-
Notifications
You must be signed in to change notification settings - Fork 595
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relax server_name
extension validation
#1881
Conversation
Benchmark resultsInstruction countsSignificant differencesThere are no significant instruction count differences Other differencesClick to expand
Wall-timeSignificant differencesThere are no significant wall-time differences Other differencesClick to expand
Additional informationCheckout details:
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1881 +/- ##
==========================================
+ Coverage 95.47% 95.48% +0.01%
==========================================
Files 86 86
Lines 18607 18624 +17
==========================================
+ Hits 17765 17784 +19
+ Misses 842 840 -2 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm sad we have to do this. The standards are very clear on this behaviour being wrong and fixing it should be trivial for the affected projects.... It's not something deep and nuanced 😮💨
Thanks for working up a patch.
Why is the reformatting necessary/not causing issues in CI? |
Unfortunately rustfmt doesn't format the inside of |
rustls/tests/api.rs
Outdated
if let MessagePayload::Handshake { parsed, encoded } = &mut msg.payload { | ||
if let HandshakePayload::ClientHello(ch) = &mut parsed.payload { | ||
for mut ext in ch.extensions.iter_mut() { | ||
if let ClientExtension::ServerName(snr) = &mut ext { | ||
snr.clear(); | ||
snr.push( | ||
ServerNameExtensionItem::read_bytes(b"\x00\x00\x071.1.1.1").unwrap(), | ||
); | ||
} | ||
} | ||
} | ||
|
||
*encoded = Payload::new(parsed.get_encoding()); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider linearizing this, maybe with let .. else
?
93a0162
to
0d7f1b9
Compare
This works around quality-of-implementation issues in OpenSSL and Apple SecureTransport: they send `server_name` extensions containing IP addresses. RFC6066 specifically disallows that. It is a similar work-around to that adopted by LibreSSL: ignore SNI contents if they can be parsed as an IP address.
0d7f1b9
to
413dc67
Compare
This PR makes us ignore the
server_name
ClientHello extension if it contains a literal IP address. We don't indicate support for theserver_name
extension if we ignored it, and it is not available via any API -- it is as if the client did not send the extension at all. Other illegal names continue to be rejected as before.This is necessary to deal with non-compliant extension data sent by OpenSSL (openssl/openssl#20041) and Apple SecureTransport (#1878).