-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
QUIC TLS conformance updates #21686
QUIC TLS conformance updates #21686
Conversation
New commit pushed addressing a pre-existing use-after-free bug that the new tests highlighted in the CIs. |
There are conflicts now, please rebase. |
5423c04
to
d48f7e3
Compare
Rebased. |
Ping for second review? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great stuff. My approval stands either way with regards to the below comment.
If you do choose to renumber my approval can be assumed to stand for any trivial renumbering of the tests.
d48f7e3
to
bd68662
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approved with the renumbering. IMO the merge waiting window does not need to reset.
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
…LATION An OpenSSL QUIC client does not send the post_handshake_auth extension. Therefore if a server sends a post-handsahke CertificateRequest then this would be treated as a TLS protocol violation with an "unexpected message" alert code. However RFC 9001 specifically requires us to treat this as QUIC PROTOCOL_VIOLATION. So we have to translate the "unexpected message" alert code in this one instance.
We should retain the TLS1_FLAGS_QUIC setting in in s3.flags even after a "clear" operation.
…value The max_early_data value must be 0xffffffff if the extension is present in a NewSessionTicket message in QUIC. Otherwise it is a PROTOCOL_VIOLATION.
We already disallowed the sending of TLS KeyUpdate messages. We also treat the receipt of a TLS KeyUpdate message as an unexpected message. RFC 9001 section 6: Endpoints MUST treat the receipt of a TLS KeyUpdate message as a connection error of type 0x010a, equivalent to a fatal TLS alert of unexpected_message; see Section 4.8.
This should result in a QUIC PROTOCOL_VIOLATION We also add tests for a post-handshake KeyUpdate, and a NewSessionTicket with an invalid max_early_data value.
The comments in quic_tls.c claimed that the dummybio was never used by us. In fact that is not entirely correct since we set and cleared the retry flags on it. This means that we have to manage it properly, and update it in the event of set1_bio() call on the record layer method.
bd68662
to
14dac16
Compare
Unfortunately, as I suspected, after #21565 went in the resulting merge conflicts were significant and non-trivial to resolve. I've now rebased and resolved all of those conflicts, but this now needs another round of reconfirmations. |
@t8m - please reconfirm? |
Pushed. Thanks. |
…LATION An OpenSSL QUIC client does not send the post_handshake_auth extension. Therefore if a server sends a post-handsahke CertificateRequest then this would be treated as a TLS protocol violation with an "unexpected message" alert code. However RFC 9001 specifically requires us to treat this as QUIC PROTOCOL_VIOLATION. So we have to translate the "unexpected message" alert code in this one instance. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
We should retain the TLS1_FLAGS_QUIC setting in in s3.flags even after a "clear" operation. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
…value The max_early_data value must be 0xffffffff if the extension is present in a NewSessionTicket message in QUIC. Otherwise it is a PROTOCOL_VIOLATION. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
We already disallowed the sending of TLS KeyUpdate messages. We also treat the receipt of a TLS KeyUpdate message as an unexpected message. RFC 9001 section 6: Endpoints MUST treat the receipt of a TLS KeyUpdate message as a connection error of type 0x010a, equivalent to a fatal TLS alert of unexpected_message; see Section 4.8. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
This should result in a QUIC PROTOCOL_VIOLATION We also add tests for a post-handshake KeyUpdate, and a NewSessionTicket with an invalid max_early_data value. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
The comments in quic_tls.c claimed that the dummybio was never used by us. In fact that is not entirely correct since we set and cleared the retry flags on it. This means that we have to manage it properly, and update it in the event of set1_bio() call on the record layer method. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
Updates for a few issues related to conformance in the QUIC TLS implementation.