author | Falko Strenzke <[email protected]> | 2018-10-11 16:12:59 +0200 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2019-05-22 13:42:59 -0400 |
commit | f56f29c893b06e3d412e82f28e6c8aa075700ec3 (patch) | |
tree | 77525f4dc98e7cb804983bdc38c4b3e86f099096 /src/lib/tls | |
parent | b5176ca26fd36cb51588a5d3d7094eaa313fcf63 (diff) |
added status_request extension and cert chain to the stapling-reponse generating callback's signature
Diffstat (limited to 'src/lib/tls')
-rw-r--r-- | src/lib/tls/tls_callbacks.h | 4 | ||||
-rw-r--r-- | src/lib/tls/tls_extensions.cpp | 28 | ||||
-rw-r--r-- | src/lib/tls/tls_extensions.h | 17 | ||||
-rw-r--r-- | src/lib/tls/tls_server.cpp | 21 |
4 files changed, 56 insertions, 14 deletions
diff --git a/src/lib/tls/tls_callbacks.h b/src/lib/tls/tls_callbacks.h index 6b93e7d6b..2c217993a 100644 --- a/src/lib/tls/tls_callbacks.h +++ b/src/lib/tls/tls_callbacks.h @@ -12,6 +12,7 @@ #include <botan/tls_session.h> #include <botan/tls_alert.h> +#include <botan/tls_extensions.h> #include <botan/pubkey.h> #include <functional> @@ -20,6 +21,7 @@ namespace Botan { class Certificate_Store; class X509_Certificate; + namespace OCSP { class Response; @@ -149,7 +151,7 @@ class BOTAN_PUBLIC_API(2,0) Callbacks * * @return the encoded OCSP response to be sent to the client which indicates the revocation status of the server certificate. Return an empty vector to indicate that no response is available, and thus suppress the Certificate_Status message. */ - virtual std::vector<uint8_t> tls_srv_provoide_cert_status_response() const + virtual std::vector<uint8_t> tls_srv_provoide_cert_status_response(std::vector<X509_Certificate> const& , Certificate_Status_Request const& ) const { return std::vector<uint8_t>(); } diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp index a673f867b..917a76b92 100644 --- a/src/lib/tls/tls_extensions.cpp +++ b/src/lib/tls/tls_extensions.cpp 
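Review bot: The new `#include <botan/tls_extensions.h>` pulls the whole extensions header into every translation unit that includes the public callbacks header, while the only new use in this file is a `Certificate_Status_Request const&` parameter on a virtual. A forward declaration in the class's own namespace, next to the existing `class X509_Certificate;` forward declaration, would be enough for a reference parameter: `class Certificate_Status_Request;`. Keep the full include only if a definition is needed somewhere in tls_callbacks.h outside this hunk.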
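Review bot: Changing the parameter list of the public virtual `tls_srv_provoide_cert_status_response()` silently disables existing overrides: an application `Callbacks` subclass that overrides the old zero-argument form without `override` no longer overrides anything, the base implementation's empty vector is used, and OCSP stapling stops with no diagnostic. Since the class is `BOTAN_PUBLIC_API(2,0)`, consider keeping the old overload and having the new one forward to it by default, or at least document the break where callers will see it. The Doxygen block also gains no `@param` entries and both parameters are unnamed; e.g. `@param cert_chain the certificate chain sent to the client in the Certificate message` and `@param csr the Certificate_Status_Request extension received in the ClientHello`, with the parameters named accordingly. `std::vector<X509_Certificate> const&` also differs from the `const std::vector<...>&` spelling used in the other files of this commit.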
@@ -539,14 +539,36 @@ std::vector<uint8_t> Certificate_Status_Request::serialize() const Certificate_Status_Request::Certificate_Status_Request(TLS_Data_Reader& reader, uint16_t extension_size) : - m_server_side(false) + m_server_side(false) // This ctor is used by both client and server, so the information is wrong here. + // However, m_server_side is only evaluated when sending the object, thus the error + // made will not matter. However, a better modelling would be nice. { if(extension_size > 0) { const uint8_t type = reader.get_byte(); if(type == 1) { - reader.discard_next(extension_size - 1); // fixme + extension_size -= 1; + size_t len_resp_id_list = reader.get_uint16_t(); + extension_size -= 2; + if(len_resp_id_list + 2 > extension_size) + { + throw Decoding_Error("Bad size of responder id list in Certificate_Status_Request extension"); + } + m_ocsp_names = reader.get_fixed<uint8_t>(len_resp_id_list); + extension_size -= len_resp_id_list; + size_t len_requ_ext = reader.get_uint16_t(); + extension_size -= 2; + if(len_requ_ext > extension_size) + { + throw Decoding_Error("Bad size of extensions in Certificate_Status_Request extension"); + } + m_extension_bytes = reader.get_fixed<uint8_t>(len_requ_ext ); + extension_size -= len_requ_ext; + if(extension_size != 0) + { + throw Decoding_Error("trailing bytes in Certificate_Status_Request extension"); + } } else { @@ -555,7 +577,7 @@ Certificate_Status_Request::Certificate_Status_Request(TLS_Data_Reader& reader, } } -Certificate_Status_Request::Certificate_Status_Request(const std::vector<X509_DN>& ocsp_responder_ids, +Certificate_Status_Request::Certificate_Status_Request(const std::vector<uint8_t>& ocsp_responder_ids, const std::vector<std::vector<uint8_t>>& ocsp_key_ids) : m_ocsp_names(ocsp_responder_ids), m_ocsp_keys(ocsp_key_ids), diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h index 3ecfb7c0f..4f7bd5464 100644 --- a/src/lib/tls/tls_extensions.h +++ b/src/lib/tls/tls_extensions.h 
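Review bot: `extension_size -= 2` after the first `reader.get_uint16_t()` underflows the `uint16_t` when the extension body holds the type byte plus fewer than two further bytes: the reader appears to span the whole extensions block (its size is passed separately), so the two-byte read succeeds on the next extension's bytes, `extension_size` wraps to a large value, and the `len_resp_id_list + 2 > extension_size` check no longer bounds anything. A guard before the first length read closes this: `if(extension_size < 2) throw Decoding_Error("Certificate_Status_Request extension truncated");` — the existing `+ 2` check then already guarantees two bytes remain for the second length field. The reader's own bounds checks presumably prevent reading past the buffer, but a malformed ClientHello would be mis-parsed (or fail in a later extension) instead of being rejected here with a clear error. The constructor's else branch and the rest of its body continue outside the hunk.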
@@ -397,17 +397,28 @@ class BOTAN_UNSTABLE_API Certificate_Status_Request final : public Extension bool empty() const override { return false; } + std::vector<uint8_t> get_responder_id_list() const + { + return m_ocsp_names; + } + + std::vector<uint8_t> get_request_extensions() const + { + return m_extension_bytes; + } + + // Server generated version: empty Certificate_Status_Request(); // Client version, both lists can be empty - Certificate_Status_Request(const std::vector<X509_DN>& ocsp_responder_ids, + Certificate_Status_Request(const std::vector<uint8_t>& ocsp_responder_ids, const std::vector<std::vector<uint8_t>>& ocsp_key_ids); Certificate_Status_Request(TLS_Data_Reader& reader, uint16_t extension_size); private: - std::vector<X509_DN> m_ocsp_names; - std::vector<std::vector<uint8_t>> m_ocsp_keys; + std::vector<uint8_t> m_ocsp_names; + std::vector<std::vector<uint8_t>> m_ocsp_keys; // is this field really needed std::vector<uint8_t> m_extension_bytes; bool m_server_side; }; diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp index 9e9ca517e..387ae019e 100644 --- a/src/lib/tls/tls_server.cpp +++ b/src/lib/tls/tls_server.cpp 
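Review bot: `get_responder_id_list()` and `get_request_extensions()` return the stored vectors by value, so every call copies; `const std::vector<uint8_t>&` is the natural return type for a read-only getter on a member the object already owns, and callers that need ownership can still copy. The constructor comment `// Client version, both lists can be empty` is now misleading because the first argument changed from a list of `X509_DN` to raw bytes; say what the bytes are, e.g. `// Client version: ocsp_responder_ids is the already-encoded responder_id_list; both may be empty`. The `// is this field really needed` comment on `m_ocsp_keys` is a question left in shipped code rather than documentation; either resolve it in this change or make it a `TODO` stating what currently reads the field.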
@@ -846,13 +846,20 @@ void Server::session_create(Server_Handshake_State& pending_state, pending_state.server_certs(new Certificate(pending_state.handshake_io(), pending_state.hash(), cert_chains[algo_used])); - if(pending_state.client_hello()->supports_cert_status_message() && callbacks().tls_srv_provoide_cert_status_response().size() > 0) - { - pending_state.server_cert_status(new Certificate_Status( - pending_state.handshake_io(), - pending_state.hash(), - callbacks().tls_srv_provoide_cert_status_response() - )); + + if(pending_state.client_hello()->supports_cert_status_message()) + { + Certificate_Status_Request * csr = pending_state.client_hello()->extensions().get<Certificate_Status_Request>(); + // csr is non-null if client_hello()->supports_cert_status_message() + std::vector<uint8_t> resp_bytes = callbacks().tls_srv_provoide_cert_status_response(cert_chains[algo_used], *csr); + if(resp_bytes.size() > 0) + { + pending_state.server_cert_status(new Certificate_Status( + pending_state.handshake_io(), + pending_state.hash(), + resp_bytes + )); + } } private_key = m_creds.private_key_for( |
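Review bot: `*csr` is dereferenced on the strength of a comment only; `supports_cert_status_message()` and `extensions().get<Certificate_Status_Request>()` appear to be separate lookups, and if they ever disagree this is a null dereference on a path driven by the peer's ClientHello. Making the invariant explicit costs one line after the lookup: `BOTAN_ASSERT_NONNULL(csr);`. `resp_bytes` is not used after the `Certificate_Status` construction in the hunk, so it can be `std::move`d into it, and `resp_bytes.size() > 0` reads better as `!resp_bytes.empty()`. `Server::session_create` continues outside the hunk.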