Implement final TLS 1.3 RFC!!!

The anti-downgrade signal is being implemented in a follow-up change.

Change-Id: I5ea3ff429ed1389a3577026588fef3660d2d0615
Reviewed-on: https://boringssl-review.googlesource.com/30904
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Steven Valdez 2018-08-13 10:07:45 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent 1c337e566d
commit d451453067
6 changed files with 56 additions and 27 deletions


@ -3400,10 +3400,16 @@ OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *ssl);
// performed by |ssl|. This includes the pending renegotiation, if any. // performed by |ssl|. This includes the pending renegotiation, if any.
OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl); OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);
// tls13_variant_t determines what TLS 1.3 variant to negotiate.
//
// TODO(svaldez): Make |tls13_rfc| the default after callers are switched to
// explicitly enable |tls13_all|.
enum tls13_variant_t { enum tls13_variant_t {
tls13_default = 0, tls13_default = 0,
tls13_draft23, tls13_draft23,
tls13_draft28, tls13_draft28,
tls13_rfc,
tls13_all = tls13_default,
}; };
// SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the // SSL_CTX_set_tls13_variant sets which variant of TLS 1.3 we negotiate. On the
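Review bot: The new `tls13_rfc` and `tls13_all` enumerators in `tls13_variant_t` have no per-value comments, and the header comment does not say that `tls13_default` (and its alias `tls13_all`) still allows the draft 23 and draft 28 wire versions alongside the final one. A caller that wants only the final RFC version has to select `tls13_rfc` explicitly, which the TODO implies but never states. I would add a line above each, e.g. `// tls13_rfc negotiates only the final RFC version of TLS 1.3.` and `// tls13_all negotiates the final version and both drafts; currently identical to tls13_default.`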


@ -30,6 +30,7 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
case TLS1_VERSION: case TLS1_VERSION:
case TLS1_1_VERSION: case TLS1_1_VERSION:
case TLS1_2_VERSION: case TLS1_2_VERSION:
case TLS1_3_VERSION:
*out = version; *out = version;
return true; return true;
@ -56,6 +57,7 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
// decreasing preference. // decreasing preference.
static const uint16_t kTLSVersions[] = { static const uint16_t kTLSVersions[] = {
TLS1_3_VERSION,
TLS1_3_DRAFT28_VERSION, TLS1_3_DRAFT28_VERSION,
TLS1_3_DRAFT23_VERSION, TLS1_3_DRAFT23_VERSION,
TLS1_2_VERSION, TLS1_2_VERSION,
@ -101,6 +103,7 @@ static const char *ssl_version_to_string(uint16_t version) {
switch (version) { switch (version) {
case TLS1_3_DRAFT23_VERSION: case TLS1_3_DRAFT23_VERSION:
case TLS1_3_DRAFT28_VERSION: case TLS1_3_DRAFT28_VERSION:
case TLS1_3_VERSION:
return "TLSv1.3"; return "TLSv1.3";
case TLS1_2_VERSION: case TLS1_2_VERSION:
@ -128,6 +131,7 @@ static uint16_t wire_version_to_api(uint16_t version) {
// Report TLS 1.3 draft versions as TLS 1.3 in the public API. // Report TLS 1.3 draft versions as TLS 1.3 in the public API.
case TLS1_3_DRAFT23_VERSION: case TLS1_3_DRAFT23_VERSION:
case TLS1_3_DRAFT28_VERSION: case TLS1_3_DRAFT28_VERSION:
case TLS1_3_VERSION:
return TLS1_3_VERSION; return TLS1_3_VERSION;
default: default:
return version; return version;
@ -142,9 +146,6 @@ static bool api_version_to_wire(uint16_t *out, uint16_t version) {
version == TLS1_3_DRAFT28_VERSION) { version == TLS1_3_DRAFT28_VERSION) {
return false; return false;
} }
if (version == TLS1_3_VERSION) {
version = TLS1_3_DRAFT23_VERSION;
}
// Check it is a real protocol version. // Check it is a real protocol version.
uint16_t unused; uint16_t unused;
@ -301,6 +302,8 @@ bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
return version == TLS1_3_DRAFT23_VERSION; return version == TLS1_3_DRAFT23_VERSION;
case tls13_draft28: case tls13_draft28:
return version == TLS1_3_DRAFT28_VERSION; return version == TLS1_3_DRAFT28_VERSION;
case tls13_rfc:
return version == TLS1_3_VERSION;
case tls13_default: case tls13_default:
return true; return true;
} }
@ -354,7 +357,7 @@ bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
} }
bool ssl_is_draft28(uint16_t version) { bool ssl_is_draft28(uint16_t version) {
return version == TLS1_3_DRAFT28_VERSION; return version == TLS1_3_DRAFT28_VERSION || version == TLS1_3_VERSION;
} }
} // namespace bssl } // namespace bssl
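Review bot: `ssl_is_draft28` now returns true for `TLS1_3_VERSION` as well, so at the end of this section the name no longer describes the test, and a call site reads as draft-28-only behaviour when it also covers the final version. A rename would be cleaner, but at minimum the function deserves a comment such as `// ssl_is_draft28 returns whether |version| is draft 28 or later, including the final RFC version.` The Go runner's `isDraft28` in the next file section has the same mismatch. The callers are outside the visible hunks, so it should be checked that each of them really wants the final version included.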


@ -42,9 +42,11 @@ const (
TLS13Default = 0 TLS13Default = 0
TLS13Draft23 = 1 TLS13Draft23 = 1
TLS13Draft28 = 2 TLS13Draft28 = 2
TLS13RFC = 3
) )
var allTLSWireVersions = []uint16{ var allTLSWireVersions = []uint16{
VersionTLS13,
tls13Draft28Version, tls13Draft28Version,
tls13Draft23Version, tls13Draft23Version,
VersionTLS12, VersionTLS12,
@ -1740,7 +1742,7 @@ func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) {
} }
} else { } else {
switch vers { switch vers {
case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12: case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13:
return vers, true return vers, true
case tls13Draft23Version, tls13Draft28Version: case tls13Draft23Version, tls13Draft28Version:
return VersionTLS13, true return VersionTLS13, true
@ -1751,22 +1753,37 @@ func wireToVersion(vers uint16, isDTLS bool) (uint16, bool) {
} }
func isDraft28(vers uint16) bool { func isDraft28(vers uint16) bool {
return vers == tls13Draft28Version return vers == tls13Draft28Version || vers == VersionTLS13
} }
// isSupportedVersion checks if the specified wire version is acceptable. If so, // isSupportedVersion checks if the specified wire version is acceptable. If so,
// it returns true and the corresponding protocol version. Otherwise, it returns // it returns true and the corresponding protocol version. Otherwise, it returns
// false. // false.
func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) { func (c *Config) isSupportedVersion(wireVers uint16, isDTLS bool) (uint16, bool) {
if (c.TLS13Variant == TLS13Draft23 && wireVers == tls13Draft28Version) ||
(c.TLS13Variant == TLS13Draft28 && wireVers == tls13Draft23Version) {
return 0, false
}
vers, ok := wireToVersion(wireVers, isDTLS) vers, ok := wireToVersion(wireVers, isDTLS)
if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) { if !ok || c.minVersion(isDTLS) > vers || vers > c.maxVersion(isDTLS) {
return 0, false return 0, false
} }
if vers == VersionTLS13 {
switch c.TLS13Variant {
case TLS13Draft23:
if wireVers != tls13Draft23Version {
return 0, false
}
case TLS13Draft28:
if wireVers != tls13Draft28Version {
return 0, false
}
case TLS13RFC:
if wireVers != VersionTLS13 {
return 0, false
}
case TLS13Default:
// Allow all of them.
default:
panic(c.TLS13Variant)
}
}
return vers, true return vers, true
} }
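Review bot: The `default:` arm of the new variant switch in `isSupportedVersion` calls `panic(c.TLS13Variant)`, which prints only a bare number when a test config carries an unexpected variant. A message naming the field makes the failure self-explanatory, e.g. `panic(fmt.Sprintf("unknown TLS13Variant: %d", c.TLS13Variant))`. This assumes `fmt` is already imported in this file, which the hunk does not show.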


@ -1024,7 +1024,8 @@ func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version)) panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
} }
if ver.tls13Variant != 0 { // Ignore this check against "TLS13", since TLS13 is used in many test names.
if ver.tls13Variant != 0 && ver.tls13Variant != TLS13RFC {
var foundFlag bool var foundFlag bool
for _, flag := range test.flags { for _, flag := range test.flags {
if flag == "-tls13-variant" { if flag == "-tls13-variant" {
@ -1375,6 +1376,13 @@ var tlsVersions = []tlsVersion{
hasDTLS: true, hasDTLS: true,
versionDTLS: VersionDTLS12, versionDTLS: VersionDTLS12,
}, },
{
name: "TLS13",
version: VersionTLS13,
excludeFlag: "-no-tls13",
versionWire: VersionTLS13,
tls13Variant: TLS13RFC,
},
{ {
name: "TLS13Draft23", name: "TLS13Draft23",
version: VersionTLS13, version: VersionTLS13,
@ -1480,7 +1488,7 @@ func bigFromHex(hex string) *big.Int {
func convertToSplitHandshakeTests(tests []testCase) (splitHandshakeTests []testCase) { func convertToSplitHandshakeTests(tests []testCase) (splitHandshakeTests []testCase) {
var stdout bytes.Buffer var stdout bytes.Buffer
shim := exec.Command(*shimPath, "-is-handshaker-supported") shim := exec.Command(*shimPath, "-is-handshaker-supported")
shim.Stdout = &stdout; shim.Stdout = &stdout
if err := shim.Run(); err != nil { if err := shim.Run(); err != nil {
panic(err) panic(err)
} }
@ -2831,7 +2839,7 @@ read alert 1 0
messageCount: 5, messageCount: 5,
keyUpdateRequest: keyUpdateRequested, keyUpdateRequest: keyUpdateRequested,
readWithUnfinishedWrite: true, readWithUnfinishedWrite: true,
flags: []string{"-async"}, flags: []string{"-async"},
}, },
{ {
name: "SendSNIWarningAlert", name: "SendSNIWarningAlert",
@ -5748,19 +5756,6 @@ func addVersionNegotiationTests() {
expectedVersion: VersionTLS12, expectedVersion: VersionTLS12,
}) })
testCases = append(testCases, testCase{
testType: serverTest,
name: "RejectFinalTLS13",
config: Config{
Bugs: ProtocolBugs{
SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
},
},
// We currently implement a draft TLS 1.3 version. Ensure that
// the true TLS 1.3 value is ignored for now.
expectedVersion: VersionTLS12,
})
// Test that TLS 1.2 isn't negotiated by the supported_versions extension in // Test that TLS 1.2 isn't negotiated by the supported_versions extension in
// the ServerHello. // the ServerHello.
testCases = append(testCases, testCase{ testCases = append(testCases, testCase{
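Review bot: The added `ver.tls13Variant != TLS13RFC` condition in `runTest` exempts the RFC variant from the check that a version-specific test passes `-tls13-variant`, and the comment explains only why, not what is lost. With the exemption, a test named for TLS13 that omits the flag would presumably leave the shim on its default variant, which still accepts the drafts, so the comment should say so: `// Tests named "TLS13" are therefore not verified to pin the shim to the RFC variant.` Separately, `RejectFinalTLS13` is deleted at the end of this section without a visible replacement asserting that `SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12}` now yields `VersionTLS13`; the new `tlsVersions` entry may cover this through generated tests, but that is not shown here. `runTest` continues outside the hunk.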


@ -337,6 +337,10 @@ static bool GetTLS13Variant(tls13_variant_t *out, const std::string &in) {
*out = tls13_draft28; *out = tls13_draft28;
return true; return true;
} }
if (in == "rfc") {
*out = tls13_rfc;
return true;
}
return false; return false;
} }
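Review bot: The `"rfc"` branch added to `GetTLS13Variant` here is repeated verbatim in the second copy of the function in the following file section, so every new variant has to be added in two places and the copies can drift. Moving the parser into a helper shared by both tools would remove that risk; if that is out of scope, a comment on each copy such as `// Keep in sync with the other GetTLS13Variant.` would help. The function starts outside the hunk, so whether the flag's help text also lists `rfc` cannot be checked from here.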


@ -157,6 +157,10 @@ static bool GetTLS13Variant(tls13_variant_t *out, const std::string &in) {
*out = tls13_draft28; *out = tls13_draft28;
return true; return true;
} }
if (in == "rfc") {
*out = tls13_rfc;
return true;
}
return false; return false;
} }