author | lloyd <[email protected]> | 2012-06-09 03:48:30 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2012-06-09 03:48:30 +0000 |
commit | d8f1ea81916a8230d8148fce0219beaf67bd0ba6 (patch) | |
tree | 5bee8e92f84eede322fdc01876a7a0f0553aa960 /src/tls/c_hello.cpp | |
parent | a4b2dba2bfea267e1a1535fbe33103f4c2153724 (diff) |
A fix for bug 192. First, when renegotiating in the client, attempt to
renegotiate using our currently negotiated version instead of our
preferred version. It turns out that neither OpenSSL nor GnuTLS like
clients changing the version between negotiations; both send a
protocol_version alert. So we probably want to avoid doing that.

On the server side, handle a client sending inconsistent versions as
best we can. If the client attempts to renegotiate a session using a
later version, return a server hello with their original version (this
is what OpenSSL does). If they attempt to renegotiate using an earlier
version, send a fatal alert and close the connection, since this seems
like a dubious thing to do.

Also, fix the situation where we as a TLS v1.0 server (because of
configuration) are talking to a TLS v1.2 client. We would still use
their signature_algorithms extension and send a SHA-256 (or whatever)
signature!
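The three rules in the commit message (client repeats the negotiated version on renegotiation; server answers a higher offered version with the original one and a lower one with a fatal alert; a pre-TLS 1.2 server ignores signature_algorithms), written out as an added example. This is not Botan's code: `Version`, `RenegAction`, `SigAlgo` and the function names are stand-ins chosen here, and the `"TLS.Digest.0"` name for the pre-1.2 RSA digest follows the default entries the patch removes from c_hello.cpp.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for Botan's Protocol_Version: (major, minor) as sent on the wire.
struct Version {
    uint8_t major_ver;
    uint8_t minor_ver;
};
inline bool operator==(Version a, Version b) {
    return a.major_ver == b.major_ver && a.minor_ver == b.minor_ver;
}
inline bool operator<(Version a, Version b) {
    return a.major_ver < b.major_ver ||
           (a.major_ver == b.major_ver && a.minor_ver < b.minor_ver);
}
constexpr Version TLS_V10{3, 1};
constexpr Version TLS_V11{3, 2};
constexpr Version TLS_V12{3, 3};

// Client side: a renegotiating ClientHello repeats the version already negotiated,
// since (per the commit message) OpenSSL and GnuTLS answer a changed version with a
// protocol_version alert. The initial hello still offers the policy's preferred version.
Version client_hello_version(bool renegotiating, Version negotiated, Version preferred) {
    return renegotiating ? negotiated : preferred;
}

// Server side: how to treat the version carried by a renegotiating ClientHello.
enum class RenegAction { Proceed, ReplyWithOriginal, FatalAlert };

RenegAction server_reneg_action(Version negotiated, Version offered) {
    if (offered == negotiated)
        return RenegAction::Proceed;
    if (negotiated < offered)           // client moved up: answer with the original version
        return RenegAction::ReplyWithOriginal;
    return RenegAction::FatalAlert;     // client moved down: abort the connection
}

// (hash, signature) pairs in the style of Botan's m_supported_algos.
using SigAlgo = std::pair<std::string, std::string>;

// Signature algorithms a server may actually sign ServerKeyExchange with.
// `from_extension` is the client's signature_algorithms list (possibly empty) and
// `negotiated_sig` is the signature scheme implied by the chosen ciphersuite.
std::vector<SigAlgo> usable_sig_algos(Version negotiated,
                                      const std::vector<SigAlgo>& from_extension,
                                      const std::string& negotiated_sig) {
    if (negotiated < TLS_V12) {
        // signature_algorithms only exists at TLS 1.2. At 1.0/1.1 the digest is fixed
        // by RFC 4346 7.4.3: MD5||SHA-1 for RSA (Botan's "TLS.Digest.0"), SHA-1 for
        // DSA/ECDSA. Honouring the extension here is the bug the commit message fixes.
        const std::string hash = (negotiated_sig == "RSA") ? "TLS.Digest.0" : "SHA-1";
        return { {hash, negotiated_sig} };
    }
    if (from_extension.empty()) {
        // RFC 5246 7.4.1.4.1: a 1.2 client that omits the extension is treated as
        // offering SHA-1 with the negotiated signature algorithm.
        return { {"SHA-1", negotiated_sig} };
    }
    // Otherwise use only what the client listed for the negotiated signature scheme.
    std::vector<SigAlgo> out;
    for (const auto& a : from_extension)
        if (a.second == negotiated_sig)
            out.push_back(a);
    return out;
}

int main() {
    // Constructed scenario: a TLS 1.0 session with a client that then offers 1.2.
    const std::vector<SigAlgo> ext = { {"SHA-256", "RSA"}, {"SHA-1", "ECDSA"} };
    std::cout << "reneg action: " << static_cast<int>(server_reneg_action(TLS_V10, TLS_V12)) << "\n";
    for (const auto& a : usable_sig_algos(TLS_V10, ext, "RSA"))
        std::cout << "sign with " << a.first << "/" << a.second << "\n";
    return 0;
}
```

The comparison in `server_reneg_action` is the whole of the server-side rule: only the relationship between the session's version and the offered one matters, not the absolute values, so the same function covers a 1.0 session being pushed to 1.2 and a 1.2 session being pushed down to 1.0.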
Diffstat (limited to 'src/tls/c_hello.cpp')
-rw-r--r-- | src/tls/c_hello.cpp | 43 |
1 files changed, 2 insertions, 41 deletions
diff --git a/src/tls/c_hello.cpp b/src/tls/c_hello.cpp index 93b7e217c..919ed93f4 100644 --- a/src/tls/c_hello.cpp +++ b/src/tls/c_hello.cpp @@ -63,13 +63,14 @@ std::vector<byte> Hello_Request::serialize() const */ Client_Hello::Client_Hello(Record_Writer& writer, Handshake_Hash& hash, + Protocol_Version version, const Policy& policy, RandomNumberGenerator& rng, const std::vector<byte>& reneg_info, bool next_protocol, const std::string& hostname, const std::string& srp_identifier) : - m_version(policy.pref_version()), + m_version(version), m_random(make_hello_random(rng)), m_suites(ciphersuite_list(policy, (srp_identifier != ""))), m_comp_methods(policy.compression()), @@ -238,19 +239,6 @@ void Client_Hello::deserialize_sslv2(const std::vector<byte>& buf) m_secure_renegotiation = value_exists(m_suites, static_cast<u16bit>(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)); - - if(m_version >= Protocol_Version::TLS_V12) - { - m_supported_algos.push_back(std::make_pair("SHA-1", "RSA")); - m_supported_algos.push_back(std::make_pair("SHA-1", "DSA")); - m_supported_algos.push_back(std::make_pair("SHA-1", "ECDSA")); - } - else - { - m_supported_algos.push_back(std::make_pair("TLS.Digest.0", "RSA")); - m_supported_algos.push_back(std::make_pair("SHA-1", "DSA")); - m_supported_algos.push_back(std::make_pair("SHA-1", "ECDSA")); - } } /* 
@@ -319,33 +307,6 @@ void Client_Hello::deserialize(const std::vector<byte>& buf) m_supported_algos = sigs->supported_signature_algorthms(); } - if(m_supported_algos.empty()) - { - if(m_version >= Protocol_Version::TLS_V12) - { - /* - The rule for when a TLS 1.2 client not sending the extension - is strange; in theory, the server is supposed to act as if - the client had sent only SHA-1 using whatever signature - algorithm we end up negotiating. Right here, we don't know - what we'll end up negotiating (depends on policy), but we do - know that we'll only negotiate something the client sent, so - we can safely say it supports everything here and know that - we'll filter it out later. - */ - m_supported_algos.push_back(std::make_pair("SHA-1", "RSA")); - m_supported_algos.push_back(std::make_pair("SHA-1", "DSA")); - m_supported_algos.push_back(std::make_pair("SHA-1", "ECDSA")); - } - else - { - // For versions before TLS 1.2, insert fake values for the old defaults - m_supported_algos.push_back(std::make_pair("TLS.Digest.0", "RSA")); - m_supported_algos.push_back(std::make_pair("SHA-1", "DSA")); - m_supported_algos.push_back(std::make_pair("SHA-1", "ECDSA")); - } - } - if(Maximum_Fragment_Length* frag = extensions.get<Maximum_Fragment_Length>()) { m_fragment_size = frag->fragment_size(); |
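Review bot: in the Client_Hello constructor hunk, the caller-supplied `version` that replaces `policy.pref_version()` is never checked against `policy`, so a renegotiation can now emit a hello for a version the policy would not have offered on the initial handshake, while the policy still governs only `m_suites` and `m_comp_methods` in this constructor. Either validate `version` against the policy here or state at the declaration that the caller (the renegotiating client passing its negotiated version) guarantees it is acceptable. The diff is limited to c_hello.cpp, so the header change and the call sites that pass the negotiated version are not visible for review on this page.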
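Review bot: in the deserialize_sslv2 hunk, dropping the default entries leaves `m_supported_algos` empty for every SSLv2-format hello, and nothing in this file now distinguishes "client expressed no preference" from "client accepts nothing". Whatever consumes `m_supported_algos` on the server side must treat an empty list as "use the protocol defaults", or SSLv2-style hellos will never find a usable signature algorithm; a comment at the member or its accessor saying that empty means unspecified would make that contract explicit.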
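Review bot: the deserialize hunk removes the only comment explaining the RFC 5246 7.4.1.4.1 rule (a TLS 1.2 client that omits signature_algorithms is treated as offering SHA-1 with the negotiated signature algorithm) together with the pre-1.2 defaults (`TLS.Digest.0` for RSA, SHA-1 for DSA/ECDSA). Since that decision now has to be made where the negotiated version is known, which is the point of the third paragraph of the commit message, the explanation should move with the code rather than disappear. While here, the unchanged context line `m_supported_algos = sigs->supported_signature_algorthms();` carries a misspelled accessor name (`algorthms`) worth fixing in a follow-up.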