aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-01-24 15:16:53 -0500
committerJack Lloyd <[email protected]>2018-01-24 15:16:53 -0500
commit8f17d65056903ca4da9bb16a85db717e4bea4456 (patch)
tree1b04df1100a2f7c88ce4a655883f5b31e71a929a /src/lib
parent3648a72198f709da53a4903e242af7269897ebad (diff)
parent08b7ca1d35c0e4d06695e8744708ae6cf3f5af7a (diff)
Merge GH #1385 Remove TLS compression negotitation logic
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/tls/msg_client_hello.cpp7
-rw-r--r--src/lib/tls/msg_server_hello.cpp4
-rw-r--r--src/lib/tls/tls_channel.cpp4
-rw-r--r--src/lib/tls/tls_client.cpp6
-rw-r--r--src/lib/tls/tls_magic.h5
-rw-r--r--src/lib/tls/tls_messages.h86
-rw-r--r--src/lib/tls/tls_policy.cpp8
-rw-r--r--src/lib/tls/tls_policy.h9
-rw-r--r--src/lib/tls/tls_server.cpp24
-rw-r--r--src/lib/tls/tls_session.cpp15
-rw-r--r--src/lib/tls/tls_session.h10
11 files changed, 60 insertions, 118 deletions
diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp
index cde2b737a..eeeaf8c71 100644
--- a/src/lib/tls/msg_client_hello.cpp
+++ b/src/lib/tls/msg_client_hello.cpp
@@ -88,7 +88,7 @@ Client_Hello::Client_Hello(Handshake_IO& io,
m_version(client_settings.protocol_version()),
m_random(make_hello_random(rng, policy)),
m_suites(policy.ciphersuite_list(m_version, !client_settings.srp_identifier().empty())),
- m_comp_methods(policy.compression())
+ m_comp_methods(1)
{
BOTAN_ASSERT(policy.acceptable_protocol_version(client_settings.protocol_version()),
"Our policy accepts the version we are offering");
@@ -160,14 +160,11 @@ Client_Hello::Client_Hello(Handshake_IO& io,
m_session_id(session.session_id()),
m_random(make_hello_random(rng, policy)),
m_suites(policy.ciphersuite_list(m_version, (session.srp_identifier() != ""))),
- m_comp_methods(policy.compression())
+ m_comp_methods(1)
{
if(!value_exists(m_suites, session.ciphersuite_code()))
m_suites.push_back(session.ciphersuite_code());
- if(!value_exists(m_comp_methods, session.compression_method()))
- m_comp_methods.push_back(session.compression_method());
-
/*
We always add the EMS extension, even if not used in the original session.
If the server understands it and follows the RFC it should reject our resume
diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp
index 9eb33645b..5e290eb68 100644
--- a/src/lib/tls/msg_server_hello.cpp
+++ b/src/lib/tls/msg_server_hello.cpp
@@ -32,7 +32,7 @@ Server_Hello::Server_Hello(Handshake_IO& io,
m_session_id(server_settings.session_id()),
m_random(make_hello_random(rng, policy)),
m_ciphersuite(server_settings.ciphersuite()),
- m_comp_method(server_settings.compression())
+ m_comp_method(0)
{
if(client_hello.supports_extended_master_secret())
m_extensions.add(new Extended_Master_Secret);
@@ -100,7 +100,7 @@ Server_Hello::Server_Hello(Handshake_IO& io,
m_session_id(client_hello.session_id()),
m_random(make_hello_random(rng, policy)),
m_ciphersuite(resumed_session.ciphersuite_code()),
- m_comp_method(resumed_session.compression_method())
+ m_comp_method(0)
{
if(client_hello.supports_extended_master_secret())
m_extensions.add(new Extended_Master_Secret);
diff --git a/src/lib/tls/tls_channel.cpp b/src/lib/tls/tls_channel.cpp
index f56cff24b..e92b298de 100644
--- a/src/lib/tls/tls_channel.cpp
+++ b/src/lib/tls/tls_channel.cpp
@@ -200,7 +200,7 @@ void Channel::change_cipher_spec_reader(Connection_Side side)
BOTAN_ASSERT(pending && pending->server_hello(),
"Have received server hello");
- if(pending->server_hello()->compression_method() != NO_COMPRESSION)
+ if(pending->server_hello()->compression_method() != 0)
throw Internal_Error("Negotiated unknown compression algorithm");
sequence_numbers().new_read_cipher_state();
@@ -229,7 +229,7 @@ void Channel::change_cipher_spec_writer(Connection_Side side)
BOTAN_ASSERT(pending && pending->server_hello(),
"Have received server hello");
- if(pending->server_hello()->compression_method() != NO_COMPRESSION)
+ if(pending->server_hello()->compression_method() != 0)
throw Internal_Error("Negotiated unknown compression algorithm");
sequence_numbers().new_write_cipher_state();
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 631779e99..c88b6a7db 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -261,11 +261,10 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
"Server replied with a signaling ciphersuite");
}
- if(!value_exists(state.client_hello()->compression_methods(),
- state.server_hello()->compression_method()))
+ if(state.server_hello()->compression_method() != 0)
{
throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
- "Server replied with compression method we didn't send");
+ "Server replied with non-null compression method");
}
auto client_extn = state.client_hello()->extension_types();
@@ -609,7 +608,6 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
state.session_keys().master_secret(),
state.server_hello()->version(),
state.server_hello()->ciphersuite(),
- state.server_hello()->compression_method(),
CLIENT,
state.server_hello()->supports_extended_master_secret(),
state.server_hello()->supports_encrypt_then_mac(),
diff --git a/src/lib/tls/tls_magic.h b/src/lib/tls/tls_magic.h
index 70b94f90d..f9643f004 100644
--- a/src/lib/tls/tls_magic.h
+++ b/src/lib/tls/tls_magic.h
@@ -58,11 +58,6 @@ enum Handshake_Type {
const char* handshake_type_to_string(Handshake_Type t);
-enum Compression_Method {
- NO_COMPRESSION = 0x00,
- DEFLATE_COMPRESSION = 0x01
-};
-
}
}
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index 767635830..35ec3c83c 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -69,24 +69,24 @@ class BOTAN_UNSTABLE_API Client_Hello final : public Handshake_Message
{
public:
class Settings final
- {
- public:
- Settings(const Protocol_Version version,
- const std::string& hostname = "",
- const std::string& srp_identifier = "")
- : m_new_session_version(version),
- m_hostname(hostname),
- m_srp_identifier(srp_identifier) {}
-
- const Protocol_Version protocol_version() const { return m_new_session_version; }
- const std::string& hostname() const { return m_hostname; }
- const std::string& srp_identifier() const { return m_srp_identifier; }
-
- private:
- const Protocol_Version m_new_session_version;
- const std::string m_hostname;
- const std::string m_srp_identifier;
- };
+ {
+ public:
+ Settings(const Protocol_Version version,
+ const std::string& hostname = "",
+ const std::string& srp_identifier = "") :
+ m_new_session_version(version),
+ m_hostname(hostname),
+ m_srp_identifier(srp_identifier) {}
+
+ const Protocol_Version protocol_version() const { return m_new_session_version; }
+ const std::string& hostname() const { return m_hostname; }
+ const std::string& srp_identifier() const { return m_srp_identifier; }
+
+ private:
+ const Protocol_Version m_new_session_version;
+ const std::string m_hostname;
+ const std::string m_srp_identifier;
+ };
Handshake_Type type() const override { return CLIENT_HELLO; }
@@ -98,8 +98,6 @@ class BOTAN_UNSTABLE_API Client_Hello final : public Handshake_Message
const std::vector<uint16_t>& ciphersuites() const { return m_suites; }
- const std::vector<uint8_t>& compression_methods() const { return m_comp_methods; }
-
bool offered_suite(uint16_t ciphersuite) const;
bool sent_fallback_scsv() const;
@@ -185,32 +183,28 @@ class BOTAN_UNSTABLE_API Server_Hello final : public Handshake_Message
{
public:
class Settings final
- {
- public:
- Settings(const std::vector<uint8_t> new_session_id,
- Protocol_Version new_session_version,
- uint16_t ciphersuite,
- uint8_t compression,
- bool offer_session_ticket)
- : m_new_session_id(new_session_id),
- m_new_session_version(new_session_version),
- m_ciphersuite(ciphersuite),
- m_compression(compression),
- m_offer_session_ticket(offer_session_ticket) {}
-
- const std::vector<uint8_t>& session_id() const { return m_new_session_id; }
- Protocol_Version protocol_version() const { return m_new_session_version; }
- uint16_t ciphersuite() const { return m_ciphersuite; }
- uint8_t compression() const { return m_compression; }
- bool offer_session_ticket() const { return m_offer_session_ticket; }
-
- private:
- const std::vector<uint8_t> m_new_session_id;
- Protocol_Version m_new_session_version;
- uint16_t m_ciphersuite;
- uint8_t m_compression;
- bool m_offer_session_ticket;
- };
+ {
+ public:
+ Settings(const std::vector<uint8_t> new_session_id,
+ Protocol_Version new_session_version,
+ uint16_t ciphersuite,
+ bool offer_session_ticket) :
+ m_new_session_id(new_session_id),
+ m_new_session_version(new_session_version),
+ m_ciphersuite(ciphersuite),
+ m_offer_session_ticket(offer_session_ticket) {}
+
+ const std::vector<uint8_t>& session_id() const { return m_new_session_id; }
+ Protocol_Version protocol_version() const { return m_new_session_version; }
+ uint16_t ciphersuite() const { return m_ciphersuite; }
+ bool offer_session_ticket() const { return m_offer_session_ticket; }
+
+ private:
+ const std::vector<uint8_t> m_new_session_id;
+ Protocol_Version m_new_session_version;
+ uint16_t m_ciphersuite;
+ bool m_offer_session_ticket;
+ };
Handshake_Type type() const override { return SERVER_HELLO; }
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index d849faf9d..ce87edac1 100644
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -270,14 +270,6 @@ void Policy::check_peer_key_acceptable(const Public_Key& public_key) const
std::to_string(expected_keylength));
}
-/*
-* Return allowed compression algorithms
-*/
-std::vector<uint8_t> Policy::compression() const
- {
- return std::vector<uint8_t>{ NO_COMPRESSION };
- }
-
uint32_t Policy::session_ticket_lifetime() const
{
return 86400; // ~1 day
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index 786cdeea8..84da00bfb 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -102,15 +102,6 @@ class BOTAN_PUBLIC_API(2,0) Policy
virtual bool use_ecc_point_compression() const;
/**
- * Returns a list of compression algorithms we are willing to use,
- * in order of preference. Allowed values any value of
- * Compression_Method.
- *
- * @note Compression is not currently supported
- */
- virtual std::vector<uint8_t> compression() const;
-
- /**
* Choose an elliptic curve to use
*/
virtual std::string choose_curve(const std::vector<std::string>& curve_names) const;
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index cd52c92f2..2d2fb769b 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -98,11 +98,6 @@ bool check_for_resume(Session& session_info,
session_info.ciphersuite_code()))
return false;
- // client didn't send original compression method
- if(!value_exists(client_hello->compression_methods(),
- session_info.compression_method()))
- return false;
-
#if defined(BOTAN_HAS_SRP6)
// client sent a different SRP identity
if(client_hello->srp_identifier() != "")
@@ -264,23 +259,6 @@ uint16_t choose_ciphersuite(
"Can't agree on a ciphersuite with client");
}
-
-/*
-* Choose which compression algorithm to use
-*/
-uint8_t choose_compression(const Policy& policy,
- const std::vector<uint8_t>& c_comp)
- {
- std::vector<uint8_t> s_comp = policy.compression();
-
- for(size_t i = 0; i != s_comp.size(); ++i)
- for(size_t j = 0; j != c_comp.size(); ++j)
- if(s_comp[i] == c_comp[j])
- return s_comp[i];
-
- return NO_COMPRESSION;
- }
-
std::map<std::string, std::vector<X509_Certificate> >
get_server_certs(const std::string& hostname,
Credentials_Manager& creds)
@@ -615,7 +593,6 @@ void Server::process_finished_msg(Server_Handshake_State& pending_state,
pending_state.session_keys().master_secret(),
pending_state.server_hello()->version(),
pending_state.server_hello()->ciphersuite(),
- pending_state.server_hello()->compression_method(),
SERVER,
pending_state.server_hello()->supports_extended_master_secret(),
pending_state.server_hello()->supports_encrypt_then_mac(),
@@ -811,7 +788,6 @@ void Server::session_create(Server_Handshake_State& pending_state,
make_hello_random(rng(), policy()), // new session ID
pending_state.version(),
ciphersuite,
- choose_compression(policy(), pending_state.client_hello()->compression_methods()),
have_session_ticket_key);
pending_state.server_hello(new Server_Hello(
diff --git a/src/lib/tls/tls_session.cpp b/src/lib/tls/tls_session.cpp
index e73aa4fa6..f595101f2 100644
--- a/src/lib/tls/tls_session.cpp
+++ b/src/lib/tls/tls_session.cpp
@@ -22,7 +22,6 @@ Session::Session(const std::vector<uint8_t>& session_identifier,
const secure_vector<uint8_t>& master_secret,
Protocol_Version version,
uint16_t ciphersuite,
- uint8_t compression_method,
Connection_Side side,
bool extended_master_secret,
bool encrypt_then_mac,
@@ -37,7 +36,6 @@ Session::Session(const std::vector<uint8_t>& session_identifier,
m_master_secret(master_secret),
m_version(version),
m_ciphersuite(ciphersuite),
- m_compression_method(compression_method),
m_connection_side(side),
m_srtp_profile(srtp_profile),
m_extended_master_secret(extended_master_secret),
@@ -71,6 +69,7 @@ Session::Session(const uint8_t ber[], size_t ber_len)
size_t start_time = 0;
size_t srtp_profile = 0;
size_t fragment_size = 0;
+ size_t compression_method = 0;
BER_Decoder(ber, ber_len)
.start_cons(SEQUENCE)
@@ -82,7 +81,7 @@ Session::Session(const uint8_t ber[], size_t ber_len)
.decode(m_identifier, OCTET_STRING)
.decode(m_session_ticket, OCTET_STRING)
.decode_integer_type(m_ciphersuite)
- .decode_integer_type(m_compression_method)
+ .decode_integer_type(compression_method)
.decode_integer_type(side_code)
.decode_integer_type(fragment_size)
.decode(m_extended_master_secret)
@@ -98,6 +97,14 @@ Session::Session(const uint8_t ber[], size_t ber_len)
.verify_end();
/*
+ * Compression is not supported and must be zero
+ */
+ if(compression_method != 0)
+ {
+ throw Decoding_Error("Serialized TLS session contains non-null compression method");
+ }
+
+ /*
Fragment size is not supported anymore, but the field is still
set in the session object.
*/
@@ -142,7 +149,7 @@ secure_vector<uint8_t> Session::DER_encode() const
.encode(m_identifier, OCTET_STRING)
.encode(m_session_ticket, OCTET_STRING)
.encode(static_cast<size_t>(m_ciphersuite))
- .encode(static_cast<size_t>(m_compression_method))
+ .encode(static_cast<size_t>(/*old compression method*/0))
.encode(static_cast<size_t>(m_connection_side))
.encode(static_cast<size_t>(/*old fragment size*/0))
.encode(m_extended_master_secret)
diff --git a/src/lib/tls/tls_session.h b/src/lib/tls/tls_session.h
index 62e2b2df9..5a75e6a32 100644
--- a/src/lib/tls/tls_session.h
+++ b/src/lib/tls/tls_session.h
@@ -35,7 +35,6 @@ class BOTAN_PUBLIC_API(2,0) Session final
m_start_time(std::chrono::system_clock::time_point::min()),
m_version(),
m_ciphersuite(0),
- m_compression_method(0),
m_connection_side(static_cast<Connection_Side>(0)),
m_srtp_profile(0),
m_extended_master_secret(false),
@@ -49,7 +48,6 @@ class BOTAN_PUBLIC_API(2,0) Session final
const secure_vector<uint8_t>& master_secret,
Protocol_Version version,
uint16_t ciphersuite,
- uint8_t compression_method,
Connection_Side side,
bool supports_extended_master_secret,
bool supports_encrypt_then_mac,
@@ -130,11 +128,6 @@ class BOTAN_PUBLIC_API(2,0) Session final
Ciphersuite ciphersuite() const { return Ciphersuite::by_id(m_ciphersuite); }
/**
- * Get the compression method used in the saved session
- */
- uint8_t compression_method() const { return m_compression_method; }
-
- /**
* Get which side of the connection the resumed session we are/were
* acting as.
*/
@@ -190,7 +183,7 @@ class BOTAN_PUBLIC_API(2,0) Session final
const Server_Information& server_info() const { return m_server_info; }
private:
- enum { TLS_SESSION_PARAM_STRUCT_VERSION = 20160812};
+ enum { TLS_SESSION_PARAM_STRUCT_VERSION = 20160812 };
std::chrono::system_clock::time_point m_start_time;
@@ -200,7 +193,6 @@ class BOTAN_PUBLIC_API(2,0) Session final
Protocol_Version m_version;
uint16_t m_ciphersuite;
- uint8_t m_compression_method;
Connection_Side m_connection_side;
uint16_t m_srtp_profile;
bool m_extended_master_secret;