QUIC TLS conformance updates #21686
Closed
QUIC TLS conformance updates #21686
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mattcaswell
added
branch: master
|
New commit pushed addressing a pre-existing use-after-free bug that the new tests highlighted in the CIs. |
|
There are conflicts now, please rebase. |
mattcaswell
force-pushed
the
quic-tls-conformance
branch
from
5423c04
to
d48f7e3
Compare
Rebased. |
t8m
approved these changes
Aug 8, 2023
t8m
removed
the
approval: otc review pending
|
Ping for second review? |
hlandau
approved these changes
Aug 9, 2023
hlandau
added
approval: done
mattcaswell
force-pushed
the
quic-tls-conformance
branch
from
d48f7e3
to
bd68662
Compare
t8m
approved these changes
Aug 10, 2023
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
mattcaswell
added
approval: ready to merge
…LATION An OpenSSL QUIC client does not send the post_handshake_auth extension. Therefore if a server sends a post-handsahke CertificateRequest then this would be treated as a TLS protocol violation with an "unexpected message" alert code. However RFC 9001 specifically requires us to treat this as QUIC PROTOCOL_VIOLATION. So we have to translate the "unexpected message" alert code in this one instance.
We should retain the TLS1_FLAGS_QUIC setting in in s3.flags even after a "clear" operation.
…value The max_early_data value must be 0xffffffff if the extension is present in a NewSessionTicket message in QUIC. Otherwise it is a PROTOCOL_VIOLATION.
We already disallowed the sending of TLS KeyUpdate messages. We also treat the receipt of a TLS KeyUpdate message as an unexpected message. RFC 9001 section 6: Endpoints MUST treat the receipt of a TLS KeyUpdate message as a connection error of type 0x010a, equivalent to a fatal TLS alert of unexpected_message; see Section 4.8.
This should result in a QUIC PROTOCOL_VIOLATION We also add tests for a post-handshake KeyUpdate, and a NewSessionTicket with an invalid max_early_data value.
The comments in quic_tls.c claimed that the dummybio was never used by us. In fact that is not entirely correct since we set and cleared the retry flags on it. This means that we have to manage it properly, and update it in the event of set1_bio() call on the record layer method.
mattcaswell
force-pushed
the
quic-tls-conformance
branch
from
bd68662
to
14dac16
Compare
mattcaswell
added
approval: review pending
|
Unfortunately, as I suspected, after #21565 went in the resulting merge conflicts were significant and non-trivial to resolve. I've now rebased and resolved all of those conflicts, but this now needs another round of reconfirmations. |
hlandau
approved these changes
Aug 11, 2023
hlandau
removed
the
approval: otc review pending
|
@t8m - please reconfirm? |
t8m
approved these changes
Aug 14, 2023
t8m
added
approval: done
mattcaswell
added
approval: ready to merge
|
Pushed. Thanks. |
openssl-machine
pushed a commit
that referenced
this pull request
Aug 15, 2023
…LATION An OpenSSL QUIC client does not send the post_handshake_auth extension. Therefore if a server sends a post-handsahke CertificateRequest then this would be treated as a TLS protocol violation with an "unexpected message" alert code. However RFC 9001 specifically requires us to treat this as QUIC PROTOCOL_VIOLATION. So we have to translate the "unexpected message" alert code in this one instance. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
openssl-machine
pushed a commit
that referenced
this pull request
Aug 15, 2023
We should retain the TLS1_FLAGS_QUIC setting in in s3.flags even after a "clear" operation. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
openssl-machine
pushed a commit
that referenced
this pull request
Aug 15, 2023
…value The max_early_data value must be 0xffffffff if the extension is present in a NewSessionTicket message in QUIC. Otherwise it is a PROTOCOL_VIOLATION. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
openssl-machine
pushed a commit
that referenced
this pull request
Aug 15, 2023
We already disallowed the sending of TLS KeyUpdate messages. We also treat the receipt of a TLS KeyUpdate message as an unexpected message. RFC 9001 section 6: Endpoints MUST treat the receipt of a TLS KeyUpdate message as a connection error of type 0x010a, equivalent to a fatal TLS alert of unexpected_message; see Section 4.8. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
openssl-machine
pushed a commit
that referenced
this pull request
Aug 15, 2023
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
openssl-machine
pushed a commit
that referenced
this pull request
Aug 15, 2023
This should result in a QUIC PROTOCOL_VIOLATION We also add tests for a post-handshake KeyUpdate, and a NewSessionTicket with an invalid max_early_data value. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
openssl-machine
pushed a commit
that referenced
this pull request
Aug 15, 2023
The comments in quic_tls.c claimed that the dummybio was never used by us. In fact that is not entirely correct since we set and cleared the retry flags on it. This means that we have to manage it properly, and update it in the event of set1_bio() call on the record layer method. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #21686)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Updates for a few issues related to conformance in the QUIC TLS implementation.