Update ECH GREASE to draft-ietf-tls-esni-09
Bug: 275
Change-Id: I9ae9128c25f18f346641d54d5c14527bc5c74d3f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44784
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e40e2b2..b2b391a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3561,7 +3561,7 @@
//
// ECH support in BoringSSL is still experimental and under development.
//
-// See https://tools.ietf.org/html/draft-ietf-tls-esni-08.
+// See https://tools.ietf.org/html/draft-ietf-tls-esni-09.
// SSL_set_enable_ech_grease configures whether the client may send ECH GREASE
// as part of this connection.
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 22689a2..ee73d21 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -238,9 +238,10 @@
// extension number.
#define TLSEXT_TYPE_application_settings 17513
-// ExtensionType value from draft-ietf-tls-esni-08. This is not an IANA defined
+// ExtensionType values from draft-ietf-tls-esni-09. This is not an IANA defined
// extension number.
-#define TLSEXT_TYPE_encrypted_client_hello 0xfe08
+#define TLSEXT_TYPE_encrypted_client_hello 0xfe09
+#define TLSEXT_TYPE_ech_is_inner 0xda09
// ExtensionType value from RFC6962
#define TLSEXT_TYPE_certificate_timestamp 18
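Review bot: The comment above the two ECH macros now says "values" but its second sentence still reads "This is not an IANA defined extension number"; with two codepoints under it, it should read `// These are not IANA defined extension numbers.`. The new `TLSEXT_TYPE_ech_is_inner` (0xda09) is also not referenced by any other hunk visible in this commit, and the Go runner's extension constants get no counterpart. If that is intentional because this change only covers GREASE, a short comment saying the codepoint is reserved for later use would stop readers from assuming it is already parsed or rejected somewhere.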
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 955eae7..7ec61fd 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -593,7 +593,7 @@
// Encrypted Client Hello (ECH)
//
-// https://tools.ietf.org/html/draft-ietf-tls-esni-08
+// https://tools.ietf.org/html/draft-ietf-tls-esni-09
// random_size returns a random value between |min| and |max|, inclusive.
static size_t random_size(size_t min, size_t max) {
@@ -619,18 +619,14 @@
}
constexpr uint16_t kdf_id = EVP_HPKE_HKDF_SHA256;
- const EVP_MD *kdf = EVP_HPKE_get_hkdf_md(kdf_id);
- assert(kdf != nullptr);
-
const uint16_t aead_id = EVP_has_aes_hardware()
? EVP_HPKE_AEAD_AES_GCM_128
: EVP_HPKE_AEAD_CHACHA20POLY1305;
const EVP_AEAD *aead = EVP_HPKE_get_aead(aead_id);
assert(aead != nullptr);
- uint8_t ech_config_id_buf[EVP_MAX_MD_SIZE];
- Span<uint8_t> ech_config_id(ech_config_id_buf, EVP_MD_size(kdf));
- RAND_bytes(ech_config_id.data(), ech_config_id.size());
+ uint8_t ech_config_id[8];
+ RAND_bytes(ech_config_id, sizeof(ech_config_id));
uint8_t ech_enc[X25519_PUBLIC_VALUE_LEN];
uint8_t private_key_unused[X25519_PRIVATE_KEY_LEN];
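Review bot: The literal `8` in `uint8_t ech_config_id[8];` is unexplained, and for GREASE the length matters: the placeholder extension only does its job if its field sizes match what a real ECH client would send. The value presumably tracks the config_id length in draft-ietf-tls-esni-09, so I would state that next to the declaration, e.g. `// Must match the config_id length a real draft-09 ECH client sends, so GREASE is not distinguishable by size.`, or give the length a named constant. The later hunk writes this buffer with `sizeof(ech_config_id)` behind a u8 length prefix, so this declaration is the only place the size is defined. The enclosing function starts and ends outside the hunk.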
@@ -688,8 +684,7 @@
!CBB_add_u16(&ech_body, kdf_id) || //
!CBB_add_u16(&ech_body, aead_id) ||
!CBB_add_u8_length_prefixed(&ech_body, &config_id_cbb) ||
- !CBB_add_bytes(&config_id_cbb, ech_config_id.data(),
- ech_config_id.size()) ||
+ !CBB_add_bytes(&config_id_cbb, ech_config_id, sizeof(ech_config_id)) ||
!CBB_add_u16_length_prefixed(&ech_body, &enc_cbb) ||
!CBB_add_bytes(&enc_cbb, ech_enc, OPENSSL_ARRAY_SIZE(ech_enc)) ||
!CBB_add_u16_length_prefixed(&ech_body, &payload_cbb) ||
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 522f458..b8e0eae 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -127,7 +127,7 @@
extensionChannelID uint16 = 30032 // not IANA assigned
extensionDelegatedCredentials uint16 = 0x22 // draft-ietf-tls-subcerts-06
extensionDuplicate uint16 = 0xffff // not IANA assigned
- extensionEncryptedClientHello uint16 = 0xfe08 // not IANA assigned
+ extensionEncryptedClientHello uint16 = 0xfe09 // not IANA assigned
)
// TLS signaling cipher suite values
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index b175a93..42b5eb5 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -282,7 +282,7 @@
}
// The contents of a CH "encrypted_client_hello" extension.
-// https://tools.ietf.org/html/draft-ietf-tls-esni-08
+// https://tools.ietf.org/html/draft-ietf-tls-esni-09
type clientECH struct {
hpkeKDF uint16
hpkeAEAD uint16
@@ -422,7 +422,7 @@
})
}
if m.clientECH != nil {
- // https://tools.ietf.org/html/draft-ietf-tls-esni-08
+ // https://tools.ietf.org/html/draft-ietf-tls-esni-09
body := newByteBuilder()
body.addU16(m.clientECH.hpkeKDF)
body.addU16(m.clientECH.hpkeAEAD)