Update to TLS 1.3 draft 18.
This is the squash of the following CLs:
https://boringssl-review.googlesource.com/c/12021/9
https://boringssl-review.googlesource.com/c/12022/9
https://boringssl-review.googlesource.com/c/12107/19
https://boringssl-review.googlesource.com/c/12141/22
https://boringssl-review.googlesource.com/c/12181/33
The Go portions were written by Nick Harper
BUG=112
Change-Id: I375a1fcead493ec3e0282e231ccc8d7c4dde5063
Reviewed-on: https://boringssl-review.googlesource.com/12300
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 5eede01..ac86baa 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -865,18 +865,22 @@
return true;
}
-// CreateSessionWithTicket returns a sample |SSL_SESSION| with the ticket
-// replaced for one of length |ticket_len| or nullptr on failure.
-static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(size_t ticket_len) {
+// CreateSessionWithTicket returns a sample |SSL_SESSION| with the specified
+// version and ticket length or nullptr on failure.
+static bssl::UniquePtr<SSL_SESSION> CreateSessionWithTicket(uint16_t version,
+ size_t ticket_len) {
std::vector<uint8_t> der;
if (!DecodeBase64(&der, kOpenSSLSession)) {
return nullptr;
}
- bssl::UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(der.data(), der.size()));
+ bssl::UniquePtr<SSL_SESSION> session(
+ SSL_SESSION_from_bytes(der.data(), der.size()));
if (!session) {
return nullptr;
}
+ session->ssl_version = version;
+
// Swap out the ticket for a garbage one.
OPENSSL_free(session->tlsext_tick);
session->tlsext_tick = reinterpret_cast<uint8_t*>(OPENSSL_malloc(ticket_len));
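Review bot: The added `session->ssl_version = version;` rewrites only the version field, so the cipher and every other field decoded from kOpenSSLSession stay as they were even when the caller asks for a TLS 1.3 session (the last hunk passes `TLS1_3_DRAFT_VERSION`). Whether the library still treats such a hand-edited session as offerable at TLS 1.3 is not visible from this hunk, so the function comment should state the limitation, for example `// |version| is stored verbatim in |ssl_version| as a wire value; no other session field is adjusted to match it.` The function body continues past the end of this hunk.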
@@ -915,27 +919,32 @@
return true;
}
-// GetClientHelloLen creates a client SSL connection with a ticket of length
-// |ticket_len| and records the ClientHello. It returns the length of the
-// ClientHello, not including the record header, on success and zero on error.
-static size_t GetClientHelloLen(size_t ticket_len) {
+// GetClientHelloLen creates a client SSL connection with the specified version
+// and ticket length. It returns the length of the ClientHello, not including
+// the record header, on success and zero on error.
+static size_t GetClientHelloLen(uint16_t max_version, uint16_t session_version,
+ size_t ticket_len) {
bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
- bssl::UniquePtr<SSL_SESSION> session = CreateSessionWithTicket(ticket_len);
+ bssl::UniquePtr<SSL_SESSION> session =
+ CreateSessionWithTicket(session_version, ticket_len);
if (!ctx || !session) {
return 0;
}
+
+ // Set a one-element cipher list so the baseline ClientHello is unpadded.
bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
- // Test at TLS 1.2. TLS 1.3 adds enough extensions that the ClientHello is
- // longer than our test vectors.
if (!ssl || !SSL_set_session(ssl.get(), session.get()) ||
- !SSL_set_max_proto_version(ssl.get(), TLS1_2_VERSION)) {
+ !SSL_set_cipher_list(ssl.get(), "ECDHE-RSA-AES128-GCM-SHA256") ||
+ !SSL_set_max_proto_version(ssl.get(), max_version)) {
return 0;
}
+
std::vector<uint8_t> client_hello;
if (!GetClientHello(ssl.get(), &client_hello) ||
client_hello.size() <= SSL3_RT_HEADER_LENGTH) {
return 0;
}
+
return client_hello.size() - SSL3_RT_HEADER_LENGTH;
}
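Review bot: The rewritten header comment on GetClientHelloLen still speaks of "the specified version" although the signature now takes two versions with different roles. Something like `// ... creates a client SSL connection capped at |max_version| that offers a session of version |session_version| with a ticket of |ticket_len| bytes.` would make the distinction explicit. The new comment `// Set a one-element cipher list so the baseline ClientHello is unpadded.` also sits above the `SSL_new` line rather than next to the `SSL_set_cipher_list` call it explains; moving it directly above the `if` would keep the explanation with the code.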
@@ -964,28 +973,37 @@
{0x201, 0x201},
};
-static bool TestPaddingExtension() {
+static bool TestPaddingExtension(uint16_t max_version,
+ uint16_t session_version) {
// Sample a baseline length.
- size_t base_len = GetClientHelloLen(1);
+ size_t base_len = GetClientHelloLen(max_version, session_version, 1);
if (base_len == 0) {
return false;
}
for (const PaddingTest &test : kPaddingTests) {
if (base_len > test.input_len) {
- fprintf(stderr, "Baseline ClientHello too long.\n");
+ fprintf(stderr,
+ "Baseline ClientHello too long (max_version = %04x, "
+ "session_version = %04x).\n",
+ max_version, session_version);
return false;
}
- size_t padded_len = GetClientHelloLen(1 + test.input_len - base_len);
+ size_t padded_len = GetClientHelloLen(max_version, session_version,
+ 1 + test.input_len - base_len);
if (padded_len != test.padded_len) {
- fprintf(stderr, "%u-byte ClientHello padded to %u bytes, not %u.\n",
+ fprintf(stderr,
+ "%u-byte ClientHello padded to %u bytes, not %u (max_version = "
+ "%04x, session_version = %04x).\n",
static_cast<unsigned>(test.input_len),
static_cast<unsigned>(padded_len),
- static_cast<unsigned>(test.padded_len));
+ static_cast<unsigned>(test.padded_len), max_version,
+ session_version);
return false;
}
}
+
return true;
}
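Review bot: Both new `fprintf` calls pass `max_version` and `session_version` (uint16_t) straight to `%04x`, while the neighbouring arguments in the same call are cast explicitly to match their `%u` specifiers. The values promote to int, so this works in practice, but `%x` expects unsigned int and the mix reads inconsistently. Writing `static_cast<unsigned>(max_version), static_cast<unsigned>(session_version)` in both calls would match the existing style. The hunk opens inside the kPaddingTests array, which starts outside it.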
@@ -2584,7 +2602,14 @@
!TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &DTLSv1_method) ||
!TestDefaultVersion(TLS1_2_VERSION, TLS1_2_VERSION, &DTLSv1_2_method) ||
!TestCipherGetRFCName() ||
- !TestPaddingExtension() ||
+ // Test the padding extension at TLS 1.2.
+ !TestPaddingExtension(TLS1_2_VERSION, TLS1_2_VERSION) ||
+ // Test the padding extension at TLS 1.3 with a TLS 1.2 session, so there
+ // will be no PSK binder after the padding extension.
+ !TestPaddingExtension(TLS1_3_VERSION, TLS1_2_VERSION) ||
+ // Test the padding extension at TLS 1.3 with a TLS 1.3 session, so there
+ // will be a PSK binder after the padding extension.
+ !TestPaddingExtension(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION) ||
!TestClientCAList() ||
!TestInternalSessionCache() ||
!TestSequenceNumber() ||
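Review bot: The comments on the two TLS 1.3 cases say a PSK binder will or will not follow the padding extension, but TestPaddingExtension, as shown in the previous hunk, only compares total ClientHello lengths against kPaddingTests. If the TLS 1.3 session built by CreateSessionWithTicket were silently not offered, the third case would behave like the second and still pass, leaving the binder-after-padding path untested. Consider one extra assertion that the session was actually offered, for example checking that the baseline `GetClientHelloLen(TLS1_3_VERSION, TLS1_3_DRAFT_VERSION, 1)` differs from `GetClientHelloLen(TLS1_3_VERSION, TLS1_2_VERSION, 1)`, or inspecting the recorded ClientHello for the pre_shared_key extension. The enclosing function starts and ends outside this hunk.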