Implement experimental alternate encoding of TLS 1.3.
TLS 1.3 deployment is currently blocked by buggy middleboxes
throughout the ecosystem. As an experiment to better understand these bugs
and the problems they are causing, implement TLS 1.3 variants with
alternate encodings. These are still the same protocol, only encoded
slightly differently. We will use what we learn from these experiments to
guide the TLS 1.3 deployment strategy and proposals to the IETF, if any.
These experiments only target the basic 1-RTT TLS 1.3 handshake. Based on
what we learn from this experiment, we may try future variations to
explore 0-RTT and HelloRetryRequest.
When enabled, the server supports all TLS 1.3 variants while the client
is configured to use a particular variant.
Change-Id: I532411d1abc41314dc76acce0246879b754b4c61
Reviewed-on: https://boringssl-review.googlesource.com/17327
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index c772f77..51f7cc8 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -653,19 +653,32 @@
}
/* Renegotiations do not participate in session resumption. */
- int has_session = ssl->session != NULL &&
- !ssl->s3->initial_handshake_complete;
+ int has_session_id = ssl->session != NULL &&
+ !ssl->s3->initial_handshake_complete &&
+ ssl->session->session_id_length > 0;
CBB child;
if (!CBB_add_u16(&body, hs->client_version) ||
!CBB_add_bytes(&body, ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
- !CBB_add_u8_length_prefixed(&body, &child) ||
- (has_session &&
- !CBB_add_bytes(&child, ssl->session->session_id,
- ssl->session->session_id_length))) {
+ !CBB_add_u8_length_prefixed(&body, &child)) {
goto err;
}
+ if (has_session_id) {
+ if (!CBB_add_bytes(&child, ssl->session->session_id,
+ ssl->session->session_id_length)) {
+ goto err;
+ }
+ } else {
+ /* In TLS 1.3 experimental encodings, send a fake placeholder session ID
+ * when we do not otherwise have one to send. */
+ if (hs->max_version >= TLS1_3_VERSION &&
+ ssl->ctx->tls13_variant != tls13_default &&
+ !CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) {
+ goto err;
+ }
+ }
+
if (SSL_is_dtls(ssl)) {
if (!CBB_add_u8_length_prefixed(&body, &child) ||
!CBB_add_bytes(&child, ssl->d1->cookie, ssl->d1->cookie_len)) {
@@ -748,6 +761,14 @@
return -1;
}
+ /* Initialize a random session ID for the experimental TLS 1.3 variant. */
+ if (ssl->ctx->tls13_variant != tls13_default) {
+ hs->session_id_len = sizeof(hs->session_id);
+ if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
+ return -1;
+ }
+ }
+
if (!ssl_write_client_hello(hs)) {
return -1;
}
diff --git a/ssl/internal.h b/ssl/internal.h
index f6cea7a..45f918e 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -974,6 +974,7 @@
ssl_hs_pending_ticket,
ssl_hs_early_data_rejected,
ssl_hs_read_end_of_early_data,
+ ssl_hs_read_change_cipher_spec,
};
struct ssl_handshake_st {
@@ -1007,6 +1008,11 @@
* |SSL_OP_NO_*| and |SSL_CTX_set_max_proto_version| APIs. */
uint16_t max_version;
+ /* session_id is the session ID in the ClientHello, used for the experimental
+ * TLS 1.3 variant. */
+ uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
+ uint8_t session_id_len;
+
size_t hash_len;
uint8_t secret[EVP_MAX_MD_SIZE];
uint8_t early_traffic_secret[EVP_MAX_MD_SIZE];
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 109dfd0..d8d3f4d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -845,6 +845,10 @@
ctx->cert->enable_early_data = !!enabled;
}
+void SSL_CTX_set_tls13_variant(SSL_CTX *ctx, enum tls13_variant_t variant) {
+ ctx->tls13_variant = variant;
+}
+
void SSL_set_early_data_enabled(SSL *ssl, int enabled) {
ssl->cert->enable_early_data = !!enabled;
}
diff --git a/ssl/ssl_versions.c b/ssl/ssl_versions.c
index 5d92771..3945f7f 100644
--- a/ssl/ssl_versions.c
+++ b/ssl/ssl_versions.c
@@ -33,6 +33,7 @@
return 1;
case TLS1_3_DRAFT_VERSION:
+ case TLS1_3_EXPERIMENT_VERSION:
*out = TLS1_3_VERSION;
return 1;
@@ -55,6 +56,7 @@
static const uint16_t kTLSVersions[] = {
TLS1_3_DRAFT_VERSION,
+ TLS1_3_EXPERIMENT_VERSION,
TLS1_2_VERSION,
TLS1_1_VERSION,
TLS1_VERSION,
@@ -95,7 +97,8 @@
/* The public API uses wire versions, except we use |TLS1_3_VERSION|
* everywhere to refer to any draft TLS 1.3 versions. In this direction, we
* map it to some representative TLS 1.3 draft version. */
- if (version == TLS1_3_DRAFT_VERSION) {
+ if (version == TLS1_3_DRAFT_VERSION ||
+ version == TLS1_3_EXPERIMENT_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
return 0;
}
@@ -235,7 +238,7 @@
int SSL_version(const SSL *ssl) {
uint16_t ret = ssl_version(ssl);
/* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
- if (ret == TLS1_3_DRAFT_VERSION) {
+ if (ret == TLS1_3_DRAFT_VERSION || ret == TLS1_3_EXPERIMENT_VERSION) {
return TLS1_3_VERSION;
}
return ret;
@@ -245,6 +248,7 @@
switch (version) {
/* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
case TLS1_3_DRAFT_VERSION:
+ case TLS1_3_EXPERIMENT_VERSION:
return "TLSv1.3";
case TLS1_2_VERSION:
@@ -291,8 +295,26 @@
}
int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
+ SSL *const ssl = hs->ssl;
+ /* As a client, only allow the configured TLS 1.3 variant. As a server,
+ * support all TLS 1.3 variants as long as tls13_variant is set to a
+ * non-default value. */
+ if (ssl->server) {
+ if (ssl->ctx->tls13_variant == tls13_default &&
+ version == TLS1_3_EXPERIMENT_VERSION) {
+ return 0;
+ }
+ } else {
+ if ((ssl->ctx->tls13_variant != tls13_experiment &&
+ version == TLS1_3_EXPERIMENT_VERSION) ||
+ (ssl->ctx->tls13_variant != tls13_default &&
+ version == TLS1_3_DRAFT_VERSION)) {
+ return 0;
+ }
+ }
+
uint16_t protocol_version;
- return method_supports_version(hs->ssl->method, version) &&
+ return method_supports_version(ssl->method, version) &&
ssl_protocol_version_from_wire(&protocol_version, version) &&
hs->min_version <= protocol_version &&
protocol_version <= hs->max_version;
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 6d3e6d1..4f818a4 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -1171,6 +1171,9 @@
SSL_CTX_set_early_data_enabled(ssl_ctx.get(), 1);
}
+ SSL_CTX_set_tls13_variant(
+ ssl_ctx.get(), static_cast<enum tls13_variant_t>(config->tls13_variant));
+
if (config->allow_unknown_alpn_protos) {
SSL_CTX_set_allow_unknown_alpn_protos(ssl_ctx.get(), 1);
}
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 9e7b204..2be474c 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -32,10 +32,19 @@
)
// A draft version of TLS 1.3 that is sent over the wire for the current draft.
-const tls13DraftVersion = 0x7f12
+const (
+ tls13DraftVersion = 0x7f12
+ tls13ExperimentVersion = 0x7e01
+)
+
+const (
+ TLS13Default = 0
+ TLS13Experiment = 1
+)
var allTLSWireVersions = []uint16{
tls13DraftVersion,
+ tls13ExperimentVersion,
VersionTLS12,
VersionTLS11,
VersionTLS10,
@@ -404,6 +413,9 @@
// which is currently TLS 1.2.
MaxVersion uint16
+ // TLS13Variant is the variant of TLS 1.3 to use.
+ TLS13Variant int
+
// CurvePreferences contains the elliptic curves that will be used in
// an ECDHE handshake, in preference order. If empty, the default will
// be used.
@@ -1468,6 +1480,11 @@
// it returns true and the corresponding protocol version. Otherwise, it returns
// false.
func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) {
+ if (c.TLS13Variant != TLS13Experiment && wireVers == tls13ExperimentVersion) ||
+ (c.TLS13Variant != TLS13Default && wireVers == tls13DraftVersion) {
+ return 0, false
+ }
+
vers, ok := wireToVersion(wireVers, isDTLS)
if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) {
return 0, false
diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index 9e72084..a50029f 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go
@@ -916,9 +916,11 @@
c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
break
}
- err := c.in.changeCipherSpec(c.config)
- if err != nil {
- c.in.setErrorLocked(c.sendAlert(err.(alert)))
+ if c.wireVersion != tls13ExperimentVersion {
+ err := c.in.changeCipherSpec(c.config)
+ if err != nil {
+ c.in.setErrorLocked(c.sendAlert(err.(alert)))
+ }
}
case recordTypeApplicationData:
@@ -1138,7 +1140,7 @@
}
c.out.freeBlock(b)
- if typ == recordTypeChangeCipherSpec {
+ if typ == recordTypeChangeCipherSpec && c.wireVersion != tls13ExperimentVersion {
err = c.out.changeCipherSpec(c.config)
if err != nil {
return n, c.sendAlertLocked(alertLevelError, err.(alert))
diff --git a/ssl/test/runner/dtls.go b/ssl/test/runner/dtls.go
index 87b9975..b0b6c18 100644
--- a/ssl/test/runner/dtls.go
+++ b/ssl/test/runner/dtls.go
@@ -35,7 +35,7 @@
switch vers {
case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12:
return vers, true
- case tls13DraftVersion:
+ case tls13DraftVersion, tls13ExperimentVersion:
return VersionTLS13, true
}
}
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index f0bfca4..cac1ebf 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -732,6 +732,12 @@
hs.finishedHash.addEntropy(zeroSecret)
}
+ if c.wireVersion == tls13ExperimentVersion {
+ if err := c.readRecord(recordTypeChangeCipherSpec); err != nil {
+ return err
+ }
+ }
+
// Derive handshake traffic keys and switch read key to handshake
// traffic key.
clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel)
@@ -911,6 +917,11 @@
}
c.sendAlert(alertEndOfEarlyData)
}
+
+ if c.wireVersion == tls13ExperimentVersion {
+ c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
+ }
+
c.out.useTrafficSecret(c.vers, hs.suite, clientHandshakeTrafficSecret, clientWrite)
if certReq != nil && !c.config.Bugs.SkipClientCertificate {
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index 86e2821..92bbdca 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -853,12 +853,12 @@
}
hello.addBytes(m.random)
- if vers < VersionTLS13 {
+ if vers < VersionTLS13 || m.vers == tls13ExperimentVersion {
sessionId := hello.addU8LengthPrefixed()
sessionId.addBytes(m.sessionId)
}
hello.addU16(m.cipherSuite)
- if vers < VersionTLS13 {
+ if vers < VersionTLS13 || m.vers == tls13ExperimentVersion {
hello.addU8(m.compressionMethod)
}
@@ -913,7 +913,7 @@
}
m.random = data[6:38]
data = data[38:]
- if vers < VersionTLS13 {
+ if vers < VersionTLS13 || m.vers == tls13ExperimentVersion {
sessionIdLen := int(data[0])
if sessionIdLen > 32 || len(data) < 1+sessionIdLen {
return false
@@ -926,7 +926,7 @@
}
m.cipherSuite = uint16(data[0])<<8 | uint16(data[1])
data = data[2:]
- if vers < VersionTLS13 {
+ if vers < VersionTLS13 || m.vers == tls13ExperimentVersion {
if len(data) < 1 {
return false
}
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index f70f4697..f6692e1 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -281,7 +281,7 @@
}
if config.Bugs.ExpectNoTLS12Session {
- if len(hs.clientHello.sessionId) > 0 {
+ if len(hs.clientHello.sessionId) > 0 && c.wireVersion != tls13ExperimentVersion {
return fmt.Errorf("tls: client offered an unexpected session ID")
}
if len(hs.clientHello.sessionTicket) > 0 {
@@ -361,6 +361,7 @@
hs.hello = &serverHelloMsg{
isDTLS: c.isDTLS,
vers: c.wireVersion,
+ sessionId: hs.clientHello.sessionId,
versOverride: config.Bugs.SendServerHelloVersion,
customExtension: config.Bugs.CustomUnencryptedExtension,
unencryptedALPN: config.Bugs.SendUnencryptedALPN,
@@ -753,6 +754,10 @@
}
c.flushHandshake()
+ if c.wireVersion == tls13ExperimentVersion {
+ c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
+ }
+
// Switch to handshake traffic keys.
serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel)
c.out.useTrafficSecret(c.vers, hs.suite, serverHandshakeTrafficSecret, serverWrite)
@@ -913,6 +918,12 @@
}
}
+ if c.wireVersion == tls13ExperimentVersion && !c.skipEarlyData {
+ if err := c.readRecord(recordTypeChangeCipherSpec); err != nil {
+ return err
+ }
+ }
+
// Switch input stream to handshake traffic keys.
c.in.useTrafficSecret(c.vers, hs.suite, clientHandshakeTrafficSecret, clientWrite)
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 03ba755..acf1fa8 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -263,12 +263,9 @@
panic("Unknown test certificate")
}
-// configVersionToWire maps a protocol version to the default wire version to
-// test at that protocol.
-//
-// TODO(davidben): Rather than mapping these, make tlsVersions contains a list
-// of wire versions and test all of them.
-func configVersionToWire(vers uint16, protocol protocol) uint16 {
+// recordVersionToWire maps a record-layer protocol version to its wire
+// representation.
+func recordVersionToWire(vers uint16, protocol protocol) uint16 {
if protocol == dtls {
switch vers {
case VersionTLS12:
@@ -280,8 +277,6 @@
switch vers {
case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12:
return vers
- case VersionTLS13:
- return tls13DraftVersion
}
}
@@ -1191,29 +1186,93 @@
}
type tlsVersion struct {
- name string
+ name string
+ // version is the protocol version.
version uint16
// excludeFlag is the legacy shim flag to disable the version.
excludeFlag string
hasDTLS bool
- // shimTLS and shimDTLS are values the shim uses to refer to these
- // versions in TLS and DTLS, respectively.
- shimTLS, shimDTLS int
+ // versionDTLS, if non-zero, is the DTLS-specific representation of the version.
+ versionDTLS uint16
+ // versionWire, if non-zero, is the wire representation of the
+ // version. Otherwise the wire version is the protocol version or
+ // versionDTLS.
+ versionWire uint16
+ tls13Variant int
}
func (vers tlsVersion) shimFlag(protocol protocol) string {
- if protocol == dtls {
- return strconv.Itoa(vers.shimDTLS)
+ // The shim uses the protocol version in its public API, but uses the
+ // DTLS-specific version if it exists.
+ if protocol == dtls && vers.versionDTLS != 0 {
+ return strconv.Itoa(int(vers.versionDTLS))
}
- return strconv.Itoa(vers.shimTLS)
+ return strconv.Itoa(int(vers.version))
+}
+
+func (vers tlsVersion) wire(protocol protocol) uint16 {
+ if protocol == dtls && vers.versionDTLS != 0 {
+ return vers.versionDTLS
+ }
+ if vers.versionWire != 0 {
+ return vers.versionWire
+ }
+ return vers.version
}
var tlsVersions = []tlsVersion{
- {"SSL3", VersionSSL30, "-no-ssl3", false, VersionSSL30, 0},
- {"TLS1", VersionTLS10, "-no-tls1", true, VersionTLS10, VersionDTLS10},
- {"TLS11", VersionTLS11, "-no-tls11", false, VersionTLS11, 0},
- {"TLS12", VersionTLS12, "-no-tls12", true, VersionTLS12, VersionDTLS12},
- {"TLS13", VersionTLS13, "-no-tls13", false, VersionTLS13, 0},
+ {
+ name: "SSL3",
+ version: VersionSSL30,
+ excludeFlag: "-no-ssl3",
+ },
+ {
+ name: "TLS1",
+ version: VersionTLS10,
+ excludeFlag: "-no-tls1",
+ hasDTLS: true,
+ versionDTLS: VersionDTLS10,
+ },
+ {
+ name: "TLS11",
+ version: VersionTLS11,
+ excludeFlag: "-no-tls11",
+ },
+ {
+ name: "TLS12",
+ version: VersionTLS12,
+ excludeFlag: "-no-tls12",
+ hasDTLS: true,
+ versionDTLS: VersionDTLS12,
+ },
+ {
+ name: "TLS13",
+ version: VersionTLS13,
+ excludeFlag: "-no-tls13",
+ versionWire: tls13DraftVersion,
+ tls13Variant: TLS13Default,
+ },
+ {
+ name: "TLS13Experiment",
+ version: VersionTLS13,
+ excludeFlag: "-no-tls13",
+ versionWire: tls13ExperimentVersion,
+ tls13Variant: TLS13Experiment,
+ },
+}
+
+func allVersions(protocol protocol) []tlsVersion {
+ if protocol == tls {
+ return tlsVersions
+ }
+
+ var ret []tlsVersion
+ for _, vers := range tlsVersions {
+ if vers.hasDTLS {
+ ret = append(ret, vers)
+ }
+ }
+ return ret
}
type testCipherSuite struct {
@@ -3892,6 +3951,34 @@
tests = append(tests, testCase{
testType: clientTest,
+ name: "TLS13Experiment-EarlyData-Client",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MinVersion: VersionTLS13,
+ TLS13Variant: TLS13Experiment,
+ MaxEarlyDataSize: 16384,
+ },
+ resumeConfig: &Config{
+ MaxVersion: VersionTLS13,
+ MinVersion: VersionTLS13,
+ TLS13Variant: TLS13Experiment,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ ExpectEarlyData: [][]byte{{'h', 'e', 'l', 'l', 'o'}},
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-early-data",
+ "-expect-early-data-info",
+ "-expect-accept-early-data",
+ "-on-resume-shim-writes-first",
+ "-tls13-variant", "1",
+ },
+ })
+
+ tests = append(tests, testCase{
+ testType: clientTest,
name: "TLS13-EarlyData-TooMuchData-Client",
config: Config{
MaxVersion: VersionTLS13,
@@ -3998,6 +4085,28 @@
tests = append(tests, testCase{
testType: serverTest,
+ name: "TLS13Experiment-EarlyData-Server",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MinVersion: VersionTLS13,
+ TLS13Variant: TLS13Experiment,
+ Bugs: ProtocolBugs{
+ SendEarlyData: [][]byte{{1, 2, 3, 4}},
+ ExpectEarlyDataAccepted: true,
+ ExpectHalfRTTData: [][]byte{{254, 253, 252, 251}},
+ },
+ },
+ messageCount: 2,
+ resumeSession: true,
+ flags: []string{
+ "-enable-early-data",
+ "-expect-accept-early-data",
+ "-tls13-variant", "1",
+ },
+ })
+
+ tests = append(tests, testCase{
+ testType: serverTest,
name: "TLS13-MaxEarlyData-Server",
config: Config{
MaxVersion: VersionTLS13,
@@ -4782,24 +4891,42 @@
}
func addVersionNegotiationTests() {
- for i, shimVers := range tlsVersions {
- // Assemble flags to disable all newer versions on the shim.
- var flags []string
- for _, vers := range tlsVersions[i+1:] {
- flags = append(flags, vers.excludeFlag)
- }
-
- // Test configuring the runner's maximum version.
- for _, runnerVers := range tlsVersions {
- protocols := []protocol{tls}
- if runnerVers.hasDTLS && shimVers.hasDTLS {
- protocols = append(protocols, dtls)
+ for _, protocol := range []protocol{tls, dtls} {
+ for _, shimVers := range allVersions(protocol) {
+ // Assemble flags to disable all newer versions on the shim.
+ var flags []string
+ for _, vers := range allVersions(protocol) {
+ if vers.version > shimVers.version {
+ flags = append(flags, vers.excludeFlag)
+ }
}
- for _, protocol := range protocols {
+
+ flags2 := []string{"-max-version", shimVers.shimFlag(protocol)}
+
+ if shimVers.tls13Variant != 0 {
+ flags = append(flags, "-tls13-variant", strconv.Itoa(shimVers.tls13Variant))
+ flags2 = append(flags2, "-tls13-variant", strconv.Itoa(shimVers.tls13Variant))
+ }
+
+ // Test configuring the runner's maximum version.
+ for _, runnerVers := range allVersions(protocol) {
expectedVersion := shimVers.version
if runnerVers.version < shimVers.version {
expectedVersion = runnerVers.version
}
+ // When running and shim have different TLS 1.3 variants enabled,
+ // shim clients are expected to fall back to TLS 1.2, while shim
+ // servers support both variants when enabled when the experiment is
+ // enabled.
+ expectedServerVersion := expectedVersion
+ expectedClientVersion := expectedVersion
+ if expectedVersion == VersionTLS13 && runnerVers.tls13Variant != shimVers.tls13Variant {
+ expectedClientVersion = VersionTLS12
+ expectedServerVersion = VersionTLS12
+ if shimVers.tls13Variant != TLS13Default {
+ expectedServerVersion = VersionTLS13
+ }
+ }
suffix := shimVers.name + "-" + runnerVers.name
if protocol == dtls {
@@ -4811,38 +4938,40 @@
if clientVers > VersionTLS10 {
clientVers = VersionTLS10
}
- clientVers = configVersionToWire(clientVers, protocol)
- serverVers := expectedVersion
- if expectedVersion >= VersionTLS13 {
+ clientVers = recordVersionToWire(clientVers, protocol)
+ serverVers := expectedServerVersion
+ if expectedServerVersion >= VersionTLS13 {
serverVers = VersionTLS10
}
- serverVers = configVersionToWire(serverVers, protocol)
+ serverVers = recordVersionToWire(serverVers, protocol)
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "VersionNegotiation-Client-" + suffix,
config: Config{
- MaxVersion: runnerVers.version,
+ MaxVersion: runnerVers.version,
+ TLS13Variant: runnerVers.tls13Variant,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: clientVers,
},
},
flags: flags,
- expectedVersion: expectedVersion,
+ expectedVersion: expectedClientVersion,
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: clientTest,
name: "VersionNegotiation-Client2-" + suffix,
config: Config{
- MaxVersion: runnerVers.version,
+ MaxVersion: runnerVers.version,
+ TLS13Variant: runnerVers.tls13Variant,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: clientVers,
},
},
- flags: []string{"-max-version", shimVers.shimFlag(protocol)},
- expectedVersion: expectedVersion,
+ flags: flags2,
+ expectedVersion: expectedClientVersion,
})
testCases = append(testCases, testCase{
@@ -4850,26 +4979,28 @@
testType: serverTest,
name: "VersionNegotiation-Server-" + suffix,
config: Config{
- MaxVersion: runnerVers.version,
+ MaxVersion: runnerVers.version,
+ TLS13Variant: runnerVers.tls13Variant,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: serverVers,
},
},
flags: flags,
- expectedVersion: expectedVersion,
+ expectedVersion: expectedServerVersion,
})
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "VersionNegotiation-Server2-" + suffix,
config: Config{
- MaxVersion: runnerVers.version,
+ MaxVersion: runnerVers.version,
+ TLS13Variant: runnerVers.tls13Variant,
Bugs: ProtocolBugs{
ExpectInitialRecordVersion: serverVers,
},
},
- flags: []string{"-max-version", shimVers.shimFlag(protocol)},
- expectedVersion: expectedVersion,
+ flags: flags2,
+ expectedVersion: expectedServerVersion,
})
}
}
@@ -4887,17 +5018,18 @@
suffix += "-DTLS"
}
- wireVersion := configVersionToWire(vers.version, protocol)
testCases = append(testCases, testCase{
protocol: protocol,
testType: serverTest,
name: "VersionNegotiationExtension-" + suffix,
config: Config{
+ TLS13Variant: vers.tls13Variant,
Bugs: ProtocolBugs{
- SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
+ SendSupportedVersions: []uint16{0x1111, vers.wire(protocol), 0x2222},
},
},
expectedVersion: vers.version,
+ flags: []string{"-tls13-variant", strconv.Itoa(vers.tls13Variant)},
})
}
@@ -5121,19 +5253,34 @@
}
func addMinimumVersionTests() {
- for i, shimVers := range tlsVersions {
- // Assemble flags to disable all older versions on the shim.
- var flags []string
- for _, vers := range tlsVersions[:i] {
- flags = append(flags, vers.excludeFlag)
- }
-
- for _, runnerVers := range tlsVersions {
- protocols := []protocol{tls}
- if runnerVers.hasDTLS && shimVers.hasDTLS {
- protocols = append(protocols, dtls)
+ for _, protocol := range []protocol{tls, dtls} {
+ for _, shimVers := range allVersions(protocol) {
+ // Assemble flags to disable all older versions on the shim.
+ var flags []string
+ for _, vers := range allVersions(protocol) {
+ if vers.version < shimVers.version {
+ flags = append(flags, vers.excludeFlag)
+ }
}
- for _, protocol := range protocols {
+
+ flags2 := []string{"-min-version", shimVers.shimFlag(protocol)}
+
+ if shimVers.tls13Variant != 0 {
+ flags = append(flags, "-tls13-variant", strconv.Itoa(shimVers.tls13Variant))
+ flags2 = append(flags2, "-tls13-variant", strconv.Itoa(shimVers.tls13Variant))
+ }
+
+ for _, runnerVers := range allVersions(protocol) {
+ // Different TLS 1.3 variants are incompatible with each other and don't
+ // produce consistent minimum versions.
+ //
+ // TODO(davidben): Fold these tests (the main value is in the
+ // NegotiateVersion bug) into addVersionNegotiationTests and test based
+ // on intended shim behavior, not the shim + runner combination.
+ if shimVers.tls13Variant != runnerVers.tls13Variant {
+ continue
+ }
+
suffix := shimVers.name + "-" + runnerVers.name
if protocol == dtls {
suffix += "-DTLS"
@@ -5155,12 +5302,13 @@
testType: clientTest,
name: "MinimumVersion-Client-" + suffix,
config: Config{
- MaxVersion: runnerVers.version,
+ MaxVersion: runnerVers.version,
+ TLS13Variant: runnerVers.tls13Variant,
Bugs: ProtocolBugs{
// Ensure the server does not decline to
// select a version (versions extension) or
// cipher (some ciphers depend on versions).
- NegotiateVersion: configVersionToWire(runnerVers.version, protocol),
+ NegotiateVersion: runnerVers.wire(protocol),
IgnorePeerCipherPreferences: shouldFail,
},
},
@@ -5175,16 +5323,17 @@
testType: clientTest,
name: "MinimumVersion-Client2-" + suffix,
config: Config{
- MaxVersion: runnerVers.version,
+ MaxVersion: runnerVers.version,
+ TLS13Variant: runnerVers.tls13Variant,
Bugs: ProtocolBugs{
// Ensure the server does not decline to
// select a version (versions extension) or
// cipher (some ciphers depend on versions).
- NegotiateVersion: configVersionToWire(runnerVers.version, protocol),
+ NegotiateVersion: runnerVers.wire(protocol),
IgnorePeerCipherPreferences: shouldFail,
},
},
- flags: []string{"-min-version", shimVers.shimFlag(protocol)},
+ flags: flags2,
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
@@ -5196,7 +5345,8 @@
testType: serverTest,
name: "MinimumVersion-Server-" + suffix,
config: Config{
- MaxVersion: runnerVers.version,
+ MaxVersion: runnerVers.version,
+ TLS13Variant: runnerVers.tls13Variant,
},
flags: flags,
expectedVersion: expectedVersion,
@@ -5209,9 +5359,10 @@
testType: serverTest,
name: "MinimumVersion-Server2-" + suffix,
config: Config{
- MaxVersion: runnerVers.version,
+ MaxVersion: runnerVers.version,
+ TLS13Variant: runnerVers.tls13Variant,
},
- flags: []string{"-min-version", shimVers.shimFlag(protocol)},
+ flags: flags2,
expectedVersion: expectedVersion,
shouldFail: shouldFail,
expectedError: expectedError,
@@ -6178,13 +6329,20 @@
suffix += "-DTLS"
}
+ // We can't resume across TLS 1.3 variants and error out earlier in the
+ // session resumption.
+ if sessionVers.tls13Variant != resumeVers.tls13Variant {
+ continue
+ }
+
if sessionVers.version == resumeVers.version {
testCases = append(testCases, testCase{
protocol: protocol,
name: "Resume-Client" + suffix,
resumeSession: true,
config: Config{
- MaxVersion: sessionVers.version,
+ MaxVersion: sessionVers.version,
+ TLS13Variant: sessionVers.tls13Variant,
Bugs: ProtocolBugs{
ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
@@ -6192,6 +6350,9 @@
},
expectedVersion: sessionVers.version,
expectedResumeVersion: resumeVers.version,
+ flags: []string{
+ "-tls13-variant", strconv.Itoa(sessionVers.tls13Variant),
+ },
})
} else {
error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
@@ -6209,11 +6370,13 @@
name: "Resume-Client-Mismatch" + suffix,
resumeSession: true,
config: Config{
- MaxVersion: sessionVers.version,
+ MaxVersion: sessionVers.version,
+ TLS13Variant: sessionVers.tls13Variant,
},
expectedVersion: sessionVers.version,
resumeConfig: &Config{
- MaxVersion: resumeVers.version,
+ MaxVersion: resumeVers.version,
+ TLS13Variant: resumeVers.tls13Variant,
Bugs: ProtocolBugs{
AcceptAnySession: true,
},
@@ -6221,6 +6384,10 @@
expectedResumeVersion: resumeVers.version,
shouldFail: true,
expectedError: error,
+ flags: []string{
+ "-on-initial-tls13-variant", strconv.Itoa(sessionVers.tls13Variant),
+ "-on-resume-tls13-variant", strconv.Itoa(resumeVers.tls13Variant),
+ },
})
}
@@ -6229,15 +6396,21 @@
name: "Resume-Client-NoResume" + suffix,
resumeSession: true,
config: Config{
- MaxVersion: sessionVers.version,
+ MaxVersion: sessionVers.version,
+ TLS13Variant: sessionVers.tls13Variant,
},
expectedVersion: sessionVers.version,
resumeConfig: &Config{
- MaxVersion: resumeVers.version,
+ MaxVersion: resumeVers.version,
+ TLS13Variant: resumeVers.tls13Variant,
},
newSessionsOnResume: true,
expectResumeRejected: true,
expectedResumeVersion: resumeVers.version,
+ flags: []string{
+ "-on-initial-tls13-variant", strconv.Itoa(sessionVers.tls13Variant),
+ "-on-resume-tls13-variant", strconv.Itoa(resumeVers.tls13Variant),
+ },
})
testCases = append(testCases, testCase{
@@ -6246,17 +6419,23 @@
name: "Resume-Server" + suffix,
resumeSession: true,
config: Config{
- MaxVersion: sessionVers.version,
+ MaxVersion: sessionVers.version,
+ TLS13Variant: sessionVers.tls13Variant,
},
expectedVersion: sessionVers.version,
- expectResumeRejected: sessionVers.version != resumeVers.version,
+ expectResumeRejected: sessionVers != resumeVers,
resumeConfig: &Config{
- MaxVersion: resumeVers.version,
+ MaxVersion: resumeVers.version,
+ TLS13Variant: resumeVers.tls13Variant,
Bugs: ProtocolBugs{
SendBothTickets: true,
},
},
expectedResumeVersion: resumeVers.version,
+ flags: []string{
+ "-on-initial-tls13-variant", strconv.Itoa(sessionVers.tls13Variant),
+ "-on-resume-tls13-variant", strconv.Itoa(resumeVers.tls13Variant),
+ },
})
}
}
@@ -10169,6 +10348,19 @@
testCases = append(testCases, testCase{
testType: serverTest,
+ name: "SkipEarlyData-Experiment",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ TLS13Variant: TLS13Experiment,
+ Bugs: ProtocolBugs{
+ SendFakeEarlyDataLength: 4,
+ },
+ },
+ flags: []string{"-tls13-variant", "1"},
+ })
+
+ testCases = append(testCases, testCase{
+ testType: serverTest,
name: "SkipEarlyData-OmitEarlyDataExtension",
config: Config{
MaxVersion: VersionTLS13,
@@ -10669,6 +10861,32 @@
testCases = append(testCases, testCase{
testType: clientTest,
+ name: "TLS13Experiment-EarlyData-Reject-Client",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ MaxEarlyDataSize: 16384,
+ TLS13Variant: TLS13Experiment,
+ },
+ resumeConfig: &Config{
+ MaxVersion: VersionTLS13,
+ TLS13Variant: TLS13Experiment,
+ MaxEarlyDataSize: 16384,
+ Bugs: ProtocolBugs{
+ AlwaysRejectEarlyData: true,
+ },
+ },
+ resumeSession: true,
+ flags: []string{
+ "-enable-early-data",
+ "-expect-early-data-info",
+ "-expect-reject-early-data",
+ "-on-resume-shim-writes-first",
+ "-tls13-variant", "1",
+ },
+ })
+
+ testCases = append(testCases, testCase{
+ testType: clientTest,
name: "TLS13-EarlyData-RejectTicket-Client",
config: Config{
MaxVersion: VersionTLS13,
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 195371f..f925504 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -189,6 +189,7 @@
{ "-max-send-fragment", &TestConfig::max_send_fragment },
{ "-read-size", &TestConfig::read_size },
{ "-expect-ticket-age-skew", &TestConfig::expect_ticket_age_skew },
+ { "-tls13-variant", &TestConfig::tls13_variant },
};
const Flag<std::vector<int>> kIntVectorFlags[] = {
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index 7b4b342..e157936 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@@ -93,6 +93,7 @@
bool use_ticket_callback = false;
bool renew_ticket = false;
bool enable_early_data = false;
+ int tls13_variant = 0;
bool enable_client_custom_extension = false;
bool enable_server_custom_extension = false;
bool custom_extension_skip = false;
diff --git a/ssl/tls13_both.c b/ssl/tls13_both.c
index 6fdfb26..de2401e 100644
--- a/ssl/tls13_both.c
+++ b/ssl/tls13_both.c
@@ -64,6 +64,14 @@
break;
}
+ case ssl_hs_read_change_cipher_spec: {
+ int ret = ssl->method->read_change_cipher_spec(ssl);
+ if (ret <= 0) {
+ return ret;
+ }
+ break;
+ }
+
case ssl_hs_read_end_of_early_data: {
if (ssl->s3->hs->can_early_read) {
/* While we are processing early data, the handshake returns early. */
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index 92ea4f8..0010ccb 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c
@@ -32,6 +32,7 @@
state_process_hello_retry_request = 0,
state_send_second_client_hello,
state_process_server_hello,
+ state_process_change_cipher_spec,
state_process_encrypted_extensions,
state_continue_second_server_flight,
state_process_certificate_request,
@@ -165,13 +166,18 @@
return ssl_hs_error;
}
- CBS cbs, server_random, extensions;
+ CBS cbs, server_random, session_id, extensions;
uint16_t server_wire_version;
uint16_t cipher_suite;
+ uint8_t compression_method;
CBS_init(&cbs, ssl->init_msg, ssl->init_num);
if (!CBS_get_u16(&cbs, &server_wire_version) ||
!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||
+ (ssl->version == TLS1_3_EXPERIMENT_VERSION &&
+ !CBS_get_u8_length_prefixed(&cbs, &session_id)) ||
!CBS_get_u16(&cbs, &cipher_suite) ||
+ (ssl->version == TLS1_3_EXPERIMENT_VERSION &&
+ (!CBS_get_u8(&cbs, &compression_method) || compression_method != 0)) ||
!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
CBS_len(&cbs) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@@ -313,18 +319,31 @@
OPENSSL_free(dhe_secret);
if (!ssl_hash_current_message(hs) ||
- !tls13_derive_handshake_secrets(hs) ||
- !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,
+ !tls13_derive_handshake_secrets(hs)) {
+ return ssl_hs_error;
+ }
+ hs->tls13_state = state_process_change_cipher_spec;
+ return ssl->version == TLS1_3_EXPERIMENT_VERSION
+ ? ssl_hs_read_change_cipher_spec
+ : ssl_hs_ok;
+}
+
+static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+ if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,
hs->hash_len)) {
return ssl_hs_error;
}
- /* If not sending early data, set client traffic keys now so that alerts are
- * encrypted. */
- if (!hs->early_data_offered &&
- !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
- hs->hash_len)) {
- return ssl_hs_error;
+ if (!hs->early_data_offered) {
+ /* If not sending early data, set client traffic keys now so that alerts are
+ * encrypted. */
+ if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&
+ !ssl3_add_change_cipher_spec(ssl)) ||
+ !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
+ hs->hash_len)) {
+ return ssl_hs_error;
+ }
}
hs->tls13_state = state_process_encrypted_extensions;
@@ -500,10 +519,13 @@
}
}
- if (hs->early_data_offered &&
- !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
- hs->hash_len)) {
- return ssl_hs_error;
+ if (hs->early_data_offered) {
+ if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&
+ !ssl3_add_change_cipher_spec(ssl)) ||
+ !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
+ hs->hash_len)) {
+ return ssl_hs_error;
+ }
}
hs->tls13_state = state_send_client_certificate;
@@ -622,6 +644,9 @@
case state_process_server_hello:
ret = do_process_server_hello(hs);
break;
+ case state_process_change_cipher_spec:
+ ret = do_process_change_cipher_spec(hs);
+ break;
case state_process_encrypted_extensions:
ret = do_process_encrypted_extensions(hs);
break;
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c
index fe2463b..58e062d 100644
--- a/ssl/tls13_server.c
+++ b/ssl/tls13_server.c
@@ -38,6 +38,7 @@
state_send_server_certificate_verify,
state_send_server_finished,
state_read_second_client_flight,
+ state_process_change_cipher_spec,
state_process_end_of_early_data,
state_process_client_certificate,
state_process_client_certificate_verify,
@@ -199,12 +200,17 @@
SSL_CLIENT_HELLO client_hello;
if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
- ssl->init_num)) {
+ ssl->init_num) ||
+ client_hello.session_id_len > sizeof(hs->session_id)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
}
+ OPENSSL_memcpy(hs->session_id, client_hello.session_id,
+ client_hello.session_id_len);
+ hs->session_id_len = client_hello.session_id_len;
+
/* Negotiate the cipher suite. */
hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
if (hs->new_cipher == NULL) {
@@ -509,12 +515,16 @@
SSL *const ssl = hs->ssl;
/* Send a ServerHello. */
- CBB cbb, body, extensions;
+ CBB cbb, body, extensions, session_id;
if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||
!CBB_add_u16(&body, ssl->version) ||
!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
+ (ssl->version == TLS1_3_EXPERIMENT_VERSION &&
+ (!CBB_add_u8_length_prefixed(&body, &session_id) ||
+ !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len))) ||
!CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||
+ (ssl->version == TLS1_3_EXPERIMENT_VERSION && !CBB_add_u8(&body, 0)) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||
!ssl_ext_key_share_add_serverhello(hs, &extensions) ||
@@ -522,6 +532,11 @@
goto err;
}
+ if (ssl->version == TLS1_3_EXPERIMENT_VERSION &&
+ !ssl3_add_change_cipher_spec(ssl)) {
+ goto err;
+ }
+
/* Derive and enable the handshake traffic secrets. */
if (!tls13_derive_handshake_secrets(hs) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
@@ -667,6 +682,18 @@
}
static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
+ hs->tls13_state = state_process_change_cipher_spec;
+ /* If early data was accepted, the ChangeCipherSpec message will be in the
+ * discarded early data. */
+ if (hs->early_data_offered && !hs->ssl->early_data_accepted) {
+ return ssl_hs_ok;
+ }
+ return hs->ssl->version == TLS1_3_EXPERIMENT_VERSION
+ ? ssl_hs_read_change_cipher_spec
+ : ssl_hs_ok;
+}
+
+static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,
hs->hash_len)) {
@@ -814,6 +841,9 @@
case state_process_end_of_early_data:
ret = do_process_end_of_early_data(hs);
break;
+ case state_process_change_cipher_spec:
+ ret = do_process_change_cipher_spec(hs);
+ break;
case state_process_client_certificate:
ret = do_process_client_certificate(hs);
break;
