Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HRR verifications #378

Closed
wants to merge 3 commits into from
Closed

HRR verifications #378

wants to merge 3 commits into from

Conversation

ocheron
Copy link
Contributor

@ocheron ocheron commented Jul 12, 2019

Adds missing verifications or alerts regarding HRR like stability of version and cipher.

@ocheron
Make client abort when two HRR are received
9fcb364 
Removes the possibility of infinite loop and adds the requirement from
RFC 8446 section 4.1.4:

   If a client receives a second HelloRetryRequest in the same
   connection (i.e., where the ClientHello was itself in response to a
   HelloRetryRequest), it MUST abort the handshake with an
   "unexpected_message" alert.
@ocheron
Fail with IllegalParameter when HRR makes cipher change
aadd22c 
Removes use of 'error' and replaces with alert specified in RFC 8446
section 4.1.4:

   Servers MUST ensure that they negotiate the same cipher suite when
   receiving a conformant updated ClientHello (if the server selects
   the cipher suite as the first step in the negotiation, then this
   will happen automatically).  Upon receiving the ServerHello,
   clients MUST check that the cipher suite supplied in the
   ServerHello is the same as that in the HelloRetryRequest and
   otherwise abort the handshake with an "illegal_parameter" alert.
@ocheron
Fail with IllegalParameter when HRR makes version change
589cb39 
Adds the check listed in RFC 8446 section 4.1.4:

   The value of selected_version in the HelloRetryRequest
   "supported_versions" extension MUST be retained in the ServerHello,
   and a client MUST abort the handshake with an "illegal_parameter"
   alert if the value changes.
@kazu-yamamoto kazu-yamamoto self-requested a review July 16, 2019 05:32
kazu-yamamoto
kazu-yamamoto approved these changes Jul 16, 2019
View reviewed changes
Copy link
Collaborator

@kazu-yamamoto kazu-yamamoto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

kazu-yamamoto added a commit to kazu-yamamoto/hs-tls that referenced this pull request Jul 16, 2019
@kazu-yamamoto
Merge PR haskell-tls#378
d6d7b1d
@kazu-yamamoto
Copy link
Collaborator

Merged.

@ocheron ocheron deleted the hrr-verif branch July 17, 2019 18:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kazu-yamamoto kazu-yamamoto kazu-yamamoto approved these changes

Assignees
No one assigned
Labels
TLS1.3
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ocheron @kazu-yamamoto