Updating NewSessionTicket message and updating PSK to Draft 15.
BUG=77
Change-Id: Id8c45e98c4c22cdd437cbba1e9375239e123b261
Reviewed-on: https://boringssl-review.googlesource.com/10763
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 1d16a7a..599ce02 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -189,11 +189,16 @@
SRTP_AES128_CM_HMAC_SHA1_32 = 0x0002
)
-// TicketFlags values (see draft-ietf-tls-tls13-14, section 4.4.1)
+// PskKeyExchangeMode values (see draft-ietf-tls-tls13-15)
const (
- ticketAllowEarlyData = 1
- ticketAllowDHEResumption = 2
- ticketAllowPSKResumption = 4
+ pskKEMode = 0
+ pskDHEKEMode = 1
+)
+
+// PskAuthenticationMode values (see draft-ietf-tls-tls13-15)
+const (
+ pskAuthMode = 0
+ pskSignAuthMode = 1
)
// ConnectionState records basic TLS details about the connection.
@@ -243,8 +248,6 @@
ocspResponse []byte
ticketCreationTime time.Time
ticketExpiration time.Time
- ticketFlags uint32
- ticketAgeAdd uint32
}
// ClientSessionCache is a cache of ClientSessionState objects that can be used
@@ -914,6 +917,13 @@
// session ticket.
SendEmptySessionTicket bool
+ // SnedPSKKeyExchangeModes, if present, determines the PSK key exchange modes
+ // to send.
+ SendPSKKeyExchangeModes []byte
+
+ // SendPSKAuthModes, if present, determines the PSK auth modes to send.
+ SendPSKAuthModes []byte
+
// FailIfSessionOffered, if true, causes the server to fail any
// connections where the client offers a non-empty session ID or session
// ticket.
diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go
index 1fd0200..84e1eb8 100644
--- a/ssl/test/runner/conn.go
+++ b/ssl/test/runner/conn.go
@@ -1402,6 +1402,23 @@
return nil
}
+ var foundKE, foundAuth bool
+ for _, mode := range newSessionTicket.keModes {
+ if mode == pskDHEKEMode {
+ foundKE = true
+ }
+ }
+ for _, mode := range newSessionTicket.authModes {
+ if mode == pskAuthMode {
+ foundAuth = true
+ }
+ }
+
+ // Ignore the ticket if the server preferences do not match a mode we implement.
+ if !foundKE || !foundAuth {
+ return nil
+ }
+
session := &ClientSessionState{
sessionTicket: newSessionTicket.ticket,
vers: c.vers,
@@ -1412,8 +1429,6 @@
ocspResponse: c.ocspResponse,
ticketCreationTime: c.config.time(),
ticketExpiration: c.config.time().Add(time.Duration(newSessionTicket.ticketLifetime) * time.Second),
- ticketFlags: newSessionTicket.ticketFlags,
- ticketAgeAdd: newSessionTicket.ticketAgeAdd,
}
cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
@@ -1693,17 +1708,19 @@
peerCertificatesRaw = append(peerCertificatesRaw, cert.Raw)
}
- var ageAdd uint32
- if err := binary.Read(c.config.rand(), binary.LittleEndian, &ageAdd); err != nil {
- return err
- }
-
// TODO(davidben): Allow configuring these values.
m := &newSessionTicketMsg{
version: c.vers,
ticketLifetime: uint32(24 * time.Hour / time.Second),
- ticketFlags: ticketAllowDHEResumption | ticketAllowPSKResumption,
- ticketAgeAdd: ageAdd,
+ keModes: []byte{pskDHEKEMode},
+ authModes: []byte{pskAuthMode},
+ }
+
+ if len(c.config.Bugs.SendPSKKeyExchangeModes) != 0 {
+ m.keModes = c.config.Bugs.SendPSKKeyExchangeModes
+ }
+ if len(c.config.Bugs.SendPSKAuthModes) != 0 {
+ m.authModes = c.config.Bugs.SendPSKAuthModes
}
state := sessionState{
@@ -1713,8 +1730,6 @@
certificates: peerCertificatesRaw,
ticketCreationTime: c.config.time(),
ticketExpiration: c.config.time().Add(time.Duration(m.ticketLifetime) * time.Second),
- ticketFlags: m.ticketFlags,
- ticketAgeAdd: ageAdd,
}
if !c.config.Bugs.SendEmptySessionTicket {
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index c658e72..f03e169 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -261,10 +261,20 @@
if session.vers >= VersionTLS13 || c.config.Bugs.SendBothTickets {
// TODO(nharper): Support sending more
// than one PSK identity.
- if session.ticketFlags&ticketAllowDHEResumption != 0 || c.config.Bugs.SendBothTickets {
- hello.pskIdentities = [][]uint8{ticket}
- hello.cipherSuites = append(hello.cipherSuites, ecdhePSKSuite(session.cipherSuite))
+ psk := pskIdentity{
+ keModes: []byte{pskDHEKEMode},
+ authModes: []byte{pskAuthMode},
+ ticket: ticket,
}
+ if len(c.config.Bugs.SendPSKKeyExchangeModes) != 0 {
+ psk.keModes = c.config.Bugs.SendPSKKeyExchangeModes
+ }
+ if len(c.config.Bugs.SendPSKAuthModes) != 0 {
+ psk.authModes = c.config.Bugs.SendPSKAuthModes
+ }
+
+ hello.pskIdentities = []pskIdentity{psk}
+ hello.cipherSuites = append(hello.cipherSuites, ecdhePSKSuite(session.cipherSuite))
}
if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets {
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index 0b45a4d..e7a1235 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -124,6 +124,12 @@
keyExchange []byte
}
+type pskIdentity struct {
+ keModes []byte
+ authModes []byte
+ ticket []uint8
+}
+
type clientHelloMsg struct {
raw []byte
isDTLS bool
@@ -143,7 +149,7 @@
hasKeyShares bool
keyShares []keyShareEntry
trailingKeyShareData bool
- pskIdentities [][]uint8
+ pskIdentities []pskIdentity
hasEarlyData bool
earlyDataContext []byte
ticketSupported bool
@@ -185,7 +191,7 @@
m.hasKeyShares == m1.hasKeyShares &&
eqKeyShareEntryLists(m.keyShares, m1.keyShares) &&
m.trailingKeyShareData == m1.trailingKeyShareData &&
- eqByteSlices(m.pskIdentities, m1.pskIdentities) &&
+ eqPSKIdentityLists(m.pskIdentities, m1.pskIdentities) &&
m.hasEarlyData == m1.hasEarlyData &&
bytes.Equal(m.earlyDataContext, m1.earlyDataContext) &&
m.ticketSupported == m1.ticketSupported &&
@@ -316,8 +322,9 @@
pskIdentities := pskExtension.addU16LengthPrefixed()
for _, psk := range m.pskIdentities {
- pskIdentity := pskIdentities.addU16LengthPrefixed()
- pskIdentity.addBytes(psk)
+ pskIdentities.addU8LengthPrefixed().addBytes(psk.keModes)
+ pskIdentities.addU8LengthPrefixed().addBytes(psk.authModes)
+ pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket)
}
}
if m.hasEarlyData {
@@ -612,15 +619,39 @@
}
d := data[2:length]
for len(d) > 0 {
+ var psk pskIdentity
+
+ if len(d) < 1 {
+ return false
+ }
+ keModesLen := int(d[0])
+ d = d[1:]
+ if len(d) < keModesLen {
+ return false
+ }
+ psk.keModes = d[:keModesLen]
+ d = d[keModesLen:]
+
+ if len(d) < 1 {
+ return false
+ }
+ authModesLen := int(d[0])
+ d = d[1:]
+ if len(d) < authModesLen {
+ return false
+ }
+ psk.authModes = d[:authModesLen]
+ d = d[authModesLen:]
if len(d) < 2 {
return false
}
pskLen := int(d[0])<<8 | int(d[1])
d = d[2:]
+
if len(d) < pskLen {
return false
}
- psk := d[:pskLen]
+ psk.ticket = d[:pskLen]
m.pskIdentities = append(m.pskIdentities, psk)
d = d[pskLen:]
}
@@ -1781,8 +1812,8 @@
raw []byte
version uint16
ticketLifetime uint32
- ticketFlags uint32
- ticketAgeAdd uint32
+ keModes []byte
+ authModes []byte
ticket []byte
}
@@ -1797,16 +1828,20 @@
body := ticketMsg.addU24LengthPrefixed()
body.addU32(m.ticketLifetime)
if m.version >= VersionTLS13 {
- body.addU32(m.ticketFlags)
- body.addU32(m.ticketAgeAdd)
+ body.addU8LengthPrefixed().addBytes(m.keModes)
+ body.addU8LengthPrefixed().addBytes(m.authModes)
+ }
+
+ ticket := body.addU16LengthPrefixed()
+ ticket.addBytes(m.ticket)
+
+ if m.version >= VersionTLS13 {
// Send no extensions.
//
// TODO(davidben): Add an option to send a custom extension to
// test we correctly ignore unknown ones.
body.addU16(0)
}
- ticket := body.addU16LengthPrefixed()
- ticket.addBytes(m.ticket)
m.raw = ticketMsg.finish()
return m.raw
@@ -1822,31 +1857,58 @@
data = data[8:]
if m.version >= VersionTLS13 {
- if len(data) < 10 {
+ if len(data) < 1 {
return false
}
- m.ticketFlags = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
- m.ticketAgeAdd = uint32(data[4])<<24 | uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])
- extsLength := int(data[8])<<8 + int(data[9])
- data = data[10:]
- if len(data) < extsLength {
+ keModesLength := int(data[0])
+ if len(data)-1 < keModesLength {
return false
}
- data = data[extsLength:]
+ m.keModes = data[1 : 1+keModesLength]
+ data = data[1+keModesLength:]
+
+ if len(data) < 1 {
+ return false
+ }
+ authModesLength := int(data[0])
+ if len(data)-1 < authModesLength {
+ return false
+ }
+ m.authModes = data[1 : 1+authModesLength]
+ data = data[1+authModesLength:]
}
if len(data) < 2 {
return false
}
ticketLen := int(data[0])<<8 + int(data[1])
- if len(data)-2 != ticketLen {
+ data = data[2:]
+ if len(data) < ticketLen {
return false
}
+
if m.version >= VersionTLS13 && ticketLen == 0 {
return false
}
- m.ticket = data[2:]
+ m.ticket = data[:ticketLen]
+ data = data[ticketLen:]
+
+ if m.version >= VersionTLS13 {
+ if len(data) < 2 {
+ return false
+ }
+ extsLength := int(data[0])<<8 + int(data[1])
+ data = data[2:]
+ if len(data) < extsLength {
+ return false
+ }
+ data = data[extsLength:]
+ }
+
+ if len(data) > 0 {
+ return false
+ }
return true
}
@@ -2071,3 +2133,16 @@
return true
}
+
+func eqPSKIdentityLists(x, y []pskIdentity) bool {
+ if len(x) != len(y) {
+ return false
+ }
+ for i, v := range x {
+ if !bytes.Equal(y[i].keModes, v.keModes) || !bytes.Equal(y[i].authModes, v.authModes) || !bytes.Equal(y[i].ticket, v.ticket) {
+ return false
+ }
+ }
+ return true
+
+}
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index a09dc27..934e052 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -400,10 +400,34 @@
pskIdentities := hs.clientHello.pskIdentities
if len(pskIdentities) == 0 && len(hs.clientHello.sessionTicket) > 0 && c.config.Bugs.AcceptAnySession {
- pskIdentities = [][]uint8{hs.clientHello.sessionTicket}
+ psk := pskIdentity{
+ keModes: []byte{pskDHEKEMode},
+ authModes: []byte{pskAuthMode},
+ ticket: hs.clientHello.sessionTicket,
+ }
+ pskIdentities = []pskIdentity{psk}
}
for i, pskIdentity := range pskIdentities {
- sessionState, ok := c.decryptTicket(pskIdentity)
+ foundKE := false
+ foundAuth := false
+
+ for _, keMode := range pskIdentity.keModes {
+ if keMode == pskDHEKEMode {
+ foundKE = true
+ }
+ }
+
+ for _, authMode := range pskIdentity.authModes {
+ if authMode == pskAuthMode {
+ foundAuth = true
+ }
+ }
+
+ if !foundKE || !foundAuth {
+ continue
+ }
+
+ sessionState, ok := c.decryptTicket(pskIdentity.ticket)
if !ok {
continue
}
@@ -411,9 +435,6 @@
if sessionState.vers != c.vers && c.config.Bugs.AcceptAnySession {
continue
}
- if sessionState.ticketFlags&ticketAllowDHEResumption == 0 {
- continue
- }
if sessionState.ticketExpiration.Before(c.config.time()) {
continue
}
@@ -1090,7 +1111,7 @@
ticket := hs.clientHello.sessionTicket
if len(ticket) == 0 && len(hs.clientHello.pskIdentities) > 0 && c.config.Bugs.AcceptAnySession {
- ticket = hs.clientHello.pskIdentities[0]
+ ticket = hs.clientHello.pskIdentities[0].ticket
}
if len(ticket) > 0 {
if c.config.SessionTicketsDisabled {
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 17cc507..f536ceb 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -2118,19 +2118,6 @@
expectMessageDropped: true,
},
{
- // In TLS 1.2 and below, empty NewSessionTicket messages
- // mean the server changed its mind on sending a ticket.
- name: "SendEmptySessionTicket",
- config: Config{
- MaxVersion: VersionTLS12,
- Bugs: ProtocolBugs{
- SendEmptySessionTicket: true,
- FailIfSessionOffered: true,
- },
- },
- flags: []string{"-expect-no-session"},
- },
- {
name: "BadHelloRequest-1",
renegotiate: 1,
config: Config{
@@ -7572,6 +7559,105 @@
})
}
+func addSessionTicketTests() {
+ testCases = append(testCases, testCase{
+ // In TLS 1.2 and below, empty NewSessionTicket messages
+ // mean the server changed its mind on sending a ticket.
+ name: "SendEmptySessionTicket",
+ config: Config{
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ SendEmptySessionTicket: true,
+ },
+ },
+ flags: []string{"-expect-no-session"},
+ })
+
+ // Test that the server ignores unknown PSK modes.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "TLS13-SendUnknownModeSessionTicket-Server",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
+ SendPSKAuthModes: []byte{0x1a, pskAuthMode, 0x2a},
+ },
+ },
+ resumeSession: true,
+ expectedResumeVersion: VersionTLS13,
+ })
+
+ // Test that the server declines sessions with no matching key exchange mode.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "TLS13-SendBadKEModeSessionTicket-Server",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ SendPSKKeyExchangeModes: []byte{0x1a},
+ },
+ },
+ resumeSession: true,
+ expectResumeRejected: true,
+ })
+
+ // Test that the server declines sessions with no matching auth mode.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "TLS13-SendBadAuthModeSessionTicket-Server",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ SendPSKAuthModes: []byte{0x1a},
+ },
+ },
+ resumeSession: true,
+ expectResumeRejected: true,
+ })
+
+ // Test that the client ignores unknown PSK modes.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "TLS13-SendUnknownModeSessionTicket-Client",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
+ SendPSKAuthModes: []byte{0x1a, pskAuthMode, 0x2a},
+ },
+ },
+ resumeSession: true,
+ expectedResumeVersion: VersionTLS13,
+ })
+
+ // Test that the client ignores tickets with no matching key exchange mode.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "TLS13-SendBadKEModeSessionTicket-Client",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ SendPSKKeyExchangeModes: []byte{0x1a},
+ },
+ },
+ flags: []string{"-expect-no-session"},
+ })
+
+ // Test that the client ignores tickets with no matching auth mode.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "TLS13-SendBadAuthModeSessionTicket-Client",
+ config: Config{
+ MaxVersion: VersionTLS13,
+ Bugs: ProtocolBugs{
+ SendPSKAuthModes: []byte{0x1a},
+ },
+ },
+ flags: []string{"-expect-no-session"},
+ })
+}
+
func addChangeCipherSpecTests() {
// Test missing ChangeCipherSpecs.
testCases = append(testCases, testCase{
@@ -8642,6 +8728,7 @@
addCurveTests()
addCECPQ1Tests()
addDHEGroupSizeTests()
+ addSessionTicketTests()
addTLS13RecordTests()
addAllStateMachineCoverageTests()
addChangeCipherSpecTests()
