diff --git a/compliance/initialize_duvet.sh b/compliance/initialize_duvet.sh
index d9a6acfdf4c..347c8001644 100755
--- a/compliance/initialize_duvet.sh
+++ b/compliance/initialize_duvet.sh
@@ -7,4 +7,6 @@ duvet extract https://tools.ietf.org/rfc/rfc8448 # Example Handshake Traces for
 duvet extract https://tools.ietf.org/rfc/rfc7627 # Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
 duvet extract https://tools.ietf.org/rfc/rfc5746 # Transport Layer Security (TLS) Renegotiation Indication Extension
 duvet extract https://tools.ietf.org/rfc/rfc4492 # Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)
+duvet extract https://tools.ietf.org/rfc/rfc8422 # Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier
+
diff --git a/tls/extensions/s2n_ec_point_format.c b/tls/extensions/s2n_ec_point_format.c
index ae003c8fc87..d5e6c877423 100644
--- a/tls/extensions/s2n_ec_point_format.c
+++ b/tls/extensions/s2n_ec_point_format.c
@@ -64,9 +64,17 @@ static int s2n_ec_point_format_send(struct s2n_connection *conn, struct s2n_stuf
 static int s2n_ec_point_format_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
 {
-    /**
-     * Only uncompressed points are supported by the server and the client must include it in
+    /* Only uncompressed points are supported by the server and the client must include it in
      * the extension. Just skip the extension.
+     *
+     *= https://tools.ietf.org/rfc/rfc8422#section-5.1.2
+     *= type=exception
+     *= reason=Incorrect implementations exist in the wild. Skipping validation.
+     *# If the client sends the extension and the extension does not contain
+     *# the uncompressed point format, and the client has used the Supported
+     *# Groups extension to indicate support for any of the curves defined in
+     *# this specification, then the server MUST abort the handshake and
+     *# return an illegal_parameter alert.
      */
     conn->ec_point_formats = 1;
     return S2N_SUCCESS;
diff --git a/tls/s2n_record_read.c b/tls/s2n_record_read.c
index 552b6b2aae9..484570e103d 100644
--- a/tls/s2n_record_read.c
+++ b/tls/s2n_record_read.c
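Review bot: The exception annotation says why the illegal_parameter abort is skipped, but `conn->ec_point_formats = 1;` still carries no comment explaining what the flag means now that the extension body is never inspected, and the `reason=` line does not state the consequence of the deviation: since only uncompressed points are supported, a client that genuinely omits that format presumably fails later in the key exchange instead of receiving the alert the RFC requires. I would extend the reason to `*= reason=Incorrect implementations exist in the wild. Skipping validation; the server always uses uncompressed points, so a non-conforming client fails later rather than with illegal_parameter.` and add `/* Set when the client sent the extension; its body is intentionally not parsed (see exception above). */` above the assignment. The `extension` parameter is consequently unused, which is consistent with the exception but deserves a word in the comment so nobody "fixes" it by parsing untrusted bytes without the validation. The closing brace of s2n_ec_point_format_recv lies outside the hunk.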
@@ -106,12 +106,19 @@ int s2n_record_header_parse(
     S2N_ERROR_IF(conn->actual_protocol_version_established && MIN(conn->actual_protocol_version, S2N_TLS12) /* check against legacy record version (1.2) in tls 1.3 */ != version, S2N_ERR_BAD_MESSAGE);
-    POSIX_GUARD(s2n_stuffer_read_uint16(in, fragment_length));
-    /* Some servers send fragments that are above the maximum length. (e.g.
-     * Openssl 1.0.1, so we don't check if the fragment length is >
-     * S2N_TLS_MAXIMUM_FRAGMENT_LENGTH. The on-the-wire max is 65k
+    /* Some servers send fragments that are above the maximum length (e.g.
+     * Openssl 1.0.1), so we don't check if the fragment length is >
+     * S2N_TLS_MAXIMUM_FRAGMENT_LENGTH. We allow up to 2^16.
+     *
+     *= https://tools.ietf.org/rfc/rfc8446#section-5.1
+     *= type=exception
+     *= reason=Incorrect implementations exist in the wild. Ignoring instead.
+     *# The length MUST NOT exceed 2^14 bytes. An
+     *# endpoint that receives a record that exceeds this length MUST
+     *# terminate the connection with a "record_overflow" alert.
      */
+    POSIX_GUARD(s2n_stuffer_read_uint16(in, fragment_length));
     POSIX_GUARD(s2n_stuffer_reread(in));
     return 0;
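Review bot: The comment now promises `We allow up to 2^16`, but nothing in the hunk bounds `fragment_length` beyond the 16-bit wire encoding consumed by `POSIX_GUARD(s2n_stuffer_read_uint16(in, fragment_length));`, so a reader cannot tell where an oversized record is actually contained; I would add `* The only bound here is the 16-bit length field; the receive path must be sized for the full 2^16 - 1 bytes.` (naming the actual check if one exists elsewhere). The exception cites only RFC 8446 §5.1, yet the same relaxation applies to the TLS 1.2 record-length limit in RFC 5246 §6.2.1; if the compliance script also extracts RFC 5246, that requirement needs a matching `type=exception` annotation or duvet will report it as unimplemented. Moving the read below the comment is a harmless reorder. s2n_record_header_parse begins and ends outside the hunk.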