diff options
| author | Jack Lloyd <[email protected]> | 2019-05-20 14:44:08 -0400 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2019-05-20 15:11:05 -0400 |
| commit | 67df17d31d61f013d537abc7744f707435351125 (patch) | |
| tree | cde44420bdcf69fccf8f79123479b6ef0a2712d0 /src/lib/tls/tls_alert.cpp | |
| parent | 8e781e5a1be3ecc456c8e109571a084ec8bb792e (diff) | |
Fix various issues in TLS found using BoGo
- BoGo sends unparseable OCSP responses, so we have to accomodate for
this by delaying decoding until verification and simply ignoring
OCSP responses that we can't parse.
- Check that there is no trailing garbage at the end of various messages.
- Don't send empty SNI
- Check the TLS record header versions (previously ignored)
- For CBC 1/n-1 splitting split every record instead of just first.
I think this is not a problem but it is what BoGo expects.
- New Channel::application_protocol virtual (previously was
implemented on both Client and Server but not shared).
- Changes to resumption version handling.
- Fix server version selection when newer versions are disabled.
New policy hooks added in service of BoGo:
- maximum_certificate_chain_size gives the maximum cert chain in bytes
that we'll accept.
- allow_resumption_for_renegotiation specifies if a renegotiation
attempt can be simply (re-)resumed instead.
- abort_handshake_on_undesired_renegotiation - previously we just
ignored it with a warning alert. Now behavior is configurable.
- request_client_certificate_authentication
- require_client_certificate_authentication
Diffstat (limited to 'src/lib/tls/tls_alert.cpp')
| -rw-r--r-- | src/lib/tls/tls_alert.cpp | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/src/lib/tls/tls_alert.cpp b/src/lib/tls/tls_alert.cpp index e1e8c6eb6..60c9c4b98 100644 --- a/src/lib/tls/tls_alert.cpp +++ b/src/lib/tls/tls_alert.cpp @@ -6,7 +6,7 @@ */ #include <botan/tls_alert.h> -#include <botan/exceptn.h> +#include <botan/tls_exceptn.h> namespace Botan { @@ -15,13 +15,13 @@ namespace TLS { Alert::Alert(const secure_vector<uint8_t>& buf) { if(buf.size() != 2) - throw Decoding_Error("Alert: Bad size " + std::to_string(buf.size()) + - " for alert message"); + throw Decoding_Error("Bad size (" + std::to_string(buf.size()) + + ") for TLS alert message"); if(buf[0] == 1) m_fatal = false; else if(buf[0] == 2) m_fatal = true; else - throw Decoding_Error("Alert: Bad code for alert level"); + throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Bad code for TLS alert level"); const uint8_t dc = buf[1]; @@ -103,6 +103,8 @@ std::string Alert::type_string() const return "bad_certificate_hash_value"; case UNKNOWN_PSK_IDENTITY: return "unknown_psk_identity"; + case CERTIFICATE_REQUIRED: + return "certificate_required"; case NO_APPLICATION_PROTOCOL: return "no_application_protocol"; |