Test the high-order bit in X25519.

This schism came up in passing again, and I realized we never added a TLS-level test for this. Fix that. Change-Id: I10f910bb5a975d6b3b73d99e7412ade35654fddb Reviewed-on: https://boringssl-review.googlesource.com/27224 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2018-04-06 19:17:20 -04:00 · 2018-04-06 19:17:20 -04:00 · 56b1a8efa6
commit 56b1a8efa6
parent 56ea9e2769
3 changed files with 25 additions and 1 deletions
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@ -1576,6 +1576,10 @@ type ProtocolBugs struct {
 	// ExpectRSAPSSSupport specifies the level of RSA-PSS support expected
 	// from the peer.
 	ExpectRSAPSSSupport RSAPSSSupport
+
+	// SetX25519HighBit, if true, causes X25519 key shares to set their
+	// high-order bit.
+	SetX25519HighBit bool
 }

 func (c *Config) serverInit() {
--- a/ssl/test/runner/key_agreement.go
+++ b/ssl/test/runner/key_agreement.go
@ -302,6 +302,7 @@ func (e *ellipticECDHCurve) finish(peerKey []byte) (preMasterSecret []byte, err
 // x25519ECDHCurve implements ecdhCurve with X25519.
 type x25519ECDHCurve struct {
 	privateKey [32]byte
+	setHighBit bool
 }

 func (e *x25519ECDHCurve) offer(rand io.Reader) (publicKey []byte, err error) {
@ -311,6 +312,9 @@ func (e *x25519ECDHCurve) offer(rand io.Reader) (publicKey []byte, err error) {
 	}
 	var out [32]byte
 	curve25519.ScalarBaseMult(&out, &e.privateKey)
+	if e.setHighBit {
+		out[31] |= 0x80
+	}
 	return out[:], nil
 }

@ -354,7 +358,7 @@ func curveForCurveID(id CurveID, config *Config) (ecdhCurve, bool) {
 	case CurveP521:
 		return &ellipticECDHCurve{curve: elliptic.P521(), sendCompressed: config.Bugs.SendCompressedCoordinates}, true
 	case CurveX25519:
-		return &x25519ECDHCurve{}, true
+		return &x25519ECDHCurve{setHighBit: config.Bugs.SetX25519HighBit}, true
 	default:
 		return nil, false
 	}
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -11017,6 +11017,22 @@ func addCurveTests() {
 		shouldFail:    true,
 		expectedError: ":ERROR_PARSING_EXTENSION:",
 	})
+
+	// Implementations should mask off the high order bit in X25519.
+	testCases = append(testCases, testCase{
+		name: "SetX25519HighBit",
+		config: Config{
+			CipherSuites: []uint16{
+				TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+				TLS_AES_128_GCM_SHA256,
+			},
+			CurvePreferences: []CurveID{CurveX25519},
+			Bugs: ProtocolBugs{
+				SetX25519HighBit: true,
+			},
+		},
+	})
 }

 func addTLS13RecordTests() {