path: root/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
author: tb <> 2020-06-24 07:28:38 +0000
committer: tb <> 2020-06-24 07:28:38 +0000
commit: e462afaa4660571e2f70d975fc276c4bce2dc53b
tree: 7c1b63d3c778f27da58f18d0adf05a7f79a1e2cf /src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
parent: b9d0670685c64a09052a51a08ac46fafd3580cc8
Enforce restrictions for ClientHello extensions

RFC 8446 section 9.2 imposes some requirements on the extensions sent in the ClientHello: key_share and supported_groups must either both be present or both be absent. If no pre_shared_key was sent, the CH must contain both signature_algorithms and supported_groups. If either of these conditions is violated, servers must abort the handshake with a missing_extensions alert. Add a function that enforces this. If we are going to enforce that clients send an SNI, we can also do this in this function.

Fixes failing test case in tlsfuzzer's test-tls13-keyshare-omitted.py

ok beck inoguchi jsing
Diffstat (limited to 'src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py')
0 files changed, 0 insertions, 0 deletions
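
The check the commit message describes, sketched as an added example; this is not the code from this commit or from LibreSSL. The function name `ch_check_extensions`, the return constants and the sample byte strings are assumptions made for illustration, and the caller is assumed to have already selected TLS 1.3.

```c
#include <stddef.h>
#include <stdint.h>

/* Extension types and alert descriptions, values from RFC 8446. */
enum { EXT_SUPPORTED_GROUPS = 10, EXT_SIGNATURE_ALGORITHMS = 13,
       EXT_PRE_SHARED_KEY = 41, EXT_KEY_SHARE = 51 };
enum { CH_OK = 0, ALERT_DECODE_ERROR = 50, ALERT_MISSING_EXTENSION = 109 };

/* Constructed sample: supported_groups, signature_algorithms, empty key_share. */
const uint8_t sample_full[] = { 0x00,0x0a,0x00,0x04,0x00,0x02,0x00,0x1d,
    0x00,0x0d,0x00,0x04,0x00,0x02,0x04,0x03, 0x00,0x33,0x00,0x02,0x00,0x00 };
/* Constructed sample: the same extensions with key_share omitted. */
const uint8_t sample_no_keyshare[] = { 0x00,0x0a,0x00,0x04,0x00,0x02,0x00,0x1d,
    0x00,0x0d,0x00,0x04,0x00,0x02,0x04,0x03 };
/* Constructed sample: pre_shared_key only (presence is all that is checked). */
const uint8_t sample_psk_only[] = { 0x00,0x29,0x00,0x00 };

/*
 * Hypothetical helper: walk the body of a ClientHello extensions vector
 * (type:u16, length:u16, data) and apply the RFC 8446 section 9.2 rules.
 * Returns CH_OK or the alert description the server should send.
 */
int
ch_check_extensions(const uint8_t *ext, size_t len)
{
    int groups = 0, sigalgs = 0, psk = 0, keyshare = 0;
    size_t off = 0;

    while (off < len) {
        if (len - off < 4)
            return ALERT_DECODE_ERROR;      /* truncated header */
        unsigned type = (unsigned)ext[off] << 8 | ext[off + 1];
        size_t elen = (size_t)ext[off + 2] << 8 | ext[off + 3];
        off += 4;
        if (elen > len - off)
            return ALERT_DECODE_ERROR;      /* body overruns the vector */
        off += elen;
        if (type == EXT_SUPPORTED_GROUPS) groups = 1;
        else if (type == EXT_SIGNATURE_ALGORITHMS) sigalgs = 1;
        else if (type == EXT_PRE_SHARED_KEY) psk = 1;
        else if (type == EXT_KEY_SHARE) keyshare = 1;
    }
    /* key_share and supported_groups: both present or both absent. */
    if (groups != keyshare)
        return ALERT_MISSING_EXTENSION;
    /* No pre_shared_key: signature_algorithms and supported_groups required. */
    if (!psk && !(sigalgs && groups))
        return ALERT_MISSING_EXTENSION;
    return CH_OK;
}
```

The second sample mirrors the situation named by tlsfuzzer's test-tls13-keyshare-omitted.py: supported_groups is sent without key_share, so the server must answer with the alert rather than continue the handshake.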