| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
Also reference the knowledge base article instead of a discussion thread.
|
| |
|
|
|
|
|
|
| |
If no TLS extensions are present in a client hello or server hello, omit
the entire extensions block, rather than including it with a length of
zero.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- When parsing the OCSP extension we can have multiple responder IDs - pull
these out correctly.
- Stop using CBS_stow() - it's unnecessary since we just need access to the
data and length (which we can get via CBS_data() and CBS_len()).
- Use a temporary pointer when calling d2i_*() functions, since it will
increment the pointer by the number of bytes it consumed when decoding.
The original code incorrectly passes the pointer allocated via CBS_stow()
(using malloc()) to a d2i_*() function and then calls free() on the now
incremented pointer, most likely resulting in a crash. This issue was
reported by Robert Swiecki who found the issue using honggfuzz.
ok beck@
|
| |
|
|
|
|
|
| |
after we finish building the responder ID list. Otherwise adding to the
responder ID list fails.
ok beck@
|
| |
|
|
|
|
| |
leaving ssl_add_{client,server}hello_tlsext() as pointer to CBB wrappers.
ok doug@
|
| |
|
|
|
|
|
| |
This needs to skip past the CBS data or it will be treated as a decode
error even though it returns 1.
ok jsing@
|
| |
|
|
|
|
|
|
| |
callback has been installed. This ensures that the ALPN extension is valid
and avoids leaving unprocessed extension data, which leads to a decode
error.
Found the hard way by jsg@
|
| |
|
|
| |
input + ok beck@, jsing@
|
| |
|
|
|
| |
ok bcook@ beck@
input + ok jsing@
|
| |
|
|
|
|
|
|
|
|
| |
RFC 4492 only defines elliptic_curves for ClientHello. However, F5 is
sending it in ServerHello. We need to skip over it since our TLS extension
parsing code is now more strict.
Thanks to Armin Wolfermann and WJ Liu for reporting the issue.
input + ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok beck@ doug@
|
| |
|
|
|
|
| |
extension framework.
ok jsing@ beck@
|
| |
|
|
|
|
| |
extension framework.
input + ok jsing@
|
| | |
|
| |
|
|
|
|
| |
new extension framework.
input + ok jsing@
|
| |
|
|
|
|
|
|
| |
tlsext_sni_serverhello_parse(). This also adds a check to ensure that
if we have an existing session, the name matches what we specified via
SNI.
ok doug@
|
| |
|
|
|
|
|
|
| |
and the new extension framework.
Feedback from doug@
ok inoguchi@
|
|
|
Introduce a TLS extension handling framework that has per-extension type
functions to determine if an extension is needed, to build the extension
data and parse the extension data. This is somewhat analogous to BoringSSL,
however these build and parse functions are intentionally symetrical. The
framework is hooked into the existing TLS handling code in such a way that
we can gradual convert the extension handling code.
Convert the TLS Server Name Indication extension to the new framework,
while rewriting it to use CBB/CBS and be more strict in the process.
Discussed with beck@
ok inoguchi@
|
