commit 02330e1d189692363448c37787294315080658a0
author Torne (Richard Coles) <torne@google.com> Fri Feb 27 13:46:04 2015 +0000
committer Torne (Richard Coles) <torne@google.com> Fri Feb 27 13:46:04 2015 +0000
tree d634a2fe5fa686391b63992b2fee1244a401e2f6
parent d1c0f64fb47d4a5f9bcdc470a9ebcd67a59c0432
parent 345b735e31460dfdefc95302b92baef9565d6028

Merge third_party/boringssl/src from https://boringssl.googlesource.com/boringssl.git at 345b735e31460dfdefc95302b92baef9565d6028

Update to latest M40 boringssl version; pulls in:
  Import RSAEphemeralKey tests from master.
  Only allow ephemeral RSA keys in export ciphersuites.

ssl/s3_clnt.c

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 64bccfa..0c37f76 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1293,55 +1293,7 @@
 			}
 		}
 
-	if (alg_k & SSL_kRSA)
-		{
-		CBS rsa_modulus, rsa_exponent;
-
-		/* TODO(davidben): This was originally for export
-		 * reasons. Do we still need to support it? */
-
-		if (!CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_modulus) ||
-			CBS_len(&rsa_modulus) == 0 ||
-			!CBS_get_u16_length_prefixed(&server_key_exchange, &rsa_exponent) ||
-			CBS_len(&rsa_exponent) == 0)
-			{
-			al = SSL_AD_DECODE_ERROR;
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, SSL_R_DECODE_ERROR);
-			goto f_err;
-			}
-
-		if ((rsa=RSA_new()) == NULL)
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_MALLOC_FAILURE);
-			goto err;
-			}
-
-		if (!(rsa->n = BN_bin2bn(CBS_data(&rsa_modulus),
-					CBS_len(&rsa_modulus), rsa->n)))
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
-			goto err;
-			}
-
-		if (!(rsa->e = BN_bin2bn(CBS_data(&rsa_exponent),
-					CBS_len(&rsa_exponent), rsa->e)))
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_BN_LIB);
-			goto err;
-			}
-
-		/* this should be because we are using an export cipher */
-		if (alg_a & SSL_aRSA)
-			pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
-		else
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_INTERNAL_ERROR);
-			goto err;
-			}
-		s->session->sess_cert->peer_rsa_tmp=rsa;
-		rsa=NULL;
-		}
-	else if (alg_k & SSL_kEDH)
+	if (alg_k & SSL_kEDH)
 		{
 		CBS dh_p, dh_g, dh_Ys;
 

ssl/test/runner/cipher_suites.go

diff --git a/ssl/test/runner/cipher_suites.go b/ssl/test/runner/cipher_suites.go
index 5a3ac80..62b8100 100644
--- a/ssl/test/runner/cipher_suites.go
+++ b/ssl/test/runner/cipher_suites.go
@@ -289,7 +289,7 @@
 }
 
 func rsaKA(version uint16) keyAgreement {
-	return rsaKeyAgreement{}
+	return &rsaKeyAgreement{version: version}
 }
 
 func ecdheECDSAKA(version uint16) keyAgreement {

ssl/test/runner/common.go

diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 6f146af..1f7e392 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -499,6 +499,11 @@
 	// BadRenegotiationInfo causes the renegotiation extension value in a
 	// renegotiation handshake to be incorrect.
 	BadRenegotiationInfo bool
+
+	// RSAEphemeralKey, if true, causes the server to send a
+	// ServerKeyExchange message containing an ephemeral key (as in
+	// RSA_EXPORT) in the plain RSA key exchange.
+	RSAEphemeralKey bool
 }
 
 func (c *Config) serverInit() {

ssl/test/runner/key_agreement.go

diff --git a/ssl/test/runner/key_agreement.go b/ssl/test/runner/key_agreement.go
index af54a8f..86202ae 100644
--- a/ssl/test/runner/key_agreement.go
+++ b/ssl/test/runner/key_agreement.go
@@ -25,10 +25,71 @@
 
 // rsaKeyAgreement implements the standard TLS key agreement where the client
 // encrypts the pre-master secret to the server's public key.
-type rsaKeyAgreement struct{}
+type rsaKeyAgreement struct {
+	version       uint16
+	exportKey     *rsa.PrivateKey
+}
 
-func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
-	return nil, nil
+func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
+	if !config.Bugs.RSAEphemeralKey {
+		return nil, nil
+	}
+
+	// Generate an ephemeral RSA key to use instead of the real
+	// one, as in RSA_EXPORT.
+	key, err := rsa.GenerateKey(config.rand(), 512)
+	if err != nil {
+		return nil, err
+	}
+	ka.exportKey = key
+
+	modulus := key.N.Bytes()
+	exponent := big.NewInt(int64(key.E)).Bytes()
+	serverRSAParams := make([]byte, 0, 2+len(modulus)+2+len(exponent))
+	serverRSAParams = append(serverRSAParams, byte(len(modulus)>>8), byte(len(modulus)))
+	serverRSAParams = append(serverRSAParams, modulus...)
+	serverRSAParams = append(serverRSAParams, byte(len(exponent)>>8), byte(len(exponent)))
+	serverRSAParams = append(serverRSAParams, exponent...)
+
+	var tls12HashId uint8
+	if ka.version >= VersionTLS12 {
+		if tls12HashId, err = pickTLS12HashForSignature(signatureRSA, clientHello.signatureAndHashes); err != nil {
+			return nil, err
+		}
+	}
+
+	digest, hashFunc, err := hashForServerKeyExchange(signatureRSA, tls12HashId, ka.version, clientHello.random, hello.random, serverRSAParams)
+	if err != nil {
+		return nil, err
+	}
+	var sig []byte
+	privKey, ok := cert.PrivateKey.(*rsa.PrivateKey)
+	if !ok {
+		return nil, errors.New("RSA requires a RSA server private key")
+	}
+	sig, err = rsa.SignPKCS1v15(config.rand(), privKey, hashFunc, digest)
+	if err != nil {
+		return nil, errors.New("failed to sign RSA parameters: " + err.Error())
+	}
+
+	skx := new(serverKeyExchangeMsg)
+	sigAndHashLen := 0
+	if ka.version >= VersionTLS12 {
+		sigAndHashLen = 2
+	}
+	skx.key = make([]byte, len(serverRSAParams)+sigAndHashLen+2+len(sig))
+	copy(skx.key, serverRSAParams)
+	k := skx.key[len(serverRSAParams):]
+	if ka.version >= VersionTLS12 {
+		k[0] = tls12HashId
+		k[1] = signatureRSA
+		k = k[2:]
+	}
+	k[0] = byte(len(sig) >> 8)
+	k[1] = byte(len(sig))
+	copy(k[2:], sig)
+
+	return skx, nil
 }
 
 func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
@@ -51,7 +112,11 @@
 		ciphertext = ckx.ciphertext[2:]
 	}
 
-	err = rsa.DecryptPKCS1v15SessionKey(config.rand(), cert.PrivateKey.(*rsa.PrivateKey), ciphertext, preMasterSecret)
+	key := cert.PrivateKey.(*rsa.PrivateKey)
+	if ka.exportKey != nil {
+		key = ka.exportKey
+	}
+	err = rsa.DecryptPKCS1v15SessionKey(config.rand(), key, ciphertext, preMasterSecret)
 	if err != nil {
 		return nil, err
 	}

ssl/test/runner/runner.go

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 4b43481..57213bb 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -492,6 +492,17 @@
 		shouldFail:    true,
 		expectedError: ":WRONG_CIPHER_RETURNED:",
 	},
+	{
+		name: "RSAEphemeralKey",
+		config: Config{
+			CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
+			Bugs: ProtocolBugs{
+				RSAEphemeralKey: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNEXPECTED_MESSAGE:",
+	},
 }
 
 func doExchange(test *testCase, config *Config, conn net.Conn, messageLen int, isResume bool) error {