diff options
author | Jack Lloyd <[email protected]> | 2019-05-20 14:44:08 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2019-05-20 15:11:05 -0400 |
commit | 67df17d31d61f013d537abc7744f707435351125 (patch) | |
tree | cde44420bdcf69fccf8f79123479b6ef0a2712d0 /src/lib/tls/msg_cert_status.cpp | |
parent | 8e781e5a1be3ecc456c8e109571a084ec8bb792e (diff) |
Fix various issues in TLS found using BoGo
- BoGo sends unparseable OCSP responses, so we have to accomodate for
this by delaying decoding until verification and simply ignoring
OCSP responses that we can't parse.
- Check that there is no trailing garbage at the end of various messages.
- Don't send empty SNI
- Check the TLS record header versions (previously ignored)
- For CBC 1/n-1 splitting split every record instead of just first.
I think this is not a problem but it is what BoGo expects.
- New Channel::application_protocol virtual (previously was
implemented on both Client and Server but not shared).
- Changes to resumption version handling.
- Fix server version selection when newer versions are disabled.
New policy hooks added in service of BoGo:
- maximum_certificate_chain_size gives the maximum cert chain in bytes
that we'll accept.
- allow_resumption_for_renegotiation specifies if a renegotiation
attempt can be simply (re-)resumed instead.
- abort_handshake_on_undesired_renegotiation - previously we just
ignored it with a warning alert. Now behavior is configurable.
- request_client_certificate_authentication
- require_client_certificate_authentication
Diffstat (limited to 'src/lib/tls/msg_cert_status.cpp')
-rw-r--r-- | src/lib/tls/msg_cert_status.cpp | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/src/lib/tls/msg_cert_status.cpp b/src/lib/tls/msg_cert_status.cpp index 8ad37336b..c0cd82a28 100644 --- a/src/lib/tls/msg_cert_status.cpp +++ b/src/lib/tls/msg_cert_status.cpp @@ -22,8 +22,8 @@ Certificate_Status::Certificate_Status(const std::vector<uint8_t>& buf) if(buf.size() < 5) throw Decoding_Error("Invalid Certificate_Status message: too small"); - if(buf[0] != 1) - throw Decoding_Error("Unexpected Certificate_Status message: unexpected message type"); + if(buf[0] != 1) // not OCSP + throw Decoding_Error("Unexpected Certificate_Status message: unexpected response type"); size_t len = make_uint32(0, buf[1], buf[2], buf[3]); @@ -31,33 +31,30 @@ Certificate_Status::Certificate_Status(const std::vector<uint8_t>& buf) if(buf.size() != len + 4) throw Decoding_Error("Invalid Certificate_Status: invalid length field"); - m_response = std::make_shared<OCSP::Response>(buf.data() + 4, buf.size() - 4); + m_response.assign(buf.begin() + 4, buf.end()); } Certificate_Status::Certificate_Status(Handshake_IO& io, Handshake_Hash& hash, std::shared_ptr<const OCSP::Response> ocsp) : - m_response(ocsp) + m_response(ocsp->raw_bits()) { hash.update(io.send(*this)); } std::vector<uint8_t> Certificate_Status::serialize() const { - BOTAN_ASSERT_NONNULL(m_response); - const std::vector<uint8_t>& m_resp_bits = m_response->raw_bits(); - - if(m_resp_bits.size() > 0xFFFFFF) // unlikely + if(m_response.size() > 0xFFFFFF) // unlikely throw Encoding_Error("OCSP response too long to encode in TLS"); - const uint32_t m_resp_bits_len = static_cast<uint32_t>(m_resp_bits.size()); + const uint32_t m_response_len = static_cast<uint32_t>(m_response.size()); std::vector<uint8_t> buf; buf.push_back(1); // type OCSP for(size_t i = 1; i < 4; ++i) - buf[i] = get_byte(i, m_resp_bits_len); + buf[i] = get_byte(i, m_response_len); - buf += m_resp_bits; + buf += m_response; return buf; } |