Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rebase to 1.1.1l after security advisory #45

Merged
merged 28 commits into from
Aug 24, 2021

Conversation

tmshort
Copy link
Member

@tmshort tmshort commented Aug 24, 2021

Checklist
  • documentation is added or updated
  • tests are added or updated

tmshort and others added 28 commits August 24, 2021 10:11
This is a cherry-pick of 2a4b03a306439307e0b822b17eda3bdabddfbb68
on the master-quic-support2 branch (2019-10-07)
Which was a rebase/squash of master-quic-support:

* 5aa62ce Add support for more secrets - Todd Short/Todd Short (master-quic-support)
* 58e0643 Tweeks to quic_change_cipher_state() - Todd Short/Todd Short
* 8169702 Move QUIC code out of tls13_change_cipher_state() - Todd Short/Todd Short
* a08cfe6 Correctly disable middlebox compat - Todd Short/Todd Short
* 3a9eabf Add OPENSSL_NO_QUIC wrapper - Todd Short/Todd Short
* f550eca Add client early traffic secret storage - Todd Short/Todd Short
* 1b787ae Quick fix: s2c to c2s for early secret - Todd Short/Todd Short
* f97e6a9 Don't process an incomplete message - Todd Short/Todd Short
* 81f0ce2 Reset init state in SSL_process_quic_post_handshake() - Todd Short/Todd Short
* 5d59cf9 Fix quic_transport constructors/parsers - Todd Short/Todd Short
* 5e5f91c Fix INSTALL nit. - Todd Short/Todd Short
* bd290ab Fix duplicate word in docs - Todd Short/Todd Short
* 699590b fixup! Handle partial handshake messages - Todd Short/Todd Short
* a472a8d Handle partial handshake messages - Todd Short/Todd Short
* 363cf3d fixup! Use proper secrets for handshake - Todd Short/Todd Short
* b03fee6 Use proper secrets for handshake - Todd Short/Todd Short
* 2ab1aa0 Move QUIC transport params to encrypted extensions - Todd Short/Todd Short
* 0d16af9 Make temp secret names less confusing - Todd Short/Todd Short
* abb6f39 New method to get QUIC secret length - Todd Short/Todd Short
* 05fdae9 Add support for BoringSSL QUIC APIs - Todd Short/Todd Short

This adds a compatible API for BoringSSL's QUIC support, based
on the current |draft-ietf-quic-tls|.

Based on BoringSSL commit 3c034b2cf386b3131f75520705491871a2e0cafe
Based on BoringSSL commit c8e0f90f83b9ec38ea833deb86b5a41360b62b6a
Based on BoringSSL commit 3cbb0299a28a8bd0136257251a78b91a96c5eec8
Based on BoringSSL commit cc9d935256539af2d3b7f831abf57c0d685ffd81
Based on BoringSSL commit e6eef1ca16a022e476bbaedffef044597cfc8f4b
Based on BoringSSL commit 6f733791148cf8a076bf0e95498235aadbe5926d
Based on BoringSSL commit 384d0eaf1930af1ebc47eda751f0c78dfcba1c03
Based on BoringSSL commit a0373182eb5cc7b81d49f434596b473c7801c942
Based on BoringSSL commit b1b76aee3cb43ce11889403c5334283d951ebd37

New method to get QUIC secret length

Make temp secret names less confusing

Move QUIC transport params to encrypted extensions

Use proper secrets for handshake

fixup! Use proper secrets for handshake

Handle partial handshake messages

fixup! Handle partial handshake messages

Fix duplicate word in docs

Fix INSTALL nit.

Fix quic_transport constructors/parsers

Reset init state in SSL_process_quic_post_handshake()

Don't process an incomplete message

Quick fix: s2c to c2s for early secret

Add client early traffic secret storage

Add OPENSSL_NO_QUIC wrapper

Correctly disable middlebox compat

Move QUIC code out of tls13_change_cipher_state()

Create quic_change_cipher_state() that does the minimal required
to generate the QUIC secrets. (e.g. encryption contexts are not
initialized).

Tweeks to quic_change_cipher_state()

Add support for more secrets

(cherry picked from commit 3b0bdf8)
(cherry picked from commit 16fafdf4e0ec6cddd5705f407e5dca26cb30914d)
(cherry picked from commit b97af13)
(cherry picked from commit 1fe3e02)
(cherry picked from commit aa4d9c6)
Try to reduce unneeded whitespace changes and wrap new code to 80 columns.
Reword documentation to attempt to improve clarity.
Add some more sanity checks and clarifying comments to the code.
Update referenced I-D versions.

(cherry picked from commit 4a03a80)
QUIC does not use the TLS KeyUpdate message/mechanism, and indeed
it is an error to generate or receive such a message.  Add the
necessary checks (noting that the check for receipt should be
redundant since SSL_provide_quic_data() is the only way to provide
input to the TLS layer for a QUIC connection).

(cherry picked from commit fea9d3b)
For now, just test that we don't generate any, since we don't really
expose the mechanics for encrypting one and the QUIC API is not
integrated into the TLSProxy setup.

(cherry picked from commit 67ac3a2)
Add an extra EVP test that provides empty input key material.
It currently fails, since attempting to set a zero-length key
on an EVP_PKEY_CTX results in a call to OPENSSL_memdup() with
length zero, which returns NULL and is detected as failure.

(cherry picked from commit 232c9a1)
When making a copy to keep in the EVP_PKEY_CTX, allocate a single
byte for the cached key instead of letting memdup return NULL
and cause the call to fail.  The length still gets set to zero
properly, so we don't end up inspecting the allocated byte, but
it's important to have a non-NULL pointer set.

(cherry picked from commit 93f2e10)
Make all data supplied via SSL_provide_quic_data() pass through an
internal buffer, so that we can handle data supplied with arbitrary
framing and only parse complete TLS records onto the list of QUIC_DATA
managed by quic_input_data_head/quic_input_data_tail.

This lets us remove the concept of "incomplete" QUIC_DATA structures,
and the 'offset' field needed to support them.

However, we've already moved the provided data onto the buffer by
the time we can check for KeyUpdate messages, so defer that check
to quic_get_message() (where it is adjacent to the preexisting
ChangeCipherSpec check).

To avoid extra memory copies, we also make the QUIC_DATA structures
just store offsets into the consolidated buffer instead of having copies
of the TLS handshake messages themselves.

(cherry picked from commit 0bbcd60)
The QUIC-TLS spec requires that TLS handshake messages do not cross
encryption level boundaries, but we were not previously enforcing this.

(cherry picked from commit 5b76e4f)
Prefix the shared library version with 17 (for 'Q'), to allow this
version to be used alongside a standard OpenSSL distribution

Add +quic to the version (i.e. OPENSSL_VERSION_TEXT)
Different from 3.0.0 as there's no OpenSSL_info()
* QUIC: Add early data support

This commit adds SSL_set_quic_early_data_enabled to add early data
support to QUIC.

* fixup! QUIC: Add early data support

* fixup! QUIC: Add early data support
This commit makes SSL_provide_quic_data accept 0 length data, which
matches BoringSSL behavior.

Fixes openssl#9
This API requests that the TLS stack generate a (TLS 1.3)
NewSessionTicket message the next time it is safe to do so (i.e., we do
not have other data pending write, which could be mid-record).  For
efficiency, defer actually generating/writing the ticket until there
is other data to write, to avoid producing server-to-client traffic when
not needed.

Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#11416)

(cherry picked from commit 3bfacb5)
Run a normal handshake and then request some extra tickets,
checking that the new_session_cb is called the expected number of
times.  Since the tickets are generated in the same way as other
tickets, there should not be a need to verify that these specific ones
can be used to resume.

Run the test with both zero and a non-zero number of tickets issued in the
initial handshake.

Reviewed-by: Matt Caswell <[email protected]>
(Merged from openssl#11416)

(cherry picked from commit f0049b8)
Expand a couple literal tabs, and de-indent the body of a function.

Reviewed-by: Shane Lontis <[email protected]>
(Merged from openssl#11728)

(cherry picked from commit 35774d5)
* Let SSL_new_session_ticket() work immediately

The initial implementation always deferred the generation of the
requested ticket(s) until the next application write, but this
means that the ticket cannot be written at all until there is
application data ready to write.  In some scenarios this application
data may never arrive or may take a long time to arrive, so (when
already at a record boundary) allow the application to explicitly call
SSL_do_handshake() after SSL_new_session_ticket() to force an immediate
write, even when there is no application data available.  The default
behavior remains to defer the generation of the ticket and coalesce the
network traffic for the ticket and application data.

* Test new SSL_new_session_ticket() functionality

Now that we can become "in init" directly after the call, test the
various scenarios where explicit SSL_do_handshake() calls can come
into play.

* Update SSL_new_session_ticket() manual for triggered send

Document the recently added functionality.

(cherry picked from commit 4fb1ff7)
@tmshort tmshort requested a review from kaduk August 24, 2021 14:23
Copy link
Member

@kaduk kaduk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice clean rebase (but the automated tooling gets slightly confused about the #ifdef in one place where we add our sslapitest)

@tmshort
Copy link
Member Author

tmshort commented Aug 24, 2021

I don't believe we should wait for all the checks to pass... I have #46 open to look into anything still outstanding for 1.1.1 in terms of tests.

@tmshort tmshort merged commit df92821 into quictls:OpenSSL_1_1_1l+quic Aug 24, 2021
@tmshort tmshort deleted the tshort-1_1_1l+quic branch August 30, 2021 13:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants