Don't reuse CRT from initial handshake during renegotiation

After mitigating the 'triple handshake attack' by checking that the peer's end-CRT didn't change during renegotation, the current code avoids re-parsing the CRT by moving the CRT-pointer from the old session to the new one. While efficient, this will no longer work once only the hash of the peer's CRT is stored beyond the handshake. This commit removes the code-path moving the old CRT, and instead frees the entire peer CRT chain from the initial handshake as soon as the 'triple handshake attack' protection has completed.
2019-02-05 15:06:15 +00:00 · 2019-02-05 15:06:15 +00:00 · 60848e6574
commit 60848e6574
parent 86016a03a1
1 changed files with 5 additions and 11 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -5901,18 +5901,12 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl )
                    return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
                }

-                /* Move CRT chain structure to new session instance. */
-                ssl->session_negotiate->peer_cert = ssl->session->peer_cert;
-                ssl->session->peer_cert = NULL;
+                /* Now we can safely free the original chain. */
+                mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
+                mbedtls_free( ssl->session_negotiate->peer_cert );
+                ssl->session_negotiate->peer_cert = NULL;

-                /* Delete all remaining CRTs from the original CRT chain. */
-                mbedtls_x509_crt_free(
-                    ssl->session_negotiate->peer_cert->next );
-                mbedtls_free( ssl->session_negotiate->peer_cert->next );
-                ssl->session_negotiate->peer_cert->next = NULL;
-
-                i += n;
-                continue;
+                /* Intentional fallthrough. */
            }
 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */