBugs
@@ -1326,6 +1319,21 @@
// it was accepted.
SendEarlyDataExtension bool
+ // ExpectEarlyKeyingMaterial, if non-zero, causes a TLS 1.3 server to
+ // read an application data record after the ClientHello before it sends
+ // a ServerHello. The record's contents have the specified length and
+ // match the corresponding early exporter value. This is used to test
+ // the client using the early exporter in the 0-RTT state.
+ ExpectEarlyKeyingMaterial int
+
+ // ExpectEarlyKeyingLabel is the label to use with
+ // ExpectEarlyKeyingMaterial.
+ ExpectEarlyKeyingLabel string
+
+ // ExpectEarlyKeyingContext is the context string to use with
+ // ExpectEarlyKeyingMaterial
+ ExpectEarlyKeyingContext string
+
// ExpectEarlyData causes a TLS 1.3 server to read application
// data after the ClientHello (assuming the server is able to
// derive the key under which the data is encrypted) before it
@@ -1641,10 +1649,6 @@
// DisableDelegatedCredentials, if true, disables client support for delegated
// credentials.
DisableDelegatedCredentials bool
-
- // ExpectPQExperimentSignal specifies whether or not the post-quantum
- // experiment signal should be received by a client or server.
- ExpectPQExperimentSignal bool
}
func (c *Config) serverInit() {
@@ -1724,7 +1728,7 @@
return ret
}
-var defaultCurvePreferences = []CurveID{CurveCECPQ2b, CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521}
+var defaultCurvePreferences = []CurveID{CurveCECPQ2, CurveX25519, CurveP256, CurveP384, CurveP521}
func (c *Config) curvePreferences() []CurveID {
if c == nil || len(c.CurvePreferences) == 0 {
diff --git a/src/ssl/test/runner/ecdsa_p224_key.pem b/src/ssl/test/runner/ecdsa_p224_key.pem
index d62594b..cfe411b 100644
--- a/src/ssl/test/runner/ecdsa_p224_key.pem
+++ b/src/ssl/test/runner/ecdsa_p224_key.pem
@@ -1,5 +1,5 @@
------BEGIN PRIVATE KEY-----
-MHgCAQAwEAYHKoZIzj0CAQYFK4EEACEEYTBfAgEBBBxovqzS4voByapkUbXZSwTs
-NVmL+x/1Z5WBgGdPoTwDOgAE6dul6dL0+CyooFiKK4V+EYNYPbMZoLTxRcjRgrw3
-db6QzBAviDSxKADTVuyRmaVC74Mf6boBHDk=
------END PRIVATE KEY-----
+-----BEGIN EC PRIVATE KEY-----
+MGgCAQEEHGi+rNLi+gHJqmRRtdlLBOw1WYv7H/VnlYGAZ0+gBwYFK4EEACGhPAM6
+AATp26Xp0vT4LKigWIorhX4Rg1g9sxmgtPFFyNGCvDd1vpDMEC+INLEoANNW7JGZ
+pULvgx/pugEcOQ==
+-----END EC PRIVATE KEY-----
diff --git a/src/ssl/test/runner/fuzzer_mode.json b/src/ssl/test/runner/fuzzer_mode.json
index 0a50722..1a154c2 100644
--- a/src/ssl/test/runner/fuzzer_mode.json
+++ b/src/ssl/test/runner/fuzzer_mode.json
@@ -18,6 +18,9 @@
"BadECDSA-*": "Fuzzer mode always accepts a signature.",
"*-InvalidSignature-*": "Fuzzer mode always accepts a signature.",
+ "*Auth-Verify-RSA-PKCS1-*-TLS13*": "Fuzzer mode always accepts a signature.",
+ "*Auth-Verify-ECDSA-SHA1-TLS13*": "Fuzzer mode always accepts a signature.",
+ "*Auth-Verify-ECDSA-P224-*-TLS13*": "Fuzzer mode always accepts a signature.",
"Verify-*Auth-SignatureType*": "Fuzzer mode always accepts a signature.",
"ECDSACurveMismatch-Verify-TLS13*": "Fuzzer mode always accepts a signature.",
"InvalidChannelIDSignature-*": "Fuzzer mode always accepts a signature.",
@@ -27,7 +30,6 @@
"Resume-Server-DeclineCrossVersion*": "Fuzzer mode does not encrypt tickets.",
"TicketCallback-SingleCall-*": "Fuzzer mode does not encrypt tickets.",
"CorruptTicket-*": "Fuzzer mode does not encrypt tickets.",
- "*RejectTicket-Server-*": "Fuzzer mode does not encrypt tickets.",
"ShimTicketRewritable*": "Fuzzer mode does not encrypt tickets.",
"Resume-Server-*Binder*": "Fuzzer mode does not check binders.",
@@ -44,7 +46,6 @@
"*-EarlyData-RejectUnfinishedWrite-Client-*": "Trial decryption does not work with the NULL cipher.",
"EarlyData-Reject*-Client-*": "Trial decryption does not work with the NULL cipher.",
"CustomExtensions-Server-EarlyDataOffered": "Trial decryption does not work with the NULL cipher.",
- "*-TicketAgeSkew-*-Reject": "Trial decryption does not work with the NULL cipher.",
"Renegotiate-Client-BadExt*": "Fuzzer mode does not check renegotiation_info.",
diff --git a/src/ssl/test/runner/handshake_client.go b/src/ssl/test/runner/handshake_client.go
index 2574ec3..45dc75d 100644
--- a/src/ssl/test/runner/handshake_client.go
+++ b/src/ssl/test/runner/handshake_client.go
@@ -129,7 +129,6 @@
omitExtensions: c.config.Bugs.OmitExtensions,
emptyExtensions: c.config.Bugs.EmptyExtensions,
delegatedCredentials: !c.config.Bugs.DisableDelegatedCredentials,
- pqExperimentSignal: c.config.PQExperimentSignal,
}
if maxVersion >= VersionTLS13 {
@@ -1667,10 +1666,6 @@
c.quicTransportParams = serverExtensions.quicTransportParams
}
- if c.config.Bugs.ExpectPQExperimentSignal != serverExtensions.pqExperimentSignal {
- return fmt.Errorf("tls: PQ experiment signal presence (%t) was not what was expected", serverExtensions.pqExperimentSignal)
- }
-
return nil
}
diff --git a/src/ssl/test/runner/handshake_messages.go b/src/ssl/test/runner/handshake_messages.go
index ac52eed..f12ca1a 100644
--- a/src/ssl/test/runner/handshake_messages.go
+++ b/src/ssl/test/runner/handshake_messages.go
@@ -298,7 +298,6 @@
pad int
compressedCertAlgs []uint16
delegatedCredentials bool
- pqExperimentSignal bool
}
func (m *clientHelloMsg) equal(i interface{}) bool {
@@ -353,8 +352,7 @@
m.emptyExtensions == m1.emptyExtensions &&
m.pad == m1.pad &&
eqUint16s(m.compressedCertAlgs, m1.compressedCertAlgs) &&
- m.delegatedCredentials == m1.delegatedCredentials &&
- m.pqExperimentSignal == m1.pqExperimentSignal
+ m.delegatedCredentials == m1.delegatedCredentials
}
func (m *clientHelloMsg) marshalKeyShares(bb *byteBuilder) {
@@ -600,11 +598,6 @@
extensions.addU16(extensionDelegatedCredentials)
extensions.addU16(0) // Length is always 0
}
- if m.pqExperimentSignal {
- extensions.addU16(extensionPQExperimentSignal)
- extensions.addU16(0) // Length is always 0
- }
-
// The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11
if len(m.pskIdentities) > 0 && !m.pskBinderFirst {
extensions.addU16(extensionPreSharedKey)
@@ -731,7 +724,6 @@
m.extendedMasterSecret = false
m.customExtension = ""
m.delegatedCredentials = false
- m.pqExperimentSignal = false
if len(reader) == 0 {
// ClientHello is optionally followed by extension data
@@ -967,11 +959,6 @@
return false
}
m.delegatedCredentials = true
- case extensionPQExperimentSignal:
- if len(body) != 0 {
- return false
- }
- m.pqExperimentSignal = true
}
if isGREASEValue(extension) {
@@ -1239,7 +1226,6 @@
supportedCurves []CurveID
quicTransportParams []byte
serverNameAck bool
- pqExperimentSignal bool
}
func (m *serverExtensions) marshal(extensions *byteBuilder) {
@@ -1374,10 +1360,6 @@
extensions.addU16(extensionServerName)
extensions.addU16(0) // zero length
}
- if m.pqExperimentSignal {
- extensions.addU16(extensionPQExperimentSignal)
- extensions.addU16(0) // zero length
- }
}
func (m *serverExtensions) unmarshal(data byteReader, version uint16) bool {
@@ -1486,11 +1468,6 @@
return false
}
m.hasEarlyData = true
- case extensionPQExperimentSignal:
- if len(body) != 0 {
- return false
- }
- m.pqExperimentSignal = true
default:
// Unknown extensions are illegal from the server.
return false
diff --git a/src/ssl/test/runner/handshake_server.go b/src/ssl/test/runner/handshake_server.go
index 3a6c810..d2ef9b4 100644
--- a/src/ssl/test/runner/handshake_server.go
+++ b/src/ssl/test/runner/handshake_server.go
@@ -210,8 +210,8 @@
if config.Bugs.FailIfCECPQ2Offered {
for _, offeredCurve := range hs.clientHello.supportedCurves {
- if isPqGroup(offeredCurve) {
- return errors.New("tls: CECPQ2 or CECPQ2b was offered")
+ if offeredCurve == CurveCECPQ2 {
+ return errors.New("tls: CECPQ2 was offered")
}
}
}
@@ -228,10 +228,6 @@
}
}
- if c.config.Bugs.ExpectPQExperimentSignal != hs.clientHello.pqExperimentSignal {
- return fmt.Errorf("tls: PQ experiment signal presence (%t) was not what was expected", hs.clientHello.pqExperimentSignal)
- }
-
c.clientVersion = hs.clientHello.vers
// Use the versions extension if supplied, otherwise use the legacy ClientHello version.
@@ -726,7 +722,16 @@
}
c.earlyCipherSuite = hs.suite
- for _, expectedMsg := range config.Bugs.ExpectEarlyData {
+ expectEarlyData := config.Bugs.ExpectEarlyData
+ if n := config.Bugs.ExpectEarlyKeyingMaterial; n > 0 {
+ exporter, err := c.ExportEarlyKeyingMaterial(n, []byte(config.Bugs.ExpectEarlyKeyingLabel), []byte(config.Bugs.ExpectEarlyKeyingContext))
+ if err != nil {
+ return err
+ }
+ expectEarlyData = append([][]byte{exporter}, expectEarlyData...)
+ }
+
+ for _, expectedMsg := range expectEarlyData {
if err := c.readRecord(recordTypeApplicationData); err != nil {
return err
}
@@ -1227,8 +1232,8 @@
preferredCurves := config.curvePreferences()
Curves:
for _, curve := range hs.clientHello.supportedCurves {
- if isPqGroup(curve) && c.vers < VersionTLS13 {
- // CECPQ2 and CECPQ2b is TLS 1.3-only.
+ if curve == CurveCECPQ2 && c.vers < VersionTLS13 {
+ // CECPQ2 is TLS 1.3-only.
continue
}
@@ -1451,7 +1456,6 @@
}
serverExtensions.serverNameAck = c.config.Bugs.SendServerNameAck
- serverExtensions.pqExperimentSignal = hs.clientHello.pqExperimentSignal
return nil
}
diff --git a/src/ssl/test/runner/key_agreement.go b/src/ssl/test/runner/key_agreement.go
index f4789b6..13e78bc 100644
--- a/src/ssl/test/runner/key_agreement.go
+++ b/src/ssl/test/runner/key_agreement.go
@@ -19,7 +19,6 @@
"boringssl.googlesource.com/boringssl/ssl/test/runner/curve25519"
"boringssl.googlesource.com/boringssl/ssl/test/runner/ed25519"
"boringssl.googlesource.com/boringssl/ssl/test/runner/hrss"
- "boringssl.googlesource.com/boringssl/ssl/test/runner/sike"
)
type keyType int
@@ -434,98 +433,6 @@
return preMasterSecret, nil
}
-// cecpq2BCurve implements CECPQ2b, which is SIKE combined with X25519.
-type cecpq2BCurve struct {
- // Both public key and shared secret size
- x25519PrivateKey [32]byte
- sikePrivateKey *sike.PrivateKey
-}
-
-func (e *cecpq2BCurve) offer(rand io.Reader) (publicKey []byte, err error) {
- if _, err = io.ReadFull(rand, e.x25519PrivateKey[:]); err != nil {
- return nil, err
- }
-
- var x25519Public [32]byte
- curve25519.ScalarBaseMult(&x25519Public, &e.x25519PrivateKey)
-
- e.sikePrivateKey = sike.NewPrivateKey(sike.KeyVariant_SIKE)
- if err = e.sikePrivateKey.Generate(rand); err != nil {
- return nil, err
- }
-
- sikePublic := e.sikePrivateKey.GeneratePublicKey().Export()
- var ret []byte
- ret = append(ret, x25519Public[:]...)
- ret = append(ret, sikePublic...)
- return ret, nil
-}
-
-func (e *cecpq2BCurve) accept(rand io.Reader, peerKey []byte) (publicKey []byte, preMasterSecret []byte, err error) {
- if len(peerKey) != 32+sike.Params.PublicKeySize {
- return nil, nil, errors.New("tls: bad length CECPQ2b offer")
- }
-
- if _, err = io.ReadFull(rand, e.x25519PrivateKey[:]); err != nil {
- return nil, nil, err
- }
-
- var x25519Shared, x25519PeerKey, x25519Public [32]byte
- copy(x25519PeerKey[:], peerKey)
- curve25519.ScalarBaseMult(&x25519Public, &e.x25519PrivateKey)
- curve25519.ScalarMult(&x25519Shared, &e.x25519PrivateKey, &x25519PeerKey)
-
- // Per RFC 7748, reject the all-zero value in constant time.
- var zeros [32]byte
- if subtle.ConstantTimeCompare(zeros[:], x25519Shared[:]) == 1 {
- return nil, nil, errors.New("tls: X25519 value with wrong order")
- }
-
- var sikePubKey = sike.NewPublicKey(sike.KeyVariant_SIKE)
- if err = sikePubKey.Import(peerKey[32:]); err != nil {
- // should never happen as size was already checked
- return nil, nil, errors.New("tls: implementation error")
- }
- sikeCiphertext, sikeShared, err := sike.Encapsulate(rand, sikePubKey)
- if err != nil {
- return nil, nil, err
- }
-
- publicKey = append(publicKey, x25519Public[:]...)
- publicKey = append(publicKey, sikeCiphertext...)
- preMasterSecret = append(preMasterSecret, x25519Shared[:]...)
- preMasterSecret = append(preMasterSecret, sikeShared...)
-
- return publicKey, preMasterSecret, nil
-}
-
-func (e *cecpq2BCurve) finish(peerKey []byte) (preMasterSecret []byte, err error) {
- if len(peerKey) != 32+(sike.Params.PublicKeySize+sike.Params.MsgLen) {
- return nil, errors.New("tls: bad length CECPQ2b reply")
- }
-
- var x25519Shared, x25519PeerKey [32]byte
- copy(x25519PeerKey[:], peerKey)
- curve25519.ScalarMult(&x25519Shared, &e.x25519PrivateKey, &x25519PeerKey)
-
- // Per RFC 7748, reject the all-zero value in constant time.
- var zeros [32]byte
- if subtle.ConstantTimeCompare(zeros[:], x25519Shared[:]) == 1 {
- return nil, errors.New("tls: X25519 value with wrong order")
- }
-
- var sikePubKey = e.sikePrivateKey.GeneratePublicKey()
- sikeShared, err := sike.Decapsulate(e.sikePrivateKey, sikePubKey, peerKey[32:])
- if err != nil {
- return nil, errors.New("tls: invalid SIKE ciphertext")
- }
-
- preMasterSecret = append(preMasterSecret, x25519Shared[:]...)
- preMasterSecret = append(preMasterSecret, sikeShared...)
-
- return preMasterSecret, nil
-}
-
func curveForCurveID(id CurveID, config *Config) (ecdhCurve, bool) {
switch id {
case CurveP224:
@@ -540,8 +447,6 @@
return &x25519ECDHCurve{setHighBit: config.Bugs.SetX25519HighBit}, true
case CurveCECPQ2:
return &cecpq2Curve{}, true
- case CurveCECPQ2b:
- return &cecpq2BCurve{}, true
default:
return nil, false
}
@@ -689,8 +594,8 @@
NextCandidate:
for _, candidate := range preferredCurves {
- if isPqGroup(candidate) && version < VersionTLS13 {
- // CECPQ2 and CECPQ2b is TLS 1.3-only.
+ if candidate == CurveCECPQ2 && version < VersionTLS13 {
+ // CECPQ2 is TLS 1.3-only.
continue
}
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index 877a239..8461bd8 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -589,6 +589,9 @@
exportLabel string
exportContext string
useExportContext bool
+ // exportEarlyKeyingMaterial, if non-zero, behaves like
+ // exportKeyingMaterial, but for the early exporter.
+ exportEarlyKeyingMaterial int
// flags, if not empty, contains a list of command-line flags that will
// be passed to the shim program.
flags []string
@@ -878,6 +881,20 @@
}
}
+ if isResume && test.exportEarlyKeyingMaterial > 0 {
+ actual := make([]byte, test.exportEarlyKeyingMaterial)
+ if _, err := io.ReadFull(tlsConn, actual); err != nil {
+ return err
+ }
+ expected, err := tlsConn.ExportEarlyKeyingMaterial(test.exportEarlyKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext))
+ if err != nil {
+ return err
+ }
+ if !bytes.Equal(actual, expected) {
+ return fmt.Errorf("early keying material mismatch; got %x, wanted %x", actual, expected)
+ }
+ }
+
if test.exportKeyingMaterial > 0 {
actual := make([]byte, test.exportKeyingMaterial)
if _, err := io.ReadFull(tlsConn, actual); err != nil {
@@ -1255,7 +1272,10 @@
flags = append(flags, "-use-export-context")
}
}
- if test.exportKeyingMaterial > 0 {
+ if test.exportEarlyKeyingMaterial > 0 {
+ flags = append(flags, "-on-resume-export-early-keying-material", strconv.Itoa(test.exportEarlyKeyingMaterial))
+ }
+ if test.exportKeyingMaterial > 0 || test.exportEarlyKeyingMaterial > 0 {
flags = append(flags, "-export-label", test.exportLabel)
flags = append(flags, "-export-context", test.exportContext)
}
@@ -1549,34 +1569,34 @@
}
var testCipherSuites = []testCipherSuite{
- {"RSA_WITH_3DES_EDE_CBC_SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
- {"RSA_WITH_AES_128_GCM_SHA256", TLS_RSA_WITH_AES_128_GCM_SHA256},
- {"RSA_WITH_AES_128_CBC_SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
- {"RSA_WITH_AES_256_GCM_SHA384", TLS_RSA_WITH_AES_256_GCM_SHA384},
- {"RSA_WITH_AES_256_CBC_SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
- {"ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
- {"ECDHE_ECDSA_WITH_AES_128_CBC_SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
- {"ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
- {"ECDHE_ECDSA_WITH_AES_256_CBC_SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
- {"ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
- {"ECDHE_RSA_WITH_AES_128_GCM_SHA256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- {"ECDHE_RSA_WITH_AES_128_CBC_SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
- {"ECDHE_RSA_WITH_AES_256_GCM_SHA384", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
- {"ECDHE_RSA_WITH_AES_256_CBC_SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
- {"ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
- {"PSK_WITH_AES_128_CBC_SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
- {"PSK_WITH_AES_256_CBC_SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
- {"ECDHE_PSK_WITH_AES_128_CBC_SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
- {"ECDHE_PSK_WITH_AES_256_CBC_SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
- {"ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
- {"CHACHA20_POLY1305_SHA256", TLS_CHACHA20_POLY1305_SHA256},
- {"AES_128_GCM_SHA256", TLS_AES_128_GCM_SHA256},
- {"AES_256_GCM_SHA384", TLS_AES_256_GCM_SHA384},
- {"RSA_WITH_NULL_SHA", TLS_RSA_WITH_NULL_SHA},
+ {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
+ {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
+ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
+ {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
+ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
+ {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
+ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
+ {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
+ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
+ {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
+ {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+ {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
+ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
+ {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
+ {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
+ {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
+ {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
+ {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
+ {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
+ {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
+ {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
+ {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
+ {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
}
func hasComponent(suiteName, component string) bool {
- return strings.Contains("_"+suiteName+"_", "_"+component+"_")
+ return strings.Contains("-"+suiteName+"-", "-"+component+"-")
}
func isTLS12Only(suiteName string) bool {
@@ -1587,7 +1607,7 @@
}
func isTLS13Suite(suiteName string) bool {
- return !hasComponent(suiteName, "WITH")
+ return strings.HasPrefix(suiteName, "AEAD-")
}
func bigFromHex(hex string) *big.Int {
@@ -4446,8 +4466,6 @@
},
resumeSession: true,
resumeRenewedSession: true,
- // 0-RTT being disabled overrides all other 0-RTT reasons.
- flags: []string{"-expect-early-data-reason", "disabled"},
})
tests = append(tests, testCase{
@@ -4459,13 +4477,9 @@
},
resumeSession: true,
resumeRenewedSession: true,
- flags: []string{
- // TLS 1.3 uses tickets, so the session should not be
- // cached statefully.
- "-expect-no-session-id",
- // 0-RTT being disabled overrides all other 0-RTT reasons.
- "-expect-early-data-reason", "disabled",
- },
+ // TLS 1.3 uses tickets, so the session should not be
+ // cached statefully.
+ flags: []string{"-expect-no-session-id"},
})
tests = append(tests, testCase{
@@ -4518,7 +4532,7 @@
flags: []string{
"-enable-early-data",
"-expect-ticket-supports-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
"-on-resume-shim-writes-first",
},
})
@@ -4547,7 +4561,7 @@
flags: []string{
"-enable-early-data",
"-expect-ticket-supports-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
"-on-resume-read-with-unfinished-write",
"-on-resume-shim-writes-first",
},
@@ -4598,7 +4612,7 @@
resumeSession: true,
flags: []string{
"-enable-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
},
shouldFail: true,
expectedError: ":TOO_MUCH_READ_EARLY_DATA:",
@@ -6649,7 +6663,7 @@
flags: []string{
"-token-binding-params",
base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
- "-expect-token-binding-param",
+ "-expected-token-binding-param",
"2",
},
})
@@ -6698,7 +6712,7 @@
flags: []string{
"-token-binding-params",
base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
- "-expect-token-binding-param",
+ "-expected-token-binding-param",
"2",
},
})
@@ -6734,7 +6748,7 @@
flags: []string{
"-token-binding-params",
base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
- "-expect-token-binding-param",
+ "-expected-token-binding-param",
"2",
},
})
@@ -6752,7 +6766,7 @@
flags: []string{
"-token-binding-params",
base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
- "-expect-token-binding-param",
+ "-expected-token-binding-param",
"2",
},
})
@@ -6783,7 +6797,7 @@
flags: []string{
"-token-binding-params",
base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
- "-expect-token-binding-param",
+ "-expected-token-binding-param",
"2",
},
shouldFail: true,
@@ -6803,7 +6817,7 @@
flags: []string{
"-token-binding-params",
base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
- "-expect-token-binding-param",
+ "-expected-token-binding-param",
"2",
},
shouldFail: true,
@@ -6823,7 +6837,7 @@
flags: []string{
"-token-binding-params",
base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
- "-expect-token-binding-param",
+ "-expected-token-binding-param",
"2",
},
shouldFail: true,
@@ -6859,7 +6873,7 @@
flags: []string{
"-token-binding-params",
base64.StdEncoding.EncodeToString([]byte{0, 1, 2}),
- "-expect-token-binding-param",
+ "-expected-token-binding-param",
"2",
},
})
@@ -7004,8 +7018,6 @@
"-expect-ticket-supports-early-data",
"-token-binding-params",
base64.StdEncoding.EncodeToString([]byte{2, 1, 0}),
- "-expect-reject-early-data",
- "-on-retry-expect-early-data-reason", "token_binding",
},
})
}
@@ -7024,7 +7036,7 @@
flags: []string{
"-quic-transport-params",
base64.StdEncoding.EncodeToString([]byte{3, 4}),
- "-expect-quic-transport-params",
+ "-expected-quic-transport-params",
base64.StdEncoding.EncodeToString([]byte{1, 2}),
},
expectedQUICTransportParams: []byte{3, 4},
@@ -7041,7 +7053,7 @@
flags: []string{
"-quic-transport-params",
base64.StdEncoding.EncodeToString([]byte{3, 4}),
- "-expect-quic-transport-params",
+ "-expected-quic-transport-params",
base64.StdEncoding.EncodeToString([]byte{1, 2}),
},
expectedQUICTransportParams: []byte{3, 4},
@@ -7085,7 +7097,7 @@
QUICTransportParams: []byte{1, 2},
},
flags: []string{
- "-expect-quic-transport-params",
+ "-expected-quic-transport-params",
base64.StdEncoding.EncodeToString([]byte{1, 2}),
},
shouldFail: true,
@@ -8700,21 +8712,21 @@
id signatureAlgorithm
cert testCert
}{
- {"RSA_PKCS1_SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
- {"RSA_PKCS1_SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
- {"RSA_PKCS1_SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
- {"RSA_PKCS1_SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
- {"ECDSA_SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
+ {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
+ {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
+ {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
+ {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
+ {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
// The “P256” in the following line is not a mistake. In TLS 1.2 the
// hash function doesn't have to match the curve and so the same
// signature algorithm works with P-224.
- {"ECDSA_P224_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
- {"ECDSA_P256_SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
- {"ECDSA_P384_SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
- {"ECDSA_P521_SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
- {"RSA_PSS_SHA256", signatureRSAPSSWithSHA256, testCertRSA},
- {"RSA_PSS_SHA384", signatureRSAPSSWithSHA384, testCertRSA},
- {"RSA_PSS_SHA512", signatureRSAPSSWithSHA512, testCertRSA},
+ {"ECDSA-P224-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP224},
+ {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
+ {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
+ {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
+ {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
+ {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
+ {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
{"Ed25519", signatureEd25519, testCertEd25519},
// Tests for key types prior to TLS 1.2.
{"RSA", 0, testCertRSA},
@@ -10117,7 +10129,7 @@
flags: []string{
"-enable-early-data",
"-expect-ticket-supports-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
"-on-resume-export-keying-material", "1024",
"-on-resume-export-label", "label",
"-on-resume-export-context", "context",
@@ -10126,6 +10138,106 @@
expectedError: ":HANDSHAKE_NOT_COMPLETE:",
})
+ // Test the early exporter works while the client is
+ // sending 0-RTT data. This data arrives during the
+ // server handshake, so we test it with ProtocolBugs.
+ testCases = append(testCases, testCase{
+ name: "ExportEarlyKeyingMaterial-Client-InEarlyData-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ MaxEarlyDataSize: 16384,
+ },
+ resumeConfig: &Config{
+ MaxVersion: vers.version,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ ExpectEarlyKeyingMaterial: 1024,
+ ExpectEarlyKeyingLabel: "label",
+ ExpectEarlyKeyingContext: "context",
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-early-data",
+ "-expect-ticket-supports-early-data",
+ "-expect-accept-early-data",
+ "-on-resume-export-early-keying-material", "1024",
+ "-on-resume-export-label", "label",
+ "-on-resume-export-context", "context",
+ },
+ })
+
+ // Test the early exporter still works on the client
+ // after the handshake is confirmed. This arrives after
+ // the server handshake, so the normal hooks work.
+ testCases = append(testCases, testCase{
+ name: "ExportEarlyKeyingMaterial-Client-EarlyDataAccept-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ MaxEarlyDataSize: 16384,
+ },
+ resumeConfig: &Config{
+ MaxVersion: vers.version,
+ MaxEarlyDataSize: 16384,
+ },
+ resumeSession: true,
+ exportEarlyKeyingMaterial: 1024,
+ exportLabel: "label",
+ exportContext: "context",
+ flags: []string{
+ "-enable-early-data",
+ "-expect-ticket-supports-early-data",
+ "-expect-accept-early-data",
+ // Handshake twice on the client to force
+ // handshake confirmation.
+ "-handshake-twice",
+ },
+ })
+
+ // Test the early exporter does not work on the client
+ // if 0-RTT was not offered.
+ testCases = append(testCases, testCase{
+ name: "NoExportEarlyKeyingMaterial-Client-Initial-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ flags: []string{"-export-early-keying-material", "1024"},
+ shouldFail: true,
+ expectedError: ":EARLY_DATA_NOT_IN_USE:",
+ })
+ testCases = append(testCases, testCase{
+ name: "NoExportEarlyKeyingMaterial-Client-Resume-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ resumeSession: true,
+ flags: []string{"-on-resume-export-early-keying-material", "1024"},
+ shouldFail: true,
+ expectedError: ":EARLY_DATA_NOT_IN_USE:",
+ })
+
+ // Test the early exporter does not work on the client
+ // after a 0-RTT reject.
+ testCases = append(testCases, testCase{
+ name: "NoExportEarlyKeyingMaterial-Client-EarlyDataReject-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ AlwaysRejectEarlyData: true,
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-early-data",
+ "-expect-ticket-supports-early-data",
+ "-expect-reject-early-data",
+ "-on-retry-export-early-keying-material", "1024",
+ },
+ shouldFail: true,
+ expectedError: ":EARLY_DATA_NOT_IN_USE:",
+ })
+
// Test the normal exporter on the server in half-RTT.
testCases = append(testCases, testCase{
testType: serverTest,
@@ -10144,6 +10256,75 @@
useExportContext: true,
flags: []string{"-enable-early-data"},
})
+
+ // Test the early exporter works on the server in half-RTT.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "ExportEarlyKeyingMaterial-Server-HalfRTT-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ Bugs: ProtocolBugs{
+ SendEarlyData: [][]byte{},
+ ExpectEarlyDataAccepted: true,
+ },
+ },
+ resumeSession: true,
+ exportEarlyKeyingMaterial: 1024,
+ exportLabel: "label",
+ exportContext: "context",
+ flags: []string{"-enable-early-data"},
+ })
+
+ // Test the early exporter does not work on the server
+ // if 0-RTT was not offered.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "NoExportEarlyKeyingMaterial-Server-Initial-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ flags: []string{"-export-early-keying-material", "1024"},
+ shouldFail: true,
+ expectedError: ":EARLY_DATA_NOT_IN_USE:",
+ })
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "NoExportEarlyKeyingMaterial-Server-Resume-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ resumeSession: true,
+ flags: []string{"-on-resume-export-early-keying-material", "1024"},
+ shouldFail: true,
+ expectedError: ":EARLY_DATA_NOT_IN_USE:",
+ })
+ } else {
+ // Test the early exporter fails before TLS 1.3.
+ testCases = append(testCases, testCase{
+ name: "NoExportEarlyKeyingMaterial-Client-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ resumeSession: true,
+ exportEarlyKeyingMaterial: 1024,
+ exportLabel: "label",
+ exportContext: "context",
+ shouldFail: true,
+ expectedError: ":WRONG_SSL_VERSION:",
+ })
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "NoExportEarlyKeyingMaterial-Server-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ resumeSession: true,
+ exportEarlyKeyingMaterial: 1024,
+ exportLabel: "label",
+ exportContext: "context",
+ shouldFail: true,
+ expectedError: ":WRONG_SSL_VERSION:",
+ })
}
}
@@ -10399,19 +10580,14 @@
{"P-521", CurveP521},
{"X25519", CurveX25519},
{"CECPQ2", CurveCECPQ2},
- {"CECPQ2b", CurveCECPQ2b},
}
const bogusCurve = 0x1234
-func isPqGroup(r CurveID) bool {
- return r == CurveCECPQ2 || r == CurveCECPQ2b
-}
-
func addCurveTests() {
for _, curve := range testCurves {
for _, ver := range tlsVersions {
- if isPqGroup(curve.id) && ver.version < VersionTLS13 {
+ if curve.id == CurveCECPQ2 && ver.version < VersionTLS13 {
continue
}
@@ -10453,7 +10629,7 @@
expectedCurveID: curve.id,
})
- if curve.id != CurveX25519 && !isPqGroup(curve.id) {
+ if curve.id != CurveX25519 && curve.id != CurveCECPQ2 {
testCases = append(testCases, testCase{
name: "CurveTest-Client-Compressed-" + suffix,
config: Config{
@@ -10878,21 +11054,6 @@
},
})
- // CECPQ2b should not be offered by a TLS < 1.3 client.
- testCases = append(testCases, testCase{
- name: "CECPQ2bNotInTLS12",
- config: Config{
- Bugs: ProtocolBugs{
- FailIfCECPQ2Offered: true,
- },
- },
- flags: []string{
- "-max-version", strconv.Itoa(VersionTLS12),
- "-curves", strconv.Itoa(int(CurveCECPQ2b)),
- "-curves", strconv.Itoa(int(CurveX25519)),
- },
- })
-
// CECPQ2 should not crash a TLS < 1.3 client if the server mistakenly
// selects it.
testCases = append(testCases, testCase{
@@ -10911,24 +11072,6 @@
expectedError: ":WRONG_CURVE:",
})
- // CECPQ2b should not crash a TLS < 1.3 client if the server mistakenly
- // selects it.
- testCases = append(testCases, testCase{
- name: "CECPQ2bNotAcceptedByTLS12Client",
- config: Config{
- Bugs: ProtocolBugs{
- SendCurve: CurveCECPQ2b,
- },
- },
- flags: []string{
- "-max-version", strconv.Itoa(VersionTLS12),
- "-curves", strconv.Itoa(int(CurveCECPQ2b)),
- "-curves", strconv.Itoa(int(CurveX25519)),
- },
- shouldFail: true,
- expectedError: ":WRONG_CURVE:",
- })
-
// CECPQ2 should not be offered by default as a client.
testCases = append(testCases, testCase{
name: "CECPQ2NotEnabledByDefaultInClients",
@@ -10940,17 +11083,6 @@
},
})
- // CECPQ2b should not be offered by default as a client.
- testCases = append(testCases, testCase{
- name: "CECPQ2bNotEnabledByDefaultInClients",
- config: Config{
- MinVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- FailIfCECPQ2Offered: true,
- },
- },
- })
-
// If CECPQ2 is offered, both X25519 and CECPQ2 should have a key-share.
testCases = append(testCases, testCase{
name: "NotJustCECPQ2KeyShare",
@@ -10983,38 +11115,6 @@
},
})
- // If CECPQ2b is offered, both X25519 and CECPQ2b should have a key-share.
- testCases = append(testCases, testCase{
- name: "NotJustCECPQ2bKeyShare",
- config: Config{
- MinVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- ExpectedKeyShares: []CurveID{CurveCECPQ2b, CurveX25519},
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2b)),
- "-curves", strconv.Itoa(int(CurveX25519)),
- "-expect-curve-id", strconv.Itoa(int(CurveCECPQ2b)),
- },
- })
-
- // ... but only if CECPQ2b is listed first.
- testCases = append(testCases, testCase{
- name: "CECPQ2bKeyShareNotIncludedSecond",
- config: Config{
- MinVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- ExpectedKeyShares: []CurveID{CurveX25519},
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveX25519)),
- "-curves", strconv.Itoa(int(CurveCECPQ2b)),
- "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
- },
- })
-
// If CECPQ2 is the only configured curve, the key share is sent.
testCases = append(testCases, testCase{
name: "JustConfiguringCECPQ2Works",
@@ -11030,21 +11130,6 @@
},
})
- // If CECPQ2b is the only configured curve, the key share is sent.
- testCases = append(testCases, testCase{
- name: "JustConfiguringCECPQ2bWorks",
- config: Config{
- MinVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- ExpectedKeyShares: []CurveID{CurveCECPQ2b},
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2b)),
- "-expect-curve-id", strconv.Itoa(int(CurveCECPQ2b)),
- },
- })
-
// As a server, CECPQ2 is not yet supported by default.
testCases = append(testCases, testCase{
testType: serverTest,
@@ -11059,21 +11144,6 @@
"-expect-curve-id", strconv.Itoa(int(CurveX25519)),
},
})
-
- // As a server, CECPQ2b is not yet supported by default.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "CECPQ2bNotEnabledByDefaultForAServer",
- config: Config{
- MinVersion: VersionTLS13,
- CurvePreferences: []CurveID{CurveCECPQ2b, CurveX25519},
- DefaultCurves: []CurveID{CurveCECPQ2b},
- },
- flags: []string{
- "-server-preference",
- "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
- },
- })
}
func addTLS13RecordTests() {
@@ -11252,99 +11322,9 @@
},
})
- // Test that ticket age skew up to 60 seconds in either direction is accepted.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-TicketAgeSkew-Forward-60-Accept",
- config: Config{
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- SendTicketAge: 70 * time.Second,
- SendEarlyData: [][]byte{{1, 2, 3, 4}},
- ExpectEarlyDataAccepted: true,
- ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
- },
- },
- resumeSession: true,
- flags: []string{
- "-resumption-delay", "10",
- "-expect-ticket-age-skew", "60",
- // 0-RTT is accepted.
- "-enable-early-data",
- "-on-resume-expect-accept-early-data",
- "-on-resume-expect-early-data-reason", "accept",
- },
- })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-TicketAgeSkew-Backward-60-Accept",
- config: Config{
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- SendTicketAge: 10 * time.Second,
- SendEarlyData: [][]byte{{1, 2, 3, 4}},
- ExpectEarlyDataAccepted: true,
- ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
- },
- },
- resumeSession: true,
- flags: []string{
- "-resumption-delay", "70",
- "-expect-ticket-age-skew", "-60",
- // 0-RTT is accepted.
- "-enable-early-data",
- "-on-resume-expect-accept-early-data",
- "-on-resume-expect-early-data-reason", "accept",
- },
- })
-
- // Test that ticket age skew beyond 60 seconds in either direction is rejected.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-TicketAgeSkew-Forward-61-Reject",
- config: Config{
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- SendTicketAge: 71 * time.Second,
- SendEarlyData: [][]byte{{1, 2, 3, 4}},
- ExpectEarlyDataAccepted: false,
- },
- },
- resumeSession: true,
- flags: []string{
- "-resumption-delay", "10",
- "-expect-ticket-age-skew", "61",
- // 0-RTT is rejected.
- "-enable-early-data",
- "-expect-reject-early-data",
- "-on-resume-expect-early-data-reason", "ticket_age_skew",
- },
- })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-TicketAgeSkew-Backward-61-Reject",
- config: Config{
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- SendTicketAge: 10 * time.Second,
- SendEarlyData: [][]byte{{1, 2, 3, 4}},
- ExpectEarlyDataAccepted: false,
- },
- },
- resumeSession: true,
- flags: []string{
- "-resumption-delay", "71",
- "-expect-ticket-age-skew", "-61",
- // 0-RTT is rejected.
- "-enable-early-data",
- "-expect-reject-early-data",
- "-on-resume-expect-early-data-reason", "ticket_age_skew",
- },
- })
-
testCases = append(testCases, testCase{
testType: clientTest,
- name: "TLS13-SendTicketEarlyDataSupport",
+ name: "TLS13-SendTicketEarlyDataInfo",
config: Config{
MaxVersion: VersionTLS13,
MaxEarlyDataSize: 16384,
@@ -11355,22 +11335,19 @@
},
})
- // Test that 0-RTT tickets are still recorded as such when early data is disabled overall.
+ // Test that 0-RTT tickets are ignored in clients unless opted in.
testCases = append(testCases, testCase{
testType: clientTest,
- name: "TLS13-SendTicketEarlyDataSupport-Disabled",
+ name: "TLS13-SendTicketEarlyDataInfo-Disabled",
config: Config{
MaxVersion: VersionTLS13,
MaxEarlyDataSize: 16384,
},
- flags: []string{
- "-expect-ticket-supports-early-data",
- },
})
testCases = append(testCases, testCase{
testType: clientTest,
- name: "TLS13-DuplicateTicketEarlyDataSupport",
+ name: "TLS13-DuplicateTicketEarlyDataInfo",
config: Config{
MaxVersion: VersionTLS13,
MaxEarlyDataSize: 16384,
@@ -11385,7 +11362,7 @@
testCases = append(testCases, testCase{
testType: serverTest,
- name: "TLS13-ExpectTicketEarlyDataSupport",
+ name: "TLS13-ExpectTicketEarlyDataInfo",
config: Config{
MaxVersion: VersionTLS13,
Bugs: ProtocolBugs{
@@ -12352,9 +12329,7 @@
flags: []string{
"-enable-early-data",
"-expect-ticket-supports-early-data",
- "-on-initial-expect-early-data-reason", "no_session_offered",
- "-on-resume-expect-accept-early-data",
- "-on-resume-expect-early-data-reason", "accept",
+ "-expect-accept-early-data",
"-on-resume-shim-writes-first",
},
})
@@ -12379,7 +12354,6 @@
"-expect-ticket-supports-early-data",
"-expect-reject-early-data",
"-on-resume-shim-writes-first",
- "-on-retry-expect-early-data-reason", "peer_declined",
},
})
@@ -12399,14 +12373,10 @@
resumeSession: true,
flags: []string{
"-enable-early-data",
- "-on-initial-expect-early-data-reason", "no_session_offered",
- "-on-resume-expect-accept-early-data",
- "-on-resume-expect-early-data-reason", "accept",
+ "-expect-accept-early-data",
},
})
- // The above tests the most recent ticket. Additionally test that 0-RTT
- // works on the first ticket issued by the server.
testCases = append(testCases, testCase{
testType: serverTest,
name: "EarlyData-FirstTicket-Server-TLS13",
@@ -12424,8 +12394,7 @@
resumeSession: true,
flags: []string{
"-enable-early-data",
- "-on-resume-expect-accept-early-data",
- "-on-resume-expect-early-data-reason", "accept",
+ "-expect-accept-early-data",
},
})
@@ -12494,9 +12463,6 @@
},
DefaultCurves: []CurveID{},
},
- // Though the session is not resumed and we send HelloRetryRequest,
- // early data being disabled takes priority as the reject reason.
- flags: []string{"-expect-early-data-reason", "disabled"},
})
testCases = append(testCases, testCase{
@@ -13013,8 +12979,6 @@
},
},
})
-
- // Test the client handles 0-RTT being rejected by a full handshake.
testCases = append(testCases, testCase{
testType: clientTest,
name: "EarlyData-RejectTicket-Client-TLS13",
@@ -13036,9 +13000,6 @@
"-expect-ticket-supports-early-data",
"-expect-reject-early-data",
"-on-resume-shim-writes-first",
- "-on-retry-expect-early-data-reason", "session_not_resumed",
- // Test the peer certificate is reported correctly in each of the
- // three logical connections.
"-on-initial-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-on-resume-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
"-on-retry-expect-peer-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
@@ -13047,34 +13008,6 @@
},
})
- // Test the server rejects 0-RTT if it does not recognize the ticket.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "EarlyData-RejectTicket-Server-TLS13",
- config: Config{
- MaxVersion: VersionTLS13,
- MinVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- SendEarlyData: [][]byte{{1, 2, 3, 4}},
- ExpectEarlyDataAccepted: false,
- // Corrupt the ticket.
- FilterTicket: func(in []byte) ([]byte, error) {
- in[len(in)-1] ^= 1
- return in, nil
- },
- },
- },
- messageCount: 2,
- resumeSession: true,
- expectResumeRejected: true,
- flags: []string{
- "-enable-early-data",
- "-on-resume-expect-reject-early-data",
- "-on-resume-expect-early-data-reason", "session_not_resumed",
- },
- })
-
- // Test the client handles 0-RTT being rejected via a HelloRetryRequest.
testCases = append(testCases, testCase{
testType: clientTest,
name: "EarlyData-HRR-Client-TLS13",
@@ -13094,99 +13027,6 @@
"-enable-early-data",
"-expect-ticket-supports-early-data",
"-expect-reject-early-data",
- "-on-retry-expect-early-data-reason", "hello_retry_request",
- },
- })
-
- // Test the server rejects 0-RTT if it needs to send a HelloRetryRequest.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "EarlyData-HRR-Server-TLS13",
- config: Config{
- MaxVersion: VersionTLS13,
- MinVersion: VersionTLS13,
- // Require a HelloRetryRequest for every curve.
- DefaultCurves: []CurveID{},
- Bugs: ProtocolBugs{
- SendEarlyData: [][]byte{{1, 2, 3, 4}},
- ExpectEarlyDataAccepted: false,
- },
- },
- messageCount: 2,
- resumeSession: true,
- flags: []string{
- "-enable-early-data",
- "-on-resume-expect-reject-early-data",
- "-on-resume-expect-early-data-reason", "hello_retry_request",
- },
- })
-
- // Test the client handles a 0-RTT reject from both ticket rejection and
- // HelloRetryRequest.
- testCases = append(testCases, testCase{
- testType: clientTest,
- name: "EarlyData-HRR-RejectTicket-Client-TLS13",
- config: Config{
- MaxVersion: VersionTLS13,
- MaxEarlyDataSize: 16384,
- Certificates: []Certificate{rsaCertificate},
- },
- resumeConfig: &Config{
- MaxVersion: VersionTLS13,
- MaxEarlyDataSize: 16384,
- Certificates: []Certificate{ecdsaP256Certificate},
- SessionTicketsDisabled: true,
- Bugs: ProtocolBugs{
- SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
- },
- },
- resumeSession: true,
- expectResumeRejected: true,
- flags: []string{
- "-enable-early-data",
- "-expect-ticket-supports-early-data",
- "-expect-reject-early-data",
- // The client sees HelloRetryRequest before the resumption result,
- // though neither value is inherently preferable.
- "-on-retry-expect-early-data-reason", "hello_retry_request",
- // Test the peer certificate is reported correctly in each of the
- // three logical connections.
- "-on-initial-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
- "-on-resume-expect-peer-cert-file", path.Join(*resourceDir, rsaCertificateFile),
- "-on-retry-expect-peer-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
- // Session tickets are disabled, so the runner will not send a ticket.
- "-on-retry-expect-no-session",
- },
- })
-
- // Test the server rejects 0-RTT if it needs to send a HelloRetryRequest.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "EarlyData-HRR-RejectTicket-Server-TLS13",
- config: Config{
- MaxVersion: VersionTLS13,
- MinVersion: VersionTLS13,
- // Require a HelloRetryRequest for every curve.
- DefaultCurves: []CurveID{},
- Bugs: ProtocolBugs{
- SendEarlyData: [][]byte{{1, 2, 3, 4}},
- ExpectEarlyDataAccepted: false,
- // Corrupt the ticket.
- FilterTicket: func(in []byte) ([]byte, error) {
- in[len(in)-1] ^= 1
- return in, nil
- },
- },
- },
- messageCount: 2,
- resumeSession: true,
- expectResumeRejected: true,
- flags: []string{
- "-enable-early-data",
- "-on-resume-expect-reject-early-data",
- // The server sees the missed resumption before HelloRetryRequest,
- // though neither value is inherently preferable.
- "-on-resume-expect-early-data-reason", "session_not_resumed",
},
})
@@ -13352,10 +13192,6 @@
"-enable-early-data",
"-expect-ticket-supports-early-data",
"-expect-reject-early-data",
- // The client does not learn ALPN was the cause.
- "-on-retry-expect-early-data-reason", "peer_declined",
- // In the 0-RTT state, we surface the predicted ALPN. After
- // processing the reject, we surface the real one.
"-on-initial-expect-alpn", "foo",
"-on-resume-expect-alpn", "foo",
"-on-retry-expect-alpn", "bar",
@@ -13382,10 +13218,6 @@
"-enable-early-data",
"-expect-ticket-supports-early-data",
"-expect-reject-early-data",
- // The client does not learn ALPN was the cause.
- "-on-retry-expect-early-data-reason", "peer_declined",
- // In the 0-RTT state, we surface the predicted ALPN. After
- // processing the reject, we surface the real one.
"-on-initial-expect-alpn", "",
"-on-resume-expect-alpn", "",
"-on-retry-expect-alpn", "foo",
@@ -13413,10 +13245,6 @@
"-enable-early-data",
"-expect-ticket-supports-early-data",
"-expect-reject-early-data",
- // The client does not learn ALPN was the cause.
- "-on-retry-expect-early-data-reason", "peer_declined",
- // In the 0-RTT state, we surface the predicted ALPN. After
- // processing the reject, we surface the real one.
"-on-initial-expect-alpn", "foo",
"-on-resume-expect-alpn", "foo",
"-on-retry-expect-alpn", "",
@@ -13471,31 +13299,10 @@
"-enable-early-data",
"-expect-ticket-supports-early-data",
"-expect-no-offer-early-data",
- // Offer different ALPN values in the initial and resumption.
"-on-initial-advertise-alpn", "\x03foo",
- "-on-initial-expect-alpn", "foo",
"-on-resume-advertise-alpn", "\x03bar",
+ "-on-initial-expect-alpn", "foo",
"-on-resume-expect-alpn", "bar",
- // The ALPN mismatch comes from the client, so it reports it as the
- // reason.
- "-on-resume-expect-early-data-reason", "alpn_mismatch",
- },
- })
-
- // Test that the client does not offer 0-RTT to servers which never
- // advertise it.
- testCases = append(testCases, testCase{
- testType: clientTest,
- name: "EarlyData-NonZeroRTTSession-Client-TLS13",
- config: Config{
- MaxVersion: VersionTLS13,
- },
- resumeSession: true,
- flags: []string{
- "-enable-early-data",
- "-on-resume-expect-no-offer-early-data",
- // The client declines to offer 0-RTT because of the session.
- "-on-resume-expect-early-data-reason", "unsupported_for_session",
},
})
@@ -13518,8 +13325,6 @@
flags: []string{
"-on-resume-enable-early-data",
"-expect-reject-early-data",
- // The server rejects 0-RTT because of the session.
- "-on-resume-expect-early-data-reason", "unsupported_for_session",
},
})
@@ -13545,7 +13350,6 @@
"-enable-early-data",
"-on-initial-select-alpn", "",
"-on-resume-select-alpn", "foo",
- "-on-resume-expect-early-data-reason", "alpn_mismatch",
},
})
@@ -13571,7 +13375,6 @@
"-enable-early-data",
"-on-initial-select-alpn", "foo",
"-on-resume-select-alpn", "",
- "-on-resume-expect-early-data-reason", "alpn_mismatch",
},
})
@@ -13596,7 +13399,6 @@
"-enable-early-data",
"-on-initial-select-alpn", "foo",
"-on-resume-select-alpn", "bar",
- "-on-resume-expect-early-data-reason", "alpn_mismatch",
},
})
@@ -13641,8 +13443,6 @@
"-expect-ticket-supports-early-data",
"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
"-expect-reject-early-data",
- // The client never learns the reason was Channel ID.
- "-on-retry-expect-early-data-reason", "peer_declined",
},
})
@@ -13660,8 +13460,7 @@
"-enable-early-data",
"-expect-ticket-supports-early-data",
"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
- "-on-resume-expect-accept-early-data",
- "-on-resume-expect-early-data-reason", "accept",
+ "-expect-accept-early-data",
},
})
@@ -13685,7 +13484,6 @@
"-expect-reject-early-data",
"-expect-channel-id",
base64.StdEncoding.EncodeToString(channelIDBytes),
- "-on-resume-expect-early-data-reason", "channel_id",
},
})
@@ -13706,9 +13504,8 @@
expectChannelID: false,
flags: []string{
"-enable-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
"-enable-channel-id",
- "-on-resume-expect-early-data-reason", "accept",
},
})
@@ -13768,7 +13565,7 @@
flags: []string{
"-enable-early-data",
"-expect-ticket-supports-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
"-expect-version", strconv.Itoa(VersionTLS13),
},
})
@@ -13793,7 +13590,7 @@
flags: []string{
"-enable-early-data",
"-expect-ticket-supports-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
},
shouldFail: true,
expectedError: ":DIGEST_CHECK_FAILED:",
@@ -13817,7 +13614,7 @@
resumeSession: true,
flags: []string{
"-enable-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
},
shouldFail: true,
expectedError: ":DIGEST_CHECK_FAILED:",
@@ -13842,7 +13639,7 @@
flags: []string{
"-enable-early-data",
"-expect-ticket-supports-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
},
shouldFail: true,
expectedError: ":DECODE_ERROR:",
@@ -13890,45 +13687,6 @@
expectedLocalError: "remote error: unexpected message",
})
- // If the client or server has 0-RTT enabled but disabled TLS 1.3, it should
- // report a reason of protocol_version.
- testCases = append(testCases, testCase{
- testType: clientTest,
- name: "EarlyDataEnabled-Client-MaxTLS12",
- expectedVersion: VersionTLS12,
- flags: []string{
- "-enable-early-data",
- "-max-version", strconv.Itoa(VersionTLS12),
- "-expect-early-data-reason", "protocol_version",
- },
- })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "EarlyDataEnabled-Server-MaxTLS12",
- expectedVersion: VersionTLS12,
- flags: []string{
- "-enable-early-data",
- "-max-version", strconv.Itoa(VersionTLS12),
- "-expect-early-data-reason", "protocol_version",
- },
- })
-
- // The server additionally reports protocol_version if it enabled TLS 1.3,
- // but the peer negotiated TLS 1.2. (The corresponding situation does not
- // exist on the client because negotiating TLS 1.2 with a 0-RTT ClientHello
- // is a fatal error.)
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "EarlyDataEnabled-Server-NegotiateTLS12",
- config: Config{
- MaxVersion: VersionTLS12,
- },
- expectedVersion: VersionTLS12,
- flags: []string{
- "-enable-early-data",
- "-expect-early-data-reason", "protocol_version",
- },
- })
}
func addTLS13CipherPreferenceTests() {
@@ -13998,22 +13756,6 @@
"-curves", strconv.Itoa(int(CurveCECPQ2)),
},
})
-
- // CECPQ2b prefers 256-bit ciphers but will use AES-128 if there's nothing else.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2b-AES128Only",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2b)),
- },
- })
-
// When a 256-bit cipher is offered, even if not in first place, it should be
// picked.
testCases = append(testCases, testCase{
@@ -14048,40 +13790,6 @@
expectedCipher: TLS_AES_128_GCM_SHA256,
})
- // When a 256-bit cipher is offered, even if not in first place, it should be
- // picked.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2b-AES256Preferred",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- TLS_AES_256_GCM_SHA384,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2b)),
- },
- expectedCipher: TLS_AES_256_GCM_SHA384,
- })
- // ... but when CECPQ2b isn't being used, the client's preference controls.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2b-AES128PreferredOtherwise",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- TLS_AES_256_GCM_SHA384,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveX25519)),
- },
- expectedCipher: TLS_AES_128_GCM_SHA256,
- })
-
// Test that CECPQ2 continues to honor AES vs ChaCha20 logic.
testCases = append(testCases, testCase{
testType: serverTest,
@@ -14117,42 +13825,6 @@
"-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
},
})
-
- // Test that CECPQ2b continues to honor AES vs ChaCha20 logic.
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2b-AES128-ChaCha20-AES256",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- TLS_CHACHA20_POLY1305_SHA256,
- TLS_AES_256_GCM_SHA384,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2b)),
- "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
- "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
- },
- })
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "TLS13-CipherPreference-CECPQ2b-AES128-AES256-ChaCha20",
- config: Config{
- MaxVersion: VersionTLS13,
- CipherSuites: []uint16{
- TLS_AES_128_GCM_SHA256,
- TLS_AES_256_GCM_SHA384,
- TLS_CHACHA20_POLY1305_SHA256,
- },
- },
- flags: []string{
- "-curves", strconv.Itoa(int(CurveCECPQ2b)),
- "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_256_GCM_SHA384)),
- "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
- },
- })
}
func addPeekTests() {
@@ -14718,7 +14390,7 @@
flags: []string{
"-async",
"-enable-early-data",
- "-on-resume-expect-accept-early-data",
+ "-expect-accept-early-data",
"-no-op-extra-handshake",
},
})
@@ -15291,7 +14963,6 @@
},
flags: []string{
"-delegated-credential", ecdsaFlagValue,
- "-expect-delegated-credential-used",
},
})
@@ -15342,67 +15013,6 @@
})
}
-func addPQExperimentSignalTests() {
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "PQExperimentSignal-Server-NoEchoIfNotConfigured",
- config: Config{
- MinVersion: VersionTLS13,
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- ExpectPQExperimentSignal: false,
- },
- PQExperimentSignal: true,
- },
- })
-
- testCases = append(testCases, testCase{
- testType: serverTest,
- name: "PQExperimentSignal-Server-Echo",
- config: Config{
- MinVersion: VersionTLS13,
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- ExpectPQExperimentSignal: true,
- },
- PQExperimentSignal: true,
- },
- flags: []string{
- "-enable-pq-experiment-signal",
- "-expect-pq-experiment-signal",
- },
- })
-
- testCases = append(testCases, testCase{
- testType: clientTest,
- name: "PQExperimentSignal-Client-NotDefault",
- config: Config{
- MinVersion: VersionTLS13,
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- ExpectPQExperimentSignal: false,
- },
- PQExperimentSignal: true,
- },
- })
-
- testCases = append(testCases, testCase{
- testType: clientTest,
- name: "PQExperimentSignal-Client",
- config: Config{
- MinVersion: VersionTLS13,
- MaxVersion: VersionTLS13,
- Bugs: ProtocolBugs{
- ExpectPQExperimentSignal: true,
- },
- },
- flags: []string{
- "-enable-pq-experiment-signal",
- "-expect-pq-experiment-signal",
- },
- })
-}
-
func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
defer wg.Done()
@@ -15540,7 +15150,6 @@
addCertCompressionTests()
addJDK11WorkaroundTests()
addDelegatedCredentialTests()
- addPQExperimentSignalTests()
testCases = append(testCases, convertToSplitHandshakeTests(testCases)...)
diff --git a/src/ssl/test/runner/sike/arith.go b/src/ssl/test/runner/sike/arith.go
deleted file mode 100644
index 10a2ca6..0000000
--- a/src/ssl/test/runner/sike/arith.go
+++ /dev/null
@@ -1,374 +0,0 @@
-// Copyright (c) 2019, Cloudflare Inc.
-//
-// Permission to use, copy, modify, and/or distribute this software for any
-// purpose with or without fee is hereby granted, provided that the above
-// copyright notice and this permission notice appear in all copies.
-//
-// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-package sike
-
-import (
- "math/bits"
-)
-
-// Compute z = x + y (mod 2*p).
-func fpAddRdc(z, x, y *Fp) {
- var carry uint64
-
- // z=x+y % p
- for i := 0; i < FP_WORDS; i++ {
- z[i], carry = bits.Add64(x[i], y[i], carry)
- }
-
- // z = z - pX2
- carry = 0
- for i := 0; i < FP_WORDS; i++ {
- z[i], carry = bits.Sub64(z[i], pX2[i], carry)
- }
-
- // if z<0 add pX2 back
- mask := uint64(0 - carry)
- carry = 0
- for i := 0; i < FP_WORDS; i++ {
- z[i], carry = bits.Add64(z[i], pX2[i]&mask, carry)
- }
-}
-
-// Compute z = x - y (mod 2*p).
-func fpSubRdc(z, x, y *Fp) {
- var borrow uint64
-
- // z = z - pX2
- for i := 0; i < FP_WORDS; i++ {
- z[i], borrow = bits.Sub64(x[i], y[i], borrow)
- }
-
- // if z<0 add pX2 back
- mask := uint64(0 - borrow)
- borrow = 0
- for i := 0; i < FP_WORDS; i++ {
- z[i], borrow = bits.Add64(z[i], pX2[i]&mask, borrow)
- }
-}
-
-// Reduce a field element in [0, 2*p) to one in [0,p).
-func fpRdcP(x *Fp) {
- var borrow, mask uint64
- for i := 0; i < FP_WORDS; i++ {
- x[i], borrow = bits.Sub64(x[i], p[i], borrow)
- }
-
- // Sets all bits if borrow = 1
- mask = 0 - borrow
- borrow = 0
- for i := 0; i < FP_WORDS; i++ {
- x[i], borrow = bits.Add64(x[i], p[i]&mask, borrow)
- }
-}
-
-// Implementation doesn't actually depend on a prime field.
-func fpSwapCond(x, y *Fp, mask uint8) {
- if mask != 0 {
- var tmp Fp
- copy(tmp[:], y[:])
- copy(y[:], x[:])
- copy(x[:], tmp[:])
- }
-}
-
-// Compute z = x * y.
-func fpMul(z *FpX2, x, y *Fp) {
- var carry, t, u, v uint64
- var hi, lo uint64
-
- for i := uint64(0); i < FP_WORDS; i++ {
- for j := uint64(0); j <= i; j++ {
- hi, lo = bits.Mul64(x[j], y[i-j])
- v, carry = bits.Add64(lo, v, 0)
- u, carry = bits.Add64(hi, u, carry)
- t += carry
- }
- z[i] = v
- v = u
- u = t
- t = 0
- }
-
- for i := FP_WORDS; i < (2*FP_WORDS)-1; i++ {
- for j := i - FP_WORDS + 1; j < FP_WORDS; j++ {
- hi, lo = bits.Mul64(x[j], y[i-j])
- v, carry = bits.Add64(lo, v, 0)
- u, carry = bits.Add64(hi, u, carry)
- t += carry
- }
- z[i] = v
- v = u
- u = t
- t = 0
- }
- z[2*FP_WORDS-1] = v
-}
-
-// Perform Montgomery reduction: set z = x R^{-1} (mod 2*p)
-// with R=2^512. Destroys the input value.
-func fpMontRdc(z *Fp, x *FpX2) {
- var carry, t, u, v uint64
- var hi, lo uint64
- var count int
-
- count = 3 // number of 0 digits in the least significat part of p + 1
-
- for i := 0; i < FP_WORDS; i++ {
- for j := 0; j < i; j++ {
- if j < (i - count + 1) {
- hi, lo = bits.Mul64(z[j], p1[i-j])
- v, carry = bits.Add64(lo, v, 0)
- u, carry = bits.Add64(hi, u, carry)
- t += carry
- }
- }
- v, carry = bits.Add64(v, x[i], 0)
- u, carry = bits.Add64(u, 0, carry)
- t += carry
-
- z[i] = v
- v = u
- u = t
- t = 0
- }
-
- for i := FP_WORDS; i < 2*FP_WORDS-1; i++ {
- if count > 0 {
- count--
- }
- for j := i - FP_WORDS + 1; j < FP_WORDS; j++ {
- if j < (FP_WORDS - count) {
- hi, lo = bits.Mul64(z[j], p1[i-j])
- v, carry = bits.Add64(lo, v, 0)
- u, carry = bits.Add64(hi, u, carry)
- t += carry
- }
- }
- v, carry = bits.Add64(v, x[i], 0)
- u, carry = bits.Add64(u, 0, carry)
-
- t += carry
- z[i-FP_WORDS] = v
- v = u
- u = t
- t = 0
- }
- v, carry = bits.Add64(v, x[2*FP_WORDS-1], 0)
- z[FP_WORDS-1] = v
-}
-
-// Compute z = x + y, without reducing mod p.
-func fp2Add(z, x, y *FpX2) {
- var carry uint64
- for i := 0; i < 2*FP_WORDS; i++ {
- z[i], carry = bits.Add64(x[i], y[i], carry)
- }
-}
-
-// Compute z = x - y, without reducing mod p.
-func fp2Sub(z, x, y *FpX2) {
- var borrow, mask uint64
- for i := 0; i < 2*FP_WORDS; i++ {
- z[i], borrow = bits.Sub64(x[i], y[i], borrow)
- }
-
- // Sets all bits if borrow = 1
- mask = 0 - borrow
- borrow = 0
- for i := FP_WORDS; i < 2*FP_WORDS; i++ {
- z[i], borrow = bits.Add64(z[i], p[i-FP_WORDS]&mask, borrow)
- }
-}
-
-// Montgomery multiplication. Input values must be already
-// in Montgomery domain.
-func fpMulRdc(dest, lhs, rhs *Fp) {
- a := lhs // = a*R
- b := rhs // = b*R
-
- var ab FpX2
- fpMul(&ab, a, b) // = a*b*R*R
- fpMontRdc(dest, &ab) // = a*b*R mod p
-}
-
-// Set dest = x^((p-3)/4). If x is square, this is 1/sqrt(x).
-// Uses variation of sliding-window algorithm from with window size
-// of 5 and least to most significant bit sliding (left-to-right)
-// See HAC 14.85 for general description.
-//
-// Allowed to overlap x with dest.
-// All values in Montgomery domains
-// Set dest = x^(2^k), for k >= 1, by repeated squarings.
-func p34(dest, x *Fp) {
- var lookup [16]Fp
-
- // This performs sum(powStrategy) + 1 squarings and len(lookup) + len(mulStrategy)
- // multiplications.
- powStrategy := []uint8{
- 0x03, 0x0A, 0x07, 0x05, 0x06, 0x05, 0x03, 0x08, 0x04, 0x07,
- 0x05, 0x06, 0x04, 0x05, 0x09, 0x06, 0x03, 0x0B, 0x05, 0x05,
- 0x02, 0x08, 0x04, 0x07, 0x07, 0x08, 0x05, 0x06, 0x04, 0x08,
- 0x05, 0x02, 0x0A, 0x06, 0x05, 0x04, 0x08, 0x05, 0x05, 0x05,
- 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05,
- 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05,
- 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05,
- 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x05, 0x01}
- mulStrategy := []uint8{
- 0x02, 0x0F, 0x09, 0x08, 0x0E, 0x0C, 0x02, 0x08, 0x05, 0x0F,
- 0x08, 0x0F, 0x06, 0x06, 0x03, 0x02, 0x00, 0x0A, 0x09, 0x0D,
- 0x01, 0x0C, 0x03, 0x07, 0x01, 0x0A, 0x08, 0x0B, 0x02, 0x0F,
- 0x0E, 0x01, 0x0B, 0x0C, 0x0E, 0x03, 0x0B, 0x0F, 0x0F, 0x0F,
- 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
- 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
- 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F,
- 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x00}
- initialMul := uint8(8)
-
- // Precompute lookup table of odd multiples of x for window
- // size k=5.
- var xx Fp
- fpMulRdc(&xx, x, x)
- lookup[0] = *x
- for i := 1; i < 16; i++ {
- fpMulRdc(&lookup[i], &lookup[i-1], &xx)
- }
-
- // Now lookup = {x, x^3, x^5, ... }
- // so that lookup[i] = x^{2*i + 1}
- // so that lookup[k/2] = x^k, for odd k
- *dest = lookup[initialMul]
- for i := uint8(0); i < uint8(len(powStrategy)); i++ {
- fpMulRdc(dest, dest, dest)
- for j := uint8(1); j < powStrategy[i]; j++ {
- fpMulRdc(dest, dest, dest)
- }
- fpMulRdc(dest, dest, &lookup[mulStrategy[i]])
- }
-}
-
-func add(dest, lhs, rhs *Fp2) {
- fpAddRdc(&dest.A, &lhs.A, &rhs.A)
- fpAddRdc(&dest.B, &lhs.B, &rhs.B)
-}
-
-func sub(dest, lhs, rhs *Fp2) {
- fpSubRdc(&dest.A, &lhs.A, &rhs.A)
- fpSubRdc(&dest.B, &lhs.B, &rhs.B)
-}
-
-func mul(dest, lhs, rhs *Fp2) {
- // Let (a,b,c,d) = (lhs.a,lhs.b,rhs.a,rhs.b).
- a := &lhs.A
- b := &lhs.B
- c := &rhs.A
- d := &rhs.B
-
- // We want to compute
- //
- // (a + bi)*(c + di) = (a*c - b*d) + (a*d + b*c)i
- //
- // Use Karatsuba's trick: note that
- //
- // (b - a)*(c - d) = (b*c + a*d) - a*c - b*d
- //
- // so (a*d + b*c) = (b-a)*(c-d) + a*c + b*d.
-
- var ac, bd FpX2
- fpMul(&ac, a, c) // = a*c*R*R
- fpMul(&bd, b, d) // = b*d*R*R
-
- var b_minus_a, c_minus_d Fp
- fpSubRdc(&b_minus_a, b, a) // = (b-a)*R
- fpSubRdc(&c_minus_d, c, d) // = (c-d)*R
-
- var ad_plus_bc FpX2
- fpMul(&ad_plus_bc, &b_minus_a, &c_minus_d) // = (b-a)*(c-d)*R*R
- fp2Add(&ad_plus_bc, &ad_plus_bc, &ac) // = ((b-a)*(c-d) + a*c)*R*R
- fp2Add(&ad_plus_bc, &ad_plus_bc, &bd) // = ((b-a)*(c-d) + a*c + b*d)*R*R
-
- fpMontRdc(&dest.B, &ad_plus_bc) // = (a*d + b*c)*R mod p
-
- var ac_minus_bd FpX2
- fp2Sub(&ac_minus_bd, &ac, &bd) // = (a*c - b*d)*R*R
- fpMontRdc(&dest.A, &ac_minus_bd) // = (a*c - b*d)*R mod p
-}
-
-func inv(dest, x *Fp2) {
- var a2PlusB2 Fp
- var asq, bsq FpX2
- var ac FpX2
- var minusB Fp
- var minusBC FpX2
-
- a := &x.A
- b := &x.B
-
- // We want to compute
- //
- // 1 1 (a - bi) (a - bi)
- // -------- = -------- -------- = -----------
- // (a + bi) (a + bi) (a - bi) (a^2 + b^2)
- //
- // Letting c = 1/(a^2 + b^2), this is
- //
- // 1/(a+bi) = a*c - b*ci.
-
- fpMul(&asq, a, a) // = a*a*R*R
- fpMul(&bsq, b, b) // = b*b*R*R
- fp2Add(&asq, &asq, &bsq) // = (a^2 + b^2)*R*R
- fpMontRdc(&a2PlusB2, &asq) // = (a^2 + b^2)*R mod p
- // Now a2PlusB2 = a^2 + b^2
-
- inv := a2PlusB2
- fpMulRdc(&inv, &a2PlusB2, &a2PlusB2)
- p34(&inv, &inv)
- fpMulRdc(&inv, &inv, &inv)
- fpMulRdc(&inv, &inv, &a2PlusB2)
-
- fpMul(&ac, a, &inv)
- fpMontRdc(&dest.A, &ac)
-
- fpSubRdc(&minusB, &minusB, b)
- fpMul(&minusBC, &minusB, &inv)
- fpMontRdc(&dest.B, &minusBC)
-}
-
-func sqr(dest, x *Fp2) {
- var a2, aPlusB, aMinusB Fp
- var a2MinB2, ab2 FpX2
-
- a := &x.A
- b := &x.B
-
- // (a + bi)*(a + bi) = (a^2 - b^2) + 2abi.
- fpAddRdc(&a2, a, a) // = a*R + a*R = 2*a*R
- fpAddRdc(&aPlusB, a, b) // = a*R + b*R = (a+b)*R
- fpSubRdc(&aMinusB, a, b) // = a*R - b*R = (a-b)*R
- fpMul(&a2MinB2, &aPlusB, &aMinusB) // = (a+b)*(a-b)*R*R = (a^2 - b^2)*R*R
- fpMul(&ab2, &a2, b) // = 2*a*b*R*R
- fpMontRdc(&dest.A, &a2MinB2) // = (a^2 - b^2)*R mod p
- fpMontRdc(&dest.B, &ab2) // = 2*a*b*R mod p
-}
-
-// In case choice == 1, performs following swap in constant time:
-// xPx <-> xQx
-// xPz <-> xQz
-// Otherwise returns xPx, xPz, xQx, xQz unchanged
-func condSwap(xPx, xPz, xQx, xQz *Fp2, choice uint8) {
- fpSwapCond(&xPx.A, &xQx.A, choice)
- fpSwapCond(&xPx.B, &xQx.B, choice)
- fpSwapCond(&xPz.A, &xQz.A, choice)
- fpSwapCond(&xPz.B, &xQz.B, choice)
-}
diff --git a/src/ssl/test/runner/sike/consts.go b/src/ssl/test/runner/sike/consts.go
deleted file mode 100644
index 9d68a4f..0000000
--- a/src/ssl/test/runner/sike/consts.go
+++ /dev/null
@@ -1,317 +0,0 @@
-// Copyright (c) 2019, Cloudflare Inc.
-//
-// Permission to use, copy, modify, and/or distribute this software for any
-// purpose with or without fee is hereby granted, provided that the above
-// copyright notice and this permission notice appear in all copies.
-//
-// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-package sike
-
-// I keep it bool in order to be able to apply logical NOT
-type KeyVariant uint
-
-// Representation of an element of the base field F_p.
-//
-// No particular meaning is assigned to the representation -- it could represent
-// an element in Montgomery form, or not. Tracking the meaning of the field
-// element is left to higher types.
-type Fp [FP_WORDS]uint64
-
-// Represents an intermediate product of two elements of the base field F_p.
-type FpX2 [2 * FP_WORDS]uint64
-
-// Represents an element of the extended field Fp^2 = Fp(x+i)
-type Fp2 struct {
- A Fp
- B Fp
-}
-
-type DomainParams struct {
- // P, Q and R=P-Q base points
- Affine_P, Affine_Q, Affine_R Fp2
- // Size of a compuatation strategy for x-torsion group
- IsogenyStrategy []uint32
- // Max size of secret key for x-torsion group
- SecretBitLen uint
- // Max size of secret key for x-torsion group
- SecretByteLen uint
-}
-
-type SidhParams struct {
- Id uint8
- // Bytelen of P
- Bytelen int
- // The public key size, in bytes.
- PublicKeySize int
- // The shared secret size, in bytes.
- SharedSecretSize int
- // Defines A,C constant for starting curve Cy^2 = x^3 + Ax^2 + x
- InitCurve ProjectiveCurveParameters
- // 2- and 3-torsion group parameter definitions
- A, B DomainParams
- // Precomputed 1/2 in the Fp2 in Montgomery domain
- HalfFp2 Fp2
- // Precomputed identity element in the Fp2 in Montgomery domain
- OneFp2 Fp2
- // Length of SIKE secret message. Must be one of {24,32,40},
- // depending on size of prime field used (see [SIKE], 1.4 and 5.1)
- MsgLen int
- // Length of SIKE ephemeral KEM key (see [SIKE], 1.4 and 5.1)
- KemSize int
- // Size of a ciphertext returned by encapsulation in bytes
- CiphertextSize int
-}
-
-// Stores curve projective parameters equivalent to A/C. Meaning of the
-// values depends on the context. When working with isogenies over
-// subgroup that are powers of:
-// * three then (A:C) ~ (A+2C:A-2C)
-// * four then (A:C) ~ (A+2C: 4C)
-// See Appendix A of SIKE for more details
-type CurveCoefficientsEquiv struct {
- A Fp2
- C Fp2
-}
-
-// A point on the projective line P^1(F_{p^2}).
-//
-// This represents a point on the Kummer line of a Montgomery curve. The
-// curve is specified by a ProjectiveCurveParameters struct.
-type ProjectivePoint struct {
- X Fp2
- Z Fp2
-}
-
-// Base type for public and private key. Used mainly to carry domain
-// parameters.
-type key struct {
- // Domain parameters of the algorithm to be used with a key
- params *SidhParams
- // Flag indicates whether corresponds to 2-, 3-torsion group or SIKE
- keyVariant KeyVariant
-}
-
-// Defines operations on private key
-type PrivateKey struct {
- key
- // Secret key
- Scalar []byte
- // Used only by KEM
- S []byte
-}
-
-// Defines operations on public key
-type PublicKey struct {
- key
- affine_xP Fp2
- affine_xQ Fp2
- affine_xQmP Fp2
-}
-
-// A point on the projective line P^1(F_{p^2}).
-//
-// This is used to work projectively with the curve coefficients.
-type ProjectiveCurveParameters struct {
- A Fp2
- C Fp2
-}
-
-const (
- // First 2 bits identify SIDH variant third bit indicates
- // whether key is a SIKE variant (set) or SIDH (not set)
-
- // 001 - SIDH: corresponds to 2-torsion group
- KeyVariant_SIDH_A KeyVariant = 1 << 0
- // 010 - SIDH: corresponds to 3-torsion group
- KeyVariant_SIDH_B = 1 << 1
- // 110 - SIKE
- KeyVariant_SIKE = 1<<2 | KeyVariant_SIDH_B
- // Number of uint64 limbs used to store field element
- FP_WORDS = 7
-)
-
-// Used internally by this package
-// -------------------------------
-
-var (
- p = Fp{
- 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFDC1767AE2FFFFFF,
- 0x7BC65C783158AEA3, 0x6CFC5FD681C52056, 0x2341F27177344,
- }
-
- // 2*p434
- pX2 = Fp{
- 0xFFFFFFFFFFFFFFFE, 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF, 0xFB82ECF5C5FFFFFF,
- 0xF78CB8F062B15D47, 0xD9F8BFAD038A40AC, 0x4683E4E2EE688,
- }
-
- // p434 + 1
- p1 = Fp{
- 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0xFDC1767AE3000000,
- 0x7BC65C783158AEA3, 0x6CFC5FD681C52056, 0x0002341F27177344,
- }
-
- // R^2=(2^448)^2 mod p
- R2 = Fp{
- 0x28E55B65DCD69B30, 0xACEC7367768798C2, 0xAB27973F8311688D, 0x175CC6AF8D6C7C0B,
- 0xABCD92BF2DDE347E, 0x69E16A61C7686D9A, 0x000025A89BCDD12A,
- }
-
- // 1/2 * R mod p
- half = Fp2{
- A: Fp{
- 0x0000000000003A16, 0x0000000000000000, 0x0000000000000000, 0x5C87FA027E000000,
- 0x6C00D27DAACFD66A, 0x74992A2A2FBBA086, 0x0000767753DE976D},
- }
-
- // 1*R mod p
- one = Fp2{
- A: Fp{
- 0x000000000000742C, 0x0000000000000000, 0x0000000000000000, 0xB90FF404FC000000,
- 0xD801A4FB559FACD4, 0xE93254545F77410C, 0x0000ECEEA7BD2EDA},
- }
-
- // 6*R mod p
- six = Fp2{
- A: Fp{
- 0x000000000002B90A, 0x0000000000000000, 0x0000000000000000, 0x5ADCCB2822000000,
- 0x187D24F39F0CAFB4, 0x9D353A4D394145A0, 0x00012559A0403298},
- }
-
- Params SidhParams
-)
-
-func init() {
- Params = SidhParams{
- // SIDH public key byte size.
- PublicKeySize: 330,
- // SIDH shared secret byte size.
- SharedSecretSize: 110,
- InitCurve: ProjectiveCurveParameters{
- A: six,
- C: one,
- },
- A: DomainParams{
- // The x-coordinate of PA
- Affine_P: Fp2{
- A: Fp{
- 0x05ADF455C5C345BF, 0x91935C5CC767AC2B, 0xAFE4E879951F0257, 0x70E792DC89FA27B1,
- 0xF797F526BB48C8CD, 0x2181DB6131AF621F, 0x00000A1C08B1ECC4,
- },
- B: Fp{
- 0x74840EB87CDA7788, 0x2971AA0ECF9F9D0B, 0xCB5732BDF41715D5, 0x8CD8E51F7AACFFAA,
- 0xA7F424730D7E419F, 0xD671EB919A179E8C, 0x0000FFA26C5A924A,
- },
- },
- // The x-coordinate of QA
- Affine_Q: Fp2{
- A: Fp{
- 0xFEC6E64588B7273B, 0xD2A626D74CBBF1C6, 0xF8F58F07A78098C7, 0xE23941F470841B03,
- 0x1B63EDA2045538DD, 0x735CFEB0FFD49215, 0x0001C4CB77542876,
- },
- B: Fp{
- 0xADB0F733C17FFDD6, 0x6AFFBD037DA0A050, 0x680EC43DB144E02F, 0x1E2E5D5FF524E374,
- 0xE2DDA115260E2995, 0xA6E4B552E2EDE508, 0x00018ECCDDF4B53E,
- },
- },
- // The x-coordinate of RA = PA-QA
- Affine_R: Fp2{
- A: Fp{
- 0x01BA4DB518CD6C7D, 0x2CB0251FE3CC0611, 0x259B0C6949A9121B, 0x60E17AC16D2F82AD,
- 0x3AA41F1CE175D92D, 0x413FBE6A9B9BC4F3, 0x00022A81D8D55643,
- },
- B: Fp{
- 0xB8ADBC70FC82E54A, 0xEF9CDDB0D5FADDED, 0x5820C734C80096A0, 0x7799994BAA96E0E4,
- 0x044961599E379AF8, 0xDB2B94FBF09F27E2, 0x0000B87FC716C0C6,
- },
- },
- // Max size of secret key for 2-torsion group, corresponds to 2^e2 - 1
- SecretBitLen: 216,
- // SecretBitLen in bytes.
- SecretByteLen: 27,
- // 2-torsion group computation strategy
- IsogenyStrategy: []uint32{
- 0x30, 0x1C, 0x10, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01,
- 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04,
- 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01,
- 0x02, 0x01, 0x01, 0x0D, 0x07, 0x04, 0x02, 0x01, 0x01, 0x02,
- 0x01, 0x01, 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, 0x05, 0x04,
- 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01,
- 0x15, 0x0C, 0x07, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01,
- 0x03, 0x02, 0x01, 0x01, 0x01, 0x01, 0x05, 0x03, 0x02, 0x01,
- 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, 0x09, 0x05, 0x03,
- 0x02, 0x01, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x01, 0x04,
- 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01},
- },
- B: DomainParams{
- // The x-coordinate of PB
- Affine_P: Fp2{
- A: Fp{
- 0x6E5497556EDD48A3, 0x2A61B501546F1C05, 0xEB919446D049887D, 0x5864A4A69D450C4F,
- 0xB883F276A6490D2B, 0x22CC287022D5F5B9, 0x0001BED4772E551F,
- },
- B: Fp{
- 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
- 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
- },
- },
- // The x-coordinate of QB
- Affine_Q: Fp2{
- A: Fp{
- 0xFAE2A3F93D8B6B8E, 0x494871F51700FE1C, 0xEF1A94228413C27C, 0x498FF4A4AF60BD62,
- 0xB00AD2A708267E8A, 0xF4328294E017837F, 0x000034080181D8AE,
- },
- B: Fp{
- 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
- 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,
- },
- },
- // The x-coordinate of RB = PB - QB
- Affine_R: Fp2{
- A: Fp{
- 0x283B34FAFEFDC8E4, 0x9208F44977C3E647, 0x7DEAE962816F4E9A, 0x68A2BA8AA262EC9D,
- 0x8176F112EA43F45B, 0x02106D022634F504, 0x00007E8A50F02E37,
- },
- B: Fp{
- 0xB378B7C1DA22CCB1, 0x6D089C99AD1D9230, 0xEBE15711813E2369, 0x2B35A68239D48A53,
- 0x445F6FD138407C93, 0xBEF93B29A3F6B54B, 0x000173FA910377D3,
- },
- },
- // Size of secret key for 3-torsion group, corresponds to log_2(3^e3) - 1.
- SecretBitLen: 217,
- // SecretBitLen in bytes.
- SecretByteLen: 28,
- // 3-torsion group computation strategy
- IsogenyStrategy: []uint32{
- 0x42, 0x21, 0x11, 0x09, 0x05, 0x03, 0x02, 0x01, 0x01, 0x01,
- 0x01, 0x02, 0x01, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x01,
- 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02,
- 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x10,
- 0x08, 0x04, 0x02, 0x01, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04,
- 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x08, 0x04, 0x02, 0x01,
- 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01,
- 0x01, 0x20, 0x10, 0x08, 0x04, 0x03, 0x01, 0x01, 0x01, 0x01,
- 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01,
- 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04, 0x02,
- 0x01, 0x01, 0x02, 0x01, 0x01, 0x10, 0x08, 0x04, 0x02, 0x01,
- 0x01, 0x02, 0x01, 0x01, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01,
- 0x01, 0x08, 0x04, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01, 0x04,
- 0x02, 0x01, 0x01, 0x02, 0x01, 0x01},
- },
- OneFp2: one,
- HalfFp2: half,
- MsgLen: 16,
- // SIKEp434 provides 128 bit of classical security ([SIKE], 5.1)
- KemSize: 16,
- // ceil(434+7/8)
- Bytelen: 55,
- CiphertextSize: 16 + 330,
- }
-}
diff --git a/src/ssl/test/runner/sike/curve.go b/src/ssl/test/runner/sike/curve.go
deleted file mode 100644
index 8172546..0000000
--- a/src/ssl/test/runner/sike/curve.go
+++ /dev/null
@@ -1,422 +0,0 @@
-// Copyright (c) 2019, Cloudflare Inc.
-//
-// Permission to use, copy, modify, and/or distribute this software for any
-// purpose with or without fee is hereby granted, provided that the above
-// copyright notice and this permission notice appear in all copies.
-//
-// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-package sike
-
-// Interface for working with isogenies.
-type isogeny interface {
- // Given a torsion point on a curve computes isogenous curve.
- // Returns curve coefficients (A:C), so that E_(A/C) = E_(A/C)/<P>,
- // where P is a provided projective point. Sets also isogeny constants
- // that are needed for isogeny evaluation.
- GenerateCurve(*ProjectivePoint) CurveCoefficientsEquiv
- // Evaluates isogeny at caller provided point. Requires isogeny curve constants
- // to be earlier computed by GenerateCurve.
- EvaluatePoint(*ProjectivePoint) ProjectivePoint
-}
-
-// Stores isogeny 3 curve constants
-type isogeny3 struct {
- K1 Fp2
- K2 Fp2
-}
-
-// Stores isogeny 4 curve constants
-type isogeny4 struct {
- isogeny3
- K3 Fp2
-}
-
-// Constructs isogeny3 objects
-func NewIsogeny3() isogeny {
- return &isogeny3{}
-}
-
-// Constructs isogeny4 objects
-func NewIsogeny4() isogeny {
- return &isogeny4{}
-}
-
-// Helper function for RightToLeftLadder(). Returns A+2C / 4.
-func calcAplus2Over4(cparams *ProjectiveCurveParameters) (ret Fp2) {
- var tmp Fp2
-
- // 2C
- add(&tmp, &cparams.C, &cparams.C)
- // A+2C
- add(&ret, &cparams.A, &tmp)
- // 1/4C
- add(&tmp, &tmp, &tmp)
- inv(&tmp, &tmp)
- // A+2C/4C
- mul(&ret, &ret, &tmp)
- return
-}
-
-// Converts values in x.A and x.B to Montgomery domain
-// x.A = x.A * R mod p
-// x.B = x.B * R mod p
-// Performs v = v*R^2*R^(-1) mod p, for both x.A and x.B
-func toMontDomain(x *Fp2) {
- var aRR FpX2
-
- // convert to montgomery domain
- fpMul(&aRR, &x.A, &R2) // = a*R*R
- fpMontRdc(&x.A, &aRR) // = a*R mod p
- fpMul(&aRR, &x.B, &R2)
- fpMontRdc(&x.B, &aRR)
-}
-
-// Converts values in x.A and x.B from Montgomery domain
-// a = x.A mod p
-// b = x.B mod p
-//
-// After returning from the call x is not modified.
-func fromMontDomain(x *Fp2, out *Fp2) {
- var aR FpX2
-
- // convert from montgomery domain
- copy(aR[:], x.A[:])
- fpMontRdc(&out.A, &aR) // = a mod p in [0, 2p)
- fpRdcP(&out.A) // = a mod p in [0, p)
- for i := range aR {
- aR[i] = 0
- }
- copy(aR[:], x.B[:])
- fpMontRdc(&out.B, &aR)
- fpRdcP(&out.B)
-}
-
-// Computes j-invariant for a curve y2=x3+A/Cx+x with A,C in F_(p^2). Result
-// is returned in 'j'. Implementation corresponds to Algorithm 9 from SIKE.
-func Jinvariant(cparams *ProjectiveCurveParameters, j *Fp2) {
- var t0, t1 Fp2
-
- sqr(j, &cparams.A) // j = A^2
- sqr(&t1, &cparams.C) // t1 = C^2
- add(&t0, &t1, &t1) // t0 = t1 + t1
- sub(&t0, j, &t0) // t0 = j - t0
- sub(&t0, &t0, &t1) // t0 = t0 - t1
- sub(j, &t0, &t1) // t0 = t0 - t1
- sqr(&t1, &t1) // t1 = t1^2
- mul(j, j, &t1) // j = j * t1
- add(&t0, &t0, &t0) // t0 = t0 + t0
- add(&t0, &t0, &t0) // t0 = t0 + t0
- sqr(&t1, &t0) // t1 = t0^2
- mul(&t0, &t0, &t1) // t0 = t0 * t1
- add(&t0, &t0, &t0) // t0 = t0 + t0
- add(&t0, &t0, &t0) // t0 = t0 + t0
- inv(j, j) // j = 1/j
- mul(j, &t0, j) // j = t0 * j
-}
-
-// Given affine points x(P), x(Q) and x(Q-P) in a extension field F_{p^2}, function
-// recorvers projective coordinate A of a curve. This is Algorithm 10 from SIKE.
-func RecoverCoordinateA(curve *ProjectiveCurveParameters, xp, xq, xr *Fp2) {
- var t0, t1 Fp2
-
- add(&t1, xp, xq) // t1 = Xp + Xq
- mul(&t0, xp, xq) // t0 = Xp * Xq
- mul(&curve.A, xr, &t1) // A = X(q-p) * t1
- add(&curve.A, &curve.A, &t0) // A = A + t0
- mul(&t0, &t0, xr) // t0 = t0 * X(q-p)
- sub(&curve.A, &curve.A, &Params.OneFp2) // A = A - 1
- add(&t0, &t0, &t0) // t0 = t0 + t0
- add(&t1, &t1, xr) // t1 = t1 + X(q-p)
- add(&t0, &t0, &t0) // t0 = t0 + t0
- sqr(&curve.A, &curve.A) // A = A^2
- inv(&t0, &t0) // t0 = 1/t0
- mul(&curve.A, &curve.A, &t0) // A = A * t0
- sub(&curve.A, &curve.A, &t1) // A = A - t1
-}
-
-// Computes equivalence (A:C) ~ (A+2C : A-2C)
-func CalcCurveParamsEquiv3(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
- var coef CurveCoefficientsEquiv
- var c2 Fp2
-
- add(&c2, &cparams.C, &cparams.C)
- // A24p = A+2*C
- add(&coef.A, &cparams.A, &c2)
- // A24m = A-2*C
- sub(&coef.C, &cparams.A, &c2)
- return coef
-}
-
-// Computes equivalence (A:C) ~ (A+2C : 4C)
-func CalcCurveParamsEquiv4(cparams *ProjectiveCurveParameters) CurveCoefficientsEquiv {
- var coefEq CurveCoefficientsEquiv
-
- add(&coefEq.C, &cparams.C, &cparams.C)
- // A24p = A+2C
- add(&coefEq.A, &cparams.A, &coefEq.C)
- // C24 = 4*C
- add(&coefEq.C, &coefEq.C, &coefEq.C)
- return coefEq
-}
-
-// Recovers (A:C) curve parameters from projectively equivalent (A+2C:A-2C).
-func RecoverCurveCoefficients3(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
- add(&cparams.A, &coefEq.A, &coefEq.C)
- // cparams.A = 2*(A+2C+A-2C) = 4A
- add(&cparams.A, &cparams.A, &cparams.A)
- // cparams.C = (A+2C-A+2C) = 4C
- sub(&cparams.C, &coefEq.A, &coefEq.C)
- return
-}
-
-// Recovers (A:C) curve parameters from projectively equivalent (A+2C:4C).
-func RecoverCurveCoefficients4(cparams *ProjectiveCurveParameters, coefEq *CurveCoefficientsEquiv) {
- // cparams.C = (4C)*1/2=2C
- mul(&cparams.C, &coefEq.C, &Params.HalfFp2)
- // cparams.A = A+2C - 2C = A
- sub(&cparams.A, &coefEq.A, &cparams.C)
- // cparams.C = 2C * 1/2 = C
- mul(&cparams.C, &cparams.C, &Params.HalfFp2)
- return
-}
-
-// Combined coordinate doubling and differential addition. Takes projective points
-// P,Q,Q-P and (A+2C)/4C curve E coefficient. Returns 2*P and P+Q calculated on E.
-// Function is used only by RightToLeftLadder. Corresponds to Algorithm 5 of SIKE
-func xDbladd(P, Q, QmP *ProjectivePoint, a24 *Fp2) (dblP, PaQ ProjectivePoint) {
- var t0, t1, t2 Fp2
- xQmP, zQmP := &QmP.X, &QmP.Z
- xPaQ, zPaQ := &PaQ.X, &PaQ.Z
- x2P, z2P := &dblP.X, &dblP.Z
- xP, zP := &P.X, &P.Z
- xQ, zQ := &Q.X, &Q.Z
-
- add(&t0, xP, zP) // t0 = Xp+Zp
- sub(&t1, xP, zP) // t1 = Xp-Zp
- sqr(x2P, &t0) // 2P.X = t0^2
- sub(&t2, xQ, zQ) // t2 = Xq-Zq
- add(xPaQ, xQ, zQ) // Xp+q = Xq+Zq
- mul(&t0, &t0, &t2) // t0 = t0 * t2
- mul(z2P, &t1, &t1) // 2P.Z = t1 * t1
- mul(&t1, &t1, xPaQ) // t1 = t1 * Xp+q
- sub(&t2, x2P, z2P) // t2 = 2P.X - 2P.Z
- mul(x2P, x2P, z2P) // 2P.X = 2P.X * 2P.Z
- mul(xPaQ, a24, &t2) // Xp+q = A24 * t2
- sub(zPaQ, &t0, &t1) // Zp+q = t0 - t1
- add(z2P, xPaQ, z2P) // 2P.Z = Xp+q + 2P.Z
- add(xPaQ, &t0, &t1) // Xp+q = t0 + t1
- mul(z2P, z2P, &t2) // 2P.Z = 2P.Z * t2
- sqr(zPaQ, zPaQ) // Zp+q = Zp+q ^ 2
- sqr(xPaQ, xPaQ) // Xp+q = Xp+q ^ 2
- mul(zPaQ, xQmP, zPaQ) // Zp+q = Xq-p * Zp+q
- mul(xPaQ, zQmP, xPaQ) // Xp+q = Zq-p * Xp+q
- return
-}
-
-// Given the curve parameters, xP = x(P), computes xP = x([2^k]P)
-// Safe to overlap xP, x2P.
-func Pow2k(xP *ProjectivePoint, params *CurveCoefficientsEquiv, k uint32) {
- var t0, t1 Fp2
-
- x, z := &xP.X, &xP.Z
- for i := uint32(0); i < k; i++ {
- sub(&t0, x, z) // t0 = Xp - Zp
- add(&t1, x, z) // t1 = Xp + Zp
- sqr(&t0, &t0) // t0 = t0 ^ 2
- sqr(&t1, &t1) // t1 = t1 ^ 2
- mul(z, ¶ms.C, &t0) // Z2p = C24 * t0
- mul(x, z, &t1) // X2p = Z2p * t1
- sub(&t1, &t1, &t0) // t1 = t1 - t0
- mul(&t0, ¶ms.A, &t1) // t0 = A24+ * t1
- add(z, z, &t0) // Z2p = Z2p + t0
- mul(z, z, &t1) // Zp = Z2p * t1
- }
-}
-
-// Given the curve parameters, xP = x(P), and k >= 0, compute xP = x([3^k]P).
-//
-// Safe to overlap xP, xR.
-func Pow3k(xP *ProjectivePoint, params *CurveCoefficientsEquiv, k uint32) {
- var t0, t1, t2, t3, t4, t5, t6 Fp2
-
- x, z := &xP.X, &xP.Z
- for i := uint32(0); i < k; i++ {
- sub(&t0, x, z) // t0 = Xp - Zp
- sqr(&t2, &t0) // t2 = t0^2
- add(&t1, x, z) // t1 = Xp + Zp
- sqr(&t3, &t1) // t3 = t1^2
- add(&t4, &t1, &t0) // t4 = t1 + t0
- sub(&t0, &t1, &t0) // t0 = t1 - t0
- sqr(&t1, &t4) // t1 = t4^2
- sub(&t1, &t1, &t3) // t1 = t1 - t3
- sub(&t1, &t1, &t2) // t1 = t1 - t2
- mul(&t5, &t3, ¶ms.A) // t5 = t3 * A24+
- mul(&t3, &t3, &t5) // t3 = t5 * t3
- mul(&t6, &t2, ¶ms.C) // t6 = t2 * A24-
- mul(&t2, &t2, &t6) // t2 = t2 * t6
- sub(&t3, &t2, &t3) // t3 = t2 - t3
- sub(&t2, &t5, &t6) // t2 = t5 - t6
- mul(&t1, &t2, &t1) // t1 = t2 * t1
- add(&t2, &t3, &t1) // t2 = t3 + t1
- sqr(&t2, &t2) // t2 = t2^2
- mul(x, &t2, &t4) // X3p = t2 * t4
- sub(&t1, &t3, &t1) // t1 = t3 - t1
- sqr(&t1, &t1) // t1 = t1^2
- mul(z, &t1, &t0) // Z3p = t1 * t0
- }
-}
-
-// Set (y1, y2, y3) = (1/x1, 1/x2, 1/x3).
-//
-// All xi, yi must be distinct.
-func Fp2Batch3Inv(x1, x2, x3, y1, y2, y3 *Fp2) {
- var x1x2, t Fp2
-
- mul(&x1x2, x1, x2) // x1*x2
- mul(&t, &x1x2, x3) // 1/(x1*x2*x3)
- inv(&t, &t)
- mul(y1, &t, x2) // 1/x1
- mul(y1, y1, x3)
- mul(y2, &t, x1) // 1/x2
- mul(y2, y2, x3)
- mul(y3, &t, &x1x2) // 1/x3
-}
-
-// ScalarMul3Pt is a right-to-left point multiplication that given the
-// x-coordinate of P, Q and P-Q calculates the x-coordinate of R=Q+[scalar]P.
-// nbits must be smaller or equal to len(scalar).
-func ScalarMul3Pt(cparams *ProjectiveCurveParameters, P, Q, PmQ *ProjectivePoint, nbits uint, scalar []uint8) ProjectivePoint {
- var R0, R2, R1 ProjectivePoint
- aPlus2Over4 := calcAplus2Over4(cparams)
- R1 = *P
- R2 = *PmQ
- R0 = *Q
-
- // Iterate over the bits of the scalar, bottom to top
- prevBit := uint8(0)
- for i := uint(0); i < nbits; i++ {
- bit := (scalar[i>>3] >> (i & 7) & 1)
- swap := prevBit ^ bit
- prevBit = bit
- condSwap(&R1.X, &R1.Z, &R2.X, &R2.Z, swap)
- R0, R2 = xDbladd(&R0, &R2, &R1, &aPlus2Over4)
- }
- condSwap(&R1.X, &R1.Z, &R2.X, &R2.Z, prevBit)
- return R1
-}
-
-// Given a three-torsion point p = x(PB) on the curve E_(A:C), construct the
-// three-isogeny phi : E_(A:C) -> E_(A:C)/<P_3> = E_(A':C').
-//
-// Input: (XP_3: ZP_3), where P_3 has exact order 3 on E_A/C
-// Output: * Curve coordinates (A' + 2C', A' - 2C') corresponding to E_A'/C' = A_E/C/<P3>
-// * isogeny phi with constants in F_p^2
-func (phi *isogeny3) GenerateCurve(p *ProjectivePoint) CurveCoefficientsEquiv {
- var t0, t1, t2, t3, t4 Fp2
- var coefEq CurveCoefficientsEquiv
- var K1, K2 = &phi.K1, &phi.K2
-
- sub(K1, &p.X, &p.Z) // K1 = XP3 - ZP3
- sqr(&t0, K1) // t0 = K1^2
- add(K2, &p.X, &p.Z) // K2 = XP3 + ZP3
- sqr(&t1, K2) // t1 = K2^2
- add(&t2, &t0, &t1) // t2 = t0 + t1
- add(&t3, K1, K2) // t3 = K1 + K2
- sqr(&t3, &t3) // t3 = t3^2
- sub(&t3, &t3, &t2) // t3 = t3 - t2
- add(&t2, &t1, &t3) // t2 = t1 + t3
- add(&t3, &t3, &t0) // t3 = t3 + t0
- add(&t4, &t3, &t0) // t4 = t3 + t0
- add(&t4, &t4, &t4) // t4 = t4 + t4
- add(&t4, &t1, &t4) // t4 = t1 + t4
- mul(&coefEq.C, &t2, &t4) // A24m = t2 * t4
- add(&t4, &t1, &t2) // t4 = t1 + t2
- add(&t4, &t4, &t4) // t4 = t4 + t4
- add(&t4, &t0, &t4) // t4 = t0 + t4
- mul(&t4, &t3, &t4) // t4 = t3 * t4
- sub(&t0, &t4, &coefEq.C) // t0 = t4 - A24m
- add(&coefEq.A, &coefEq.C, &t0) // A24p = A24m + t0
- return coefEq
-}
-
-// Given a 3-isogeny phi and a point pB = x(PB), compute x(QB), the x-coordinate
-// of the image QB = phi(PB) of PB under phi : E_(A:C) -> E_(A':C').
-//
-// The output xQ = x(Q) is then a point on the curve E_(A':C'); the curve
-// parameters are returned by the GenerateCurve function used to construct phi.
-func (phi *isogeny3) EvaluatePoint(p *ProjectivePoint) ProjectivePoint {
- var t0, t1, t2 Fp2
- var q ProjectivePoint
- var K1, K2 = &phi.K1, &phi.K2
- var px, pz = &p.X, &p.Z
-
- add(&t0, px, pz) // t0 = XQ + ZQ
- sub(&t1, px, pz) // t1 = XQ - ZQ
- mul(&t0, K1, &t0) // t2 = K1 * t0
- mul(&t1, K2, &t1) // t1 = K2 * t1
- add(&t2, &t0, &t1) // t2 = t0 + t1
- sub(&t0, &t1, &t0) // t0 = t1 - t0
- sqr(&t2, &t2) // t2 = t2 ^ 2
- sqr(&t0, &t0) // t0 = t0 ^ 2
- mul(&q.X, px, &t2) // XQ'= XQ * t2
- mul(&q.Z, pz, &t0) // ZQ'= ZQ * t0
- return q
-}
-
-// Given a four-torsion point p = x(PB) on the curve E_(A:C), construct the
-// four-isogeny phi : E_(A:C) -> E_(A:C)/<P_4> = E_(A':C').
-//
-// Input: (XP_4: ZP_4), where P_4 has exact order 4 on E_A/C
-// Output: * Curve coordinates (A' + 2C', 4C') corresponding to E_A'/C' = A_E/C/<P4>
-// * isogeny phi with constants in F_p^2
-func (phi *isogeny4) GenerateCurve(p *ProjectivePoint) CurveCoefficientsEquiv {
- var coefEq CurveCoefficientsEquiv
- var xp4, zp4 = &p.X, &p.Z
- var K1, K2, K3 = &phi.K1, &phi.K2, &phi.K3
-
- sub(K2, xp4, zp4)
- add(K3, xp4, zp4)
- sqr(K1, zp4)
- add(K1, K1, K1)
- sqr(&coefEq.C, K1)
- add(K1, K1, K1)
- sqr(&coefEq.A, xp4)
- add(&coefEq.A, &coefEq.A, &coefEq.A)
- sqr(&coefEq.A, &coefEq.A)
- return coefEq
-}
-
-// Given a 4-isogeny phi and a point xP = x(P), compute x(Q), the x-coordinate
-// of the image Q = phi(P) of P under phi : E_(A:C) -> E_(A':C').
-//
-// Input: isogeny returned by GenerateCurve and point q=(Qx,Qz) from E0_A/C
-// Output: Corresponding point q from E1_A'/C', where E1 is 4-isogenous to E0
-func (phi *isogeny4) EvaluatePoint(p *ProjectivePoint) ProjectivePoint {
- var t0, t1 Fp2
- var q = *p
- var xq, zq = &q.X, &q.Z
- var K1, K2, K3 = &phi.K1, &phi.K2, &phi.K3
-
- add(&t0, xq, zq)
- sub(&t1, xq, zq)
- mul(xq, &t0, K2)
- mul(zq, &t1, K3)
- mul(&t0, &t0, &t1)
- mul(&t0, &t0, K1)
- add(&t1, xq, zq)
- sub(zq, xq, zq)
- sqr(&t1, &t1)
- sqr(zq, zq)
- add(xq, &t0, &t1)
- sub(&t0, zq, &t0)
- mul(xq, xq, &t1)
- mul(zq, zq, &t0)
- return q
-}
diff --git a/src/ssl/test/runner/sike/sike.go b/src/ssl/test/runner/sike/sike.go
deleted file mode 100644
index dcd6cfc..0000000
--- a/src/ssl/test/runner/sike/sike.go
+++ /dev/null
@@ -1,683 +0,0 @@
-// Copyright (c) 2019, Cloudflare Inc.
-//
-// Permission to use, copy, modify, and/or distribute this software for any
-// purpose with or without fee is hereby granted, provided that the above
-// copyright notice and this permission notice appear in all copies.
-//
-// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-package sike
-
-import (
- "crypto/sha256"
- "crypto/subtle"
- "errors"
- "io"
-)
-
-// Zeroize Fp2
-func zeroize(fp *Fp2) {
- // Zeroizing in 2 separated loops tells compiler to
- // use fast runtime.memclr()
- for i := range fp.A {
- fp.A[i] = 0
- }
- for i := range fp.B {
- fp.B[i] = 0
- }
-}
-
-// Convert the input to wire format.
-//
-// The output byte slice must be at least 2*bytelen(p) bytes long.
-func convFp2ToBytes(output []byte, fp2 *Fp2) {
- if len(output) < 2*Params.Bytelen {
- panic("output byte slice too short")
- }
- var a Fp2
- fromMontDomain(fp2, &a)
-
- // convert to bytes in little endian form
- for i := 0; i < Params.Bytelen; i++ {
- // set i = j*8 + k
- tmp := i / 8
- k := uint64(i % 8)
- output[i] = byte(a.A[tmp] >> (8 * k))
- output[i+Params.Bytelen] = byte(a.B[tmp] >> (8 * k))
- }
-}
-
-// Read 2*bytelen(p) bytes into the given ExtensionFieldElement.
-//
-// It is an error to call this function if the input byte slice is less than 2*bytelen(p) bytes long.
-func convBytesToFp2(fp2 *Fp2, input []byte) {
- if len(input) < 2*Params.Bytelen {
- panic("input byte slice too short")
- }
-
- for i := 0; i < Params.Bytelen; i++ {
- j := i / 8
- k := uint64(i % 8)
- fp2.A[j] |= uint64(input[i]) << (8 * k)
- fp2.B[j] |= uint64(input[i+Params.Bytelen]) << (8 * k)
- }
- toMontDomain(fp2)
-}
-
-// -----------------------------------------------------------------------------
-// Functions for traversing isogeny trees acoording to strategy. Key type 'A' is
-//
-
-// Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed
-// for public key generation.
-func traverseTreePublicKeyA(curve *ProjectiveCurveParameters, xR, phiP, phiQ, phiR *ProjectivePoint, pub *PublicKey) {
- var points = make([]ProjectivePoint, 0, 8)
- var indices = make([]int, 0, 8)
- var i, sidx int
-
- cparam := CalcCurveParamsEquiv4(curve)
- phi := NewIsogeny4()
- strat := pub.params.A.IsogenyStrategy
- stratSz := len(strat)
-
- for j := 1; j <= stratSz; j++ {
- for i <= stratSz-j {
- points = append(points, *xR)
- indices = append(indices, i)
-
- k := strat[sidx]
- sidx++
- Pow2k(xR, &cparam, 2*k)
- i += int(k)
- }
-
- cparam = phi.GenerateCurve(xR)
- for k := 0; k < len(points); k++ {
- points[k] = phi.EvaluatePoint(&points[k])
- }
-
- *phiP = phi.EvaluatePoint(phiP)
- *phiQ = phi.EvaluatePoint(phiQ)
- *phiR = phi.EvaluatePoint(phiR)
-
- // pop xR from points
- *xR, points = points[len(points)-1], points[:len(points)-1]
- i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1]
- }
-}
-
-// Traverses isogeny tree in order to compute xR needed
-// for public key generation.
-func traverseTreeSharedKeyA(curve *ProjectiveCurveParameters, xR *ProjectivePoint, pub *PublicKey) {
- var points = make([]ProjectivePoint, 0, 8)
- var indices = make([]int, 0, 8)
- var i, sidx int
-
- cparam := CalcCurveParamsEquiv4(curve)
- phi := NewIsogeny4()
- strat := pub.params.A.IsogenyStrategy
- stratSz := len(strat)
-
- for j := 1; j <= stratSz; j++ {
- for i <= stratSz-j {
- points = append(points, *xR)
- indices = append(indices, i)
-
- k := strat[sidx]
- sidx++
- Pow2k(xR, &cparam, 2*k)
- i += int(k)
- }
-
- cparam = phi.GenerateCurve(xR)
- for k := 0; k < len(points); k++ {
- points[k] = phi.EvaluatePoint(&points[k])
- }
-
- // pop xR from points
- *xR, points = points[len(points)-1], points[:len(points)-1]
- i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1]
- }
-}
-
-// Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed
-// for public key generation.
-func traverseTreePublicKeyB(curve *ProjectiveCurveParameters, xR, phiP, phiQ, phiR *ProjectivePoint, pub *PublicKey) {
- var points = make([]ProjectivePoint, 0, 8)
- var indices = make([]int, 0, 8)
- var i, sidx int
-
- cparam := CalcCurveParamsEquiv3(curve)
- phi := NewIsogeny3()
- strat := pub.params.B.IsogenyStrategy
- stratSz := len(strat)
-
- for j := 1; j <= stratSz; j++ {
- for i <= stratSz-j {
- points = append(points, *xR)
- indices = append(indices, i)
-
- k := strat[sidx]
- sidx++
- Pow3k(xR, &cparam, k)
- i += int(k)
- }
-
- cparam = phi.GenerateCurve(xR)
- for k := 0; k < len(points); k++ {
- points[k] = phi.EvaluatePoint(&points[k])
- }
-
- *phiP = phi.EvaluatePoint(phiP)
- *phiQ = phi.EvaluatePoint(phiQ)
- *phiR = phi.EvaluatePoint(phiR)
-
- // pop xR from points
- *xR, points = points[len(points)-1], points[:len(points)-1]
- i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1]
- }
-}
-
-// Traverses isogeny tree in order to compute xR, xP, xQ and xQmP needed
-// for public key generation.
-func traverseTreeSharedKeyB(curve *ProjectiveCurveParameters, xR *ProjectivePoint, pub *PublicKey) {
- var points = make([]ProjectivePoint, 0, 8)
- var indices = make([]int, 0, 8)
- var i, sidx int
-
- cparam := CalcCurveParamsEquiv3(curve)
- phi := NewIsogeny3()
- strat := pub.params.B.IsogenyStrategy
- stratSz := len(strat)
-
- for j := 1; j <= stratSz; j++ {
- for i <= stratSz-j {
- points = append(points, *xR)
- indices = append(indices, i)
-
- k := strat[sidx]
- sidx++
- Pow3k(xR, &cparam, k)
- i += int(k)
- }
-
- cparam = phi.GenerateCurve(xR)
- for k := 0; k < len(points); k++ {
- points[k] = phi.EvaluatePoint(&points[k])
- }
-
- // pop xR from points
- *xR, points = points[len(points)-1], points[:len(points)-1]
- i, indices = int(indices[len(indices)-1]), indices[:len(indices)-1]
- }
-}
-
-// Generate a public key in the 2-torsion group
-func publicKeyGenA(prv *PrivateKey) (pub *PublicKey) {
- var xPA, xQA, xRA ProjectivePoint
- var xPB, xQB, xRB, xK ProjectivePoint
- var invZP, invZQ, invZR Fp2
-
- pub = NewPublicKey(KeyVariant_SIDH_A)
- var phi = NewIsogeny4()
-
- // Load points for A
- xPA = ProjectivePoint{X: prv.params.A.Affine_P, Z: prv.params.OneFp2}
- xQA = ProjectivePoint{X: prv.params.A.Affine_Q, Z: prv.params.OneFp2}
- xRA = ProjectivePoint{X: prv.params.A.Affine_R, Z: prv.params.OneFp2}
-
- // Load points for B
- xRB = ProjectivePoint{X: prv.params.B.Affine_R, Z: prv.params.OneFp2}
- xQB = ProjectivePoint{X: prv.params.B.Affine_Q, Z: prv.params.OneFp2}
- xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
-
- // Find isogeny kernel
- xK = ScalarMul3Pt(&pub.params.InitCurve, &xPA, &xQA, &xRA, prv.params.A.SecretBitLen, prv.Scalar)
- traverseTreePublicKeyA(&pub.params.InitCurve, &xK, &xPB, &xQB, &xRB, pub)
-
- // Secret isogeny
- phi.GenerateCurve(&xK)
- xPA = phi.EvaluatePoint(&xPB)
- xQA = phi.EvaluatePoint(&xQB)
- xRA = phi.EvaluatePoint(&xRB)
- Fp2Batch3Inv(&xPA.Z, &xQA.Z, &xRA.Z, &invZP, &invZQ, &invZR)
-
- mul(&pub.affine_xP, &xPA.X, &invZP)
- mul(&pub.affine_xQ, &xQA.X, &invZQ)
- mul(&pub.affine_xQmP, &xRA.X, &invZR)
- return
-}
-
-// Generate a public key in the 3-torsion group
-func publicKeyGenB(prv *PrivateKey) (pub *PublicKey) {
- var xPB, xQB, xRB, xK ProjectivePoint
- var xPA, xQA, xRA ProjectivePoint
- var invZP, invZQ, invZR Fp2
-
- pub = NewPublicKey(prv.keyVariant)
- var phi = NewIsogeny3()
-
- // Load points for B
- xRB = ProjectivePoint{X: prv.params.B.Affine_R, Z: prv.params.OneFp2}
- xQB = ProjectivePoint{X: prv.params.B.Affine_Q, Z: prv.params.OneFp2}
- xPB = ProjectivePoint{X: prv.params.B.Affine_P, Z: prv.params.OneFp2}
-
- // Load points for A
- xPA = ProjectivePoint{X: prv.params.A.Affine_P, Z: prv.params.OneFp2}
- xQA = ProjectivePoint{X: prv.params.A.Affine_Q, Z: prv.params.OneFp2}
- xRA = ProjectivePoint{X: prv.params.A.Affine_R, Z: prv.params.OneFp2}
-
- xK = ScalarMul3Pt(&pub.params.InitCurve, &xPB, &xQB, &xRB, prv.params.B.SecretBitLen, prv.Scalar)
- traverseTreePublicKeyB(&pub.params.InitCurve, &xK, &xPA, &xQA, &xRA, pub)
-
- phi.GenerateCurve(&xK)
- xPB = phi.EvaluatePoint(&xPA)
- xQB = phi.EvaluatePoint(&xQA)
- xRB = phi.EvaluatePoint(&xRA)
- Fp2Batch3Inv(&xPB.Z, &xQB.Z, &xRB.Z, &invZP, &invZQ, &invZR)
-
- mul(&pub.affine_xP, &xPB.X, &invZP)
- mul(&pub.affine_xQ, &xQB.X, &invZQ)
- mul(&pub.affine_xQmP, &xRB.X, &invZR)
- return
-}
-
-// -----------------------------------------------------------------------------
-// Key agreement functions
-//
-
-// Establishing shared keys in in 2-torsion group
-func deriveSecretA(prv *PrivateKey, pub *PublicKey) []byte {
- var sharedSecret = make([]byte, pub.params.SharedSecretSize)
- var xP, xQ, xQmP ProjectivePoint
- var xK ProjectivePoint
- var cparam ProjectiveCurveParameters
- var phi = NewIsogeny4()
- var jInv Fp2
-
- // Recover curve coefficients
- RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)
- // C=1
- cparam.C = Params.OneFp2
-
- // Find kernel of the morphism
- xP = ProjectivePoint{X: pub.affine_xP, Z: pub.params.OneFp2}
- xQ = ProjectivePoint{X: pub.affine_xQ, Z: pub.params.OneFp2}
- xQmP = ProjectivePoint{X: pub.affine_xQmP, Z: pub.params.OneFp2}
- xK = ScalarMul3Pt(&cparam, &xP, &xQ, &xQmP, pub.params.A.SecretBitLen, prv.Scalar)
-
- // Traverse isogeny tree
- traverseTreeSharedKeyA(&cparam, &xK, pub)
-
- // Calculate j-invariant on isogeneus curve
- c := phi.GenerateCurve(&xK)
- RecoverCurveCoefficients4(&cparam, &c)
- Jinvariant(&cparam, &jInv)
- convFp2ToBytes(sharedSecret, &jInv)
- return sharedSecret
-}
-
-// Establishing shared keys in in 3-torsion group
-func deriveSecretB(prv *PrivateKey, pub *PublicKey) []byte {
- var sharedSecret = make([]byte, pub.params.SharedSecretSize)
- var xP, xQ, xQmP ProjectivePoint
- var xK ProjectivePoint
- var cparam ProjectiveCurveParameters
- var phi = NewIsogeny3()
- var jInv Fp2
-
- // Recover curve A coefficient
- RecoverCoordinateA(&cparam, &pub.affine_xP, &pub.affine_xQ, &pub.affine_xQmP)
- // C=1
- cparam.C = Params.OneFp2
-
- // Find kernel of the morphism
- xP = ProjectivePoint{X: pub.affine_xP, Z: pub.params.OneFp2}
- xQ = ProjectivePoint{X: pub.affine_xQ, Z: pub.params.OneFp2}
- xQmP = ProjectivePoint{X: pub.affine_xQmP, Z: pub.params.OneFp2}
- xK = ScalarMul3Pt(&cparam, &xP, &xQ, &xQmP, pub.params.B.SecretBitLen, prv.Scalar)
-
- // Traverse isogeny tree
- traverseTreeSharedKeyB(&cparam, &xK, pub)
-
- // Calculate j-invariant on isogeneus curve
- c := phi.GenerateCurve(&xK)
- RecoverCurveCoefficients3(&cparam, &c)
- Jinvariant(&cparam, &jInv)
- convFp2ToBytes(sharedSecret, &jInv)
- return sharedSecret
-}
-
-func encrypt(skA *PrivateKey, pkA, pkB *PublicKey, ptext []byte) ([]byte, error) {
- if pkB.keyVariant != KeyVariant_SIKE {
- return nil, errors.New("wrong key type")
- }
-
- j, err := DeriveSecret(skA, pkB)
- if err != nil {
- return nil, err
- }
-
- if len(ptext) != pkA.params.KemSize {
- panic("Implementation error")
- }
-
- digest := sha256.Sum256(j)
- // Uses truncated digest (first 16-bytes)
- for i, _ := range ptext {
- digest[i] ^= ptext[i]
- }
-
- ret := make([]byte, pkA.Size()+len(ptext))
- copy(ret, pkA.Export())
- copy(ret[pkA.Size():], digest[:pkA.params.KemSize])
- return ret, nil
-}
-
-// NewPrivateKey initializes private key.
-// Usage of this function guarantees that the object is correctly initialized.
-func NewPrivateKey(v KeyVariant) *PrivateKey {
- prv := &PrivateKey{key: key{params: &Params, keyVariant: v}}
- if (v & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {
- prv.Scalar = make([]byte, prv.params.A.SecretByteLen)
- } else {
- prv.Scalar = make([]byte, prv.params.B.SecretByteLen)
- }
- if v == KeyVariant_SIKE {
- prv.S = make([]byte, prv.params.MsgLen)
- }
- return prv
-}
-
-// NewPublicKey initializes public key.
-// Usage of this function guarantees that the object is correctly initialized.
-func NewPublicKey(v KeyVariant) *PublicKey {
- return &PublicKey{key: key{params: &Params, keyVariant: v}}
-}
-
-// Import clears content of the public key currently stored in the structure
-// and imports key stored in the byte string. Returns error in case byte string
-// size is wrong. Doesn't perform any validation.
-func (pub *PublicKey) Import(input []byte) error {
- if len(input) != pub.Size() {
- return errors.New("sidh: input to short")
- }
- ssSz := pub.params.SharedSecretSize
- convBytesToFp2(&pub.affine_xP, input[0:ssSz])
- convBytesToFp2(&pub.affine_xQ, input[ssSz:2*ssSz])
- convBytesToFp2(&pub.affine_xQmP, input[2*ssSz:3*ssSz])
- return nil
-}
-
-// Exports currently stored key. In case structure hasn't been filled with key data
-// returned byte string is filled with zeros.
-func (pub *PublicKey) Export() []byte {
- output := make([]byte, pub.params.PublicKeySize)
- ssSz := pub.params.SharedSecretSize
- convFp2ToBytes(output[0:ssSz], &pub.affine_xP)
- convFp2ToBytes(output[ssSz:2*ssSz], &pub.affine_xQ)
- convFp2ToBytes(output[2*ssSz:3*ssSz], &pub.affine_xQmP)
- return output
-}
-
-// Size returns size of the public key in bytes
-func (pub *PublicKey) Size() int {
- return pub.params.PublicKeySize
-}
-
-// Exports currently stored key. In case structure hasn't been filled with key data
-// returned byte string is filled with zeros.
-func (prv *PrivateKey) Export() []byte {
- ret := make([]byte, len(prv.Scalar)+len(prv.S))
- copy(ret, prv.S)
- copy(ret[len(prv.S):], prv.Scalar)
- return ret
-}
-
-// Size returns size of the private key in bytes
-func (prv *PrivateKey) Size() int {
- tmp := len(prv.Scalar)
- if prv.keyVariant == KeyVariant_SIKE {
- tmp += int(prv.params.MsgLen)
- }
- return tmp
-}
-
-// Import clears content of the private key currently stored in the structure
-// and imports key from octet string. In case of SIKE, the random value 'S'
-// must be prepended to the value of actual private key (see SIKE spec for details).
-// Function doesn't import public key value to PrivateKey object.
-func (prv *PrivateKey) Import(input []byte) error {
- if len(input) != prv.Size() {
- return errors.New("sidh: input to short")
- }
- copy(prv.S, input[:len(prv.S)])
- copy(prv.Scalar, input[len(prv.S):])
- return nil
-}
-
-// Generates random private key for SIDH or SIKE. Generated value is
-// formed as little-endian integer from key-space <2^(e2-1)..2^e2 - 1>
-// for KeyVariant_A or <2^(s-1)..2^s - 1>, where s = floor(log_2(3^e3)),
-// for KeyVariant_B.
-//
-// Returns error in case user provided RNG fails.
-func (prv *PrivateKey) Generate(rand io.Reader) error {
- var err error
- var dp *DomainParams
-
- if (prv.keyVariant & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {
- dp = &prv.params.A
- } else {
- dp = &prv.params.B
- }
-
- if prv.keyVariant == KeyVariant_SIKE {
- _, err = io.ReadFull(rand, prv.S)
- }
-
- // Private key generation takes advantage of the fact that keyspace for secret
- // key is (0, 2^x - 1), for some possitivite value of 'x' (see SIKE, 1.3.8).
- // It means that all bytes in the secret key, but the last one, can take any
- // value between <0x00,0xFF>. Similarily for the last byte, but generation
- // needs to chop off some bits, to make sure generated value is an element of
- // a key-space.
- _, err = io.ReadFull(rand, prv.Scalar)
- if err != nil {
- return err
- }
- prv.Scalar[len(prv.Scalar)-1] &= (1 << (dp.SecretBitLen % 8)) - 1
- // Make sure scalar is SecretBitLen long. SIKE spec says that key
- // space starts from 0, but I'm not confortable with having low
- // value scalars used for private keys. It is still secrure as per
- // table 5.1 in [SIKE].
- prv.Scalar[len(prv.Scalar)-1] |= 1 << ((dp.SecretBitLen % 8) - 1)
- return err
-}
-
-// Generates public key.
-//
-// Constant time.
-func (prv *PrivateKey) GeneratePublicKey() *PublicKey {
- if (prv.keyVariant & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {
- return publicKeyGenA(prv)
- }
- return publicKeyGenB(prv)
-}
-
-// Computes a shared secret which is a j-invariant. Function requires that pub has
-// different KeyVariant than prv. Length of returned output is 2*ceil(log_2 P)/8),
-// where P is a prime defining finite field.
-//
-// It's important to notice that each keypair must not be used more than once
-// to calculate shared secret.
-//
-// Function may return error. This happens only in case provided input is invalid.
-// Constant time for properly initialized private and public key.
-func DeriveSecret(prv *PrivateKey, pub *PublicKey) ([]byte, error) {
-
- if (pub == nil) || (prv == nil) {
- return nil, errors.New("sidh: invalid arguments")
- }
-
- if (pub.keyVariant == prv.keyVariant) || (pub.params.Id != prv.params.Id) {
- return nil, errors.New("sidh: public and private are incompatbile")
- }
-
- if (prv.keyVariant & KeyVariant_SIDH_A) == KeyVariant_SIDH_A {
- return deriveSecretA(prv, pub), nil
- } else {
- return deriveSecretB(prv, pub), nil
- }
-}
-
-// Uses SIKE public key to encrypt plaintext. Requires cryptographically secure PRNG
-// Returns ciphertext in case encryption succeeds. Returns error in case PRNG fails
-// or wrongly formatted input was provided.
-func Encrypt(rng io.Reader, pub *PublicKey, ptext []byte) ([]byte, error) {
- var ptextLen = len(ptext)
- // c1 must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
- if ptextLen != pub.params.KemSize {
- return nil, errors.New("Unsupported message length")
- }
-
- skA := NewPrivateKey(KeyVariant_SIDH_A)
- err := skA.Generate(rng)
- if err != nil {
- return nil, err
- }
-
- pkA := skA.GeneratePublicKey()
- return encrypt(skA, pkA, pub, ptext)
-}
-
-// Uses SIKE private key to decrypt ciphertext. Returns plaintext in case
-// decryption succeeds or error in case unexptected input was provided.
-// Constant time
-func Decrypt(prv *PrivateKey, ctext []byte) ([]byte, error) {
- var c1_len int
- n := make([]byte, prv.params.KemSize)
- pk_len := prv.params.PublicKeySize
-
- if prv.keyVariant != KeyVariant_SIKE {
- return nil, errors.New("wrong key type")
- }
-
- // ctext is a concatenation of (pubkey_A || c1=ciphertext)
- // it must be security level + 64 bits (see [SIKE] 1.4 and 4.3.3)
- c1_len = len(ctext) - pk_len
- if c1_len != int(prv.params.KemSize) {
- return nil, errors.New("wrong size of cipher text")
- }
-
- c0 := NewPublicKey(KeyVariant_SIDH_A)
- err := c0.Import(ctext[:pk_len])
- if err != nil {
- return nil, err
- }
- j, err := DeriveSecret(prv, c0)
- if err != nil {
- return nil, err
- }
-
- digest := sha256.Sum256(j)
- copy(n, digest[:])
-
- for i, _ := range n {
- n[i] ^= ctext[pk_len+i]
- }
- return n[:c1_len], nil
-}
-
-// Encapsulation receives the public key and generates SIKE ciphertext and shared secret.
-// The generated ciphertext is used for authentication.
-// The rng must be cryptographically secure PRNG.
-// Error is returned in case PRNG fails or wrongly formatted input was provided.
-func Encapsulate(rng io.Reader, pub *PublicKey) (ctext []byte, secret []byte, err error) {
- // Buffer for random, secret message
- ptext := make([]byte, pub.params.MsgLen)
- // SHA256 hash context object
- d := sha256.New()
-
- // Generate ephemeral value
- _, err = io.ReadFull(rng, ptext)
- if err != nil {
- return nil, nil, err
- }
-
- // Implementation uses first 28-bytes of secret
- d.Write(ptext)
- d.Write(pub.Export())
- digest := d.Sum(nil)
- // r = G(ptext||pub)
- r := digest[:pub.params.A.SecretByteLen]
-
- // (c0 || c1) = Enc(pkA, ptext; r)
- skA := NewPrivateKey(KeyVariant_SIDH_A)
- err = skA.Import(r)
- if err != nil {
- return nil, nil, err
- }
-
- pkA := skA.GeneratePublicKey()
- ctext, err = encrypt(skA, pkA, pub, ptext)
- if err != nil {
- return nil, nil, err
- }
-
- // K = H(ptext||(c0||c1))
- d.Reset()
- d.Write(ptext)
- d.Write(ctext)
- digest = d.Sum(digest[:0])
- return ctext, digest[:pub.params.KemSize], nil
-}
-
-// Decapsulate given the keypair and ciphertext as inputs, Decapsulate outputs a shared
-// secret if plaintext verifies correctly, otherwise function outputs random value.
-// Decapsulation may fail in case input is wrongly formatted.
-// Constant time for properly initialized input.
-func Decapsulate(prv *PrivateKey, pub *PublicKey, ctext []byte) ([]byte, error) {
- var skA = NewPrivateKey(KeyVariant_SIDH_A)
- // SHA256 hash context object
- d := sha256.New()
-
- m, err := Decrypt(prv, ctext)
- if err != nil {
- return nil, err
- }
-
- // r' = G(m'||pub)
- d.Write(m)
- d.Write(pub.Export())
- digest := d.Sum(nil)
- // Never fails
- skA.Import(digest[:pub.params.A.SecretByteLen])
-
- // Never fails
- pkA := skA.GeneratePublicKey()
- c0 := pkA.Export()
-
- d.Reset()
- if subtle.ConstantTimeCompare(c0, ctext[:len(c0)]) == 1 {
- d.Write(m)
- } else {
- // S is chosen at random when generating a key and is unknown to the other party. It
- // may seem weird, but it's correct. It is important that S is unpredictable
- // to other party. Without this check, it is possible to recover a secret, by
- // providing series of invalid ciphertexts. It is also important that in case
- //
- // See more details in "On the security of supersingular isogeny cryptosystems"
- // (S. Galbraith, et al., 2016, ePrint #859).
- d.Write(prv.S)
- }
- d.Write(ctext)
- digest = d.Sum(digest[:0])
- return digest[:pub.params.KemSize], nil
-}
diff --git a/src/ssl/test/runner/sike/sike_test.go b/src/ssl/test/runner/sike/sike_test.go
deleted file mode 100644
index 2e146bc..0000000
--- a/src/ssl/test/runner/sike/sike_test.go
+++ /dev/null
@@ -1,698 +0,0 @@
-// Copyright (c) 2019, Cloudflare Inc.
-//
-// Permission to use, copy, modify, and/or distribute this software for any
-// purpose with or without fee is hereby granted, provided that the above
-// copyright notice and this permission notice appear in all copies.
-//
-// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-package sike
-
-import (
- "bufio"
- "bytes"
- "crypto/rand"
- "encoding/hex"
- "math/big"
- "strings"
- "testing"
-)
-
-var tdata = struct {
- name string
- PrB_sidh string
- PkB_sidh string
- PrA_sidh string
- PkA_sidh string
- PkB_sike string
- PrB_sike string
-}{
- name: "P-434",
- PrA_sidh: "3A727E04EA9B7E2A766A6F846489E7E7B915263BCEED308BB10FC9",
- PkA_sidh: "9E668D1E6750ED4B91EE052C32839CA9DD2E56D52BC24DECC950AA" +
- "AD24CEED3F9049C77FE80F0B9B01E7F8DAD7833EEC2286544D6380" +
- "009C379CDD3E7517CEF5E20EB01F8231D52FC30DC61D2F63FB357F" +
- "85DC6396E8A95DB9740BD3A972C8DB7901B31F074CD3E45345CA78" +
- "F900817130E688A29A7CF0073B5C00FF2C65FBE776918EF9BD8E75" +
- "B29EF7FAB791969B60B0C5B37A8992EDEF95FA7BAC40A95DAFE02E" +
- "237301FEE9A7A43FD0B73477E8035DD12B73FAFEF18D39904DDE36" +
- "53A754F36BE1888F6607C6A7951349A414352CF31A29F2C40302DB" +
- "406C48018C905EB9DC46AFBF42A9187A9BB9E51B587622A2862DC7" +
- "D5CC598BF38ED6320FB51D8697AD3D7A72ABCC32A393F0133DA8DF" +
- "5E253D9E00B760B2DF342FCE974DCFE946CFE4727783531882800F" +
- "9E5DD594D6D5A6275EEFEF9713ED838F4A06BB34D7B8D46E0B385A" +
- "AEA1C7963601",
- PrB_sidh: "E37BFE55B43B32448F375903D8D226EC94ADBFEA1D2B3536EB987001",
- PkB_sidh: "C9F73E4497AAA3FDF9EB688135866A8A83934BA10E273B8CC3808C" +
- "F0C1F5FAB3E9BB295885881B73DEBC875670C0F51C4BB40DF5FEDE" +
- "01B8AF32D1BF10508B8C17B2734EB93B2B7F5D84A4A0F2F816E9E2" +
- "C32AC253C0B6025B124D05A87A9E2A8567930F44BAA14219B941B6" +
- "B400B4AED1D796DA12A5A9F0B8F3F5EE9DD43F64CB24A3B1719DF2" +
- "78ADF56B5F3395187829DA2319DEABF6BBD6EDA244DE2B62CC5AC2" +
- "50C1009DD1CD4712B0B37406612AD002B5E51A62B51AC9C0374D14" +
- "3ABBBD58275FAFC4A5E959C54838C2D6D9FB43B7B2609061267B6A" +
- "2E6C6D01D295C4223E0D3D7A4CDCFB28A7818A737935279751A6DD" +
- "8290FD498D1F6AD5F4FFF6BDFA536713F509DCE8047252F1E7D0DD" +
- "9FCC414C0070B5DCCE3665A21A032D7FBE749181032183AFAD240B" +
- "7E671E87FBBEC3A8CA4C11AA7A9A23AC69AE2ACF54B664DECD2775" +
- "3D63508F1B02",
- PrB_sike: "4B622DE1350119C45A9F2E2EF3DC5DF56A27FCDFCDDAF58CD69B90" +
- "3752D68C200934E160B234E49EDE247601",
- PkB_sike: "1BD0A2E81307B6F96461317DDF535ACC0E59C742627BAE60D27605" +
- "E10FAF722D22A73E184CB572A12E79DCD58C6B54FB01442114CBE9" +
- "010B6CAEC25D04C16C5E42540C1524C545B8C67614ED4183C9FA5B" +
- "D0BE45A7F89FBC770EE8E7E5E391C7EE6F35F74C29E6D9E35B1663" +
- "DA01E48E9DEB2347512D366FDE505161677055E3EF23054D276E81" +
- "7E2C57025DA1C10D2461F68617F2D11256EEE4E2D7DBDF6C8E34F3" +
- "A0FD00C625428CB41857002159DAB94267ABE42D630C6AAA91AF83" +
- "7C7A6740754EA6634C45454C51B0BB4D44C3CCCCE4B32C00901CF6" +
- "9C008D013348379B2F9837F428A01B6173584691F2A6F3A3C4CF48" +
- "7D20D261B36C8CDB1BC158E2A5162A9DA4F7A97AA0879B9897E2B6" +
- "891B672201F9AEFBF799C27B2587120AC586A511360926FB7DA8EB" +
- "F5CB5272F396AE06608422BE9792E2CE9BEF21BF55B7EFF8DC7EC8" +
- "C99910D3F800",
-}
-
-/* -------------------------------------------------------------------------
- Helpers
- -------------------------------------------------------------------------*/
-// Fail if err !=nil. Display msg as an error message
-func checkErr(t testing.TB, err error, msg string) {
- t.Helper()
- if err != nil {
- t.Error(msg)
- }
-}
-
-// Utility used for running same test with all registered prime fields
-type MultiIdTestingFunc func(testing.TB)
-
-// Converts string to private key
-func convToPrv(s string, v KeyVariant) *PrivateKey {
- key := NewPrivateKey(v)
- hex, e := hex.DecodeString(s)
- if e != nil {
- panic("non-hex number provided")
- }
- e = key.Import(hex)
- if e != nil {
- panic("Can't import private key")
- }
- return key
-}
-
-// Converts string to public key
-func convToPub(s string, v KeyVariant) *PublicKey {
- key := NewPublicKey(v)
- hex, e := hex.DecodeString(s)
- if e != nil {
- panic("non-hex number provided")
- }
- e = key.Import(hex)
- if e != nil {
- panic("Can't import public key")
- }
- return key
-}
-
-/* -------------------------------------------------------------------------
- Unit tests
- -------------------------------------------------------------------------*/
-func TestKeygen(t *testing.T) {
- alicePrivate := convToPrv(tdata.PrA_sidh, KeyVariant_SIDH_A)
- bobPrivate := convToPrv(tdata.PrB_sidh, KeyVariant_SIDH_B)
- expPubA := convToPub(tdata.PkA_sidh, KeyVariant_SIDH_A)
- expPubB := convToPub(tdata.PkB_sidh, KeyVariant_SIDH_B)
-
- pubA := alicePrivate.GeneratePublicKey()
- pubB := bobPrivate.GeneratePublicKey()
-
- if !bytes.Equal(pubA.Export(), expPubA.Export()) {
- t.Fatalf("unexpected value of public key A")
- }
- if !bytes.Equal(pubB.Export(), expPubB.Export()) {
- t.Fatalf("unexpected value of public key B")
- }
-}
-
-func TestImportExport(t *testing.T) {
- var err error
- a := NewPublicKey(KeyVariant_SIDH_A)
- b := NewPublicKey(KeyVariant_SIDH_B)
-
- // Import keys
- a_hex, err := hex.DecodeString(tdata.PkA_sidh)
- checkErr(t, err, "invalid hex-number provided")
-
- err = a.Import(a_hex)
- checkErr(t, err, "import failed")
-
- b_hex, err := hex.DecodeString(tdata.PkB_sike)
- checkErr(t, err, "invalid hex-number provided")
-
- err = b.Import(b_hex)
- checkErr(t, err, "import failed")
-
- // Export and check if same
- if !bytes.Equal(b.Export(), b_hex) || !bytes.Equal(a.Export(), a_hex) {
- t.Fatalf("export/import failed")
- }
-
- if (len(b.Export()) != b.Size()) || (len(a.Export()) != a.Size()) {
- t.Fatalf("wrong size of exported keys")
- }
-}
-
-func testPrivateKeyBelowMax(t testing.TB) {
- for variant, keySz := range map[KeyVariant]*DomainParams{
- KeyVariant_SIDH_A: &Params.A,
- KeyVariant_SIDH_B: &Params.B} {
-
- func(v KeyVariant, dp *DomainParams) {
- var blen = int(dp.SecretByteLen)
- var prv = NewPrivateKey(v)
-
- // Calculate either (2^e2 - 1) or (2^s - 1); where s=ceil(log_2(3^e3)))
- maxSecertVal := big.NewInt(int64(dp.SecretBitLen))
- maxSecertVal.Exp(big.NewInt(int64(2)), maxSecertVal, nil)
- maxSecertVal.Sub(maxSecertVal, big.NewInt(1))
-
- // Do same test 1000 times
- for i := 0; i < 1000; i++ {
- err := prv.Generate(rand.Reader)
- checkErr(t, err, "Private key generation")
-
- // Convert to big-endian, as that's what expected by (*Int)SetBytes()
- secretBytes := prv.Export()
- for i := 0; i < int(blen/2); i++ {
- tmp := secretBytes[i] ^ secretBytes[blen-i-1]
- secretBytes[i] = tmp ^ secretBytes[i]
- secretBytes[blen-i-1] = tmp ^ secretBytes[blen-i-1]
- }
- prvBig := new(big.Int).SetBytes(secretBytes)
- // Check if generated key is bigger than acceptable
- if prvBig.Cmp(maxSecertVal) == 1 {
- t.Error("Generated private key is wrong")
- }
- }
- }(variant, keySz)
- }
-}
-
-func testKeyAgreement(t *testing.T, pkA, prA, pkB, prB string) {
- var e error
-
- // KeyPairs
- alicePublic := convToPub(pkA, KeyVariant_SIDH_A)
- bobPublic := convToPub(pkB, KeyVariant_SIDH_B)
- alicePrivate := convToPrv(prA, KeyVariant_SIDH_A)
- bobPrivate := convToPrv(prB, KeyVariant_SIDH_B)
-
- // Do actual test
- s1, e := DeriveSecret(bobPrivate, alicePublic)
- checkErr(t, e, "derivation s1")
- s2, e := DeriveSecret(alicePrivate, bobPublic)
- checkErr(t, e, "derivation s1")
-
- if !bytes.Equal(s1[:], s2[:]) {
- t.Fatalf("two shared keys: %d, %d do not match", s1, s2)
- }
-
- // Negative case
- dec, e := hex.DecodeString(tdata.PkA_sidh)
- if e != nil {
- t.FailNow()
- }
- dec[0] = ^dec[0]
- e = alicePublic.Import(dec)
- if e != nil {
- t.FailNow()
- }
-
- s1, e = DeriveSecret(bobPrivate, alicePublic)
- checkErr(t, e, "derivation of s1 failed")
- s2, e = DeriveSecret(alicePrivate, bobPublic)
- checkErr(t, e, "derivation of s2 failed")
-
- if bytes.Equal(s1[:], s2[:]) {
- t.Fatalf("The two shared keys: %d, %d match", s1, s2)
- }
-}
-
-func TestDerivationRoundTrip(t *testing.T) {
- var err error
-
- prvA := NewPrivateKey(KeyVariant_SIDH_A)
- prvB := NewPrivateKey(KeyVariant_SIDH_B)
-
- // Generate private keys
- err = prvA.Generate(rand.Reader)
- checkErr(t, err, "key generation failed")
- err = prvB.Generate(rand.Reader)
- checkErr(t, err, "key generation failed")
-
- // Generate public keys
- pubA := prvA.GeneratePublicKey()
- pubB := prvB.GeneratePublicKey()
-
- // Derive shared secret
- s1, err := DeriveSecret(prvB, pubA)
- checkErr(t, err, "")
-
- s2, err := DeriveSecret(prvA, pubB)
- checkErr(t, err, "")
-
- if !bytes.Equal(s1[:], s2[:]) {
- t.Fatalf("Two shared keys: \n%X, \n%X do not match", s1, s2)
- }
-}
-
-// Encrypt, Decrypt, check if input/output plaintext is the same
-func testPKERoundTrip(t testing.TB, id uint8) {
- // Message to be encrypted
- var msg = make([]byte, Params.MsgLen)
- for i, _ := range msg {
- msg[i] = byte(i)
- }
-
- // Import keys
- pkB := NewPublicKey(KeyVariant_SIKE)
- skB := NewPrivateKey(KeyVariant_SIKE)
- pk_hex, err := hex.DecodeString(tdata.PkB_sike)
- if err != nil {
- t.Fatal(err)
- }
- sk_hex, err := hex.DecodeString(tdata.PrB_sike)
- if err != nil {
- t.Fatal(err)
- }
- if pkB.Import(pk_hex) != nil || skB.Import(sk_hex) != nil {
- t.Error("Import")
- }
-
- ct, err := Encrypt(rand.Reader, pkB, msg[:])
- if err != nil {
- t.Fatal(err)
- }
- pt, err := Decrypt(skB, ct)
- if err != nil {
- t.Fatal(err)
- }
- if !bytes.Equal(pt[:], msg[:]) {
- t.Errorf("Decryption failed \n got : %X\n exp : %X", pt, msg)
- }
-}
-
-// Generate key and check if can encrypt
-func TestPKEKeyGeneration(t *testing.T) {
- // Message to be encrypted
- var msg = make([]byte, Params.MsgLen)
- var err error
- for i, _ := range msg {
- msg[i] = byte(i)
- }
-
- sk := NewPrivateKey(KeyVariant_SIKE)
- err = sk.Generate(rand.Reader)
- checkErr(t, err, "PEK key generation")
- pk := sk.GeneratePublicKey()
-
- // Try to encrypt
- ct, err := Encrypt(rand.Reader, pk, msg[:])
- checkErr(t, err, "PEK encryption")
- pt, err := Decrypt(sk, ct)
- checkErr(t, err, "PEK key decryption")
-
- if !bytes.Equal(pt[:], msg[:]) {
- t.Fatalf("Decryption failed \n got : %X\n exp : %X", pt, msg)
- }
-}
-
-func TestNegativePKE(t *testing.T) {
- var msg [40]byte
- var err error
-
- // Generate key
- sk := NewPrivateKey(KeyVariant_SIKE)
- err = sk.Generate(rand.Reader)
- checkErr(t, err, "key generation")
-
- pk := sk.GeneratePublicKey()
-
- // bytelen(msg) - 1
- ct, err := Encrypt(rand.Reader, pk, msg[:Params.KemSize+8-1])
- if err == nil {
- t.Fatal("Error hasn't been returned")
- }
- if ct != nil {
- t.Fatal("Ciphertext must be nil")
- }
-
- // KemSize - 1
- pt, err := Decrypt(sk, msg[:Params.KemSize+8-1])
- if err == nil {
- t.Fatal("Error hasn't been returned")
- }
- if pt != nil {
- t.Fatal("Ciphertext must be nil")
- }
-}
-
-func testKEMRoundTrip(t *testing.T, pkB, skB []byte) {
- // Import keys
- pk := NewPublicKey(KeyVariant_SIKE)
- sk := NewPrivateKey(KeyVariant_SIKE)
- if pk.Import(pkB) != nil || sk.Import(skB) != nil {
- t.Error("Import failed")
- }
-
- ct, ss_e, err := Encapsulate(rand.Reader, pk)
- if err != nil {
- t.Error("Encapsulate failed")
- }
-
- ss_d, err := Decapsulate(sk, pk, ct)
- if err != nil {
- t.Error("Decapsulate failed")
- }
- if !bytes.Equal(ss_e, ss_d) {
- t.Error("Shared secrets from decapsulation and encapsulation differ")
- }
-}
-
-func TestKEMRoundTrip(t *testing.T) {
- pk, err := hex.DecodeString(tdata.PkB_sike)
- checkErr(t, err, "public key B not a number")
- sk, err := hex.DecodeString(tdata.PrB_sike)
- checkErr(t, err, "private key B not a number")
- testKEMRoundTrip(t, pk, sk)
-}
-
-func TestKEMKeyGeneration(t *testing.T) {
- // Generate key
- sk := NewPrivateKey(KeyVariant_SIKE)
- checkErr(t, sk.Generate(rand.Reader), "error: key generation")
- pk := sk.GeneratePublicKey()
-
- // calculated shared secret
- ct, ss_e, err := Encapsulate(rand.Reader, pk)
-
- checkErr(t, err, "encapsulation failed")
- ss_d, err := Decapsulate(sk, pk, ct)
- checkErr(t, err, "decapsulation failed")
-
- if !bytes.Equal(ss_e, ss_d) {
- t.Fatalf("KEM failed \n encapsulated: %X\n decapsulated: %X", ss_d, ss_e)
- }
-}
-
-func TestNegativeKEM(t *testing.T) {
- sk := NewPrivateKey(KeyVariant_SIKE)
- checkErr(t, sk.Generate(rand.Reader), "error: key generation")
- pk := sk.GeneratePublicKey()
-
- ct, ss_e, err := Encapsulate(rand.Reader, pk)
- checkErr(t, err, "pre-requisite for a test failed")
-
- ct[0] = ct[0] - 1
- ss_d, err := Decapsulate(sk, pk, ct)
- checkErr(t, err, "decapsulation returns error when invalid ciphertext provided")
-
- if bytes.Equal(ss_e, ss_d) {
- // no idea how this could ever happen, but it would be very bad
- t.Error("critical error")
- }
-
- // Try encapsulating with SIDH key
- pkSidh := NewPublicKey(KeyVariant_SIDH_B)
- prSidh := NewPrivateKey(KeyVariant_SIDH_B)
- _, _, err = Encapsulate(rand.Reader, pkSidh)
- if err == nil {
- t.Error("encapsulation accepts SIDH public key")
- }
- // Try decapsulating with SIDH key
- _, err = Decapsulate(prSidh, pk, ct)
- if err == nil {
- t.Error("decapsulation accepts SIDH private key key")
- }
-}
-
-// In case invalid ciphertext is provided, SIKE's decapsulation must
-// return same (but unpredictable) result for a given key.
-func TestNegativeKEMSameWrongResult(t *testing.T) {
- sk := NewPrivateKey(KeyVariant_SIKE)
- checkErr(t, sk.Generate(rand.Reader), "error: key generation")
- pk := sk.GeneratePublicKey()
-
- ct, encSs, err := Encapsulate(rand.Reader, pk)
- checkErr(t, err, "pre-requisite for a test failed")
-
- // make ciphertext wrong
- ct[0] = ct[0] - 1
- decSs1, err := Decapsulate(sk, pk, ct)
- checkErr(t, err, "pre-requisite for a test failed")
-
- // second decapsulation must be done with same, but imported private key
- expSk := sk.Export()
-
- // creat new private key
- sk = NewPrivateKey(KeyVariant_SIKE)
- err = sk.Import(expSk)
- checkErr(t, err, "import failed")
-
- // try decapsulating again. ss2 must be same as ss1 and different than
- // original plaintext
- decSs2, err := Decapsulate(sk, pk, ct)
- checkErr(t, err, "pre-requisite for a test failed")
-
- if !bytes.Equal(decSs1, decSs2) {
- t.Error("decapsulation is insecure")
- }
-
- if bytes.Equal(encSs, decSs1) || bytes.Equal(encSs, decSs2) {
- // this test requires that decapsulation returns wrong result
- t.Errorf("test implementation error")
- }
-}
-
-func readAndCheckLine(r *bufio.Reader) []byte {
- // Read next line from buffer
- line, isPrefix, err := r.ReadLine()
- if err != nil || isPrefix {
- panic("Wrong format of input file")
- }
-
- // Function expects that line is in format "KEY = HEX_VALUE". Get
- // value, which should be a hex string
- hexst := strings.Split(string(line), "=")[1]
- hexst = strings.TrimSpace(hexst)
- // Convert value to byte string
- ret, err := hex.DecodeString(hexst)
- if err != nil {
- panic("Wrong format of input file")
- }
- return ret
-}
-
-func testKeygenSIKE(pk, sk []byte, id uint8) bool {
- // Import provided private key
- var prvKey = NewPrivateKey(KeyVariant_SIKE)
- if prvKey.Import(sk) != nil {
- panic("sike test: can't load KAT")
- }
-
- // Generate public key
- pubKey := prvKey.GeneratePublicKey()
- return bytes.Equal(pubKey.Export(), pk)
-}
-
-func testDecapsulation(pk, sk, ct, ssExpected []byte, id uint8) bool {
- var pubKey = NewPublicKey(KeyVariant_SIKE)
- var prvKey = NewPrivateKey(KeyVariant_SIKE)
- if pubKey.Import(pk) != nil || prvKey.Import(sk) != nil {
- panic("sike test: can't load KAT")
- }
-
- ssGot, err := Decapsulate(prvKey, pubKey, ct)
- if err != nil {
- panic("sike test: can't perform degcapsulation KAT")
- }
-
- return bytes.Equal(ssGot, ssExpected)
-}
-
-func TestKeyAgreement(t *testing.T) {
- testKeyAgreement(t, tdata.PkA_sidh, tdata.PrA_sidh, tdata.PkB_sidh, tdata.PrB_sidh)
-}
-
-// Same values as in sike_test.cc
-func TestDecapsulation(t *testing.T) {
- var sk = [16 + 28]byte{
- 0x04, 0x5E, 0x01, 0x42, 0xB8, 0x2F, 0xE1, 0x9A, 0x38, 0x25,
- 0x92, 0xE7, 0xDC, 0xBA, 0xF7, 0x1B, 0xB1, 0xFD, 0x34, 0x42,
- 0xDB, 0x02, 0xBC, 0x9D, 0x4C, 0xD0, 0x72, 0x34, 0x4D, 0xBD,
- 0x06, 0xDF, 0x1C, 0x7D, 0x0A, 0x88, 0xB2, 0x50, 0xC4, 0xF6,
- 0xAE, 0xE8, 0x25, 0x01,
- }
-
- var pk = [330]byte{
- 0x6D, 0x8D, 0xF5, 0x7B, 0xCD, 0x47, 0xCA, 0xCB, 0x7A, 0x38,
- 0xB7, 0xA6, 0x90, 0xB7, 0x37, 0x03, 0xD4, 0x6F, 0x27, 0x73,
- 0x74, 0x17, 0x5A, 0xA4, 0x0D, 0xC6, 0x81, 0xAD, 0xDB, 0xF7,
- 0x18, 0xB2, 0x3C, 0x30, 0xCF, 0xAA, 0x08, 0x11, 0x91, 0xCC,
- 0x27, 0x4E, 0xF1, 0xA6, 0xB7, 0xDA, 0xD2, 0xCF, 0x99, 0x7F,
- 0xF7, 0xE1, 0xD0, 0xCE, 0x00, 0xD2, 0x4B, 0xA4, 0x33, 0xB4,
- 0x87, 0x01, 0x3F, 0x02, 0xF7, 0xF9, 0xDE, 0xC3, 0x60, 0x62,
- 0xDA, 0x3F, 0x74, 0xA9, 0x44, 0xBE, 0x19, 0xD5, 0x03, 0x2A,
- 0x79, 0x8C, 0xA7, 0xFF, 0xEA, 0xB3, 0xBB, 0xB5, 0xD4, 0x1D,
- 0x8F, 0x92, 0xCE, 0x62, 0x6E, 0x99, 0x24, 0xD7, 0x57, 0xFA,
- 0xCD, 0xB6, 0xE2, 0x8E, 0xFD, 0x22, 0x0E, 0x31, 0x21, 0x01,
- 0x8D, 0x79, 0xF8, 0x3E, 0x27, 0xEC, 0x43, 0x40, 0xDB, 0x82,
- 0xE5, 0xEB, 0x6C, 0x97, 0x66, 0x29, 0x15, 0x68, 0xB7, 0x4D,
- 0x84, 0xD1, 0x8A, 0x0B, 0x12, 0x36, 0x2C, 0x0C, 0x0A, 0x6E,
- 0x4E, 0xDE, 0xA5, 0x8A, 0xDE, 0x77, 0xDD, 0x70, 0x49, 0x73,
- 0xAC, 0x27, 0x6D, 0x8D, 0x25, 0x9A, 0xE4, 0x25, 0xE8, 0x95,
- 0x8F, 0xFE, 0x90, 0x3B, 0x00, 0x69, 0x20, 0xE8, 0x7C, 0xA5,
- 0xF5, 0x79, 0xC0, 0x61, 0x51, 0x91, 0x35, 0x25, 0x3F, 0x17,
- 0x2F, 0x70, 0x73, 0xF0, 0x89, 0xB5, 0xC8, 0x25, 0xB8, 0xE5,
- 0x7E, 0x34, 0xDD, 0x11, 0xE5, 0xD6, 0xC3, 0xD5, 0x29, 0x89,
- 0xC6, 0x2C, 0x99, 0x53, 0x1D, 0x2C, 0x77, 0xB0, 0xB6, 0xA1,
- 0xBD, 0x79, 0xFB, 0x4A, 0xC2, 0x48, 0x4C, 0x62, 0x51, 0x00,
- 0xE3, 0x91, 0x2A, 0xCB, 0x84, 0x03, 0x5D, 0x2D, 0xC8, 0x33,
- 0xE9, 0x14, 0xBF, 0x74, 0x21, 0xBC, 0xF4, 0x76, 0xE5, 0x42,
- 0xB8, 0xBD, 0xE2, 0xE7, 0x20, 0x95, 0x54, 0xF2, 0xED, 0xC0,
- 0x79, 0x38, 0x1E, 0xD2, 0xEA, 0x1A, 0x63, 0x85, 0xE7, 0x3A,
- 0xDA, 0xAD, 0xAB, 0x1B, 0x1E, 0x19, 0x9E, 0x73, 0xD0, 0x10,
- 0x2E, 0x38, 0xAC, 0x8B, 0x00, 0x6A, 0x30, 0x2C, 0x3D, 0x70,
- 0x8E, 0x39, 0x6D, 0xC0, 0x12, 0x61, 0x7D, 0x2A, 0x0A, 0x04,
- 0x95, 0x8E, 0x09, 0x3C, 0x7B, 0xEC, 0x2E, 0xBC, 0xE8, 0xE8,
- 0xE8, 0x37, 0x29, 0xC4, 0x7E, 0x76, 0x48, 0xB9, 0x3B, 0x72,
- 0xE5, 0x99, 0x9B, 0xF9, 0xE3, 0x99, 0x72, 0x3F, 0x35, 0x29,
- 0x85, 0xE0, 0xC8, 0xBF, 0xB1, 0x6B, 0xB1, 0x6E, 0x72, 0x00,
- }
-
- var ct = [330 + 16]byte{
- 0xFF, 0xEB, 0xEF, 0x4A, 0xC0, 0x57, 0x0F, 0x26, 0xAC, 0x76,
- 0xA8, 0xB0, 0xA3, 0x5D, 0x9C, 0xD9, 0x25, 0xD1, 0x7F, 0x92,
- 0x5D, 0xF4, 0x23, 0x34, 0xC3, 0x03, 0x10, 0xE1, 0xB0, 0x24,
- 0x9B, 0x44, 0x58, 0x26, 0x13, 0x56, 0x83, 0x43, 0x72, 0x69,
- 0x28, 0x0D, 0x55, 0x07, 0x1F, 0xDB, 0xC0, 0x23, 0x34, 0x83,
- 0x1A, 0x09, 0x9B, 0x80, 0x00, 0x64, 0x56, 0xDC, 0x79, 0x7A,
- 0xD2, 0xCE, 0x23, 0xC9, 0x72, 0x27, 0xFC, 0x8D, 0xAB, 0xBF,
- 0xD3, 0x17, 0xF6, 0x91, 0x7B, 0x15, 0x93, 0x83, 0x8A, 0x4F,
- 0x6C, 0xCA, 0x4A, 0x94, 0xDA, 0xC7, 0x9D, 0xB6, 0xD6, 0xBA,
- 0xBD, 0x81, 0x9A, 0x78, 0xE5, 0xE5, 0xBE, 0x17, 0xBC, 0xCB,
- 0xC8, 0x23, 0x80, 0x5F, 0x75, 0xF8, 0xDB, 0x51, 0x55, 0x00,
- 0x25, 0x33, 0x52, 0x64, 0xB2, 0xD6, 0xD8, 0x9A, 0x2A, 0x9E,
- 0x29, 0x99, 0x13, 0x33, 0xE2, 0xA7, 0x98, 0xAC, 0xD7, 0x79,
- 0x5C, 0x2F, 0xBA, 0x07, 0xC3, 0x03, 0x37, 0xD6, 0xE6, 0xB5,
- 0xA1, 0xF5, 0x29, 0xB6, 0xF6, 0xC0, 0x5C, 0x44, 0x68, 0x2B,
- 0x0B, 0xF5, 0x00, 0x01, 0x44, 0xD5, 0xCC, 0x23, 0xB5, 0x27,
- 0x4F, 0xCA, 0xB4, 0x05, 0x01, 0xF9, 0xD4, 0x41, 0xE0, 0xE1,
- 0x1E, 0xCF, 0xA9, 0xBC, 0x79, 0xD7, 0xD5, 0xF5, 0x3C, 0xE6,
- 0x93, 0xF4, 0x6C, 0x84, 0x5A, 0x2C, 0x4B, 0xE4, 0x91, 0xB2,
- 0xB2, 0xB8, 0xAD, 0x74, 0x9A, 0x69, 0x79, 0x4C, 0x84, 0xB7,
- 0xBF, 0xF1, 0x68, 0x4B, 0xAE, 0x0F, 0x7F, 0x45, 0x3B, 0x18,
- 0x3F, 0xFA, 0x00, 0x48, 0xE0, 0x3A, 0xE2, 0xC0, 0xAE, 0x00,
- 0xCE, 0x90, 0x28, 0xA4, 0x1B, 0xBE, 0xCA, 0x0C, 0x21, 0x29,
- 0x64, 0x30, 0x5E, 0x35, 0xAD, 0xFD, 0x83, 0x47, 0x40, 0x6D,
- 0x15, 0x56, 0xFC, 0xF8, 0x5F, 0xAB, 0x81, 0xFE, 0x6B, 0xE9,
- 0x6B, 0xED, 0x27, 0x35, 0x7C, 0xD8, 0x2C, 0xD4, 0xF2, 0x11,
- 0xE6, 0xAF, 0xDF, 0xB8, 0x91, 0x96, 0xEB, 0xF7, 0x4C, 0x8D,
- 0x70, 0x77, 0x90, 0x81, 0x00, 0x09, 0x19, 0x27, 0x8A, 0x9E,
- 0xB6, 0x1A, 0xE9, 0xAC, 0x6C, 0xC9, 0xF8, 0xEA, 0xA2, 0x34,
- 0xB8, 0xAC, 0xB3, 0xB3, 0x68, 0xA1, 0xB7, 0x29, 0x55, 0xCA,
- 0x40, 0x23, 0x92, 0x5C, 0x0C, 0x79, 0x6B, 0xD6, 0x9F, 0x5B,
- 0xD2, 0xE6, 0xAE, 0x04, 0xCB, 0xEC, 0xC7, 0x88, 0x18, 0xDB,
- 0x7A, 0xE6, 0xD6, 0xC9, 0x39, 0xFD, 0x93, 0x9B, 0xC8, 0x01,
- 0x6F, 0x3E, 0x6C, 0x90, 0x3E, 0x73, 0x76, 0x99, 0x7C, 0x48,
- 0xDA, 0x68, 0x48, 0x80, 0x2B, 0x63,
- }
- var ssExp = [16]byte{
- 0xA1, 0xF9, 0x5A, 0x67, 0xB9, 0x3D, 0x1E, 0x72, 0xE8, 0xC5,
- 0x71, 0xF1, 0x4C, 0xB2, 0xAA, 0x6D,
- }
-
- var prvObj = NewPrivateKey(KeyVariant_SIKE)
- var pubObj = NewPublicKey(KeyVariant_SIKE)
-
- if pubObj.Import(pk[:]) != nil || prvObj.Import(sk[:]) != nil {
- t.Error("Can't import one of the keys")
- }
-
- res, _ := Decapsulate(prvObj, pubObj, ct[:])
- if !bytes.Equal(ssExp[:], res) {
- t.Error("Wrong decapsulation result")
- }
-}
-
-/* -------------------------------------------------------------------------
- Benchmarking
- -------------------------------------------------------------------------*/
-
-func BenchmarkSidhKeyAgreement(b *testing.B) {
- // KeyPairs
- alicePublic := convToPub(tdata.PkA_sidh, KeyVariant_SIDH_A)
- alicePrivate := convToPrv(tdata.PrA_sidh, KeyVariant_SIDH_A)
- bobPublic := convToPub(tdata.PkB_sidh, KeyVariant_SIDH_B)
- bobPrivate := convToPrv(tdata.PrB_sidh, KeyVariant_SIDH_B)
-
- for i := 0; i < b.N; i++ {
- // Derive shared secret
- DeriveSecret(bobPrivate, alicePublic)
- DeriveSecret(alicePrivate, bobPublic)
- }
-}
-
-func BenchmarkAliceKeyGenPrv(b *testing.B) {
- prv := NewPrivateKey(KeyVariant_SIDH_A)
- for n := 0; n < b.N; n++ {
- prv.Generate(rand.Reader)
- }
-}
-
-func BenchmarkBobKeyGenPrv(b *testing.B) {
- prv := NewPrivateKey(KeyVariant_SIDH_B)
- for n := 0; n < b.N; n++ {
- prv.Generate(rand.Reader)
- }
-}
-
-func BenchmarkAliceKeyGenPub(b *testing.B) {
- prv := NewPrivateKey(KeyVariant_SIDH_A)
- prv.Generate(rand.Reader)
- for n := 0; n < b.N; n++ {
- prv.GeneratePublicKey()
- }
-}
-
-func BenchmarkBobKeyGenPub(b *testing.B) {
- prv := NewPrivateKey(KeyVariant_SIDH_B)
- prv.Generate(rand.Reader)
- for n := 0; n < b.N; n++ {
- prv.GeneratePublicKey()
- }
-}
-
-func BenchmarkSharedSecretAlice(b *testing.B) {
- aPr := convToPrv(tdata.PrA_sidh, KeyVariant_SIDH_A)
- bPk := convToPub(tdata.PkB_sike, KeyVariant_SIDH_B)
- for n := 0; n < b.N; n++ {
- DeriveSecret(aPr, bPk)
- }
-}
-
-func BenchmarkSharedSecretBob(b *testing.B) {
- // m_B = 3*randint(0,3^238)
- aPk := convToPub(tdata.PkA_sidh, KeyVariant_SIDH_A)
- bPr := convToPrv(tdata.PrB_sidh, KeyVariant_SIDH_B)
- for n := 0; n < b.N; n++ {
- DeriveSecret(bPr, aPk)
- }
-}
diff --git a/src/ssl/test/runner/tls.go b/src/ssl/test/runner/tls.go
index 1862b3d..128d22e 100644
--- a/src/ssl/test/runner/tls.go
+++ b/src/ssl/test/runner/tls.go
@@ -276,13 +276,15 @@
}
func getCertificatePublicKey(cert *x509.Certificate) crypto.PublicKey {
- // TODO(davidben): When Go 1.13 is released, use the Ed25519 support in
- // the standard library.
+ if cert.PublicKey != nil {
+ return cert.PublicKey
+ }
+
if isEd25519Certificate(cert) {
return ed25519.PublicKey(cert.RawSubjectPublicKeyInfo[len(ed25519SPKIPrefix):])
}
- return cert.PublicKey
+ return nil
}
var ed25519PKCS8Prefix = []byte{0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
@@ -292,12 +294,6 @@
// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
func parsePrivateKey(der []byte) (crypto.PrivateKey, error) {
- // TODO(davidben): When Go 1.13 is released, use the Ed25519 support in
- // the standard library.
- if bytes.HasPrefix(der, ed25519PKCS8Prefix) && len(der) == len(ed25519PKCS8Prefix)+32 {
- seed := der[len(ed25519PKCS8Prefix):]
- return ed25519.NewKeyFromSeed(seed), nil
- }
if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
return key, nil
}
@@ -313,5 +309,10 @@
return key, nil
}
+ if bytes.HasPrefix(der, ed25519PKCS8Prefix) && len(der) == len(ed25519PKCS8Prefix)+32 {
+ seed := der[len(ed25519PKCS8Prefix):]
+ return ed25519.NewKeyFromSeed(seed), nil
+ }
+
return nil, errors.New("crypto/tls: failed to parse private key")
}
diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc
index bd32ce9..70e061b 100644
--- a/src/ssl/test/test_config.cc
+++ b/src/ssl/test/test_config.cc
@@ -51,181 +51,181 @@
}
const Flag<bool> kBoolFlags[] = {
- {"-server", &TestConfig::is_server},
- {"-dtls", &TestConfig::is_dtls},
- {"-fallback-scsv", &TestConfig::fallback_scsv},
- {"-require-any-client-certificate",
- &TestConfig::require_any_client_certificate},
- {"-false-start", &TestConfig::false_start},
- {"-async", &TestConfig::async},
- {"-write-different-record-sizes",
- &TestConfig::write_different_record_sizes},
- {"-cbc-record-splitting", &TestConfig::cbc_record_splitting},
- {"-partial-write", &TestConfig::partial_write},
- {"-no-tls13", &TestConfig::no_tls13},
- {"-no-tls12", &TestConfig::no_tls12},
- {"-no-tls11", &TestConfig::no_tls11},
- {"-no-tls1", &TestConfig::no_tls1},
- {"-no-ticket", &TestConfig::no_ticket},
- {"-enable-channel-id", &TestConfig::enable_channel_id},
- {"-shim-writes-first", &TestConfig::shim_writes_first},
- {"-expect-session-miss", &TestConfig::expect_session_miss},
- {"-decline-alpn", &TestConfig::decline_alpn},
- {"-select-empty-alpn", &TestConfig::select_empty_alpn},
- {"-expect-extended-master-secret",
- &TestConfig::expect_extended_master_secret},
- {"-enable-ocsp-stapling", &TestConfig::enable_ocsp_stapling},
- {"-enable-signed-cert-timestamps",
- &TestConfig::enable_signed_cert_timestamps},
- {"-implicit-handshake", &TestConfig::implicit_handshake},
- {"-use-early-callback", &TestConfig::use_early_callback},
- {"-fail-early-callback", &TestConfig::fail_early_callback},
- {"-install-ddos-callback", &TestConfig::install_ddos_callback},
- {"-fail-ddos-callback", &TestConfig::fail_ddos_callback},
- {"-fail-cert-callback", &TestConfig::fail_cert_callback},
- {"-handshake-never-done", &TestConfig::handshake_never_done},
- {"-use-export-context", &TestConfig::use_export_context},
- {"-tls-unique", &TestConfig::tls_unique},
- {"-expect-ticket-renewal", &TestConfig::expect_ticket_renewal},
- {"-expect-no-session", &TestConfig::expect_no_session},
- {"-expect-ticket-supports-early-data",
- &TestConfig::expect_ticket_supports_early_data},
- {"-use-ticket-callback", &TestConfig::use_ticket_callback},
- {"-renew-ticket", &TestConfig::renew_ticket},
- {"-enable-early-data", &TestConfig::enable_early_data},
- {"-check-close-notify", &TestConfig::check_close_notify},
- {"-shim-shuts-down", &TestConfig::shim_shuts_down},
- {"-verify-fail", &TestConfig::verify_fail},
- {"-verify-peer", &TestConfig::verify_peer},
- {"-verify-peer-if-no-obc", &TestConfig::verify_peer_if_no_obc},
- {"-expect-verify-result", &TestConfig::expect_verify_result},
- {"-renegotiate-once", &TestConfig::renegotiate_once},
- {"-renegotiate-freely", &TestConfig::renegotiate_freely},
- {"-renegotiate-ignore", &TestConfig::renegotiate_ignore},
- {"-forbid-renegotiation-after-handshake",
- &TestConfig::forbid_renegotiation_after_handshake},
- {"-enable-all-curves", &TestConfig::enable_all_curves},
- {"-use-old-client-cert-callback",
- &TestConfig::use_old_client_cert_callback},
- {"-send-alert", &TestConfig::send_alert},
- {"-peek-then-read", &TestConfig::peek_then_read},
- {"-enable-grease", &TestConfig::enable_grease},
- {"-use-exporter-between-reads", &TestConfig::use_exporter_between_reads},
- {"-retain-only-sha256-client-cert",
- &TestConfig::retain_only_sha256_client_cert},
- {"-expect-sha256-client-cert", &TestConfig::expect_sha256_client_cert},
- {"-read-with-unfinished-write", &TestConfig::read_with_unfinished_write},
- {"-expect-secure-renegotiation", &TestConfig::expect_secure_renegotiation},
- {"-expect-no-secure-renegotiation",
- &TestConfig::expect_no_secure_renegotiation},
- {"-expect-session-id", &TestConfig::expect_session_id},
- {"-expect-no-session-id", &TestConfig::expect_no_session_id},
- {"-expect-accept-early-data", &TestConfig::expect_accept_early_data},
- {"-expect-reject-early-data", &TestConfig::expect_reject_early_data},
- {"-expect-no-offer-early-data", &TestConfig::expect_no_offer_early_data},
- {"-no-op-extra-handshake", &TestConfig::no_op_extra_handshake},
- {"-handshake-twice", &TestConfig::handshake_twice},
- {"-allow-unknown-alpn-protos", &TestConfig::allow_unknown_alpn_protos},
- {"-enable-ed25519", &TestConfig::enable_ed25519},
- {"-use-custom-verify-callback", &TestConfig::use_custom_verify_callback},
- {"-allow-false-start-without-alpn",
- &TestConfig::allow_false_start_without_alpn},
- {"-ignore-tls13-downgrade", &TestConfig::ignore_tls13_downgrade},
- {"-expect-tls13-downgrade", &TestConfig::expect_tls13_downgrade},
- {"-handoff", &TestConfig::handoff},
- {"-no-rsa-pss-rsae-certs", &TestConfig::no_rsa_pss_rsae_certs},
- {"-use-ocsp-callback", &TestConfig::use_ocsp_callback},
- {"-set-ocsp-in-callback", &TestConfig::set_ocsp_in_callback},
- {"-decline-ocsp-callback", &TestConfig::decline_ocsp_callback},
- {"-fail-ocsp-callback", &TestConfig::fail_ocsp_callback},
- {"-install-cert-compression-algs",
- &TestConfig::install_cert_compression_algs},
- {"-is-handshaker-supported", &TestConfig::is_handshaker_supported},
- {"-handshaker-resume", &TestConfig::handshaker_resume},
- {"-reverify-on-resume", &TestConfig::reverify_on_resume},
- {"-enforce-rsa-key-usage", &TestConfig::enforce_rsa_key_usage},
- {"-jdk11-workaround", &TestConfig::jdk11_workaround},
- {"-server-preference", &TestConfig::server_preference},
- {"-export-traffic-secrets", &TestConfig::export_traffic_secrets},
- {"-key-update", &TestConfig::key_update},
- {"-expect-delegated-credential-used",
- &TestConfig::expect_delegated_credential_used},
- {"-enable-pq-experiment-signal", &TestConfig::enable_pq_experiment_signal},
- {"-expect-pq-experiment-signal", &TestConfig::expect_pq_experiment_signal},
+ { "-server", &TestConfig::is_server },
+ { "-dtls", &TestConfig::is_dtls },
+ { "-fallback-scsv", &TestConfig::fallback_scsv },
+ { "-require-any-client-certificate",
+ &TestConfig::require_any_client_certificate },
+ { "-false-start", &TestConfig::false_start },
+ { "-async", &TestConfig::async },
+ { "-write-different-record-sizes",
+ &TestConfig::write_different_record_sizes },
+ { "-cbc-record-splitting", &TestConfig::cbc_record_splitting },
+ { "-partial-write", &TestConfig::partial_write },
+ { "-no-tls13", &TestConfig::no_tls13 },
+ { "-no-tls12", &TestConfig::no_tls12 },
+ { "-no-tls11", &TestConfig::no_tls11 },
+ { "-no-tls1", &TestConfig::no_tls1 },
+ { "-no-ticket", &TestConfig::no_ticket },
+ { "-enable-channel-id", &TestConfig::enable_channel_id },
+ { "-shim-writes-first", &TestConfig::shim_writes_first },
+ { "-expect-session-miss", &TestConfig::expect_session_miss },
+ { "-decline-alpn", &TestConfig::decline_alpn },
+ { "-select-empty-alpn", &TestConfig::select_empty_alpn },
+ { "-expect-extended-master-secret",
+ &TestConfig::expect_extended_master_secret },
+ { "-enable-ocsp-stapling", &TestConfig::enable_ocsp_stapling },
+ { "-enable-signed-cert-timestamps",
+ &TestConfig::enable_signed_cert_timestamps },
+ { "-implicit-handshake", &TestConfig::implicit_handshake },
+ { "-use-early-callback", &TestConfig::use_early_callback },
+ { "-fail-early-callback", &TestConfig::fail_early_callback },
+ { "-install-ddos-callback", &TestConfig::install_ddos_callback },
+ { "-fail-ddos-callback", &TestConfig::fail_ddos_callback },
+ { "-fail-cert-callback", &TestConfig::fail_cert_callback },
+ { "-handshake-never-done", &TestConfig::handshake_never_done },
+ { "-use-export-context", &TestConfig::use_export_context },
+ { "-tls-unique", &TestConfig::tls_unique },
+ { "-expect-ticket-renewal", &TestConfig::expect_ticket_renewal },
+ { "-expect-no-session", &TestConfig::expect_no_session },
+ { "-expect-ticket-supports-early-data",
+ &TestConfig::expect_ticket_supports_early_data },
+ { "-use-ticket-callback", &TestConfig::use_ticket_callback },
+ { "-renew-ticket", &TestConfig::renew_ticket },
+ { "-enable-early-data", &TestConfig::enable_early_data },
+ { "-check-close-notify", &TestConfig::check_close_notify },
+ { "-shim-shuts-down", &TestConfig::shim_shuts_down },
+ { "-verify-fail", &TestConfig::verify_fail },
+ { "-verify-peer", &TestConfig::verify_peer },
+ { "-verify-peer-if-no-obc", &TestConfig::verify_peer_if_no_obc },
+ { "-expect-verify-result", &TestConfig::expect_verify_result },
+ { "-renegotiate-once", &TestConfig::renegotiate_once },
+ { "-renegotiate-freely", &TestConfig::renegotiate_freely },
+ { "-renegotiate-ignore", &TestConfig::renegotiate_ignore },
+ { "-forbid-renegotiation-after-handshake",
+ &TestConfig::forbid_renegotiation_after_handshake },
+ { "-enable-all-curves", &TestConfig::enable_all_curves },
+ { "-use-old-client-cert-callback",
+ &TestConfig::use_old_client_cert_callback },
+ { "-send-alert", &TestConfig::send_alert },
+ { "-peek-then-read", &TestConfig::peek_then_read },
+ { "-enable-grease", &TestConfig::enable_grease },
+ { "-use-exporter-between-reads", &TestConfig::use_exporter_between_reads },
+ { "-retain-only-sha256-client-cert",
+ &TestConfig::retain_only_sha256_client_cert },
+ { "-expect-sha256-client-cert",
+ &TestConfig::expect_sha256_client_cert },
+ { "-read-with-unfinished-write", &TestConfig::read_with_unfinished_write },
+ { "-expect-secure-renegotiation",
+ &TestConfig::expect_secure_renegotiation },
+ { "-expect-no-secure-renegotiation",
+ &TestConfig::expect_no_secure_renegotiation },
+ { "-expect-session-id", &TestConfig::expect_session_id },
+ { "-expect-no-session-id", &TestConfig::expect_no_session_id },
+ { "-expect-accept-early-data", &TestConfig::expect_accept_early_data },
+ { "-expect-reject-early-data", &TestConfig::expect_reject_early_data },
+ { "-expect-no-offer-early-data", &TestConfig::expect_no_offer_early_data },
+ { "-no-op-extra-handshake", &TestConfig::no_op_extra_handshake },
+ { "-handshake-twice", &TestConfig::handshake_twice },
+ { "-allow-unknown-alpn-protos", &TestConfig::allow_unknown_alpn_protos },
+ { "-enable-ed25519", &TestConfig::enable_ed25519 },
+ { "-use-custom-verify-callback", &TestConfig::use_custom_verify_callback },
+ { "-allow-false-start-without-alpn",
+ &TestConfig::allow_false_start_without_alpn },
+ { "-ignore-tls13-downgrade", &TestConfig::ignore_tls13_downgrade },
+ { "-expect-tls13-downgrade", &TestConfig::expect_tls13_downgrade },
+ { "-handoff", &TestConfig::handoff },
+ { "-no-rsa-pss-rsae-certs", &TestConfig::no_rsa_pss_rsae_certs },
+ { "-use-ocsp-callback", &TestConfig::use_ocsp_callback },
+ { "-set-ocsp-in-callback", &TestConfig::set_ocsp_in_callback },
+ { "-decline-ocsp-callback", &TestConfig::decline_ocsp_callback },
+ { "-fail-ocsp-callback", &TestConfig::fail_ocsp_callback },
+ { "-install-cert-compression-algs",
+ &TestConfig::install_cert_compression_algs },
+ { "-is-handshaker-supported", &TestConfig::is_handshaker_supported },
+ { "-handshaker-resume", &TestConfig::handshaker_resume },
+ { "-reverify-on-resume", &TestConfig::reverify_on_resume },
+ { "-enforce-rsa-key-usage", &TestConfig::enforce_rsa_key_usage },
+ { "-jdk11-workaround", &TestConfig::jdk11_workaround },
+ { "-server-preference", &TestConfig::server_preference },
+ { "-export-traffic-secrets", &TestConfig::export_traffic_secrets },
+ { "-key-update", &TestConfig::key_update },
};
const Flag<std::string> kStringFlags[] = {
- {"-write-settings", &TestConfig::write_settings},
- {"-key-file", &TestConfig::key_file},
- {"-cert-file", &TestConfig::cert_file},
- {"-expect-server-name", &TestConfig::expect_server_name},
- {"-advertise-npn", &TestConfig::advertise_npn},
- {"-expect-next-proto", &TestConfig::expect_next_proto},
- {"-select-next-proto", &TestConfig::select_next_proto},
- {"-send-channel-id", &TestConfig::send_channel_id},
- {"-host-name", &TestConfig::host_name},
- {"-advertise-alpn", &TestConfig::advertise_alpn},
- {"-expect-alpn", &TestConfig::expect_alpn},
- {"-expect-late-alpn", &TestConfig::expect_late_alpn},
- {"-expect-advertised-alpn", &TestConfig::expect_advertised_alpn},
- {"-select-alpn", &TestConfig::select_alpn},
- {"-psk", &TestConfig::psk},
- {"-psk-identity", &TestConfig::psk_identity},
- {"-srtp-profiles", &TestConfig::srtp_profiles},
- {"-cipher", &TestConfig::cipher},
- {"-export-label", &TestConfig::export_label},
- {"-export-context", &TestConfig::export_context},
- {"-expect-peer-cert-file", &TestConfig::expect_peer_cert_file},
- {"-use-client-ca-list", &TestConfig::use_client_ca_list},
- {"-expect-client-ca-list", &TestConfig::expect_client_ca_list},
- {"-expect-msg-callback", &TestConfig::expect_msg_callback},
- {"-handshaker-path", &TestConfig::handshaker_path},
- {"-delegated-credential", &TestConfig::delegated_credential},
- {"-expect-early-data-reason", &TestConfig::expect_early_data_reason},
+ { "-write-settings", &TestConfig::write_settings },
+ { "-key-file", &TestConfig::key_file },
+ { "-cert-file", &TestConfig::cert_file },
+ { "-expect-server-name", &TestConfig::expected_server_name },
+ { "-advertise-npn", &TestConfig::advertise_npn },
+ { "-expect-next-proto", &TestConfig::expected_next_proto },
+ { "-select-next-proto", &TestConfig::select_next_proto },
+ { "-send-channel-id", &TestConfig::send_channel_id },
+ { "-host-name", &TestConfig::host_name },
+ { "-advertise-alpn", &TestConfig::advertise_alpn },
+ { "-expect-alpn", &TestConfig::expected_alpn },
+ { "-expect-late-alpn", &TestConfig::expected_late_alpn },
+ { "-expect-advertised-alpn", &TestConfig::expected_advertised_alpn },
+ { "-select-alpn", &TestConfig::select_alpn },
+ { "-psk", &TestConfig::psk },
+ { "-psk-identity", &TestConfig::psk_identity },
+ { "-srtp-profiles", &TestConfig::srtp_profiles },
+ { "-cipher", &TestConfig::cipher },
+ { "-export-label", &TestConfig::export_label },
+ { "-export-context", &TestConfig::export_context },
+ { "-expect-peer-cert-file", &TestConfig::expect_peer_cert_file },
+ { "-use-client-ca-list", &TestConfig::use_client_ca_list },
+ { "-expect-client-ca-list", &TestConfig::expected_client_ca_list },
+ { "-expect-msg-callback", &TestConfig::expect_msg_callback },
+ { "-handshaker-path", &TestConfig::handshaker_path },
+ { "-delegated-credential", &TestConfig::delegated_credential },
};
const Flag<std::string> kBase64Flags[] = {
- {"-expect-certificate-types", &TestConfig::expect_certificate_types},
- {"-expect-channel-id", &TestConfig::expect_channel_id},
- {"-token-binding-params", &TestConfig::send_token_binding_params},
- {"-expect-ocsp-response", &TestConfig::expect_ocsp_response},
- {"-expect-signed-cert-timestamps",
- &TestConfig::expect_signed_cert_timestamps},
- {"-ocsp-response", &TestConfig::ocsp_response},
- {"-signed-cert-timestamps", &TestConfig::signed_cert_timestamps},
- {"-ticket-key", &TestConfig::ticket_key},
- {"-quic-transport-params", &TestConfig::quic_transport_params},
- {"-expect-quic-transport-params",
- &TestConfig::expect_quic_transport_params},
+ { "-expect-certificate-types", &TestConfig::expected_certificate_types },
+ { "-expect-channel-id", &TestConfig::expected_channel_id },
+ { "-token-binding-params", &TestConfig::send_token_binding_params },
+ { "-expect-ocsp-response", &TestConfig::expected_ocsp_response },
+ { "-expect-signed-cert-timestamps",
+ &TestConfig::expected_signed_cert_timestamps },
+ { "-ocsp-response", &TestConfig::ocsp_response },
+ { "-signed-cert-timestamps", &TestConfig::signed_cert_timestamps },
+ { "-ticket-key", &TestConfig::ticket_key },
+ { "-quic-transport-params", &TestConfig::quic_transport_params },
+ { "-expected-quic-transport-params",
+ &TestConfig::expected_quic_transport_params },
};
const Flag<int> kIntFlags[] = {
- {"-port", &TestConfig::port},
- {"-resume-count", &TestConfig::resume_count},
- {"-expect-token-binding-param", &TestConfig::expect_token_binding_param},
- {"-min-version", &TestConfig::min_version},
- {"-max-version", &TestConfig::max_version},
- {"-expect-version", &TestConfig::expect_version},
- {"-mtu", &TestConfig::mtu},
- {"-export-keying-material", &TestConfig::export_keying_material},
- {"-expect-total-renegotiations", &TestConfig::expect_total_renegotiations},
- {"-expect-peer-signature-algorithm",
- &TestConfig::expect_peer_signature_algorithm},
- {"-expect-curve-id", &TestConfig::expect_curve_id},
- {"-initial-timeout-duration-ms", &TestConfig::initial_timeout_duration_ms},
- {"-max-cert-list", &TestConfig::max_cert_list},
- {"-expect-cipher-aes", &TestConfig::expect_cipher_aes},
- {"-expect-cipher-no-aes", &TestConfig::expect_cipher_no_aes},
- {"-resumption-delay", &TestConfig::resumption_delay},
- {"-max-send-fragment", &TestConfig::max_send_fragment},
- {"-read-size", &TestConfig::read_size},
- {"-expect-ticket-age-skew", &TestConfig::expect_ticket_age_skew},
+ { "-port", &TestConfig::port },
+ { "-resume-count", &TestConfig::resume_count },
+ { "-expected-token-binding-param",
+ &TestConfig::expected_token_binding_param },
+ { "-min-version", &TestConfig::min_version },
+ { "-max-version", &TestConfig::max_version },
+ { "-expect-version", &TestConfig::expect_version },
+ { "-mtu", &TestConfig::mtu },
+ { "-export-early-keying-material",
+ &TestConfig::export_early_keying_material },
+ { "-export-keying-material", &TestConfig::export_keying_material },
+ { "-expect-total-renegotiations", &TestConfig::expect_total_renegotiations },
+ { "-expect-peer-signature-algorithm",
+ &TestConfig::expect_peer_signature_algorithm },
+ { "-expect-curve-id", &TestConfig::expect_curve_id },
+ { "-initial-timeout-duration-ms", &TestConfig::initial_timeout_duration_ms },
+ { "-max-cert-list", &TestConfig::max_cert_list },
+ { "-expect-cipher-aes", &TestConfig::expect_cipher_aes },
+ { "-expect-cipher-no-aes", &TestConfig::expect_cipher_no_aes },
+ { "-resumption-delay", &TestConfig::resumption_delay },
+ { "-max-send-fragment", &TestConfig::max_send_fragment },
+ { "-read-size", &TestConfig::read_size },
+ { "-expect-ticket-age-skew", &TestConfig::expect_ticket_age_skew },
};
const Flag<std::vector<int>> kIntVectorFlags[] = {
{"-signing-prefs", &TestConfig::signing_prefs},
{"-verify-prefs", &TestConfig::verify_prefs},
- {"-expect-peer-verify-pref", &TestConfig::expect_peer_verify_prefs},
+ {"-expect-peer-verify-pref", &TestConfig::expected_peer_verify_prefs},
{"-curves", &TestConfig::curves},
};
@@ -243,7 +243,7 @@
if (string_field != NULL) {
*i = *i + 1;
if (*i >= argc) {
- fprintf(stderr, "Missing parameter.\n");
+ fprintf(stderr, "Missing parameter\n");
return false;
}
if (!skip) {
@@ -256,19 +256,19 @@
if (base64_field != NULL) {
*i = *i + 1;
if (*i >= argc) {
- fprintf(stderr, "Missing parameter.\n");
+ fprintf(stderr, "Missing parameter\n");
return false;
}
size_t len;
if (!EVP_DecodedLength(&len, strlen(argv[*i]))) {
- fprintf(stderr, "Invalid base64: %s.\n", argv[*i]);
+ fprintf(stderr, "Invalid base64: %s\n", argv[*i]);
return false;
}
std::unique_ptr<uint8_t[]> decoded(new uint8_t[len]);
if (!EVP_DecodeBase64(decoded.get(), &len, len,
reinterpret_cast<const uint8_t *>(argv[*i]),
strlen(argv[*i]))) {
- fprintf(stderr, "Invalid base64: %s.\n", argv[*i]);
+ fprintf(stderr, "Invalid base64: %s\n", argv[*i]);
return false;
}
if (!skip) {
@@ -282,7 +282,7 @@
if (int_field) {
*i = *i + 1;
if (*i >= argc) {
- fprintf(stderr, "Missing parameter.\n");
+ fprintf(stderr, "Missing parameter\n");
return false;
}
if (!skip) {
@@ -296,7 +296,7 @@
if (int_vector_field) {
*i = *i + 1;
if (*i >= argc) {
- fprintf(stderr, "Missing parameter.\n");
+ fprintf(stderr, "Missing parameter\n");
return false;
}
@@ -307,7 +307,7 @@
return true;
}
- fprintf(stderr, "Unknown argument: %s.\n", flag);
+ fprintf(stderr, "Unknown argument: %s\n", flag);
return false;
}
@@ -403,9 +403,9 @@
const TestConfig *config = GetTestConfig(ssl);
const char *server_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
if (server_name == nullptr ||
- std::string(server_name) != config->expect_server_name) {
- fprintf(stderr, "servername mismatch (got %s; want %s).\n", server_name,
- config->expect_server_name.c_str());
+ std::string(server_name) != config->expected_server_name) {
+ fprintf(stderr, "servername mismatch (got %s; want %s)\n", server_name,
+ config->expected_server_name.c_str());
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
@@ -449,7 +449,7 @@
if (content_type == SSL3_RT_HEADER) {
if (len !=
(config->is_dtls ? DTLS1_RT_HEADER_LENGTH : SSL3_RT_HEADER_LENGTH)) {
- fprintf(stderr, "Incorrect length for record header: %zu.\n", len);
+ fprintf(stderr, "Incorrect length for record header: %zu\n", len);
state->msg_callback_ok = false;
}
return;
@@ -459,7 +459,7 @@
switch (content_type) {
case 0:
if (version != SSL2_VERSION) {
- fprintf(stderr, "Incorrect version for V2ClientHello: %x.\n", version);
+ fprintf(stderr, "Incorrect version for V2ClientHello: %x\n", version);
state->msg_callback_ok = false;
return;
}
@@ -509,7 +509,7 @@
return;
default:
- fprintf(stderr, "Invalid content_type: %d.\n", content_type);
+ fprintf(stderr, "Invalid content_type: %d\n", content_type);
state->msg_callback_ok = false;
}
}
@@ -618,11 +618,11 @@
return SSL_TLSEXT_ERR_NOACK;
}
- if (!config->expect_advertised_alpn.empty() &&
- (config->expect_advertised_alpn.size() != inlen ||
- OPENSSL_memcmp(config->expect_advertised_alpn.data(), in, inlen) !=
+ if (!config->expected_advertised_alpn.empty() &&
+ (config->expected_advertised_alpn.size() != inlen ||
+ OPENSSL_memcmp(config->expected_advertised_alpn.data(), in, inlen) !=
0)) {
- fprintf(stderr, "bad ALPN select callback inputs.\n");
+ fprintf(stderr, "bad ALPN select callback inputs\n");
exit(1);
}
@@ -634,12 +634,12 @@
static bool CheckVerifyCallback(SSL *ssl) {
const TestConfig *config = GetTestConfig(ssl);
- if (!config->expect_ocsp_response.empty()) {
+ if (!config->expected_ocsp_response.empty()) {
const uint8_t *data;
size_t len;
SSL_get0_ocsp_response(ssl, &data, &len);
if (len == 0) {
- fprintf(stderr, "OCSP response not available in verify callback.\n");
+ fprintf(stderr, "OCSP response not available in verify callback\n");
return false;
}
}
@@ -808,7 +808,7 @@
for (const auto &part : parts) {
std::string binary;
if (!HexDecode(&binary, part)) {
- fprintf(stderr, "Bad hex string: %s.\n", part.c_str());
+ fprintf(stderr, "Bad hex string: %s\n", part.c_str());
return ret;
}
@@ -847,22 +847,22 @@
static bool CheckPeerVerifyPrefs(SSL *ssl) {
const TestConfig *config = GetTestConfig(ssl);
- if (!config->expect_peer_verify_prefs.empty()) {
+ if (!config->expected_peer_verify_prefs.empty()) {
const uint16_t *peer_sigalgs;
size_t num_peer_sigalgs =
SSL_get0_peer_verify_algorithms(ssl, &peer_sigalgs);
- if (config->expect_peer_verify_prefs.size() != num_peer_sigalgs) {
+ if (config->expected_peer_verify_prefs.size() != num_peer_sigalgs) {
fprintf(stderr,
"peer verify preferences length mismatch (got %zu, wanted %zu)\n",
- num_peer_sigalgs, config->expect_peer_verify_prefs.size());
+ num_peer_sigalgs, config->expected_peer_verify_prefs.size());
return false;
}
for (size_t i = 0; i < num_peer_sigalgs; i++) {
if (static_cast<int>(peer_sigalgs[i]) !=
- config->expect_peer_verify_prefs[i]) {
+ config->expected_peer_verify_prefs[i]) {
fprintf(stderr,
"peer verify preference %zu mismatch (got %04x, wanted %04x\n",
- i, peer_sigalgs[i], config->expect_peer_verify_prefs[i]);
+ i, peer_sigalgs[i], config->expected_peer_verify_prefs[i]);
return false;
}
}
@@ -877,29 +877,29 @@
return false;
}
- if (!config->expect_certificate_types.empty()) {
+ if (!config->expected_certificate_types.empty()) {
const uint8_t *certificate_types;
size_t certificate_types_len =
SSL_get0_certificate_types(ssl, &certificate_types);
- if (certificate_types_len != config->expect_certificate_types.size() ||
+ if (certificate_types_len != config->expected_certificate_types.size() ||
OPENSSL_memcmp(certificate_types,
- config->expect_certificate_types.data(),
+ config->expected_certificate_types.data(),
certificate_types_len) != 0) {
- fprintf(stderr, "certificate types mismatch.\n");
+ fprintf(stderr, "certificate types mismatch\n");
return false;
}
}
- if (!config->expect_client_ca_list.empty()) {
+ if (!config->expected_client_ca_list.empty()) {
bssl::UniquePtr<STACK_OF(X509_NAME)> expected =
- DecodeHexX509Names(config->expect_client_ca_list);
+ DecodeHexX509Names(config->expected_client_ca_list);
const size_t num_expected = sk_X509_NAME_num(expected.get());
const STACK_OF(X509_NAME) *received = SSL_get_client_CA_list(ssl);
const size_t num_received = sk_X509_NAME_num(received);
if (num_received != num_expected) {
- fprintf(stderr, "expected %u names in CertificateRequest but got %u.\n",
+ fprintf(stderr, "expected %u names in CertificateRequest but got %u\n",
static_cast<unsigned>(num_expected),
static_cast<unsigned>(num_received));
return false;
@@ -908,7 +908,7 @@
for (size_t i = 0; i < num_received; i++) {
if (X509_NAME_cmp(sk_X509_NAME_value(received, i),
sk_X509_NAME_value(expected.get(), i)) != 0) {
- fprintf(stderr, "names in CertificateRequest differ at index #%d.\n",
+ fprintf(stderr, "names in CertificateRequest differ at index #%d\n",
static_cast<unsigned>(i));
return false;
}
@@ -1099,16 +1099,35 @@
const TestConfig *config = GetTestConfig(client_hello->ssl);
GetTestState(client_hello->ssl)->early_callback_called = true;
- if (!config->expect_server_name.empty()) {
- const char *server_name =
- SSL_get_servername(client_hello->ssl, TLSEXT_NAMETYPE_host_name);
- if (server_name == nullptr ||
- std::string(server_name) != config->expect_server_name) {
- fprintf(stderr,
- "Server name mismatch in early callback (got %s; want %s).\n",
- server_name, config->expect_server_name.c_str());
+ if (!config->expected_server_name.empty()) {
+ const uint8_t *extension_data;
+ size_t extension_len;
+ CBS extension, server_name_list, host_name;
+ uint8_t name_type;
+
+ if (!SSL_early_callback_ctx_extension_get(
+ client_hello, TLSEXT_TYPE_server_name, &extension_data,
+ &extension_len)) {
+ fprintf(stderr, "Could not find server_name extension.\n");
return ssl_select_cert_error;
}
+
+ CBS_init(&extension, extension_data, extension_len);
+ if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||
+ CBS_len(&extension) != 0 ||
+ !CBS_get_u8(&server_name_list, &name_type) ||
+ name_type != TLSEXT_NAMETYPE_host_name ||
+ !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
+ CBS_len(&server_name_list) != 0) {
+ fprintf(stderr, "Could not decode server_name extension.\n");
+ return ssl_select_cert_error;
+ }
+
+ if (!CBS_mem_equal(&host_name,
+ (const uint8_t *)config->expected_server_name.data(),
+ config->expected_server_name.size())) {
+ fprintf(stderr, "Server name mismatch.\n");
+ }
}
if (config->fail_early_callback) {
@@ -1221,7 +1240,7 @@
SSL_CTX_set_grease_enabled(ssl_ctx.get(), 1);
}
- if (!expect_server_name.empty()) {
+ if (!expected_server_name.empty()) {
SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(), ServerNameCallback);
}
@@ -1325,10 +1344,6 @@
SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
}
- if (enable_pq_experiment_signal) {
- SSL_CTX_enable_pq_experiment_signal(ssl_ctx.get());
- }
-
return ssl_ctx;
}
@@ -1356,7 +1371,7 @@
// Account for the trailing '\0' for the identity.
if (config->psk_identity.size() >= max_identity_len ||
config->psk.size() > max_psk_len) {
- fprintf(stderr, "PSK buffers too small.\n");
+ fprintf(stderr, "PSK buffers too small\n");
return 0;
}
@@ -1375,7 +1390,7 @@
}
if (config->psk.size() > max_psk_len) {
- fprintf(stderr, "PSK buffers too small.\n");
+ fprintf(stderr, "PSK buffers too small\n");
return 0;
}
@@ -1505,7 +1520,7 @@
if (no_ticket) {
SSL_set_options(ssl.get(), SSL_OP_NO_TICKET);
}
- if (!expect_channel_id.empty() || enable_channel_id) {
+ if (!expected_channel_id.empty() || enable_channel_id) {
SSL_set_tls_channel_id_enabled(ssl.get(), 1);
}
if (!send_channel_id.empty()) {
@@ -1607,9 +1622,6 @@
case SSL_CURVE_CECPQ2:
nids.push_back(NID_CECPQ2);
break;
- case SSL_CURVE_CECPQ2b:
- nids.push_back(NID_CECPQ2b);
- break;
}
if (!SSL_set1_curves(ssl.get(), &nids[0], nids.size())) {
return nullptr;
@@ -1618,8 +1630,8 @@
}
if (enable_all_curves) {
static const int kAllCurves[] = {
- NID_secp224r1, NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1,
- NID_X25519, NID_CECPQ2, NID_CECPQ2b,
+ NID_secp224r1, NID_X9_62_prime256v1, NID_secp384r1,
+ NID_secp521r1, NID_X25519, NID_CECPQ2,
};
if (!SSL_set1_curves(ssl.get(), kAllCurves,
OPENSSL_ARRAY_SIZE(kAllCurves))) {
@@ -1666,8 +1678,7 @@
if (!delegated_credential.empty()) {
std::string::size_type comma = delegated_credential.find(',');
if (comma == std::string::npos) {
- fprintf(stderr,
- "failed to find comma in delegated credential argument.\n");
+ fprintf(stderr, "failed to find comma in delegated credential argument");
return nullptr;
}
@@ -1675,7 +1686,7 @@
const std::string pkcs8_hex = delegated_credential.substr(comma + 1);
std::string dc, pkcs8;
if (!HexDecode(&dc, dc_hex) || !HexDecode(&pkcs8, pkcs8_hex)) {
- fprintf(stderr, "failed to hex decode delegated credential argument.\n");
+ fprintf(stderr, "failed to hex decode delegated credential argument");
return nullptr;
}
@@ -1686,7 +1697,7 @@
bssl::UniquePtr<EVP_PKEY> priv(EVP_parse_private_key(&pkcs8_cbs));
if (!priv) {
- fprintf(stderr, "failed to parse delegated credential private key.\n");
+ fprintf(stderr, "failed to parse delegated credential private key");
return nullptr;
}
diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h
index ce4b416..9221d6f 100644
--- a/src/ssl/test/test_config.h
+++ b/src/ssl/test/test_config.h
@@ -32,15 +32,15 @@
bool fallback_scsv = false;
std::vector<int> signing_prefs;
std::vector<int> verify_prefs;
- std::vector<int> expect_peer_verify_prefs;
+ std::vector<int> expected_peer_verify_prefs;
std::vector<int> curves;
std::string key_file;
std::string cert_file;
- std::string expect_server_name;
- std::string expect_certificate_types;
+ std::string expected_server_name;
+ std::string expected_certificate_types;
bool require_any_client_certificate = false;
std::string advertise_npn;
- std::string expect_next_proto;
+ std::string expected_next_proto;
bool false_start = false;
std::string select_next_proto;
bool async = false;
@@ -52,31 +52,31 @@
bool no_tls11 = false;
bool no_tls1 = false;
bool no_ticket = false;
- std::string expect_channel_id;
+ std::string expected_channel_id;
bool enable_channel_id = false;
std::string send_channel_id;
- int expect_token_binding_param = -1;
+ int expected_token_binding_param = -1;
std::string send_token_binding_params;
bool shim_writes_first = false;
std::string host_name;
std::string advertise_alpn;
- std::string expect_alpn;
- std::string expect_late_alpn;
- std::string expect_advertised_alpn;
+ std::string expected_alpn;
+ std::string expected_late_alpn;
+ std::string expected_advertised_alpn;
std::string select_alpn;
bool decline_alpn = false;
bool select_empty_alpn = false;
std::string quic_transport_params;
- std::string expect_quic_transport_params;
+ std::string expected_quic_transport_params;
bool expect_session_miss = false;
bool expect_extended_master_secret = false;
std::string psk;
std::string psk_identity;
std::string srtp_profiles;
bool enable_ocsp_stapling = false;
- std::string expect_ocsp_response;
+ std::string expected_ocsp_response;
bool enable_signed_cert_timestamps = false;
- std::string expect_signed_cert_timestamps;
+ std::string expected_signed_cert_timestamps;
int min_version = 0;
int max_version = 0;
int expect_version = 0;
@@ -89,6 +89,7 @@
bool fail_cert_callback = false;
std::string cipher;
bool handshake_never_done = false;
+ int export_early_keying_material = 0;
int export_keying_material = 0;
std::string export_label;
std::string export_context;
@@ -126,7 +127,7 @@
bool use_old_client_cert_callback = false;
int initial_timeout_duration_ms = 0;
std::string use_client_ca_list;
- std::string expect_client_ca_list;
+ std::string expected_client_ca_list;
bool send_alert = false;
bool peek_then_read = false;
bool enable_grease = false;
@@ -172,11 +173,7 @@
bool server_preference = false;
bool export_traffic_secrets = false;
bool key_update = false;
- bool expect_delegated_credential_used = false;
std::string delegated_credential;
- std::string expect_early_data_reason;
- bool enable_pq_experiment_signal = false;
- bool expect_pq_experiment_signal = false;
int argc;
char **argv;
diff --git a/src/ssl/tls13_both.cc b/src/ssl/tls13_both.cc
index 1a49e4c..ba5719f 100644
--- a/src/ssl/tls13_both.cc
+++ b/src/ssl/tls13_both.cc
@@ -370,8 +370,13 @@
return false;
}
- if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
- hs->peer_pubkey.get(), input)) {
+ bool sig_ok = ssl_public_key_verify(ssl, signature, signature_algorithm,
+ hs->peer_pubkey.get(), input);
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ sig_ok = true;
+ ERR_clear_error();
+#endif
+ if (!sig_ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
return false;
@@ -483,16 +488,15 @@
if (ssl_signing_with_dc(hs)) {
const CRYPTO_BUFFER *raw = dc->raw.get();
- CBB child;
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_delegated_credential) ||
- !CBB_add_u16_length_prefixed(&extensions, &child) ||
- !CBB_add_bytes(&child, CRYPTO_BUFFER_data(raw),
+ !CBB_add_u16(&extensions, CRYPTO_BUFFER_len(raw)) ||
+ !CBB_add_bytes(&extensions,
+ CRYPTO_BUFFER_data(raw),
CRYPTO_BUFFER_len(raw)) ||
!CBB_flush(&extensions)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
- ssl->s3->delegated_credential_used = true;
}
for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain.get()); i++) {
diff --git a/src/ssl/tls13_client.cc b/src/ssl/tls13_client.cc
index f411e19..ac97165 100644
--- a/src/ssl/tls13_client.cc
+++ b/src/ssl/tls13_client.cc
@@ -188,7 +188,6 @@
hs->tls13_state = state_send_second_client_hello;
// 0-RTT is rejected if we receive a HelloRetryRequest.
if (hs->in_early_data) {
- ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
return ssl_hs_early_data_rejected;
}
return ssl_hs_ok;
@@ -901,7 +900,7 @@
return false;
}
- if (have_early_data_info) {
+ if (have_early_data_info && ssl->enable_early_data) {
if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||
CBS_len(&early_data_info) != 0) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
diff --git a/src/ssl/tls13_enc.cc b/src/ssl/tls13_enc.cc
index b6a402f..7353561 100644
--- a/src/ssl/tls13_enc.cc
+++ b/src/ssl/tls13_enc.cc
@@ -38,7 +38,6 @@
return false;
}
- assert(hs->transcript.DigestLen() <= SSL_MAX_MD_SIZE);
hs->hash_len = hs->transcript.DigestLen();
// Initialize the secret to the zero key.
@@ -216,6 +215,7 @@
static const char kTLS13LabelExporter[] = "exp master";
+static const char kTLS13LabelEarlyExporter[] = "e exp master";
static const char kTLS13LabelClientEarlyTraffic[] = "c e traffic";
static const char kTLS13LabelClientHandshakeTraffic[] = "c hs traffic";
@@ -229,9 +229,13 @@
kTLS13LabelClientEarlyTraffic,
strlen(kTLS13LabelClientEarlyTraffic)) ||
!ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET",
- hs->early_traffic_secret, hs->hash_len)) {
+ hs->early_traffic_secret, hs->hash_len) ||
+ !derive_secret(hs, ssl->s3->early_exporter_secret, hs->hash_len,
+ kTLS13LabelEarlyExporter,
+ strlen(kTLS13LabelEarlyExporter))) {
return false;
}
+ ssl->s3->early_exporter_secret_len = hs->hash_len;
if (ssl->quic_method != nullptr) {
if (ssl->server) {
diff --git a/src/ssl/tls13_server.cc b/src/ssl/tls13_server.cc
index 4ebea5b..caaf0c7 100644
--- a/src/ssl/tls13_server.cc
+++ b/src/ssl/tls13_server.cc
@@ -53,12 +53,6 @@
static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
-// Allow a minute of ticket age skew in either direction. This covers
-// transmission delays in ClientHello and NewSessionTicket, as well as
-// drift between client and server clock rate since the ticket was issued.
-// See RFC 8446, section 8.3.
-static const int32_t kMaxTicketAgeSkewSeconds = 60;
-
static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, bool *out_need_retry,
SSL_CLIENT_HELLO *client_hello) {
SSL *const ssl = hs->ssl;
@@ -103,15 +97,77 @@
return 1;
}
+// CipherScorer produces a "score" for each possible cipher suite offered by
+// the client.
+class CipherScorer {
+ public:
+ CipherScorer(uint16_t group_id)
+ : aes_is_fine_(EVP_has_aes_hardware()),
+ security_128_is_fine_(group_id != SSL_CURVE_CECPQ2) {}
+
+ typedef std::tuple<bool, bool, bool> Score;
+
+ // MinScore returns a |Score| that will compare less than the score of all
+ // cipher suites.
+ Score MinScore() const {
+ return Score(false, false, false);
+ }
+
+ Score Evaluate(const SSL_CIPHER *a) const {
+ return Score(
+ // Something is always preferable to nothing.
+ true,
+ // Either 128-bit is fine, or 256-bit is preferred.
+ security_128_is_fine_ || a->algorithm_enc != SSL_AES128GCM,
+ // Either AES is fine, or else ChaCha20 is preferred.
+ aes_is_fine_ || a->algorithm_enc == SSL_CHACHA20POLY1305);
+ }
+
+ private:
+ const bool aes_is_fine_;
+ const bool security_128_is_fine_;
+};
+
static const SSL_CIPHER *choose_tls13_cipher(
const SSL *ssl, const SSL_CLIENT_HELLO *client_hello, uint16_t group_id) {
+ if (client_hello->cipher_suites_len % 2 != 0) {
+ return nullptr;
+ }
+
CBS cipher_suites;
CBS_init(&cipher_suites, client_hello->cipher_suites,
client_hello->cipher_suites_len);
const uint16_t version = ssl_protocol_version(ssl);
- return ssl_choose_tls13_cipher(cipher_suites, version, group_id);
+ const SSL_CIPHER *best = nullptr;
+ CipherScorer scorer(group_id);
+ CipherScorer::Score best_score = scorer.MinScore();
+
+ while (CBS_len(&cipher_suites) > 0) {
+ uint16_t cipher_suite;
+ if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
+ return nullptr;
+ }
+
+ // Limit to TLS 1.3 ciphers we know about.
+ const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
+ if (candidate == nullptr ||
+ SSL_CIPHER_get_min_version(candidate) > version ||
+ SSL_CIPHER_get_max_version(candidate) < version) {
+ continue;
+ }
+
+ const CipherScorer::Score candidate_score = scorer.Evaluate(candidate);
+ // |candidate_score| must be larger to displace the current choice. That way
+ // the client's order controls between ciphers with an equal score.
+ if (candidate_score > best_score) {
+ best = candidate;
+ best_score = candidate_score;
+ }
+ }
+
+ return best;
}
static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
@@ -251,15 +307,16 @@
static enum ssl_ticket_aead_result_t select_session(
SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session,
- int32_t *out_ticket_age_skew, bool *out_offered_ticket,
- const SSLMessage &msg, const SSL_CLIENT_HELLO *client_hello) {
+ int32_t *out_ticket_age_skew, const SSLMessage &msg,
+ const SSL_CLIENT_HELLO *client_hello) {
SSL *const ssl = hs->ssl;
- *out_session = nullptr;
+ *out_session = NULL;
+ // Decode the ticket if we agreed on a PSK key exchange mode.
CBS pre_shared_key;
- *out_offered_ticket = ssl_client_hello_get_extension(
- client_hello, &pre_shared_key, TLSEXT_TYPE_pre_shared_key);
- if (!*out_offered_ticket) {
+ if (!hs->accept_psk_mode ||
+ !ssl_client_hello_get_extension(client_hello, &pre_shared_key,
+ TLSEXT_TYPE_pre_shared_key)) {
return ssl_ticket_aead_ignore_ticket;
}
@@ -280,11 +337,6 @@
return ssl_ticket_aead_error;
}
- // If the peer did not offer psk_dhe, ignore the resumption.
- if (!hs->accept_psk_mode) {
- return ssl_ticket_aead_ignore_ticket;
- }
-
// TLS 1.3 session tickets are renewed separately as part of the
// NewSessionTicket.
bool unused_renew;
@@ -354,18 +406,10 @@
uint8_t alert = SSL_AD_DECODE_ERROR;
UniquePtr<SSL_SESSION> session;
- bool offered_ticket = false;
- switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew,
- &offered_ticket, msg, &client_hello)) {
+ switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew, msg,
+ &client_hello)) {
case ssl_ticket_aead_ignore_ticket:
assert(!session);
- if (!ssl->enable_early_data) {
- ssl->s3->early_data_reason = ssl_early_data_disabled;
- } else if (!offered_ticket) {
- ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
- } else {
- ssl->s3->early_data_reason = ssl_early_data_session_not_resumed;
- }
if (!ssl_get_new_session(hs, 1 /* server */)) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
@@ -377,32 +421,24 @@
// a fresh session.
hs->new_session =
SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
- if (hs->new_session == nullptr) {
- ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return ssl_hs_error;
+
+ if (ssl->enable_early_data &&
+ // Early data must be acceptable for this ticket.
+ session->ticket_max_early_data != 0 &&
+ // The client must have offered early data.
+ hs->early_data_offered &&
+ // Channel ID is incompatible with 0-RTT.
+ !ssl->s3->channel_id_valid &&
+ // If Token Binding is negotiated, reject 0-RTT.
+ !ssl->s3->token_binding_negotiated &&
+ // The negotiated ALPN must match the one in the ticket.
+ MakeConstSpan(ssl->s3->alpn_selected) == session->early_alpn) {
+ ssl->s3->early_data_accepted = true;
}
- if (!ssl->enable_early_data) {
- ssl->s3->early_data_reason = ssl_early_data_disabled;
- } else if (session->ticket_max_early_data == 0) {
- ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
- } else if (!hs->early_data_offered) {
- ssl->s3->early_data_reason = ssl_early_data_peer_declined;
- } else if (ssl->s3->channel_id_valid) {
- // Channel ID is incompatible with 0-RTT.
- ssl->s3->early_data_reason = ssl_early_data_channel_id;
- } else if (ssl->s3->token_binding_negotiated) {
- // Token Binding is incompatible with 0-RTT.
- ssl->s3->early_data_reason = ssl_early_data_token_binding;
- } else if (MakeConstSpan(ssl->s3->alpn_selected) != session->early_alpn) {
- // The negotiated ALPN must match the one in the ticket.
- ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
- } else if (ssl->s3->ticket_age_skew < -kMaxTicketAgeSkewSeconds ||
- kMaxTicketAgeSkewSeconds < ssl->s3->ticket_age_skew) {
- ssl->s3->early_data_reason = ssl_early_data_ticket_age_skew;
- } else {
- ssl->s3->early_data_reason = ssl_early_data_accepted;
- ssl->s3->early_data_accepted = true;
+ if (hs->new_session == NULL) {
+ ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return ssl_hs_error;
}
ssl->s3->session_reused = true;
@@ -463,10 +499,7 @@
bool need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
- if (ssl->s3->early_data_accepted) {
- ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
- ssl->s3->early_data_accepted = false;
- }
+ ssl->s3->early_data_accepted = false;
ssl->s3->skip_early_data = true;
ssl->method->next_message(ssl);
if (!hs->transcript.UpdateForHelloRetryRequest()) {
@@ -917,15 +950,7 @@
}
hs->tls13_state = state_done;
- // In TLS 1.3, the NewSessionTicket isn't flushed until the server performs a
- // write, to prevent a non-reading client from causing the server to hang in
- // the case of a small server write buffer. Consumers which don't write data
- // to the client will need to do a zero-byte write if they wish to flush the
- // tickets.
- if (hs->ssl->ctx->quic_method != nullptr && sent_tickets) {
- return ssl_hs_flush;
- }
- return ssl_hs_ok;
+ return sent_tickets ? ssl_hs_flush : ssl_hs_ok;
}
enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
diff --git a/src/ssl/tls_method.cc b/src/ssl/tls_method.cc
index 95fac4d..bc9410b 100644
--- a/src/ssl/tls_method.cc
+++ b/src/ssl/tls_method.cc
@@ -125,9 +125,9 @@
ssl3_set_write_state,
};
-static bool ssl_noop_x509_check_client_CA_names(
+static int ssl_noop_x509_check_client_CA_names(
STACK_OF(CRYPTO_BUFFER) *names) {
- return true;
+ return 1;
}
static void ssl_noop_x509_clear(CERT *cert) {}
@@ -135,29 +135,29 @@
static void ssl_noop_x509_dup(CERT *new_cert, const CERT *cert) {}
static void ssl_noop_x509_flush_cached_leaf(CERT *cert) {}
static void ssl_noop_x509_flush_cached_chain(CERT *cert) {}
-static bool ssl_noop_x509_session_cache_objects(SSL_SESSION *sess) {
- return true;
+static int ssl_noop_x509_session_cache_objects(SSL_SESSION *sess) {
+ return 1;
}
-static bool ssl_noop_x509_session_dup(SSL_SESSION *new_session,
- const SSL_SESSION *session) {
- return true;
+static int ssl_noop_x509_session_dup(SSL_SESSION *new_session,
+ const SSL_SESSION *session) {
+ return 1;
}
static void ssl_noop_x509_session_clear(SSL_SESSION *session) {}
-static bool ssl_noop_x509_session_verify_cert_chain(SSL_SESSION *session,
- SSL_HANDSHAKE *hs,
- uint8_t *out_alert) {
- return false;
+static int ssl_noop_x509_session_verify_cert_chain(SSL_SESSION *session,
+ SSL_HANDSHAKE *hs,
+ uint8_t *out_alert) {
+ return 0;
}
static void ssl_noop_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {}
-static bool ssl_noop_x509_ssl_new(SSL_HANDSHAKE *hs) { return true; }
+static int ssl_noop_x509_ssl_new(SSL_HANDSHAKE *hs) { return 1; }
static void ssl_noop_x509_ssl_config_free(SSL_CONFIG *cfg) {}
static void ssl_noop_x509_ssl_flush_cached_client_CA(SSL_CONFIG *cfg) {}
-static bool ssl_noop_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
- return true;
+static int ssl_noop_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
+ return 1;
}
-static bool ssl_noop_x509_ssl_ctx_new(SSL_CTX *ctx) { return true; }
-static void ssl_noop_x509_ssl_ctx_free(SSL_CTX *ctx) {}
+static int ssl_noop_x509_ssl_ctx_new(SSL_CTX *ctx) { return 1; }
+static void ssl_noop_x509_ssl_ctx_free(SSL_CTX *ctx) { }
static void ssl_noop_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {}
const SSL_X509_METHOD ssl_noop_x509_method = {