Implement ChannelID for TLS 1.3.
Channel ID for TLS 1.3 uses the same digest construction as
CertificateVerify. This message is signed with the Channel ID key and
put in the same handshake message (with the same format) as in TLS 1.2.
BUG=103
Change-Id: Ia5b2dffe5a39c39db0cecb0aa6bdc328e53accc2
Reviewed-on: https://boringssl-review.googlesource.com/11420
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 9147134..43deb2e 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -900,6 +900,27 @@
}
}
+ if encryptedExtensions.extensions.channelIDRequested {
+ msg, err := c.readHandshake()
+ if err != nil {
+ return err
+ }
+ channelIDMsg, ok := msg.(*channelIDMsg)
+ if !ok {
+ c.sendAlert(alertUnexpectedMessage)
+ return unexpectedMessageError(channelIDMsg, msg)
+ }
+ channelIDHash := crypto.SHA256.New()
+ channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13))
+ channelID, err := verifyChannelIDMessage(channelIDMsg, channelIDHash.Sum(nil))
+ if err != nil {
+ return err
+ }
+ c.channelID = channelID
+
+ hs.writeClientHash(channelIDMsg.marshal())
+ }
+
// Read the client Finished message.
msg, err := c.readHandshake()
if err != nil {
@@ -1126,10 +1147,8 @@
serverExtensions.extendedMasterSecret = c.vers >= VersionTLS10 && hs.clientHello.extendedMasterSecret && !disableEMS
}
- if c.vers < VersionTLS13 || config.Bugs.NegotiateChannelIDAtAllVersions {
- if hs.clientHello.channelIDSupported && config.RequestChannelID {
- serverExtensions.channelIDRequested = true
- }
+ if hs.clientHello.channelIDSupported && config.RequestChannelID {
+ serverExtensions.channelIDRequested = true
}
if hs.clientHello.srtpProtectionProfiles != nil {
@@ -1568,20 +1587,13 @@
c.sendAlert(alertUnexpectedMessage)
return unexpectedMessageError(channelIDMsg, msg)
}
- x := new(big.Int).SetBytes(channelIDMsg.channelID[0:32])
- y := new(big.Int).SetBytes(channelIDMsg.channelID[32:64])
- r := new(big.Int).SetBytes(channelIDMsg.channelID[64:96])
- s := new(big.Int).SetBytes(channelIDMsg.channelID[96:128])
- if !elliptic.P256().IsOnCurve(x, y) {
- return errors.New("tls: invalid channel ID public key")
- }
- channelID := &ecdsa.PublicKey{elliptic.P256(), x, y}
var resumeHash []byte
if isResume {
resumeHash = hs.sessionState.handshakeHash
}
- if !ecdsa.Verify(channelID, hs.finishedHash.hashForChannelID(resumeHash), r, s) {
- return errors.New("tls: invalid channel ID signature")
+ channelID, err := verifyChannelIDMessage(channelIDMsg, hs.finishedHash.hashForChannelID(resumeHash))
+ if err != nil {
+ return err
}
c.channelID = channelID
@@ -1765,6 +1777,21 @@
return nil, nil
}
+func verifyChannelIDMessage(channelIDMsg *channelIDMsg, channelIDHash []byte) (*ecdsa.PublicKey, error) {
+ x := new(big.Int).SetBytes(channelIDMsg.channelID[0:32])
+ y := new(big.Int).SetBytes(channelIDMsg.channelID[32:64])
+ r := new(big.Int).SetBytes(channelIDMsg.channelID[64:96])
+ s := new(big.Int).SetBytes(channelIDMsg.channelID[96:128])
+ if !elliptic.P256().IsOnCurve(x, y) {
+ return nil, errors.New("tls: invalid channel ID public key")
+ }
+ channelID := &ecdsa.PublicKey{elliptic.P256(), x, y}
+ if !ecdsa.Verify(channelID, channelIDHash, r, s) {
+ return nil, errors.New("tls: invalid channel ID signature")
+ }
+ return channelID, nil
+}
+
func (hs *serverHandshakeState) writeServerHash(msg []byte) {
// writeServerHash is called before writeRecord.
hs.writeHash(msg, hs.c.sendHandshakeSeq)