diff options
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/tls/msg_client_hello.cpp | 3 | ||||
-rw-r--r-- | src/lib/tls/msg_server_hello.cpp | 9 | ||||
-rw-r--r-- | src/lib/tls/tls_client.cpp | 24 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.cpp | 2 | ||||
-rw-r--r-- | src/lib/tls/tls_policy.h | 7 | ||||
-rw-r--r-- | src/lib/tls/tls_text_policy.cpp | 5 |
6 files changed, 40 insertions, 10 deletions
diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp index 3b13cf21d..bcd8397e8 100644 --- a/src/lib/tls/msg_client_hello.cpp +++ b/src/lib/tls/msg_client_hello.cpp @@ -105,7 +105,8 @@ Client_Hello::Client_Hello(Handshake_IO& io, m_extensions.add(new Renegotiation_Extension(reneg_info)); m_extensions.add(new Server_Name_Indicator(client_settings.hostname())); - m_extensions.add(new Certificate_Status_Request({}, {})); + if(policy.support_cert_status_message()) + m_extensions.add(new Certificate_Status_Request({}, {})); if(reneg_info.empty() && !next_protocols.empty()) m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols)); diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp index 67c3d530f..81f9e1f62 100644 --- a/src/lib/tls/msg_server_hello.cpp +++ b/src/lib/tls/msg_server_hello.cpp @@ -37,7 +37,7 @@ Server_Hello::Server_Hello(Handshake_IO& io, m_extensions.add(new Extended_Master_Secret); // Sending the extension back does not commit us to sending a stapled response - if(client_hello.supports_cert_status_message()) + if(client_hello.supports_cert_status_message() && policy.support_cert_status_message()) m_extensions.add(new Certificate_Status_Request); Ciphersuite c = Ciphersuite::by_id(m_ciphersuite); @@ -105,7 +105,7 @@ Server_Hello::Server_Hello(Handshake_IO& io, m_extensions.add(new Extended_Master_Secret); // Sending the extension back does not commit us to sending a stapled response - if(client_hello.supports_cert_status_message()) + if(client_hello.supports_cert_status_message() && policy.support_cert_status_message()) m_extensions.add(new Certificate_Status_Request); if(client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac()) @@ -115,11 +115,6 @@ Server_Hello::Server_Hello(Handshake_IO& io, m_extensions.add(new Encrypt_then_MAC); } - if(client_hello.supports_cert_status_message()) - { - m_extensions.add(new Certificate_Status_Request); - } - if(resumed_session.ciphersuite().ecc_ciphersuite()) { m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression())); diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp index 0e620a279..a1b71841d 100644 --- a/src/lib/tls/tls_client.cpp +++ b/src/lib/tls/tls_client.cpp @@ -386,7 +386,8 @@ void Client::process_handshake_msg(const Handshake_State* active_state, "Client: No certificates sent by server"); /* - Certificate verification happens after we receive the server hello done, + If the server supports certificate status messages, + certificate verification happens after we receive the server hello done, in case an OCSP response was also available */ @@ -412,6 +413,24 @@ void Client::process_handshake_msg(const Handshake_State* active_state, { state.set_expected_next(CERTIFICATE_STATUS); // optional } + else + { + try + { + auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname()); + + callbacks().tls_verify_cert_chain(server_certs, + {}, + trusted_CAs, + Usage_Type::TLS_SERVER_AUTH, + m_info.hostname(), + policy()); + } + catch(std::exception& e) + { + throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what()); + } + } } else if(type == CERTIFICATE_STATUS) { @@ -459,7 +478,8 @@ void Client::process_handshake_msg(const Handshake_State* active_state, { state.server_hello_done(new Server_Hello_Done(contents)); - if(state.server_certs() != nullptr) + if(state.server_certs() != nullptr && + state.server_hello()->supports_certificate_status_message()) { try { diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp index 5d82eee0c..1c6be6620 100644 --- a/src/lib/tls/tls_policy.cpp +++ b/src/lib/tls/tls_policy.cpp @@ -341,6 +341,7 @@ bool Policy::include_time_in_hello_random() const { return true; } bool Policy::hide_unknown_users() const { return false; } bool Policy::server_uses_own_ciphersuite_preferences() const { return true; } bool Policy::negotiate_encrypt_then_mac() const { return true; } +bool Policy::support_cert_status_message() const { return true; } // 1 second initial timeout, 60 second max - see RFC 6347 sec 4.2.4.1 size_t Policy::dtls_initial_timeout() const { return 1*1000; } @@ -552,6 +553,7 @@ void Policy::print(std::ostream& o) const print_bool(o, "hide_unknown_users", hide_unknown_users()); print_bool(o, "server_uses_own_ciphersuite_preferences", server_uses_own_ciphersuite_preferences()); print_bool(o, "negotiate_encrypt_then_mac", negotiate_encrypt_then_mac()); + print_bool(o, "support_cert_status_message", support_cert_status_message()); o << "session_ticket_lifetime = " << session_ticket_lifetime() << '\n'; o << "dh_group = " << dh_group() << '\n'; o << "minimum_dh_group_size = " << minimum_dh_group_size() << '\n'; diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h index db2cbb3bb..fe7e50f8d 100644 --- a/src/lib/tls/tls_policy.h +++ b/src/lib/tls/tls_policy.h @@ -288,6 +288,11 @@ class BOTAN_PUBLIC_API(2,0) Policy virtual bool negotiate_encrypt_then_mac() const; /** + * Indicates whether certificate status messages should be supported + */ + virtual bool support_cert_status_message() const; + + /** * Return allowed ciphersuites, in order of preference */ virtual std::vector<uint16_t> ciphersuite_list(Protocol_Version version, @@ -502,6 +507,8 @@ class BOTAN_PUBLIC_API(2,0) Text_Policy : public Policy bool negotiate_encrypt_then_mac() const override; + bool support_cert_status_message() const override; + std::string dh_group() const override; size_t minimum_ecdh_group_size() const override; diff --git a/src/lib/tls/tls_text_policy.cpp b/src/lib/tls/tls_text_policy.cpp index 345e6005f..1f93b1e0f 100644 --- a/src/lib/tls/tls_text_policy.cpp +++ b/src/lib/tls/tls_text_policy.cpp @@ -103,6 +103,11 @@ bool Text_Policy::negotiate_encrypt_then_mac() const return get_bool("negotiate_encrypt_then_mac", Policy::negotiate_encrypt_then_mac()); } +bool Text_Policy::support_cert_status_message() const + { + return get_bool("support_cert_status_message", Policy::support_cert_status_message()); + } + std::string Text_Policy::dh_group() const { return get_str("dh_group", Policy::dh_group()); |