Don't dereference hs->credential on TLS 1.2 PSK ciphers TLS 1.2 PSK ciphers don't use the credentials system and won't have a credential set. The OCSP and SCT extension callbacks didn't handle this case correctly. Since we were already checking for ssl_cipher_uses_certificate_auth in the OCSP one, which implies there's a credential, I opted to just fix the order of the conditions, as well as align the SCT one with it. I thought we had test coverage for this, but runner automatically configures a certificate even when it doesn't need one, so we never actually exercised this path. Refine the automatic behavior a bit. Change-Id: Idf7f06688fc51a2f5d23fd83c23f6da7035e27a7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66927 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Pete Bentley <prb@google.com>

commit: 4fa4804c8ab4521079af62dba5260a99c34b8a29 [log] [tgz]
author: David Benjamin <davidben@google.com> Tue Mar 12 09:48:29 2024 -0400
committer: Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Tue Mar 12 15:17:20 2024 +0000
tree: 02c9201fe5c38541326be03c1c3e7dead435f932
parent: dbad745811195c00b729efd0ee0a09b7d9fce1d2 [diff]
diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index a5e4ec8..20a5d30 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc

@@ -1128,10 +1128,9 @@
 static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
-      !hs->ocsp_stapling_requested ||
-      hs->credential->ocsp_response == nullptr ||  //
-      ssl->s3->session_reused ||
-      !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
+      !hs->ocsp_stapling_requested || ssl->s3->session_reused ||
+      !ssl_cipher_uses_certificate_auth(hs->new_cipher) ||
+      hs->credential->ocsp_response == nullptr) {
     return true;
   }
 
@@ -1346,8 +1345,10 @@
 
 static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
   SSL *const ssl = hs->ssl;
+  assert(hs->scts_requested);
   // The extension shouldn't be sent when resuming sessions.
   if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused ||
+      !ssl_cipher_uses_certificate_auth(hs->new_cipher) ||
       hs->credential->signed_cert_timestamp_list == nullptr) {
     return true;
   }

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index cd7fbca..8cc698b 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -1453,7 +1453,7 @@
 
 	// Configure the default credential.
 	shimCertificate := test.shimCertificate
-	if shimCertificate == nil && len(test.shimCredentials) == 0 && test.testType == serverTest {
+	if shimCertificate == nil && len(test.shimCredentials) == 0 && test.testType == serverTest && len(test.config.PreSharedKey) == 0 {
 		shimCertificate = &rsaCertificate
 	}
 	if shimCertificate != nil {
@@ -3715,11 +3715,13 @@
 	}
 	prefix := protocol.String() + "-"
 
-	var cert Credential
-	if hasComponent(suite.name, "ECDSA") {
-		cert = ecdsaP256Certificate
-	} else {
-		cert = rsaCertificate
+	var cert *Credential
+	if isTLS13Suite(suite.name) {
+		cert = &rsaCertificate
+	} else if hasComponent(suite.name, "ECDSA") {
+		cert = &ecdsaP256Certificate
+	} else if hasComponent(suite.name, "RSA") {
+		cert = &rsaCertificate
 	}
 
 	var flags []string
@@ -3750,6 +3752,11 @@
 	serverCipherSuites := []uint16{suite.id}
 	if shouldFail {
 		expectedServerError = ":NO_SHARED_CIPHER:"
+		if ver.version >= VersionTLS13 && cert == nil {
+			// TLS 1.2 PSK ciphers won't configure a server certificate, but we
+			// require one in TLS 1.3.
+			expectedServerError = ":NO_CERTIFICATE_SET:"
+		}
 		expectedClientError = ":WRONG_CIPHER_RETURNED:"
 		// Configure the server to select ciphers as normal but
 		// select an incompatible cipher in ServerHello.
@@ -3768,14 +3775,14 @@
 			MinVersion:           ver.version,
 			MaxVersion:           ver.version,
 			CipherSuites:         []uint16{suite.id},
-			Credential:           &cert,
+			Credential:           cert,
 			PreSharedKey:         []byte(psk),
 			PreSharedKeyIdentity: pskIdentity,
 			Bugs: ProtocolBugs{
 				AdvertiseAllConfiguredCiphers: true,
 			},
 		},
-		shimCertificate:      &cert,
+		shimCertificate:      cert,
 		flags:                flags,
 		resumeSession:        true,
 		shouldFail:           shouldFail,
@@ -3791,7 +3798,7 @@
 			MinVersion:           ver.version,
 			MaxVersion:           ver.version,
 			CipherSuites:         serverCipherSuites,
-			Credential:           &cert,
+			Credential:           cert,
 			PreSharedKey:         []byte(psk),
 			PreSharedKeyIdentity: pskIdentity,
 			Bugs: ProtocolBugs{
@@ -3818,7 +3825,7 @@
 			MinVersion:           ver.version,
 			MaxVersion:           ver.version,
 			CipherSuites:         []uint16{suite.id},
-			Credential:           &cert,
+			Credential:           cert,
 			PreSharedKey:         []byte(psk),
 			PreSharedKeyIdentity: pskIdentity,
 		},
@@ -3845,7 +3852,7 @@
 				MinVersion:           ver.version,
 				MaxVersion:           ver.version,
 				CipherSuites:         []uint16{suite.id},
-				Credential:           &cert,
+				Credential:           cert,
 				PreSharedKey:         []byte(psk),
 				PreSharedKeyIdentity: pskIdentity,
 			},
commit	4fa4804c8ab4521079af62dba5260a99c34b8a29	[log] [tgz]
author	David Benjamin <davidben@google.com>	Tue Mar 12 09:48:29 2024 -0400
committer	Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>	Tue Mar 12 15:17:20 2024 +0000
tree	02c9201fe5c38541326be03c1c3e7dead435f932
parent	dbad745811195c00b729efd0ee0a09b7d9fce1d2 [diff]