gr1ffon/quic-go
1
0
Fork 0
forked from quic-go/quic-go
Code Pull Requests Activity

fix inchoate CHLO detection with missing STKs

Browse Source 
This fixes a STK-bypass security issue discovered by Alessandro Ghedini.
This commit is contained in:
Lucas Clemente
2016-09-17 16:49:58 +02:00
parent 638f6ae5e5
commit 9e5bba7937
2 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
handshake/crypto_setup.go
View File

@@ -178,7 +178,7 @@ func (h *CryptoSetup) isInchoateCHLO(cryptoData map[Tag][]byte) bool {
} }
if err := h.scfg.stkSource.VerifyToken(h.ip, cryptoData[TagSTK]); err != nil { if err := h.scfg.stkSource.VerifyToken(h.ip, cryptoData[TagSTK]); err != nil {
utils.Infof("STK invalid: %s", err.Error()) utils.Infof("STK invalid: %s", err.Error())
return false return true
} }
return false return false
} }

12
handshake/crypto_setup_test.go
View File

@@ -278,17 +278,25 @@ var _ = Describe("Crypto setup", func() {
}) })
It("recognizes inchoate CHLOs missing SCID", func() { It("recognizes inchoate CHLOs missing SCID", func() {
Expect(cs.isInchoateCHLO(map[Tag][]byte{TagPUBS: nil})).To(BeTrue()) Expect(cs.isInchoateCHLO(map[Tag][]byte{TagPUBS: nil, TagSTK: validSTK})).To(BeTrue())
}) })
It("recognizes inchoate CHLOs missing PUBS", func() { It("recognizes inchoate CHLOs missing PUBS", func() {
Expect(cs.isInchoateCHLO(map[Tag][]byte{TagSCID: scfg.ID})).To(BeTrue()) Expect(cs.isInchoateCHLO(map[Tag][]byte{TagSCID: scfg.ID, TagSTK: validSTK})).To(BeTrue())
})
It("recognizes inchoate CHLOs with invalid tokens", func() {
Expect(cs.isInchoateCHLO(map[Tag][]byte{
TagSCID: scfg.ID,
TagPUBS: nil,
})).To(BeTrue())
}) })
It("recognizes proper CHLOs", func() { It("recognizes proper CHLOs", func() {
Expect(cs.isInchoateCHLO(map[Tag][]byte{ Expect(cs.isInchoateCHLO(map[Tag][]byte{
TagSCID: scfg.ID, TagSCID: scfg.ID,
TagPUBS: nil, TagPUBS: nil,
TagSTK: validSTK,
})).To(BeFalse()) })).To(BeFalse())
}) })