From 1521aecb124e52c57f0c6d38aa6c3989b28b5e39 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Thu, 23 May 2019 16:31:57 -0400 Subject: Fix some issues with DTLS version intolerance --- src/bogo_shim/bogo_shim.cpp | 8 ++++++-- src/bogo_shim/config.json | 5 ++--- 2 files changed, 8 insertions(+), 5 deletions(-) (limited to 'src/bogo_shim') diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp index 2afabfbd0..f7d713162 100644 --- a/src/bogo_shim/bogo_shim.cpp +++ b/src/bogo_shim/bogo_shim.cpp @@ -71,6 +71,8 @@ void BOTAN_NORETURN shim_exit_with_error(const std::string& s, int rc = 1) std::string map_to_bogo_error(const std::string& e) { + shim_log("Original error " + e); + static const std::unordered_map err_map { { "Application data before handshake done", ":APPLICATION_DATA_INSTEAD_OF_HANDSHAKE:" }, @@ -91,7 +93,8 @@ std::string map_to_bogo_error(const std::string& e) { "Channel::key_material_export cannot export during renegotiation", "failed to export keying material" }, { "Client cert verify failed", ":BAD_SIGNATURE:" }, { "Client did not offer NULL compression", ":INVALID_COMPRESSION_LIST:" }, - { "Client offered version with major version under 3", ":UNSUPPORTED_PROTOCOL:" }, + { "Client offered TLS version with major version under 3", ":UNSUPPORTED_PROTOCOL:" }, + { "Client offered DTLS version with major version 0xFF", ":UNSUPPORTED_PROTOCOL:" }, { "Client policy prohibits insecure renegotiation", ":RENEGOTIATION_MISMATCH:" }, { "Client policy prohibits renegotiation", ":NO_RENEGOTIATION:" }, { "Client resumed extended ms session without sending extension", ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:" }, @@ -103,6 +106,7 @@ std::string map_to_bogo_error(const std::string& e) { "Counterparty sent inconsistent key and sig types", ":WRONG_SIGNATURE_TYPE:" }, { "Empty ALPN protocol not allowed", ":PARSE_TLSEXT:" }, { "Encoding error: Cannot encode PSS string, output length too small", ":NO_COMMON_SIGNATURE_ALGORITHMS:" }, + { "Expected TLS but got a record with DTLS version", ":WRONG_VERSION_NUMBER:" }, { "Finished message didn't verify", ":DIGEST_CHECK_FAILED:" }, { "Inconsistent length in certificate request", ":DECODE_ERROR:" }, { "Inconsistent values in fragmented DTLS handshake header", ":FRAGMENT_MISMATCH:" }, @@ -993,7 +997,7 @@ class Shim_Policy final : public Botan::TLS::Policy size_t dtls_default_mtu() const override { - return m_args.get_int_opt_or_else("mtu", 1232); + return m_args.get_int_opt_or_else("mtu", 1500); } //size_t dtls_initial_timeout() const override; diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json index ebd9f73f1..566c18e67 100644 --- a/src/bogo_shim/config.json +++ b/src/bogo_shim/config.json @@ -120,18 +120,17 @@ "RSAPSSSupport-Default-NoCerts-TLS12-Server": "Not possible to disable PSS", "SRTP-Server-IgnoreMKI-*": "Non-empty MKI is rejected", - "DTLS-Replay*": "Needs analysis", + "DTLS-Retransmit*": "Shim needs timeout support", + "DTLS-Replay*": "Needs investigation", "AppDataAfterChangeCipherSpec-DTLS*": "Needs investigation", "DTLS-StrayRetransmitFinished-ClientFull": "Needs investigation", "DTLS-StrayRetransmitFinished-ServerResume": "Needs investigation", "LargeCiphertext-DTLS": "Needs investigation", - "MajorVersionTolerance-DTLS": "Needs investigation", "MixCompleteMessageWithFragments-DTLS": "Needs investigation", "ReorderHandshakeFragments-Small-DTLS": "Needs investigation", "SendUnencryptedFinished-DTLS": "Needs investigation", - "VersionTooLow-DTLS": "Needs investigation", "Shutdown-Shim-ApplicationData*": "Needs investigation", "Shutdown-Shim-HelloRequest-CannotHandshake*": "Needs investigation", -- cgit v1.2.3