aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlloyd <[email protected]>2014-04-11 22:13:07 +0000
committerlloyd <[email protected]>2014-04-11 22:13:07 +0000
commitd96b4425121bfeb122d90c73405f951b220a839c (patch)
tree20cca858ce4aa844f9067391f7380507cca6a2d1
parenta69436e3cb4b91ec835673145fd4dbe703342a4c (diff)
Verify that the server did not send any extension that the client didn't
offer. Previously the client only checked a couple of special cases.
-rw-r--r--src/lib/tls/tls_client.cpp22
-rw-r--r--src/lib/tls/tls_extensions.cpp8
-rw-r--r--src/lib/tls/tls_extensions.h3
-rw-r--r--src/lib/tls/tls_messages.h6
-rw-r--r--src/lib/tls/tls_policy.cpp10
-rw-r--r--src/lib/tls/tls_policy.h4
6 files changed, 41 insertions, 12 deletions
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 2bbe51fd7..3de9130d4 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -209,18 +209,20 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
"Server replied with compression method we didn't send");
}
- if(!state.client_hello()->next_protocol_notification() &&
- state.server_hello()->next_protocol_notification())
- {
- throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
- "Server sent next protocol but we didn't request it");
- }
+ auto client_extn = state.client_hello()->extension_types();
+ auto server_extn = state.server_hello()->extension_types();
- if(state.server_hello()->supports_session_ticket())
+ std::vector<Handshake_Extension_Type> diff;
+
+ std::set_difference(server_extn.begin(), server_extn.end(),
+ client_extn.begin(), server_extn.end(),
+ std::back_inserter(diff));
+
+ for(auto i : diff)
{
- if(!state.client_hello()->supports_session_ticket())
- throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
- "Server sent session ticket extension but we did not");
+ throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
+ "Server sent extension " + std::to_string(i) +
+ " but we did not request it");
}
state.set_version(state.server_hello()->version());
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp
index 1ae9f1749..0860006e6 100644
--- a/src/lib/tls/tls_extensions.cpp
+++ b/src/lib/tls/tls_extensions.cpp
@@ -115,6 +115,14 @@ std::vector<byte> Extensions::serialize() const
return buf;
}
+std::set<Handshake_Extension_Type> Extensions::extension_types() const
+ {
+ std::set<Handshake_Extension_Type> offers;
+ for(auto i = extensions.begin(); i != extensions.end(); ++i)
+ offers.insert(i->first);
+ return offers;
+ }
+
Server_Name_Indicator::Server_Name_Indicator(TLS_Data_Reader& reader,
u16bit extension_size)
{
diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h
index caa389ded..a88938eba 100644
--- a/src/lib/tls/tls_extensions.h
+++ b/src/lib/tls/tls_extensions.h
@@ -13,6 +13,7 @@
#include <vector>
#include <string>
#include <map>
+#include <set>
namespace Botan {
@@ -357,6 +358,8 @@ class Heartbeat_Support_Indicator : public Extension
class Extensions
{
public:
+ std::set<Handshake_Extension_Type> extension_types() const;
+
template<typename T>
T* get() const
{
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index a616b0def..f3bf8fad2 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -149,6 +149,9 @@ class Client_Hello : public Handshake_Message
void update_hello_cookie(const Hello_Verify_Request& hello_verify);
+ std::set<Handshake_Extension_Type> extension_types() const
+ { return m_extensions.extension_types(); }
+
Client_Hello(Handshake_IO& io,
Handshake_Hash& hash,
Protocol_Version version,
@@ -251,6 +254,9 @@ class Server_Hello : public Handshake_Message
return false;
}
+ std::set<Handshake_Extension_Type> extension_types() const
+ { return m_extensions.extension_types(); }
+
Server_Hello(Handshake_IO& io,
Handshake_Hash& hash,
const Policy& policy,
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 05251e186..c1f2c311c 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -153,6 +153,16 @@ bool Policy::acceptable_ciphersuite(const Ciphersuite&) const
return true;
}
+bool Policy::negotiate_heartbeat_support() const
+ {
+ return false;
+ }
+
+bool Policy::allow_server_initiated_renegotiation() const
+ {
+ return true;
+ }
+
namespace {
class Ciphersuite_Preference_Ordering
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index 5b205dfeb..9aaa1745c 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -78,7 +78,7 @@ class BOTAN_DLL Policy
/**
* Attempt to negotiate the use of the heartbeat extension
*/
- virtual bool negotiate_heartbeat_support() const { return false; }
+ virtual bool negotiate_heartbeat_support() const;
/**
* Allow renegotiation even if the counterparty doesn't
@@ -92,7 +92,7 @@ class BOTAN_DLL Policy
/**
* Allow servers to initiate a new handshake
*/
- virtual bool allow_server_initiated_renegotiation() const { return true; }
+ virtual bool allow_server_initiated_renegotiation() const;
/**
* Return the group to use for ephemeral Diffie-Hellman key agreement