aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/tls/msg_cert_status.cpp
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2019-05-20 14:44:08 -0400
committerJack Lloyd <[email protected]>2019-05-20 15:11:05 -0400
commit67df17d31d61f013d537abc7744f707435351125 (patch)
treecde44420bdcf69fccf8f79123479b6ef0a2712d0 /src/lib/tls/msg_cert_status.cpp
parent8e781e5a1be3ecc456c8e109571a084ec8bb792e (diff)
Fix various issues in TLS found using BoGo
- BoGo sends unparseable OCSP responses, so we have to accomodate for this by delaying decoding until verification and simply ignoring OCSP responses that we can't parse. - Check that there is no trailing garbage at the end of various messages. - Don't send empty SNI - Check the TLS record header versions (previously ignored) - For CBC 1/n-1 splitting split every record instead of just first. I think this is not a problem but it is what BoGo expects. - New Channel::application_protocol virtual (previously was implemented on both Client and Server but not shared). - Changes to resumption version handling. - Fix server version selection when newer versions are disabled. New policy hooks added in service of BoGo: - maximum_certificate_chain_size gives the maximum cert chain in bytes that we'll accept. - allow_resumption_for_renegotiation specifies if a renegotiation attempt can be simply (re-)resumed instead. - abort_handshake_on_undesired_renegotiation - previously we just ignored it with a warning alert. Now behavior is configurable. - request_client_certificate_authentication - require_client_certificate_authentication
Diffstat (limited to 'src/lib/tls/msg_cert_status.cpp')
-rw-r--r--src/lib/tls/msg_cert_status.cpp19
1 files changed, 8 insertions, 11 deletions
diff --git a/src/lib/tls/msg_cert_status.cpp b/src/lib/tls/msg_cert_status.cpp
index 8ad37336b..c0cd82a28 100644
--- a/src/lib/tls/msg_cert_status.cpp
+++ b/src/lib/tls/msg_cert_status.cpp
@@ -22,8 +22,8 @@ Certificate_Status::Certificate_Status(const std::vector<uint8_t>& buf)
if(buf.size() < 5)
throw Decoding_Error("Invalid Certificate_Status message: too small");
- if(buf[0] != 1)
- throw Decoding_Error("Unexpected Certificate_Status message: unexpected message type");
+ if(buf[0] != 1) // not OCSP
+ throw Decoding_Error("Unexpected Certificate_Status message: unexpected response type");
size_t len = make_uint32(0, buf[1], buf[2], buf[3]);
@@ -31,33 +31,30 @@ Certificate_Status::Certificate_Status(const std::vector<uint8_t>& buf)
if(buf.size() != len + 4)
throw Decoding_Error("Invalid Certificate_Status: invalid length field");
- m_response = std::make_shared<OCSP::Response>(buf.data() + 4, buf.size() - 4);
+ m_response.assign(buf.begin() + 4, buf.end());
}
Certificate_Status::Certificate_Status(Handshake_IO& io,
Handshake_Hash& hash,
std::shared_ptr<const OCSP::Response> ocsp) :
- m_response(ocsp)
+ m_response(ocsp->raw_bits())
{
hash.update(io.send(*this));
}
std::vector<uint8_t> Certificate_Status::serialize() const
{
- BOTAN_ASSERT_NONNULL(m_response);
- const std::vector<uint8_t>& m_resp_bits = m_response->raw_bits();
-
- if(m_resp_bits.size() > 0xFFFFFF) // unlikely
+ if(m_response.size() > 0xFFFFFF) // unlikely
throw Encoding_Error("OCSP response too long to encode in TLS");
- const uint32_t m_resp_bits_len = static_cast<uint32_t>(m_resp_bits.size());
+ const uint32_t m_response_len = static_cast<uint32_t>(m_response.size());
std::vector<uint8_t> buf;
buf.push_back(1); // type OCSP
for(size_t i = 1; i < 4; ++i)
- buf[i] = get_byte(i, m_resp_bits_len);
+ buf[i] = get_byte(i, m_response_len);
- buf += m_resp_bits;
+ buf += m_response;
return buf;
}