From 67df17d31d61f013d537abc7744f707435351125 Mon Sep 17 00:00:00 2001 From: Jack Lloyd Date: Mon, 20 May 2019 14:44:08 -0400 Subject: Fix various issues in TLS found using BoGo - BoGo sends unparseable OCSP responses, so we have to accomodate for this by delaying decoding until verification and simply ignoring OCSP responses that we can't parse. - Check that there is no trailing garbage at the end of various messages. - Don't send empty SNI - Check the TLS record header versions (previously ignored) - For CBC 1/n-1 splitting split every record instead of just first. I think this is not a problem but it is what BoGo expects. - New Channel::application_protocol virtual (previously was implemented on both Client and Server but not shared). - Changes to resumption version handling. - Fix server version selection when newer versions are disabled. New policy hooks added in service of BoGo: - maximum_certificate_chain_size gives the maximum cert chain in bytes that we'll accept. - allow_resumption_for_renegotiation specifies if a renegotiation attempt can be simply (re-)resumed instead. - abort_handshake_on_undesired_renegotiation - previously we just ignored it with a warning alert. Now behavior is configurable. - request_client_certificate_authentication - require_client_certificate_authentication --- src/lib/tls/tls_algos.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/lib/tls/tls_algos.h') diff --git a/src/lib/tls/tls_algos.h b/src/lib/tls/tls_algos.h index 19612be2e..4852a4349 100644 --- a/src/lib/tls/tls_algos.h +++ b/src/lib/tls/tls_algos.h @@ -109,10 +109,10 @@ enum class Signature_Scheme : uint16_t { BOTAN_UNSTABLE_API const std::vector& all_signature_schemes(); -bool signature_scheme_is_known(Signature_Scheme scheme); +bool BOTAN_UNSTABLE_API signature_scheme_is_known(Signature_Scheme scheme); std::string BOTAN_UNSTABLE_API sig_scheme_to_string(Signature_Scheme scheme); -std::string hash_function_of_scheme(Signature_Scheme scheme); -std::string padding_string_for_scheme(Signature_Scheme scheme); +std::string BOTAN_UNSTABLE_API hash_function_of_scheme(Signature_Scheme scheme); +std::string BOTAN_UNSTABLE_API padding_string_for_scheme(Signature_Scheme scheme); std::string signature_algorithm_of_scheme(Signature_Scheme scheme); /* -- cgit v1.2.3