New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure that the key share group is allowed for our protocol version #19317
Conversation
fixes #8369? |
Yes - although that issue says "When openssl client is configured to support only one of the curves that is forbidden in TLS 1.3, it does send that curve in supported_groups extensions and it does also put appropriate key share into the key_share extension.". However the behaviour in master/3.0 at the moment is that we do not send the curve in supported_groups, but we do still send a key_share for it! This is obviously illegal. So, it looks to me like we already fixed the issue about sending illegal supported groups, but didn't fix they key_share aspect at the same time. This PR addresses the key_share problem. |
We should never send or accept a key share group that is not in the supported groups list or a group that isn't suitable for use in TLSv1.3
This should not happen but we should tolerate and send an HRR
Make sure that a TLSv1.3 only client does not send a TLSv1.3 key_share.
94033fb
to
f6dda4e
Compare
I have rebased this PR now that #19315 has been merged. I also fixed a typo in the test which caused it to not operate correctly and pass on an unpatched version of OpenSSL! I have taken this out of "draft" state and it is ready for review. |
Ping for second review? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This pull request is ready to merge |
We should never send or accept a key share group that is not in the supported groups list or a group that isn't suitable for use in TLSv1.3 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from #19317)
This should not happen but we should tolerate and send an HRR Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from #19317)
Make sure that a TLSv1.3 only client does not send a TLSv1.3 key_share. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from #19317)
Pushed. Thanks. There was a conflict while cherry-picking to 3.0, so I raised a backport PR in #19404. |
We should never send or accept a key share group that is not in the supported groups list or a group that isn't suitable for use in TLSv1.3 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from openssl#19317)
This should not happen but we should tolerate and send an HRR Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from openssl#19317)
Make sure that a TLSv1.3 only client does not send a TLSv1.3 key_share. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from openssl#19317)
We should never send or accept a key share group that is not in the
supported groups list or a group that isn't suitable for use in TLSv1.3.
Currently if we put a TLSv1.2 group at the top of the groups list, but we only request TLSv1.3, then the supported groups list will only include TLSv1.3 groups, but the key_share will use a TLSv1.2 group. This results in the server failing with an invalid parameter alert.
server:
client:
This PR is based on #19315 and includes those commits - hence this PR is draft. I will take it out of draft once #19315 has been merged.