Update dummy PQ extension for round two.

In this round, Google servers will echo the extension in order to test
the latency of both parties sending a PQ key-agreement message.

The extension is sent (and echoed) for both full and resumption
handshakes. This is intended to mirror the overhead of TLS 1.3 (even
when using TLS 1.2), as a resumption in TLS 1.3 still does a fresh key
agreement.

Change-Id: I9ad163afac4fd1d916f9c7359ec32994e283abeb
Reviewed-on: https://boringssl-review.googlesource.com/26185
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/internal.h

@@ -1514,6 +1514,10 @@ struct SSL_HANDSHAKE {
   // grease_seed is the entropy for GREASE values. It is valid if
   // |grease_seeded| is true.
   uint8_t grease_seed[ssl_grease_last_index + 1] = {0};
+
+  // dummy_pq_padding_len is the length of the extension that should be echoed
+  // in a ServerHello, or zero if no extension should be echoed.
+  uint16_t dummy_pq_padding_len = 0;
 };
 
 UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl);

ssl/t1_lib.cc

@@ -2324,12 +2324,7 @@ static bool ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
 // key-exchange and so enable measurement of the latency impact of the
 // additional bandwidth.
 
-static bool ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
-  const size_t len = hs->ssl->dummy_pq_padding_len;
-  if (len == 0) {
-    return true;
-  }
-
+static bool ext_dummy_pq_padding_add(CBB *out, size_t len) {
   CBB contents;
   uint8_t *buffer;
   if (!CBB_add_u16(out, TLSEXT_TYPE_dummy_pq_padding) ||
@@ -2351,6 +2346,33 @@ static bool ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
   return CBB_flush(out);
 }
 
+static bool ext_dummy_pq_padding_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
+  const size_t len = hs->ssl->dummy_pq_padding_len;
+  if (len == 0) {
+    return true;
+  }
+
+  return ext_dummy_pq_padding_add(out, len);
+}
+
+static bool ext_dummy_pq_padding_parse_clienthello(SSL_HANDSHAKE *hs,
+                                                   uint8_t *out_alert,
+                                                   CBS *contents) {
+  if (contents != nullptr &&
+      0 < CBS_len(contents) && CBS_len(contents) < (1 << 12)) {
+    hs->dummy_pq_padding_len = CBS_len(contents);
+  }
+
+  return true;
+}
+
+static bool ext_dummy_pq_padding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
+  if (!hs->dummy_pq_padding_len) {
+    return true;
+  }
+
+  return ext_dummy_pq_padding_add(out, hs->dummy_pq_padding_len);
+}
 
 // Negotiated Groups
 //
@@ -2795,8 +2817,8 @@ static const struct tls_extension kExtensions[] = {
     NULL,
     ext_dummy_pq_padding_add_clienthello,
     ignore_parse_serverhello,
-    ignore_parse_clienthello,
-    dont_add_serverhello,
+    ext_dummy_pq_padding_parse_clienthello,
+    ext_dummy_pq_padding_add_serverhello,
   },
   {
     TLSEXT_TYPE_quic_transport_parameters,

ssl/test/runner/common.go

@@ -1552,6 +1552,10 @@ type ProtocolBugs struct {
 	// length.
 	ExpectDummyPQPaddingLength int
 
+	// SendDummyPQPaddingLength causes a client to send a dummy PQ padding
+	// extension of the given length in the ClientHello.
+	SendDummyPQPaddingLength int
+
 	// SendCompressedCoordinates, if true, causes ECDH key shares over NIST
 	// curves to use compressed coordinates.
 	SendCompressedCoordinates bool

ssl/test/runner/handshake_client.go

@@ -100,6 +100,7 @@ func (c *Conn) clientHandshake() error {
 		pskBinderFirst:          c.config.Bugs.PSKBinderFirst,
 		omitExtensions:          c.config.Bugs.OmitExtensions,
 		emptyExtensions:         c.config.Bugs.EmptyExtensions,
+		dummyPQPaddingLen:       c.config.Bugs.SendDummyPQPaddingLength,
 	}
 
 	if maxVersion >= VersionTLS13 {
@@ -1492,6 +1493,11 @@ func (hs *clientHandshakeState) processServerExtensions(serverExtensions *server
 		}
 		c.quicTransportParams = serverExtensions.quicTransportParams
 	}
+
+	if l := c.config.Bugs.ExpectDummyPQPaddingLength; l != 0 && serverExtensions.dummyPQPaddingLen != l {
+		return fmt.Errorf("tls: expected %d-byte dummy PQ padding extension, but got %d bytes", l, serverExtensions.dummyPQPaddingLen)
+	}
+
 	return nil
 }
 

ssl/test/runner/handshake_messages.go

@@ -571,6 +571,11 @@ func (m *clientHelloMsg) marshal() []byte {
 		customExt := extensions.addU16LengthPrefixed()
 		customExt.addBytes([]byte(m.customExtension))
 	}
+	if l := m.dummyPQPaddingLen; l != 0 {
+		extensions.addU16(extensionDummyPQPadding)
+		body := extensions.addU16LengthPrefixed()
+		body.addBytes(make([]byte, l))
+	}
 	// The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6).
 	if len(m.pskIdentities) > 0 && !m.pskBinderFirst {
 		extensions.addU16(extensionPreSharedKey)
@@ -1144,6 +1149,7 @@ type serverExtensions struct {
 	supportedCurves         []CurveID
 	quicTransportParams     []byte
 	serverNameAck           bool
+	dummyPQPaddingLen       int
 }
 
 func (m *serverExtensions) marshal(extensions *byteBuilder) {
@@ -1278,6 +1284,11 @@ func (m *serverExtensions) marshal(extensions *byteBuilder) {
 		extensions.addU16(extensionServerName)
 		extensions.addU16(0) // zero length
 	}
+	if l := m.dummyPQPaddingLen; l != 0 {
+		extensions.addU16(extensionDummyPQPadding)
+		body := extensions.addU16LengthPrefixed()
+		body.addBytes(make([]byte, l))
+	}
 }
 
 func (m *serverExtensions) unmarshal(data byteReader, version uint16) bool {
@@ -1382,6 +1393,8 @@ func (m *serverExtensions) unmarshal(data byteReader, version uint16) bool {
 				return false
 			}
 			m.hasEarlyData = true
+		case extensionDummyPQPadding:
+			m.dummyPQPaddingLen = len(body)
 		default:
 			// Unknown extensions are illegal from the server.
 			return false

ssl/test/runner/runner.go

@@ -7343,23 +7343,39 @@ func addExtensionTests() {
 			continue
 		}
 
-		for _, paddingLen := range []int{1, 9700} {
-			flags := []string{
-				"-max-version", version.shimFlag(tls),
-				"-dummy-pq-padding-len", strconv.Itoa(paddingLen),
-			}
+		for _, paddingLen := range []int{400, 1100} {
+			testCases = append(testCases, testCase{
+				name:          fmt.Sprintf("DummyPQPadding-%d-%s", paddingLen, version.name),
+				testType:      clientTest,
+				tls13Variant:  version.tls13Variant,
+				resumeSession: true,
+				config: Config{
+					MaxVersion: version.version,
+					Bugs: ProtocolBugs{
+						ExpectDummyPQPaddingLength: paddingLen,
+					},
+				},
+				flags: []string{
+					"-max-version", version.shimFlag(tls),
+					"-dummy-pq-padding-len", strconv.Itoa(paddingLen),
+				},
+			})
 
 			testCases = append(testCases, testCase{
-				name:         fmt.Sprintf("DummyPQPadding-%d-%s", paddingLen, version.name),
-				testType:     clientTest,
-				tls13Variant: version.tls13Variant,
+				name:          fmt.Sprintf("DummyPQPadding-Server-%d-%s", paddingLen, version.name),
+				testType:      serverTest,
+				tls13Variant:  version.tls13Variant,
+				resumeSession: true,
 				config: Config{
 					MaxVersion: version.version,
 					Bugs: ProtocolBugs{
+						SendDummyPQPaddingLength:   paddingLen,
 						ExpectDummyPQPaddingLength: paddingLen,
 					},
 				},
-				flags: flags,
+				flags: []string{
+					"-max-version", version.shimFlag(tls),
+				},
 			})
 		}
 	}