author | Jack Lloyd <[email protected]> | 2017-11-28 18:40:57 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2017-11-28 18:40:57 -0500 |
commit | c32ca55e773ebfc4862ce25e3bf683979880d8b8 (patch) | |
tree | e42c6244863b0a274bfb698c1768cb1e8ff395b4 /src/lib/tls | |
parent | bf5b2f471eebf58ccc5eced12e5a5ea64810d679 (diff) | |
parent | 5205df88f44b3d52854688ae790dafe33811ec4b (diff) |
Merge GH #1316 Various TLS fixes
Diffstat (limited to 'src/lib/tls')
-rw-r--r-- | src/lib/tls/msg_client_kex.cpp | 18 | ||||
-rw-r--r-- | src/lib/tls/tls_client.cpp | 8 | ||||
-rw-r--r-- | src/lib/tls/tls_extensions.cpp | 2 | ||||
-rw-r--r-- | src/lib/tls/tls_server.cpp | 5 |
4 files changed, 24 insertions, 9 deletions
diff --git a/src/lib/tls/msg_client_kex.cpp b/src/lib/tls/msg_client_kex.cpp
index 742fee6b5..51040e479 100644
--- a/src/lib/tls/msg_client_kex.cpp
+++ b/src/lib/tls/msg_client_kex.cpp
@@ -403,17 +403,21 @@ Client_Key_Exchange::Client_Key_Exchange(const std::vector<uint8_t>& contents,
 throw Internal_Error("Expected key agreement key type but got " + private_key.algo_name());
+ std::vector<uint8_t> client_pubkey;
+
+ if(ka_key->algo_name() == "DH")
+ {
+ client_pubkey = reader.get_range<uint8_t>(2, 0, 65535);
+ }
+ else
+ {
+ client_pubkey = reader.get_range<uint8_t>(1, 1, 255);
+ }
+
 try
 {
 PK_Key_Agreement ka(*ka_key, rng, "Raw");
- std::vector<uint8_t> client_pubkey;
-
- if(ka_key->algo_name() == "DH")
- client_pubkey = reader.get_range<uint8_t>(2, 0, 65535);
- else
- client_pubkey = reader.get_range<uint8_t>(1, 0, 255);
-
 secure_vector<uint8_t> shared_secret = ka.derive_key(0, client_pubkey).bits_of();
 if(ka_key->algo_name() == "DH")
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index ce19f04c9..0e620a279 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -330,7 +330,13 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
 if(state.version() > state.client_hello()->version())
 {
 throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
- "Server replied with later version than in hello");
+ "Server replied with later version than client offered");
+ }
+
+ if(state.version().major_version() == 3 && state.version().minor_version() == 0)
+ {
+ throw TLS_Exception(Alert::PROTOCOL_VERSION,
+ "Server attempting to negotiate SSLv3 which is not supported");
 }
 if(!policy().acceptable_protocol_version(state.version()))
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp
index 8f13b2c6d..d521f6bf8 100644
--- a/src/lib/tls/tls_extensions.cpp
+++ b/src/lib/tls/tls_extensions.cpp
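Review bot: The DH branch of the new `client_pubkey` block still accepts an empty value (`reader.get_range<uint8_t>(2, 0, 65535)`) while the ECDH branch was tightened to a minimum of one byte; RFC 5246 encodes dh_Yc as opaque<1..2^16-1>, so a zero-length public value should fail at decode time here rather than be left to whatever the DH agreement further down does with it, i.e. `client_pubkey = reader.get_range<uint8_t>(2, 1, 65535);`. Hoisting the parsing above the `try` presumably keeps a bad length from being handled by the catch clause below (outside the hunk); a one-line comment above the block stating that intent would save the next reader from re-deriving it. The `ka_key->algo_name() == "DH"` string comparison is now evaluated three times in this constructor (twice within the hunk); a `const bool is_dh = (ka_key->algo_name() == "DH");` local would read better. Client_Key_Exchange's constructor continues outside the hunk.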
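Review bot: The new SSLv3 rejection in Client::process_handshake_msg matches only major 3 / minor 0, whereas the server-side hunk in tls_server.cpp from the same commit also rejects any major version below 3; a server replying with such a version passes the preceding "later than offered" comparison and is then, presumably, only caught by `policy().acceptable_protocol_version` with a different alert. Extending the condition to `if(state.version().major_version() < 3 || (state.version().major_version() == 3 && state.version().minor_version() == 0))` makes the two sides agree and yields PROTOCOL_VERSION in both cases. The same literal major/minor test is now spelled out in both files; one shared predicate (a query on Protocol_Version, for example) would keep the two copies from drifting. The enclosing function continues outside the hunk.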
@@ -586,7 +586,7 @@ Signature_Algorithms::Signature_Algorithms(TLS_Data_Reader& reader,
 {
 uint16_t len = reader.get_uint16_t();
- if(len + 2 != extension_size)
+ if(len + 2 != extension_size || len % 2 == 1 || len == 0)
 throw Decoding_Error("Bad encoding on signature algorithms extension");
 while(len)
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index f20e363cf..66a0e0e1d 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -405,6 +405,11 @@ void Server::process_client_hello_msg(const Handshake_State* active_state,
 pending_state.client_hello(new Client_Hello(contents));
 const Protocol_Version client_version = pending_state.client_hello()->version();
+ if(client_version.major_version() < 3)
+ throw TLS_Exception(Alert::PROTOCOL_VERSION, "Client offered version with major version under 3");
+ if(client_version.major_version() == 3 && client_version.minor_version() == 0)
+ throw TLS_Exception(Alert::PROTOCOL_VERSION, "SSLv3 is not supported");
+
 Protocol_Version negotiated_version;
 const Protocol_Version latest_supported = |
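Review bot: The tightened length check in Signature_Algorithms::Signature_Algorithms gives no hint of where its three conditions come from, and a reader seeing `len % 2 == 1 || len == 0` has to reconstruct the wire format; a comment above the `if`, e.g. `// supported_signature_algorithms<2..2^16-2> (RFC 5246 7.4.1.4.1): non-empty, even length, exactly filling the extension`, would record that. `len % 2 != 0` states the parity condition more directly than `== 1`, though that is taste. The `while(len)` loop that consumes the pairs continues outside the hunk.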
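Review bot: The two new `if`/`throw` pairs in Server::process_client_hello_msg are unbraced single-statement bodies, while the msg_client_kex.cpp hunk in this same commit deliberately adds braces around equivalent one-line bodies; the two hunks should follow one convention. Both throws carry the same PROTOCOL_VERSION alert, so a single condition with one throw, or at least a comment such as `// Reject SSLv2/SSLv3 offers before negotiation so the peer gets PROTOCOL_VERSION rather than a policy failure` above the first check, would make the reason for placing them ahead of `negotiated_version` explicit. The function continues outside the hunk.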