Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correct kx group selection #1784

Merged
merged 6 commits into from
Feb 19, 2024
Merged

Correct kx group selection #1784

merged 6 commits into from
Feb 19, 2024

Commits on Feb 19, 2024

  1. Pass through key exchange errors 

    In 3355e06 we generalised the error type here, but we didn't
get rid of code that discarded the information-less error.
    @ctz
    ctz committed Feb 19, 2024
    Configuration menu
    Copy the full SHA
    e5e0b3c View commit details
    Browse the repository at this point in the history

  2. tests/api.rs: minor formatting corrections

    @ctz
    ctz committed Feb 19, 2024
    Configuration menu
    Copy the full SHA
    33e059c View commit details
    Browse the repository at this point in the history

  3. test_client_rejects_hrr_with_varied_session_id: tighten 

    By ignoring everything not precisely expected, these ran the risk
of incorrectly passing.  eg, `assert_server_requests_retry_and_echoes_session_id`
would pass if the server sent a `ServerHello`.
    @ctz
    ctz committed Feb 19, 2024
    Configuration menu
    Copy the full SHA
    2e745d1 View commit details
    Browse the repository at this point in the history

  4. Prefer supported_groups extension in kx group choice 

    Prior to this, we preferred to avoid a `HelloRetryRequest` when
any supported `KeyShare` was supplied.  But as [1] describes,
this means a client which sends a `KeyShare` for a less-preferred
group would end up using that, rather than a more-preferred group
supported by both peers.

[1]: https://www.ietf.org/archive/id/draft-davidben-tls-key-share-prediction-00.html#name-downgrades
    @ctz
    ctz committed Feb 19, 2024
    Configuration menu
    Copy the full SHA
    0e5c51f View commit details
    Browse the repository at this point in the history

  5. Select key exchange group and cipher suite together 

    This is complex because the choice of usable cipher suites depends
on selected protocol version, and the set of mutually supported
key exchange groups.  Then, the usable set of key exchange groups
depends on the actually-selected cipher suite.
    @ctz
    ctz committed Feb 19, 2024
    Configuration menu
    Copy the full SHA
    0125301 View commit details
    Browse the repository at this point in the history

  6. Inline choose_ciphersuite_preferring_client and co 

    Test the behaviour of `ServerConfig::ignore_client_order` at
the public API level.
    @ctz
    ctz committed Feb 19, 2024
    Configuration menu
    Copy the full SHA
    59532da View commit details
    Browse the repository at this point in the history