Apply GREASE to the version extension. BUG=106 Change-Id: Iaa12aeb67627f3c22fe4a917c89c646cb3dc1843 Reviewed-on: https://boringssl-review.googlesource.com/11325 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/internal.h b/ssl/internal.h
index fca2dda..3745592 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1021,6 +1021,7 @@
 ssl_grease_group,
 ssl_grease_extension1,
 ssl_grease_extension2,
+ ssl_grease_version,
 };
 
 /* ssl_get_grease_value returns a GREASE value for |ssl|. For a given
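Review bot: `ssl_grease_version` is appended as a new index, but nothing in this commit adjusts the storage that `ssl_get_grease_value` indexes with it; if the per-connection GREASE seed is sized by a separate constant rather than by the enum's last enumerator, that size needs to follow this change. The enum's earlier members and the seed declaration are outside the hunk, so I cannot confirm which scheme is in use. A short comment on the new enumerator, `/* index of the GREASE value sent in supported_versions */`, would document its purpose alongside the others.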
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 281fc71..da446e0 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2279,6 +2279,12 @@
 return 0;
 }
 
+ /* Add a fake version. See draft-davidben-tls-grease-01. */
+ if (ssl->ctx->grease_enabled &&
+ !CBB_add_u16(&versions, ssl_get_grease_value(ssl, ssl_grease_version))) {
+ return 0;
+ }
+
 for (uint16_t version = max_version; version >= min_version; version--) {
 if (!CBB_add_u16(&versions, ssl->method->version_to_wire(version))) {
 return 0;
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 3f166ec..affdbda 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -233,13 +233,16 @@
 c.vers = config.Bugs.NegotiateVersionOnRenego
 } else if len(hs.clientHello.supportedVersions) > 0 {
 // Use the versions extension if supplied.
- var foundVersion bool
+ var foundVersion, foundGREASE bool
 for _, extVersion := range hs.clientHello.supportedVersions {
+ if isGREASEValue(extVersion) {
+ foundGREASE = true
+ }
 extVersion, ok = wireToVersion(extVersion, c.isDTLS)
 if !ok {
 continue
 }
- if config.isSupportedVersion(extVersion, c.isDTLS) {
+ if config.isSupportedVersion(extVersion, c.isDTLS) && !foundVersion {
 c.vers = extVersion
 foundVersion = true
 break
@@ -249,6 +252,9 @@
 c.sendAlert(alertProtocolVersion)
 return errors.New("tls: client did not offer any supported protocol versions")
 }
+ if config.Bugs.ExpectGREASE && !foundGREASE {
+ return errors.New("tls: no GREASE version value found")
+ }
 } else {
 // Otherwise, use the legacy ClientHello version.
 version := clientVersion
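Review bot: The `&& !foundVersion` added to the `config.isSupportedVersion` condition is dead as long as the unchanged `break` after `foundVersion = true` remains: the loop exits on the first supported version, so a GREASE value listed after it is never seen and the second hunk's `ExpectGREASE` check reports `tls: no GREASE version value found` even though the client sent one. The check passes today only because the t1_lib.c change emits the GREASE value ahead of the real versions, which makes the test depend on that ordering rather than on the value being present at all. Dropping the `break` line lets the loop scan the whole list while `!foundVersion` still pins the first supported version; otherwise the `&& !foundVersion` should be removed as redundant. The enclosing version-negotiation block starts before the hunk and its loop closes after the first hunk's last line.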