diff options
author | lloyd <[email protected]> | 2014-04-11 22:13:07 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2014-04-11 22:13:07 +0000 |
commit | d96b4425121bfeb122d90c73405f951b220a839c (patch) | |
tree | 20cca858ce4aa844f9067391f7380507cca6a2d1 | |
parent | a69436e3cb4b91ec835673145fd4dbe703342a4c (diff) |
Verify that the server did not send any extension that the client didn't
offer. Previously the client only checked a couple of special cases.
-rw-r--r-- | src/lib/tls/tls_client.cpp | 22 | ||||
-rw-r--r-- | src/lib/tls/tls_extensions.cpp | 8 | ||||
-rw-r--r-- | src/lib/tls/tls_extensions.h | 3 | ||||
-rw-r--r-- | src/lib/tls/tls_messages.h | 6 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 10 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.h | 4 |
6 files changed, 41 insertions, 12 deletions
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp index 2bbe51fd7..3de9130d4 100644 --- a/src/lib/tls/tls_client.cpp +++ b/src/lib/tls/tls_client.cpp @@ -209,18 +209,20 @@ void Client::process_handshake_msg(const Handshake_State* active_state, "Server replied with compression method we didn't send"); } - if(!state.client_hello()->next_protocol_notification() && - state.server_hello()->next_protocol_notification()) - { - throw TLS_Exception(Alert::HANDSHAKE_FAILURE, - "Server sent next protocol but we didn't request it"); - } + auto client_extn = state.client_hello()->extension_types(); + auto server_extn = state.server_hello()->extension_types(); - if(state.server_hello()->supports_session_ticket()) + std::vector<Handshake_Extension_Type> diff; + + std::set_difference(server_extn.begin(), server_extn.end(), + client_extn.begin(), server_extn.end(), + std::back_inserter(diff)); + + for(auto i : diff) { - if(!state.client_hello()->supports_session_ticket()) - throw TLS_Exception(Alert::HANDSHAKE_FAILURE, - "Server sent session ticket extension but we did not"); + throw TLS_Exception(Alert::HANDSHAKE_FAILURE, + "Server sent extension " + std::to_string(i) + + " but we did not request it"); } state.set_version(state.server_hello()->version()); diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp index 1ae9f1749..0860006e6 100644 --- a/src/lib/tls/tls_extensions.cpp +++ b/src/lib/tls/tls_extensions.cpp @@ -115,6 +115,14 @@ std::vector<byte> Extensions::serialize() const return buf; } +std::set<Handshake_Extension_Type> Extensions::extension_types() const + { + std::set<Handshake_Extension_Type> offers; + for(auto i = extensions.begin(); i != extensions.end(); ++i) + offers.insert(i->first); + return offers; + } + Server_Name_Indicator::Server_Name_Indicator(TLS_Data_Reader& reader, u16bit extension_size) { diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h index caa389ded..a88938eba 100644 --- a/src/lib/tls/tls_extensions.h +++ b/src/lib/tls/tls_extensions.h @@ -13,6 +13,7 @@ #include <vector> #include <string> #include <map> +#include <set> namespace Botan { @@ -357,6 +358,8 @@ class Heartbeat_Support_Indicator : public Extension class Extensions { public: + std::set<Handshake_Extension_Type> extension_types() const; + template<typename T> T* get() const { diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h index a616b0def..f3bf8fad2 100644 --- a/src/lib/tls/tls_messages.h +++ b/src/lib/tls/tls_messages.h @@ -149,6 +149,9 @@ class Client_Hello : public Handshake_Message void update_hello_cookie(const Hello_Verify_Request& hello_verify); + std::set<Handshake_Extension_Type> extension_types() const + { return m_extensions.extension_types(); } + Client_Hello(Handshake_IO& io, Handshake_Hash& hash, Protocol_Version version, @@ -251,6 +254,9 @@ class Server_Hello : public Handshake_Message return false; } + std::set<Handshake_Extension_Type> extension_types() const + { return m_extensions.extension_types(); } + Server_Hello(Handshake_IO& io, Handshake_Hash& hash, const Policy& policy, diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 05251e186..c1f2c311c 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -153,6 +153,16 @@ bool Policy::acceptable_ciphersuite(const Ciphersuite&) const return true; } +bool Policy::negotiate_heartbeat_support() const + { + return false; + } + +bool Policy::allow_server_initiated_renegotiation() const + { + return true; + } + namespace { class Ciphersuite_Preference_Ordering diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index 5b205dfeb..9aaa1745c 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -78,7 +78,7 @@ class BOTAN_DLL Policy /** * Attempt to negotiate the use of the heartbeat extension */ - virtual bool negotiate_heartbeat_support() const { return false; } + virtual bool negotiate_heartbeat_support() const; /** * Allow renegotiation even if the counterparty doesn't @@ -92,7 +92,7 @@ class BOTAN_DLL Policy /** * Allow servers to initiate a new handshake */ - virtual bool allow_server_initiated_renegotiation() const { return true; } + virtual bool allow_server_initiated_renegotiation() const; /** * Return the group to use for ephemeral Diffie-Hellman key agreement |