author | David Benjamin <davidben@google.com> | 2016-09-27 23:39:52 +0300 |
---|---|---|
committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | 2016-09-28 00:07:52 +0300 |
commit | d9791bf10a5982bd2c709be5c7d68a73de832e90 (patch) | |
tree | 99b78caca5c4b3ba987d8a39f78b316b05568ffd | |
parent | 9f16ce1ea83e75dd68251804824d6fa7d028865d (diff) |
Apply GREASE to the version extension.
BUG=106
Change-Id: Iaa12aeb67627f3c22fe4a917c89c646cb3dc1843
Reviewed-on: https://boringssl-review.googlesource.com/11325
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
-rw-r--r-- | ssl/internal.h | 1 | ||||
-rw-r--r-- | ssl/t1_lib.c | 6 | ||||
-rw-r--r-- | ssl/test/runner/handshake_server.go | 10 |
3 files changed, 15 insertions, 2 deletions
diff --git a/ssl/internal.h b/ssl/internal.h
index fca2dda7..3745592b 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1021,6 +1021,7 @@ enum ssl_grease_index_t {
 ssl_grease_group,
 ssl_grease_extension1,
 ssl_grease_extension2,
+ ssl_grease_version,
 };
 
 /* ssl_get_grease_value returns a GREASE value for |ssl|. For a given
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 281fc718..da446e01 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2279,6 +2279,12 @@ static int ext_supported_versions_add_clienthello(SSL *ssl, CBB *out) {
 return 0;
 }
 
+ /* Add a fake version. See draft-davidben-tls-grease-01. */
+ if (ssl->ctx->grease_enabled &&
+ !CBB_add_u16(&versions, ssl_get_grease_value(ssl, ssl_grease_version))) {
+ return 0;
+ }
+
 for (uint16_t version = max_version; version >= min_version; version--) {
 if (!CBB_add_u16(&versions, ssl->method->version_to_wire(version))) {
 return 0;
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 3f166ecd..affdbda1 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -233,13 +233,16 @@ func (hs *serverHandshakeState) readClientHello() error {
 c.vers = config.Bugs.NegotiateVersionOnRenego
 } else if len(hs.clientHello.supportedVersions) > 0 {
 // Use the versions extension if supplied.
- var foundVersion bool
+ var foundVersion, foundGREASE bool
 for _, extVersion := range hs.clientHello.supportedVersions {
+ if isGREASEValue(extVersion) {
+ foundGREASE = true
+ }
 extVersion, ok = wireToVersion(extVersion, c.isDTLS)
 if !ok {
 continue
 }
- if config.isSupportedVersion(extVersion, c.isDTLS) {
+ if config.isSupportedVersion(extVersion, c.isDTLS) && !foundVersion {
 c.vers = extVersion
 foundVersion = true
 break
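Review bot: The new `ssl_grease_version` enumerator is a fourth GREASE slot, and nothing in this hunk shows how `ssl_get_grease_value` sizes whatever per-connection seed it indexes with this value; if that storage is sized by a separate constant rather than by this enum, it must grow in the same commit or the new index reads past the seed. A trailing sentinel such as `ssl_grease_last_index = ssl_grease_version,` would let the seed array be sized from the enum and make future additions safe by construction. The enum's opening line is only visible in the `@@` context, and the `ssl_get_grease_value` comment that follows is cut off by the hunk.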
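Review bot: The comment on the added block says only that the value is fake; it should state the two properties the rest of the stack relies on, neither of which is visible here: the GREASE value can never be a real version, so the client's ServerHello version check must reject it if a broken server echoes it, and it is placed first deliberately so that servers which naively take the first list entry are exercised. Something like `/* Prepend a GREASE value (draft-davidben-tls-grease-01). It is not a real version; the ServerHello check must reject it, and it goes first to catch servers that take the first entry. */` would capture both. Whether the client-side check actually rejects a GREASE value in ServerHello cannot be confirmed from this hunk and deserves a runner test that has the server select it. `ext_supported_versions_add_clienthello` starts and ends outside the hunk.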
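Review bot: The `break` left at the end of the `if` makes the new `&& !foundVersion` guard dead code and also stops the scan before any GREASE value that follows the first supported version, so `foundGREASE` is only set when the GREASE value precedes the chosen version in the list. The guard only has a purpose if the loop runs to completion, so the fix is to delete the `break` and let the loop keep recording `foundGREASE` after `c.vers` is chosen. As written the `ExpectGREASE` check passes only because the client happens to place the GREASE value first, which is a weaker assertion than the test appears to intend. `readClientHello` starts and ends outside the hunk.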
@@ -249,6 +252,9 @@ func (hs *serverHandshakeState) readClientHello() error {
 c.sendAlert(alertProtocolVersion)
 return errors.New("tls: client did not offer any supported protocol versions")
 }
+ if config.Bugs.ExpectGREASE && !foundGREASE {
+ return errors.New("tls: no GREASE version value found")
+ }
 } else {
 // Otherwise, use the legacy ClientHello version.
 version := clientVersion
|
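Review bot: The new `ExpectGREASE` failure returns without sending an alert, while the sibling failure three lines above calls `c.sendAlert(alertProtocolVersion)` before its `errors.New`; if the omission is deliberate because this is a test-expectation failure rather than a protocol violation, a comment such as `// Test expectation, not a protocol error, so no alert is sent.` would make that explicit. Note also that the check sits inside the supported_versions `else if` branch, so a client that omits the extension entirely satisfies `ExpectGREASE` without the version GREASE value ever being verified — acceptable only if every GREASE-enabled client under test sends the extension, which this hunk cannot confirm. `readClientHello` continues outside the hunk.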