From 615e677c0bc386cc012d0d1639bd0caef69d1aa7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 3 Nov 2014 08:23:14 +0100 Subject: [PATCH] Make renegotiation a compile-time option --- include/polarssl/config.h | 13 +++++ include/polarssl/ssl.h | 16 +++++- library/ssl_cli.c | 63 ++++++++++++++-------- library/ssl_srv.c | 107 +++++++++++++++++++++++++------------ library/ssl_tls.c | 34 +++++++++--- programs/ssl/ssl_client2.c | 17 ++++-- programs/ssl/ssl_server2.c | 19 +++++-- 7 files changed, 196 insertions(+), 73 deletions(-) diff --git a/include/polarssl/config.h b/include/polarssl/config.h index 50b4e339e..2dc4240ca 100644 --- a/include/polarssl/config.h +++ b/include/polarssl/config.h @@ -821,6 +821,19 @@ */ //#define POLARSSL_SSL_HW_RECORD_ACCEL +/** + * \def POLARSSL_SSL_RENEGOTIATION + * + * Enable support for TLS renegotiation. + * + * The two main uses of renegotiation are (1) refresh keys on long-lived + * connections and (2) client authentication after the initial handshake. + * If you don't need renegotiation, it's probably better to disable it, since + * it has been associated with security issues in the past and is easy to + * misuse/misunderstand. + */ +#define POLARSSL_SSL_RENEGOTIATION + /** * \def POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO * diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 194e94471..37123c799 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -687,7 +687,9 @@ struct _ssl_context */ int state; /*!< SSL handshake: current state */ int renegotiation; /*!< Initial or renegotiation */ +#if defined(POLARSSL_SSL_RENEGOTIATION) int renego_records_seen; /*!< Records since renego request */ +#endif int major_ver; /*!< equal to SSL_MAJOR_VERSION_3 */ int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */ 
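Review bot: The new `POLARSSL_SSL_RENEGOTIATION` doc block in config.h does not say how to turn the option off or what disappears from the API when it is undefined. Judging by the ssl.h hunks of this same patch, `ssl_set_renegotiation()`, `ssl_set_renegotiation_enforced()` and `ssl_renegotiate()` are no longer declared without it while `ssl_legacy_renegotiation()` stays, so applications need their own `#if defined(POLARSSL_SSL_RENEGOTIATION)` around those calls. I would add a line such as `Comment this to disable support for renegotiation.` followed by a short list of the functions that are removed. The text recommends disabling renegotiation when it is not needed, yet the option ships defined; if that default is kept for compatibility, one sentence saying so would help.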
@@ -810,9 +812,11 @@ struct _ssl_context int authmode; /*!< verification mode */ int client_auth; /*!< flag for client auth. */ int verify_result; /*!< verification result */ +#if defined(POLARSSL_SSL_RENEGOTIATION) int disable_renegotiation; /*!< enable/disable renegotiation */ - int allow_legacy_renegotiation; /*!< allow legacy renegotiation */ int renego_max_records; /*!< grace period for renegotiation */ +#endif + int allow_legacy_renegotiation; /*!< allow legacy renegotiation */ const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */ #if defined(POLARSSL_SSL_SET_CURVES) const ecp_group_id *curve_list; /*!< allowed curves */ @@ -861,9 +865,11 @@ struct _ssl_context */ int secure_renegotiation; /*!< does peer support legacy or secure renegotiation */ +#if defined(POLARSSL_SSL_RENEGOTIATION) size_t verify_data_len; /*!< length of verify data stored */ char own_verify_data[36]; /*!< previous handshake verify data */ char peer_verify_data[36]; /*!< previous handshake verify data */ +#endif }; #if defined(POLARSSL_SSL_HW_RECORD_ACCEL) @@ -1446,6 +1452,7 @@ int ssl_set_session_tickets( ssl_context *ssl, int use_tickets ); void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime ); #endif /* POLARSSL_SSL_SESSION_TICKETS */ +#if defined(POLARSSL_SSL_RENEGOTIATION) /** * \brief Enable / Disable renegotiation support for connection when * initiated by peer @@ -1460,6 +1467,7 @@ void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime ); * SSL_RENEGOTIATION_DISABLED) */ void ssl_set_renegotiation( ssl_context *ssl, int renegotiation ); +#endif /* POLARSSL_SSL_RENEGOTIATION */ /** * \brief Prevent or allow legacy renegotiation. 
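Review bot: Moving `allow_legacy_renegotiation` below `renego_max_records` (hunk at -810) changes the field order of `struct _ssl_context` even when `POLARSSL_SSL_RENEGOTIATION` is defined. If binary compatibility with existing builds matters, an application compiled against the old header and linked with a library built from this one would read these fields at the wrong offsets. Leaving `allow_legacy_renegotiation` where it was and wrapping `disable_renegotiation` and `renego_max_records` in two separate `#if defined(POLARSSL_SSL_RENEGOTIATION)` blocks keeps the default layout unchanged. The struct's size now also depends on the macro (hunks at -687 and -861), so a comment on the struct noting that library and application must share the same config.h would be worth adding.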
@@ -1490,8 +1498,9 @@ void ssl_set_renegotiation( ssl_context *ssl, int renegotiation ); */ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy ); +#if defined(POLARSSL_SSL_RENEGOTIATION) /** - * \brief Enforce server-requested renegotiation. + * \brief Enforce requested renegotiation. * (Default: enforced, max_records = 16) * * When we request a renegotiation, the peer can comply or @@ -1519,6 +1528,7 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy ); * it but allow for a grace period of max_records records. */ void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records ); +#endif /* POLARSSL_SSL_RENEGOTIATION */ /** * \brief Return the number of data bytes available to read @@ -1620,6 +1630,7 @@ int ssl_handshake( ssl_context *ssl ); */ int ssl_handshake_step( ssl_context *ssl ); +#if defined(POLARSSL_SSL_RENEGOTIATION) /** * \brief Initiate an SSL renegotiation on the running connection. * Client: perform the renegotiation right now. @@ -1631,6 +1642,7 @@ int ssl_handshake_step( ssl_context *ssl ); * \return 0 if successful, or any ssl_handshake() return value. */ int ssl_renegotiate( ssl_context *ssl ); +#endif /* POLARSSL_SSL_RENEGOTIATION */ /** * \brief Read at most 'len' application data bytes diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 27abb3efe..f0ce3778d 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -114,6 +114,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl, } #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ +#if defined(POLARSSL_SSL_RENEGOTIATION) static void ssl_write_renegotiation_ext( ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -141,6 +142,7 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl, *olen = 5 + ssl->verify_data_len; } +#endif /* POLARSSL_SSL_RENEGOTIATION */ #if defined(POLARSSL_SSL_PROTO_TLS1_2) static void ssl_write_signature_algorithms_ext( ssl_context *ssl, 
@@ -464,7 +466,9 @@ static int ssl_write_client_hello( ssl_context *ssl ) return( POLARSSL_ERR_SSL_NO_RNG ); } +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) +#endif { ssl->major_ver = ssl->min_major_ver; ssl->minor_ver = ssl->min_minor_ver; @@ -528,7 +532,10 @@ static int ssl_write_client_hello( ssl_context *ssl ) */ n = ssl->session_negotiate->length; - if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 || + if( n < 16 || n > 32 || +#if defined(POLARSSL_SSL_RENEGOTIATION) + ssl->renegotiation != SSL_INITIAL_HANDSHAKE || +#endif ssl->handshake->resume == 0 ) { n = 0; @@ -539,8 +546,10 @@ static int ssl_write_client_hello( ssl_context *ssl ) * RFC 5077 section 3.4: "When presenting a ticket, the client MAY * generate and include a Session ID in the TLS ClientHello." */ - if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE && - ssl->session_negotiate->ticket != NULL && +#if defined(POLARSSL_SSL_RENEGOTIATION) + if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) +#endif + if( ssl->session_negotiate->ticket != NULL && ssl->session_negotiate->ticket_len != 0 ) { ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 ); @@ -570,7 +579,9 @@ static int ssl_write_client_hello( ssl_context *ssl ) /* * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) +#endif { *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO ); @@ -625,8 +636,10 @@ static int ssl_write_client_hello( ssl_context *ssl ) ext_len += olen; #endif +#if defined(POLARSSL_SSL_RENEGOTIATION) ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; +#endif #if defined(POLARSSL_SSL_PROTO_TLS1_2) ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); 
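Review bot: The session-ticket check in ssl_write_client_hello (hunk at -539) is now two stacked brace-less `if` statements, the first of which exists only when the option is defined. This is easy to misread and differs from the hunk at -528 just above, where the `#if` wraps a single term inside one condition. Keeping one `if` and gating only the term, with `ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&` placed between `#if`/`#endif` inside the parentheses, gives the same behaviour in both configurations. The same stacked form appears in ssl_srv.c around both `ssl_fetch_input()` calls in ssl_parse_client_hello (hunks at -1126 and -1177). The function body continues outside these hunks.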
@@ -694,21 +707,8 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl, { int ret; - if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) - { - if( len != 1 || buf[0] != 0x0 ) - { - SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) ); - - if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) - return( ret ); - - return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); - } - - ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; - } - else +#if defined(POLARSSL_SSL_RENEGOTIATION) + if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) { /* Check verify-data in constant-time. The length OTOH is no secret */ if( len != 1 + ssl->verify_data_len * 2 || @@ -718,7 +718,7 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl, safer_memcmp( buf + 1 + ssl->verify_data_len, ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) { - SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) ); + SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) return( ret ); @@ -726,6 +726,21 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl, return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); } } + else +#endif /* POLARSSL_SSL_RENEGOTIATION */ + { + if( len != 1 || buf[0] != 0x00 ) + { + SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); + + if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) + return( ret ); + + return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); + } + + ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; + } return( 0 ); } @@ -902,6 +917,7 @@ static int ssl_parse_server_hello( ssl_context *ssl ) if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) { +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->renegotiation == SSL_RENEGOTIATION ) { ssl->renego_records_seen++; 
@@ -917,6 +933,7 @@ static int ssl_parse_server_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); } +#endif /* POLARSSL_SSL_RENEGOTIATION */ SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); @@ -1025,8 +1042,10 @@ static int ssl_parse_server_hello( ssl_context *ssl ) /* * Check if the session can be resumed */ - if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || - ssl->handshake->resume == 0 || n == 0 || + if( ssl->handshake->resume == 0 || n == 0 || +#if defined(POLARSSL_SSL_RENEGOTIATION) + ssl->renegotiation != SSL_INITIAL_HANDSHAKE || +#endif ssl->session_negotiate->ciphersuite != i || ssl->session_negotiate->compression != comp || ssl->session_negotiate->length != n || @@ -1201,6 +1220,7 @@ static int ssl_parse_server_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); handshake_failure = 1; } +#if defined(POLARSSL_SSL_RENEGOTIATION) else if( ssl->renegotiation == SSL_RENEGOTIATION && ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION && renegotiation_info_seen == 0 ) @@ -1222,6 +1242,7 @@ static int ssl_parse_server_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); handshake_failure = 1; } +#endif /* POLARSSL_SSL_RENEGOTIATION */ if( handshake_failure == 1 ) { diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 01b0aca20..2017abe85 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -431,11 +431,29 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl, { int ret; - if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) +#if defined(POLARSSL_SSL_RENEGOTIATION) + if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) + { + /* Check verify-data in constant-time. The length OTOH is no secret */ + if( len != 1 + ssl->verify_data_len || + buf[0] != ssl->verify_data_len || + safer_memcmp( buf + 1, ssl->peer_verify_data, + ssl->verify_data_len ) != 0 ) + { + SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) ); + + if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) + return( ret ); + + return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + } + else +#endif /* POLARSSL_SSL_RENEGOTIATION */ { if( len != 1 || buf[0] != 0x0 ) { - SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) ); + SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) ); if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) return( ret ); @@ -445,22 +463,6 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl, ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; } - else - { - /* Check verify-data in constant-time. The length OTOH is no secret */ - if( len != 1 + ssl->verify_data_len || - buf[0] != ssl->verify_data_len || - safer_memcmp( buf + 1, ssl->peer_verify_data, - ssl->verify_data_len ) != 0 ) - { - SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) ); - - if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) - return( ret ); - - return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); - } - } return( 0 ); } @@ -653,11 +655,13 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl, if( len == 0 ) return( 0 ); +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) { SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); return( 0 ); } +#endif /* POLARSSL_SSL_RENEGOTIATION */ /* * Failures are ok: just ignore the ticket and proceed. 
@@ -893,6 +897,7 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) { SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); @@ -902,6 +907,7 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); } +#endif /* POLARSSL_SSL_RENEGOTIATION */ buf = ssl->in_hdr; @@ -1038,15 +1044,18 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl ) if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO ) { SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->renegotiation == SSL_RENEGOTIATION ) { - SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); + SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV " + "during renegotiation" ) ); if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) return( ret ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); } +#endif /* POLARSSL_SSL_RENEGOTIATION */ ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; break; } @@ -1126,8 +1135,10 @@ static int ssl_parse_client_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); - if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE && - ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 ) +#if defined(POLARSSL_SSL_RENEGOTIATION) + if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) +#endif + if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 ) { SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); return( ret ); 
@@ -1177,18 +1188,22 @@ static int ssl_parse_client_hello( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); } - if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE && - ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 ) +#if defined(POLARSSL_SSL_RENEGOTIATION) + if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) +#endif + if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 ) { SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); return( ret ); } buf = ssl->in_msg; - if( !ssl->renegotiation ) - n = ssl->in_left - 5; - else +#if defined(POLARSSL_SSL_RENEGOTIATION) + if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) n = ssl->in_msglen; + else +#endif + n = ssl->in_left - 5; ssl->handshake->update_checksum( ssl, buf, n ); @@ -1351,6 +1366,7 @@ static int ssl_parse_client_hello( ssl_context *ssl ) if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO ) { SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->renegotiation == SSL_RENEGOTIATION ) { SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); @@ -1360,7 +1376,9 @@ static int ssl_parse_client_hello( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); } +#endif /* POLARSSL_SSL_RENEGOTIATION */ ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; + renegotiation_info_seen = 1; break; } } @@ -1405,8 +1423,10 @@ static int ssl_parse_client_hello( ssl_context *ssl ) #if defined(POLARSSL_SSL_PROTO_TLS1_2) case TLS_EXT_SIG_ALG: SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->renegotiation == SSL_RENEGOTIATION ) break; +#endif ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); if( ret != 0 ) 
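Review bot: `renegotiation_info_seen = 1;` is new on the SCSV path of ssl_parse_client_hello (hunk at -1360). It is a behaviour change separate from the `#if` gating, and the commit message does not mention it. If the intent is that the SCSV counts as an empty renegotiation_info extension, a comment such as `/* SCSV has the same semantics as an empty renegotiation_info extension */` would record that. In a build without the option, every read of the flag visible in this diff sits inside `#if defined(POLARSSL_SSL_RENEGOTIATION)` (hunks at -1491 and -1518), so the variable may become write-only and trigger a set-but-unused warning. Its declaration is outside the hunk, so this needs checking with the option undefined.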
@@ -1491,12 +1511,13 @@ static int ssl_parse_client_hello( ssl_context *ssl ) /* * Renegotiation security checks */ - if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && + if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION && ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) { SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); handshake_failure = 1; } +#if defined(POLARSSL_SSL_RENEGOTIATION) else if( ssl->renegotiation == SSL_RENEGOTIATION && ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION && renegotiation_info_seen == 0 ) @@ -1518,6 +1539,7 @@ static int ssl_parse_client_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); handshake_failure = 1; } +#endif /* POLARSSL_SSL_RENEGOTIATION */ if( handshake_failure == 1 ) { @@ -1644,16 +1666,29 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl, *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); - *p++ = 0x00; - *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; - *p++ = ssl->verify_data_len * 2 & 0xFF; +#if defined(POLARSSL_SSL_RENEGOTIATION) + if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) + { + *p++ = 0x00; + *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; + *p++ = ssl->verify_data_len * 2 & 0xFF; - memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); - p += ssl->verify_data_len; - memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); - p += ssl->verify_data_len; + memcpy( p, ssl->peer_verify_data, ssl->verify_data_len ); + p += ssl->verify_data_len; + memcpy( p, ssl->own_verify_data, ssl->verify_data_len ); + p += ssl->verify_data_len; - *olen = 5 + ssl->verify_data_len * 2; + *olen = 5 + ssl->verify_data_len * 2; + } + else +#endif /* POLARSSL_SSL_RENEGOTIATION */ + { + *p++ = 0x00; + *p++ = 0x01; + *p++ = 0x00; + + *olen = 5; + } } #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) 
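Review bot: The first renegotiation security check in ssl_parse_client_hello (hunk at -1491) now compares `!= SSL_SECURE_RENEGOTIATION` instead of `== SSL_LEGACY_RENEGOTIATION`, and nothing explains the change. No hunk touches the matching check in ssl_parse_server_hello in ssl_cli.c (the hunk at -1201 starts below its condition), so the two sides may now be written differently. Failing closed on anything that is not confirmed secure is the safer form; I would apply it on the client as well and add a comment such as `/* anything not confirmed secure is treated as legacy */`.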
@@ -1812,7 +1847,9 @@ static int ssl_write_server_hello( ssl_context *ssl ) * If not, try looking up session ID in our cache. */ if( ssl->handshake->resume == 0 && +#if defined(POLARSSL_SSL_RENEGOTIATION) ssl->renegotiation == SSL_INITIAL_HANDSHAKE && +#endif ssl->session_negotiate->length != 0 && ssl->f_get_cache != NULL && ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5f080defe..898182c9b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2595,6 +2595,7 @@ int ssl_parse_certificate( ssl_context *ssl ) SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); +#if defined(POLARSSL_SSL_RENEGOTIATION) /* * On client, make sure the server cert doesn't change during renego to * avoid "triple handshake" attack: https://secure-resumption.com/ @@ -2618,6 +2619,7 @@ int ssl_parse_certificate( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); } } +#endif /* POLARSSL_SSL_RENEGOTIATION */ if( ssl->authmode != SSL_VERIFY_NONE ) { @@ -3060,11 +3062,13 @@ void ssl_handshake_wrapup( ssl_context *ssl ) polarssl_free( ssl->handshake ); ssl->handshake = NULL; +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->renegotiation == SSL_RENEGOTIATION ) { ssl->renegotiation = SSL_RENEGOTIATION_DONE; ssl->renego_records_seen = 0; } +#endif /* * Switch in our now active transform context @@ -3123,8 +3127,10 @@ int ssl_write_finished( ssl_context *ssl ) // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63) hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12; +#if defined(POLARSSL_SSL_RENEGOTIATION) ssl->verify_data_len = hash_len; memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len ); +#endif ssl->out_msglen = 4 + hash_len; ssl->out_msgtype = SSL_MSG_HANDSHAKE; 
@@ -3244,8 +3250,10 @@ int ssl_parse_finished( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_FINISHED ); } +#if defined(POLARSSL_SSL_RENEGOTIATION) ssl->verify_data_len = hash_len; memcpy( ssl->peer_verify_data, buf, hash_len ); +#endif if( ssl->handshake->resume != 0 ) { @@ -3394,7 +3402,9 @@ int ssl_init( ssl_context *ssl ) ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() ); +#if defined(POLARSSL_SSL_RENEGOTIATION) ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT; +#endif #if defined(POLARSSL_DHM_C) if( ( ret = mpi_read_string( &ssl->dhm_P, 16, @@ -3460,12 +3470,16 @@ int ssl_session_reset( ssl_context *ssl ) int ret; ssl->state = SSL_HELLO_REQUEST; + +#if defined(POLARSSL_SSL_RENEGOTIATION) ssl->renegotiation = SSL_INITIAL_HANDSHAKE; - ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION; + ssl->renego_records_seen = 0; ssl->verify_data_len = 0; memset( ssl->own_verify_data, 0, 36 ); memset( ssl->peer_verify_data, 0, 36 ); +#endif + ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION; ssl->in_offt = NULL; @@ -3486,8 +3500,6 @@ int ssl_session_reset( ssl_context *ssl ) ssl->transform_in = NULL; ssl->transform_out = NULL; - ssl->renego_records_seen = 0; - memset( ssl->out_ctr, 0, SSL_BUFFER_LEN ); memset( ssl->in_ctr, 0, SSL_BUFFER_LEN ); 
@@ -4004,20 +4016,22 @@ int ssl_set_truncated_hmac( ssl_context *ssl, int truncate ) } #endif /* POLARSSL_SSL_TRUNCATED_HMAC */ -void ssl_set_renegotiation( ssl_context *ssl, int renegotiation ) -{ - ssl->disable_renegotiation = renegotiation; -} - void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy ) { ssl->allow_legacy_renegotiation = allow_legacy; } +#if defined(POLARSSL_SSL_RENEGOTIATION) +void ssl_set_renegotiation( ssl_context *ssl, int renegotiation ) +{ + ssl->disable_renegotiation = renegotiation; +} + void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records ) { ssl->renego_max_records = max_records; } +#endif /* POLARSSL_SSL_RENEGOTIATION */ #if defined(POLARSSL_SSL_SESSION_TICKETS) int ssl_set_session_tickets( ssl_context *ssl, int use_tickets ) @@ -4147,6 +4161,7 @@ int ssl_handshake( ssl_context *ssl ) return( ret ); } +#if defined(POLARSSL_SSL_RENEGOTIATION) #if defined(POLARSSL_SSL_SRV_C) /* * Write HelloRequest to request renegotiation on server @@ -4258,6 +4273,7 @@ int ssl_renegotiate( ssl_context *ssl ) return( ret ); } +#endif /* POLARSSL_SSL_RENEGOTIATION */ /* * Receive application data decrypted from the SSL layer @@ -4313,6 +4329,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) } } +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->in_msgtype == SSL_MSG_HANDSHAKE ) { SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); @@ -4393,6 +4410,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); } } +#endif /* POLARSSL_SSL_RENEGOTIATION */ /* Fatal and closure alerts handled by ssl_read_record() */ if( ssl->in_msgtype == SSL_MSG_ALERT ) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 5f8454646..fb13bc9c7 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c 
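Review bot: With `POLARSSL_SSL_RENEGOTIATION` undefined, the whole `if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )` branch of ssl_read() is compiled out (the `#if` opens in the hunk at -4313 and closes in the hunk at -4393; the lines between are outside the diff). What happens to a HelloRequest or ClientHello arriving after the handshake is then decided by code further down that this diff does not show. A build without renegotiation should refuse such a record explicitly rather than by fall-through, so that handshake bytes can never reach the caller as application data and the refusal is logged. I would add an `#else` arm with a `SSL_DEBUG_MSG` and `if( ssl->in_msgtype == SSL_MSG_HANDSHAKE ) return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );`. A test that sends a renegotiation request to a build without the option would confirm it.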
@@ -284,6 +284,14 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags ) #define USAGE_ALPN "" #endif /* POLARSSL_SSL_ALPN */ +#if defined(POLARSSL_SSL_RENEGOTIATION) +#define USAGE_RENEGO \ + " renegotiation=%%d default: 0 (disabled)\n" \ + " renegotiate=%%d default: 0 (disabled)\n" +#else +#define USAGE_RENEGO "" +#endif + #define USAGE \ "\n usage: ssl_client2 param=<>...\n" \ "\n acceptable parameters:\n" \ @@ -303,9 +311,8 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags ) "\n" \ USAGE_PSK \ "\n" \ - " renegotiation=%%d default: 1 (enabled)\n" \ " allow_legacy=%%d default: (library default: no)\n" \ - " renegotiate=%%d default: 0 (disabled)\n" \ + USAGE_RENEGO \ " exchanges=%%d default: 1\n" \ " reconnect=%%d default: 0 (disabled)\n" \ USAGE_TIME \ @@ -914,9 +921,11 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); - ssl_set_renegotiation( &ssl, opt.renegotiation ); if( opt.allow_legacy != DFL_ALLOW_LEGACY ) ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); +#if defined(POLARSSL_SSL_RENEGOTIATION) + ssl_set_renegotiation( &ssl, opt.renegotiation ); +#endif #if defined(POLARSSL_X509_CRT_PARSE_C) if( strcmp( opt.ca_path, "none" ) != 0 && @@ -1044,6 +1053,7 @@ int main( int argc, char *argv[] ) } #endif /* POLARSSL_X509_CRT_PARSE_C */ +#if defined(POLARSSL_SSL_RENEGOTIATION) if( opt.renegotiate ) { /* @@ -1063,6 +1073,7 @@ int main( int argc, char *argv[] ) } printf( " ok\n" ); } +#endif /* POLARSSL_SSL_RENEGOTIATION */ /* * 6. Write the GET request diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 0cf9bffce..8aee54abe 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
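Review bot: The `renegotiation=%%d` line in the new `USAGE_RENEGO` says `default: 0 (disabled)` where the removed line said `default: 1 (enabled)`, and no hunk in this file changes the default itself. One of the two texts therefore does not match what the program does; please confirm against the default value, which is defined outside the hunks. Separately, only the usage text, the `ssl_set_renegotiation()` call and the `opt.renegotiate` block are gated. If `renegotiation=` and `renegotiate=` are still parsed in a build without the option (the parser is not in the diff), they would be accepted and silently ignored, so a test script passing `renegotiate=1` would succeed without exercising anything. Rejecting those parameters with the usage message in that configuration would make the gap visible; the same applies to `renego_delay=` and the matching hunks in ssl_server2.c.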
@@ -299,6 +299,15 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len ) #define USAGE_ALPN "" #endif /* POLARSSL_SSL_ALPN */ +#if defined(POLARSSL_SSL_RENEGOTIATION) +#define USAGE_RENEGO \ + " renegotiation=%%d default: 0 (disabled)\n" \ + " renegotiate=%%d default: 0 (disabled)\n" \ + " renego_delay=%%d default: -2 (library default)\n" +#else +#define USAGE_RENEGO "" +#endif + #define USAGE \ "\n usage: ssl_server2 param=<>...\n" \ "\n acceptable parameters:\n" \ @@ -315,10 +324,8 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len ) "\n" \ USAGE_PSK \ "\n" \ - " renegotiation=%%d default: 1 (enabled)\n" \ " allow_legacy=%%d default: (library default: no)\n" \ - " renegotiate=%%d default: 0 (disabled)\n" \ - " renego_delay=%%d default: -2 (library default)\n" \ + USAGE_RENEGO \ " exchanges=%%d default: 1\n" \ USAGE_TICKETS \ USAGE_CACHE \ @@ -1314,11 +1321,13 @@ int main( int argc, char *argv[] ) SSL_MINOR_VERSION_3 ); } - ssl_set_renegotiation( &ssl, opt.renegotiation ); if( opt.allow_legacy != DFL_ALLOW_LEGACY ) ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); +#if defined(POLARSSL_SSL_RENEGOTIATION) + ssl_set_renegotiation( &ssl, opt.renegotiation ); if( opt.renego_delay != DFL_RENEGO_DELAY ) ssl_set_renegotiation_enforced( &ssl, opt.renego_delay ); +#endif #if defined(POLARSSL_X509_CRT_PARSE_C) if( strcmp( opt.ca_path, "none" ) != 0 && @@ -1611,6 +1620,7 @@ data_exchange: * 7a. Request renegotiation while client is waiting for input from us. * (only if we're going to exhange more data afterwards) */ +#if defined(POLARSSL_SSL_RENEGOTIATION) if( opt.renegotiate && exchanges > 1 ) { printf( " . Requestion renegotiation..." ); @@ -1628,6 +1638,7 @@ data_exchange: printf( " ok\n" ); } +#endif /* POLARSSL_SSL_RENEGOTIATION */ /* * 7. Write the 200 Response