[openssl/openssl] b644a9: Unexpected QUIC post-handshake CertificateRequests...

Matt Caswell noreply at github.com
Tue Aug 15 13:50:15 UTC 2023


  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: b644a9323f0060e27b3e45101856dc9e3bec0ac4
      https://github.com/openssl/openssl/commit/b644a9323f0060e27b3e45101856dc9e3bec0ac4
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M include/internal/quic_tls.h
    M ssl/quic/quic_channel.c
    M ssl/quic/quic_tls.c

  Log Message:
  -----------
  Unexpected QUIC post-handshake CertificateRequests are a PROTOCOL_VIOLATION

An OpenSSL QUIC client does not send the post_handshake_auth extension.
Therefore if a server sends a post-handsahke CertificateRequest then this
would be treated as a TLS protocol violation with an "unexpected message"
alert code. However RFC 9001 specifically requires us to treat this as
QUIC PROTOCOL_VIOLATION. So we have to translate the "unexpected message"
alert code in this one instance.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)


  Commit: 0f2add9e8d4c1dc09848ea12aaad2eb4c5358bf2
      https://github.com/openssl/openssl/commit/0f2add9e8d4c1dc09848ea12aaad2eb4c5358bf2
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M ssl/s3_lib.c

  Log Message:
  -----------
  Don't forget we are doing QUIC if we clear the QUIC TLS data

We should retain the TLS1_FLAGS_QUIC setting in in s3.flags even after a
"clear" operation.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)


  Commit: 04c7fb53e0437f83e2476e5d55a1af61959fadf5
      https://github.com/openssl/openssl/commit/04c7fb53e0437f83e2476e5d55a1af61959fadf5
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M include/internal/quic_tls.h
    M ssl/quic/quic_channel.c
    M ssl/quic/quic_tls.c
    M ssl/statem/extensions_clnt.c

  Log Message:
  -----------
  NewSessionTickets with an early_data extension must have a valid max value

The max_early_data value must be 0xffffffff if the extension is present in
a NewSessionTicket message in QUIC. Otherwise it is a PROTOCOL_VIOLATION.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)


  Commit: 50a0af2e41ea61a79c19c17f9e87541e283ba8bf
      https://github.com/openssl/openssl/commit/50a0af2e41ea61a79c19c17f9e87541e283ba8bf
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M ssl/statem/statem_clnt.c
    M ssl/statem/statem_srvr.c

  Log Message:
  -----------
  TLS KeyUpdate messages are not allowed in QUIC

We already disallowed the sending of TLS KeyUpdate messages. We also treat
the receipt of a TLS KeyUpdate message as an unexpected message.

RFC 9001 section 6:
Endpoints MUST treat the receipt of a TLS KeyUpdate message as a connection
error of type 0x010a, equivalent to a fatal TLS alert of unexpected_message;
see Section 4.8.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)


  Commit: 614c08c23999e39945b556851eabff157aef833f
      https://github.com/openssl/openssl/commit/614c08c23999e39945b556851eabff157aef833f
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M include/internal/quic_tserver.h
    M ssl/quic/quic_tserver.c
    M test/quic_multistream_test.c

  Log Message:
  -----------
  Add the ability to send NewSessionTicket messages when we want them

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)


  Commit: 644ef0bb696eeaf3572e858b2beeca17b0621a3f
      https://github.com/openssl/openssl/commit/644ef0bb696eeaf3572e858b2beeca17b0621a3f
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M include/internal/quic_tserver.h
    M ssl/quic/quic_tserver.c
    M test/quic_multistream_test.c

  Log Message:
  -----------
  Add a test for receiving a post-handshake CertificateRequest

This should result in a QUIC PROTOCOL_VIOLATION

We also add tests for a post-handshake KeyUpdate, and a NewSessionTicket
with an invalid max_early_data value.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)


  Commit: 643f542a89bee93e043d0899b2a1ca700d1cc418
      https://github.com/openssl/openssl/commit/643f542a89bee93e043d0899b2a1ca700d1cc418
  Author: Matt Caswell <matt at openssl.org>
  Date:   2023-08-15 (Tue, 15 Aug 2023)

  Changed paths:
    M ssl/quic/quic_tls.c

  Log Message:
  -----------
  Fix a use-after-free in quic_tls.c

The comments in quic_tls.c claimed that the dummybio was never used by
us. In fact that is not entirely correct since we set and cleared the
retry flags on it. This means that we have to manage it properly, and update
it in the event of set1_bio() call on the record layer method.

Reviewed-by: Hugo Landau <hlandau at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21686)


Compare: https://github.com/openssl/openssl/compare/98d81174d376...643f542a89be


More information about the openssl-commits mailing list