Update ECH GREASE to draft-ietf-tls-esni-09

Bug: 275
Change-Id: I9ae9128c25f18f346641d54d5c14527bc5c74d3f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44784
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e40e2b2..b2b391a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3561,7 +3561,7 @@
 //
 // ECH support in BoringSSL is still experimental and under development.
 //
-// See https://tools.ietf.org/html/draft-ietf-tls-esni-08.
+// See https://tools.ietf.org/html/draft-ietf-tls-esni-09.
 
 // SSL_set_enable_ech_grease configures whether the client may send ECH GREASE
 // as part of this connection.
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 22689a2..ee73d21 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -238,9 +238,10 @@
 // extension number.
 #define TLSEXT_TYPE_application_settings 17513
 
-// ExtensionType value from draft-ietf-tls-esni-08. This is not an IANA defined
+// ExtensionType values from draft-ietf-tls-esni-09. This is not an IANA defined
 // extension number.
-#define TLSEXT_TYPE_encrypted_client_hello 0xfe08
+#define TLSEXT_TYPE_encrypted_client_hello 0xfe09
+#define TLSEXT_TYPE_ech_is_inner 0xda09
 
 // ExtensionType value from RFC6962
 #define TLSEXT_TYPE_certificate_timestamp 18
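Review bot: The reworded comment above the two defines now opens with "ExtensionType values" but still continues "This is not an IANA defined extension number", so it reads as if only one of the two codepoints is provisional. I would reword it to `// ExtensionType values from draft-ietf-tls-esni-09. These are not IANA defined` followed by `// extension numbers.` Separately, `TLSEXT_TYPE_ech_is_inner` is added here but nothing in the visible hunks references it, and the runner's common.go hunk only updates `extensionEncryptedClientHello`. If that is deliberate for a GREASE-only change, a one-line comment saying the codepoint is defined ahead of its use would save the next reader a search.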
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 955eae7..7ec61fd 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -593,7 +593,7 @@
 
 // Encrypted Client Hello (ECH)
 //
-// https://tools.ietf.org/html/draft-ietf-tls-esni-08
+// https://tools.ietf.org/html/draft-ietf-tls-esni-09
 
 // random_size returns a random value between |min| and |max|, inclusive.
 static size_t random_size(size_t min, size_t max) {
@@ -619,18 +619,14 @@
   }
 
   constexpr uint16_t kdf_id = EVP_HPKE_HKDF_SHA256;
-  const EVP_MD *kdf = EVP_HPKE_get_hkdf_md(kdf_id);
-  assert(kdf != nullptr);
-
   const uint16_t aead_id = EVP_has_aes_hardware()
                                ? EVP_HPKE_AEAD_AES_GCM_128
                                : EVP_HPKE_AEAD_CHACHA20POLY1305;
   const EVP_AEAD *aead = EVP_HPKE_get_aead(aead_id);
   assert(aead != nullptr);
 
-  uint8_t ech_config_id_buf[EVP_MAX_MD_SIZE];
-  Span<uint8_t> ech_config_id(ech_config_id_buf, EVP_MD_size(kdf));
-  RAND_bytes(ech_config_id.data(), ech_config_id.size());
+  uint8_t ech_config_id[8];
+  RAND_bytes(ech_config_id, sizeof(ech_config_id));
 
   uint8_t ech_enc[X25519_PUBLIC_VALUE_LEN];
   uint8_t private_key_unused[X25519_PRIVATE_KEY_LEN];
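Review bot: The new `uint8_t ech_config_id[8];` hard-codes the config_id length with no name or comment, where the removed code derived it from the KDF's hash size. GREASE only does its job if the extension is indistinguishable from a real one, so the length should be visibly tied to the draft; presumably 8 is the config_id length draft-09 specifies, which is worth confirming against the text. I would add `// draft-ietf-tls-esni-09 config_id length; GREASE must match what real clients send.` above the declaration, or hoist the 8 into a named constant. In the later hunk, `CBB_add_bytes(&config_id_cbb, ech_config_id, sizeof(ech_config_id))` uses `sizeof` while the adjacent call uses `OPENSSL_ARRAY_SIZE(ech_enc)`; using one form for both keeps them parallel. The enclosing function starts and ends outside this hunk.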
@@ -688,8 +684,7 @@
       !CBB_add_u16(&ech_body, kdf_id) ||  //
       !CBB_add_u16(&ech_body, aead_id) ||
       !CBB_add_u8_length_prefixed(&ech_body, &config_id_cbb) ||
-      !CBB_add_bytes(&config_id_cbb, ech_config_id.data(),
-                     ech_config_id.size()) ||
+      !CBB_add_bytes(&config_id_cbb, ech_config_id, sizeof(ech_config_id)) ||
       !CBB_add_u16_length_prefixed(&ech_body, &enc_cbb) ||
       !CBB_add_bytes(&enc_cbb, ech_enc, OPENSSL_ARRAY_SIZE(ech_enc)) ||
       !CBB_add_u16_length_prefixed(&ech_body, &payload_cbb) ||
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 522f458..b8e0eae 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -127,7 +127,7 @@
 	extensionChannelID                  uint16 = 30032  // not IANA assigned
 	extensionDelegatedCredentials       uint16 = 0x22   // draft-ietf-tls-subcerts-06
 	extensionDuplicate                  uint16 = 0xffff // not IANA assigned
-	extensionEncryptedClientHello       uint16 = 0xfe08 // not IANA assigned
+	extensionEncryptedClientHello       uint16 = 0xfe09 // not IANA assigned
 )
 
 // TLS signaling cipher suite values
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go
index b175a93..42b5eb5 100644
--- a/ssl/test/runner/handshake_messages.go
+++ b/ssl/test/runner/handshake_messages.go
@@ -282,7 +282,7 @@
 }
 
 // The contents of a CH "encrypted_client_hello" extension.
-// https://tools.ietf.org/html/draft-ietf-tls-esni-08
+// https://tools.ietf.org/html/draft-ietf-tls-esni-09
 type clientECH struct {
 	hpkeKDF  uint16
 	hpkeAEAD uint16
@@ -422,7 +422,7 @@
 		})
 	}
 	if m.clientECH != nil {
-		// https://tools.ietf.org/html/draft-ietf-tls-esni-08
+		// https://tools.ietf.org/html/draft-ietf-tls-esni-09
 		body := newByteBuilder()
 		body.addU16(m.clientECH.hpkeKDF)
 		body.addU16(m.clientECH.hpkeAEAD)