author | tb <> | 2020-06-24 07:28:38 +0000 |
---|---|---|
committer | tb <> | 2020-06-24 07:28:38 +0000 |
commit | 1b5079de613ae3744d2654a6d70ce52644fc66eb (patch) | |
tree | 7c1b63d3c778f27da58f18d0adf05a7f79a1e2cf /src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py | |
parent | e2ab506451a88600ca5dba29aff8b3d0cd203f01 (diff) | |
Enforce restrictions for ClientHello extensions

RFC 8446 section 9.2 imposes some requirements on the extensions sent
in the ClientHello: key_share and supported_groups must either both be
present or both be absent. If no pre_shared_key was sent, the CH must
contain both signature_algorithms and supported_groups. If either of
these conditions is violated, servers must abort the handshake with a
missing_extensions alert. Add a function that enforces this. If we are
going to enforce that clients send an SNI, we can also do this in this
function.

Fixes failing test case in tlsfuzzer's test-tls13-keyshare-omitted.py

ok beck inoguchi jsing

Diffstat (limited to 'src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py')
0 files changed, 0 insertions, 0 deletions
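
The two rules from the commit message, as an added C example that is not the LibreSSL code from this commit: it walks a ClientHello extensions block, records which of the four relevant extensions are present, and returns the alert a server would send. The function and constant names are assumptions, the extension type and alert numbers are the IANA values from RFC 8446, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* IANA ExtensionType values and alert descriptions from RFC 8446. */
enum { EXT_GROUPS = 10, EXT_SIGALGS = 13, EXT_PSK = 41, EXT_KEY_SHARE = 51 };
enum { ALERT_NONE = 0, ALERT_DECODE_ERROR = 50, ALERT_MISSING_EXTENSION = 109 };
enum { SEEN_GROUPS = 1, SEEN_SIGALGS = 2, SEEN_PSK = 4, SEEN_KEY_SHARE = 8 };

/* Hypothetical helper: walk uint16 total, then (uint16 type, uint16 len, body). */
static int collect_extensions(const uint8_t *p, size_t len, unsigned *seen)
{
	size_t off = 2, elen;
	*seen = 0;
	if (len < 2 || (((size_t)p[0] << 8) | p[1]) != len - 2)
		return -1;	/* outer length must match the buffer exactly */
	while (off < len) {
		if (len - off < 4)
			return -1;	/* truncated extension header */
		elen = ((size_t)p[off + 2] << 8) | p[off + 3];
		if (elen > len - off - 4)
			return -1;	/* body runs past the end of the block */
		switch ((p[off] << 8) | p[off + 1]) {
		case EXT_GROUPS:    *seen |= SEEN_GROUPS; break;
		case EXT_SIGALGS:   *seen |= SEEN_SIGALGS; break;
		case EXT_PSK:       *seen |= SEEN_PSK; break;
		case EXT_KEY_SHARE: *seen |= SEEN_KEY_SHARE; break;
		}
		off += 4 + elen;
	}
	return 0;
}

/* Hypothetical name: returns the alert to send, or ALERT_NONE to continue. */
int check_ch_extensions(const uint8_t *p, size_t len)
{
	unsigned seen, need = SEEN_SIGALGS | SEEN_GROUPS;
	if (collect_extensions(p, len, &seen) != 0)
		return ALERT_DECODE_ERROR;
	/* key_share and supported_groups: both present or both absent. */
	if (!(seen & SEEN_KEY_SHARE) != !(seen & SEEN_GROUPS))
		return ALERT_MISSING_EXTENSION;
	/* No pre_shared_key: signature_algorithms and supported_groups required. */
	if (!(seen & SEEN_PSK) && (seen & need) != need)
		return ALERT_MISSING_EXTENSION;
	return ALERT_NONE;
}

/* Constructed sample (placeholder bodies): groups, sigalgs, empty key_share. */
const uint8_t ch_ok[] = { 0,22, 0,10,0,4,0,2,0,29, 0,13,0,4,0,2,8,4, 0,51,0,2,0,0 };
int main(void) { return check_ch_extensions(ch_ok, sizeof(ch_ok)); }
```

Only presence is checked, so an empty key_share client_shares vector passes, which RFC 8446 section 9.2 permits.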