Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify that only NULL compression is sent in TLSv1.3 ClientHello #3410

Closed
wants to merge 3 commits into from
Closed

Verify that only NULL compression is sent in TLSv1.3 ClientHello #3410

wants to merge 3 commits into from

Conversation

mattcaswell
Copy link
Member

It is illegal in a TLSv1.3 ClientHello to send anything other than the
NULL compression method. We should send an alert if we find anything else
there. Previously we were ignoring this error.

Checklist
  • documentation is added or updated
  • tests are added or updated

@mattcaswell
Verify that only NULL compression is sent in TLSv1.3 ClientHello
3ceffd3 
It is illegal in a TLSv1.3 ClientHello to send anything other than the
NULL compression method. We should send an alert if we find anything else
there. Previously we were ignoring this error.
@mattcaswell
Add some badly formatted compression methods tests
10df7de 
Test that sending a non NULL compression method fails in TLSv1.3 as well
as other similar tests.
kaduk
kaduk approved these changes May 8, 2017
View reviewed changes
Copy link
Contributor

@kaduk kaduk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks good, just a couple extraneous things in the tests that probably don't really harm anything.

test/recipes/70-test_comp.t Outdated
if disabled("tls1_3");

$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need the CTLOG_FILE for this test? (I didn't decode the ia32cap vector to see if we need it or not.)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not, although it is in all of the tests. The ia32cap vector turns off AESNI which caused me some headaches trying to figure out why it was failing in one of the other tests at one point. It only causes an issue under certain circumstances (which I don't now remember), but I just turn it off by default now.

test/recipes/70-test_comp.t
}

SKIP: {
skip "TLSv1.3 disabled", 2 if disabled("tls1_3");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You skip_all if tls1_3 is disabled, so this seems redundant?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, that's a copy&paste error. We shouldn't be doing a skip_all. Will fix.

test/recipes/70-test_comp.t Outdated
@comp = (
0x00, #Null compression method
0xff); #Unknown compression
} else {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be more future-proof to explicitly check against NON_NULL_COMPRESSION

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok.

@mattcaswell
Copy link
Member Author

I added a new commit to address @kaduk's feedback. I also fixed a couple of other minor things I spotted on the way. @richsalz reconfirm?

@richsalz
Copy link
Contributor

richsalz commented May 9, 2017

reconfirm

@mattcaswell
Copy link
Member Author

Pushed. Thanks.

@mattcaswell mattcaswell closed this May 9, 2017
levitte pushed a commit that referenced this pull request May 9, 2017
@mattcaswell
Verify that only NULL compression is sent in TLSv1.3 ClientHello
1fe3549 
It is illegal in a TLSv1.3 ClientHello to send anything other than the
NULL compression method. We should send an alert if we find anything else
there. Previously we were ignoring this error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from #3410)
levitte pushed a commit that referenced this pull request May 9, 2017
@mattcaswell
Add some badly formatted compression methods tests
db48a90 
Test that sending a non NULL compression method fails in TLSv1.3 as well
as other similar tests.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from #3410)
levitte pushed a commit that referenced this pull request May 9, 2017
@mattcaswell
Fix some copy&paste errors and update following review feedback
ad448b2 
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from #3410)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaduk kaduk kaduk approved these changes

@richsalz richsalz richsalz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@mattcaswell @richsalz @kaduk