Add support for dummy PQ padding.
This extension will be used to measure the latency impact of potentially
sending a post-quantum key share by default. At this time it's purely
measuring the impact of the client sending the key share, not the server
replying with a ciphertext.
We could use the existing padding extension for this but that extension
doesn't allow the server to echo it, so we would need a different
extension in the future anyway. Thus we just create one now.
We can assume that modern clients will be using TLS 1.3 by the time that
PQ key-exchange is established and thus the key share will be sent in
all ClientHello messages. However, since TLS 1.3 isn't quite here yet,
this extension is also sent for TLS 1.0–1.2 ClientHellos. The latency
impact should be the same either way.
Change-Id: Ie4a17551f6589b28505797e8c54cddbe3338dfe5
Reviewed-on: https://boringssl-review.googlesource.com/24585
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 4b3de43..a8833e0 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -116,6 +116,7 @@
#include <utility>
#include <openssl/bytestring.h>
+#include <openssl/chacha.h>
#include <openssl/digest.h>
#include <openssl/err.h>
#include <openssl/evp.h>
@@ -559,6 +560,11 @@
return true;
}
+static bool ignore_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
+ CBS *contents) {
+ return true;
+}
+
static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
return true;
}
@@ -2318,6 +2324,42 @@
}
+// Dummy PQ Padding extension
+//
+// Dummy post-quantum padding invovles the client (and later server) sending
+// useless, random-looking bytes in an extension in their ClientHello or
+// ServerHello. These extensions are sized to simulate a post-quantum
+// key-exchange and so enable measurement of the latency impact of the
+// additional bandwidth.
+
+static bool ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
+ const size_t len = hs->ssl->dummy_pq_padding_len;
+ if (len == 0) {
+ return true;
+ }
+
+ CBB contents;
+ uint8_t *buffer;
+ if (!CBB_add_u16(out, TLSEXT_TYPE_dummy_pq_padding) ||
+ !CBB_add_u16_length_prefixed(out, &contents) ||
+ !CBB_add_space(&contents, &buffer, len)) {
+ return false;
+ }
+
+ // The length is used as the nonce so that different length extensions have
+ // different contents. There's no reason this has to be the case, it just
+ // makes things a little more obvious in a packet dump.
+ uint8_t nonce[12] = {0};
+ memcpy(nonce, &len, sizeof(len));
+
+ memset(buffer, 0, len);
+ static const uint8_t kZeroKey[32] = {0};
+ CRYPTO_chacha_20(buffer, buffer, len, kZeroKey, nonce, 0);
+
+ return CBB_flush(out);
+}
+
+
// Negotiated Groups
//
// https://tools.ietf.org/html/rfc4492#section-5.1.2
@@ -2547,6 +2589,14 @@
ignore_parse_clienthello,
dont_add_serverhello,
},
+ {
+ TLSEXT_TYPE_dummy_pq_padding,
+ NULL,
+ ext_dummy_pq_padding_add_clienthello,
+ ignore_parse_serverhello,
+ ignore_parse_clienthello,
+ dont_add_serverhello,
+ },
// The final extension must be non-empty. WebSphere Application Server 7.0 is
// intolerant to the last extension being zero-length. See
// https://crbug.com/363583.
