Make renegotiation a compile-time option

This commit is contained in:
Manuel Pégourié-Gonnard 2014-11-03 08:23:14 +01:00
parent 85d915b81d
commit 615e677c0b
7 changed files with 196 additions and 73 deletions

View File

@ -821,6 +821,19 @@
*/ */
//#define POLARSSL_SSL_HW_RECORD_ACCEL //#define POLARSSL_SSL_HW_RECORD_ACCEL
/**
* \def POLARSSL_SSL_RENEGOTIATION
*
* Enable support for TLS renegotiation.
*
* The two main uses of renegotiation are (1) refresh keys on long-lived
* connections and (2) client authentication after the initial handshake.
* If you don't need renegotiation, it's probably better to disable it, since
* it has been associated with security issues in the past and is easy to
* misuse/misunderstand.
*/
#define POLARSSL_SSL_RENEGOTIATION
/** /**
* \def POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO * \def POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
* *

View File

@ -687,7 +687,9 @@ struct _ssl_context
*/ */
int state; /*!< SSL handshake: current state */ int state; /*!< SSL handshake: current state */
int renegotiation; /*!< Initial or renegotiation */ int renegotiation; /*!< Initial or renegotiation */
#if defined(POLARSSL_SSL_RENEGOTIATION)
int renego_records_seen; /*!< Records since renego request */ int renego_records_seen; /*!< Records since renego request */
#endif
int major_ver; /*!< equal to SSL_MAJOR_VERSION_3 */ int major_ver; /*!< equal to SSL_MAJOR_VERSION_3 */
int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */ int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */
@ -810,9 +812,11 @@ struct _ssl_context
int authmode; /*!< verification mode */ int authmode; /*!< verification mode */
int client_auth; /*!< flag for client auth. */ int client_auth; /*!< flag for client auth. */
int verify_result; /*!< verification result */ int verify_result; /*!< verification result */
#if defined(POLARSSL_SSL_RENEGOTIATION)
int disable_renegotiation; /*!< enable/disable renegotiation */ int disable_renegotiation; /*!< enable/disable renegotiation */
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
int renego_max_records; /*!< grace period for renegotiation */ int renego_max_records; /*!< grace period for renegotiation */
#endif
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */ const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
#if defined(POLARSSL_SSL_SET_CURVES) #if defined(POLARSSL_SSL_SET_CURVES)
const ecp_group_id *curve_list; /*!< allowed curves */ const ecp_group_id *curve_list; /*!< allowed curves */
@ -861,9 +865,11 @@ struct _ssl_context
*/ */
int secure_renegotiation; /*!< does peer support legacy or int secure_renegotiation; /*!< does peer support legacy or
secure renegotiation */ secure renegotiation */
#if defined(POLARSSL_SSL_RENEGOTIATION)
size_t verify_data_len; /*!< length of verify data stored */ size_t verify_data_len; /*!< length of verify data stored */
char own_verify_data[36]; /*!< previous handshake verify data */ char own_verify_data[36]; /*!< previous handshake verify data */
char peer_verify_data[36]; /*!< previous handshake verify data */ char peer_verify_data[36]; /*!< previous handshake verify data */
#endif
}; };
#if defined(POLARSSL_SSL_HW_RECORD_ACCEL) #if defined(POLARSSL_SSL_HW_RECORD_ACCEL)
@ -1446,6 +1452,7 @@ int ssl_set_session_tickets( ssl_context *ssl, int use_tickets );
void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime ); void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime );
#endif /* POLARSSL_SSL_SESSION_TICKETS */ #endif /* POLARSSL_SSL_SESSION_TICKETS */
#if defined(POLARSSL_SSL_RENEGOTIATION)
/** /**
* \brief Enable / Disable renegotiation support for connection when * \brief Enable / Disable renegotiation support for connection when
* initiated by peer * initiated by peer
@ -1460,6 +1467,7 @@ void ssl_set_session_ticket_lifetime( ssl_context *ssl, int lifetime );
* SSL_RENEGOTIATION_DISABLED) * SSL_RENEGOTIATION_DISABLED)
*/ */
void ssl_set_renegotiation( ssl_context *ssl, int renegotiation ); void ssl_set_renegotiation( ssl_context *ssl, int renegotiation );
#endif /* POLARSSL_SSL_RENEGOTIATION */
/** /**
* \brief Prevent or allow legacy renegotiation. * \brief Prevent or allow legacy renegotiation.
@ -1490,8 +1498,9 @@ void ssl_set_renegotiation( ssl_context *ssl, int renegotiation );
*/ */
void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy ); void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy );
#if defined(POLARSSL_SSL_RENEGOTIATION)
/** /**
* \brief Enforce server-requested renegotiation. * \brief Enforce requested renegotiation.
* (Default: enforced, max_records = 16) * (Default: enforced, max_records = 16)
* *
* When we request a renegotiation, the peer can comply or * When we request a renegotiation, the peer can comply or
@ -1519,6 +1528,7 @@ void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy );
* it but allow for a grace period of max_records records. * it but allow for a grace period of max_records records.
*/ */
void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records ); void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records );
#endif /* POLARSSL_SSL_RENEGOTIATION */
/** /**
* \brief Return the number of data bytes available to read * \brief Return the number of data bytes available to read
@ -1620,6 +1630,7 @@ int ssl_handshake( ssl_context *ssl );
*/ */
int ssl_handshake_step( ssl_context *ssl ); int ssl_handshake_step( ssl_context *ssl );
#if defined(POLARSSL_SSL_RENEGOTIATION)
/** /**
* \brief Initiate an SSL renegotiation on the running connection. * \brief Initiate an SSL renegotiation on the running connection.
* Client: perform the renegotiation right now. * Client: perform the renegotiation right now.
@ -1631,6 +1642,7 @@ int ssl_handshake_step( ssl_context *ssl );
* \return 0 if successful, or any ssl_handshake() return value. * \return 0 if successful, or any ssl_handshake() return value.
*/ */
int ssl_renegotiate( ssl_context *ssl ); int ssl_renegotiate( ssl_context *ssl );
#endif /* POLARSSL_SSL_RENEGOTIATION */
/** /**
* \brief Read at most 'len' application data bytes * \brief Read at most 'len' application data bytes

View File

@ -114,6 +114,7 @@ static void ssl_write_hostname_ext( ssl_context *ssl,
} }
#endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */ #endif /* POLARSSL_SSL_SERVER_NAME_INDICATION */
#if defined(POLARSSL_SSL_RENEGOTIATION)
static void ssl_write_renegotiation_ext( ssl_context *ssl, static void ssl_write_renegotiation_ext( ssl_context *ssl,
unsigned char *buf, unsigned char *buf,
size_t *olen ) size_t *olen )
@ -141,6 +142,7 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
*olen = 5 + ssl->verify_data_len; *olen = 5 + ssl->verify_data_len;
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
#if defined(POLARSSL_SSL_PROTO_TLS1_2) #if defined(POLARSSL_SSL_PROTO_TLS1_2)
static void ssl_write_signature_algorithms_ext( ssl_context *ssl, static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
@ -464,7 +466,9 @@ static int ssl_write_client_hello( ssl_context *ssl )
return( POLARSSL_ERR_SSL_NO_RNG ); return( POLARSSL_ERR_SSL_NO_RNG );
} }
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
{ {
ssl->major_ver = ssl->min_major_ver; ssl->major_ver = ssl->min_major_ver;
ssl->minor_ver = ssl->min_minor_ver; ssl->minor_ver = ssl->min_minor_ver;
@ -528,7 +532,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
*/ */
n = ssl->session_negotiate->length; n = ssl->session_negotiate->length;
if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || n < 16 || n > 32 || if( n < 16 || n > 32 ||
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
#endif
ssl->handshake->resume == 0 ) ssl->handshake->resume == 0 )
{ {
n = 0; n = 0;
@ -539,8 +546,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
* RFC 5077 section 3.4: "When presenting a ticket, the client MAY * RFC 5077 section 3.4: "When presenting a ticket, the client MAY
* generate and include a Session ID in the TLS ClientHello." * generate and include a Session ID in the TLS ClientHello."
*/ */
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE && #if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->session_negotiate->ticket != NULL && if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
if( ssl->session_negotiate->ticket != NULL &&
ssl->session_negotiate->ticket_len != 0 ) ssl->session_negotiate->ticket_len != 0 )
{ {
ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 ); ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
@ -570,7 +579,9 @@ static int ssl_write_client_hello( ssl_context *ssl )
/* /*
* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*/ */
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
{ {
*p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
*p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO ); *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
@ -625,8 +636,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
ext_len += olen; ext_len += olen;
#endif #endif
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen ); ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen; ext_len += olen;
#endif
#if defined(POLARSSL_SSL_PROTO_TLS1_2) #if defined(POLARSSL_SSL_PROTO_TLS1_2)
ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen ); ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
@ -694,21 +707,8 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
{ {
int ret; int ret;
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) #if defined(POLARSSL_SSL_RENEGOTIATION)
{ if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
if( len != 1 || buf[0] != 0x0 )
{
SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) );
if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
return( ret );
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
}
ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
}
else
{ {
/* Check verify-data in constant-time. The length OTOH is no secret */ /* Check verify-data in constant-time. The length OTOH is no secret */
if( len != 1 + ssl->verify_data_len * 2 || if( len != 1 + ssl->verify_data_len * 2 ||
@ -718,7 +718,7 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
safer_memcmp( buf + 1 + ssl->verify_data_len, safer_memcmp( buf + 1 + ssl->verify_data_len,
ssl->peer_verify_data, ssl->verify_data_len ) != 0 ) ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
{ {
SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) ); SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
return( ret ); return( ret );
@ -726,6 +726,21 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
} }
} }
else
#endif /* POLARSSL_SSL_RENEGOTIATION */
{
if( len != 1 || buf[0] != 0x00 )
{
SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
return( ret );
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
}
ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
}
return( 0 ); return( 0 );
} }
@ -902,6 +917,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
if( ssl->in_msgtype != SSL_MSG_HANDSHAKE ) if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
{ {
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_RENEGOTIATION ) if( ssl->renegotiation == SSL_RENEGOTIATION )
{ {
ssl->renego_records_seen++; ssl->renego_records_seen++;
@ -917,6 +933,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) ); SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO ); return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
@ -1025,8 +1042,10 @@ static int ssl_parse_server_hello( ssl_context *ssl )
/* /*
* Check if the session can be resumed * Check if the session can be resumed
*/ */
if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE || if( ssl->handshake->resume == 0 || n == 0 ||
ssl->handshake->resume == 0 || n == 0 || #if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->renegotiation != SSL_INITIAL_HANDSHAKE ||
#endif
ssl->session_negotiate->ciphersuite != i || ssl->session_negotiate->ciphersuite != i ||
ssl->session_negotiate->compression != comp || ssl->session_negotiate->compression != comp ||
ssl->session_negotiate->length != n || ssl->session_negotiate->length != n ||
@ -1201,6 +1220,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
handshake_failure = 1; handshake_failure = 1;
} }
#if defined(POLARSSL_SSL_RENEGOTIATION)
else if( ssl->renegotiation == SSL_RENEGOTIATION && else if( ssl->renegotiation == SSL_RENEGOTIATION &&
ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION && ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
renegotiation_info_seen == 0 ) renegotiation_info_seen == 0 )
@ -1222,6 +1242,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
handshake_failure = 1; handshake_failure = 1;
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
if( handshake_failure == 1 ) if( handshake_failure == 1 )
{ {

View File

@ -431,11 +431,29 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
{ {
int ret; int ret;
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) #if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
{
/* Check verify-data in constant-time. The length OTOH is no secret */
if( len != 1 + ssl->verify_data_len ||
buf[0] != ssl->verify_data_len ||
safer_memcmp( buf + 1, ssl->peer_verify_data,
ssl->verify_data_len ) != 0 )
{
SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
return( ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
}
else
#endif /* POLARSSL_SSL_RENEGOTIATION */
{ {
if( len != 1 || buf[0] != 0x0 ) if( len != 1 || buf[0] != 0x0 )
{ {
SSL_DEBUG_MSG( 1, ( "non-zero length renegotiated connection field" ) ); SSL_DEBUG_MSG( 1, ( "non-zero length renegotiation info" ) );
if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
return( ret ); return( ret );
@ -445,22 +463,6 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
} }
else
{
/* Check verify-data in constant-time. The length OTOH is no secret */
if( len != 1 + ssl->verify_data_len ||
buf[0] != ssl->verify_data_len ||
safer_memcmp( buf + 1, ssl->peer_verify_data,
ssl->verify_data_len ) != 0 )
{
SSL_DEBUG_MSG( 1, ( "non-matching renegotiated connection field" ) );
if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
return( ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
}
return( 0 ); return( 0 );
} }
@ -653,11 +655,13 @@ static int ssl_parse_session_ticket_ext( ssl_context *ssl,
if( len == 0 ) if( len == 0 )
return( 0 ); return( 0 );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
{ {
SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) ); SSL_DEBUG_MSG( 3, ( "ticket rejected: renegotiating" ) );
return( 0 ); return( 0 );
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
/* /*
* Failures are ok: just ignore the ticket and proceed. * Failures are ok: just ignore the ticket and proceed.
@ -893,6 +897,7 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE ) if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
{ {
SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) ); SSL_DEBUG_MSG( 1, ( "client hello v2 illegal for renegotiation" ) );
@ -902,6 +907,7 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
buf = ssl->in_hdr; buf = ssl->in_hdr;
@ -1038,15 +1044,18 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO ) if( p[0] == 0 && p[1] == 0 && p[2] == SSL_EMPTY_RENEGOTIATION_INFO )
{ {
SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_RENEGOTIATION ) if( ssl->renegotiation == SSL_RENEGOTIATION )
{ {
SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV "
"during renegotiation" ) );
if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 ) if( ( ret = ssl_send_fatal_handshake_failure( ssl ) ) != 0 )
return( ret ); return( ret );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
break; break;
} }
@ -1126,8 +1135,10 @@ static int ssl_parse_client_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE && #if defined(POLARSSL_SSL_RENEGOTIATION)
( ret = ssl_fetch_input( ssl, 5 ) ) != 0 ) if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
{ {
SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
return( ret ); return( ret );
@ -1177,18 +1188,22 @@ static int ssl_parse_client_hello( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
} }
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE && #if defined(POLARSSL_SSL_RENEGOTIATION)
( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 ) if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
if( ( ret = ssl_fetch_input( ssl, 5 + n ) ) != 0 )
{ {
SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
return( ret ); return( ret );
} }
buf = ssl->in_msg; buf = ssl->in_msg;
if( !ssl->renegotiation ) #if defined(POLARSSL_SSL_RENEGOTIATION)
n = ssl->in_left - 5; if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
else
n = ssl->in_msglen; n = ssl->in_msglen;
else
#endif
n = ssl->in_left - 5;
ssl->handshake->update_checksum( ssl, buf, n ); ssl->handshake->update_checksum( ssl, buf, n );
@ -1351,6 +1366,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO ) if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
{ {
SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) ); SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_RENEGOTIATION ) if( ssl->renegotiation == SSL_RENEGOTIATION )
{ {
SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) ); SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
@ -1360,7 +1376,9 @@ static int ssl_parse_client_hello( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION; ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
renegotiation_info_seen = 1;
break; break;
} }
} }
@ -1405,8 +1423,10 @@ static int ssl_parse_client_hello( ssl_context *ssl )
#if defined(POLARSSL_SSL_PROTO_TLS1_2) #if defined(POLARSSL_SSL_PROTO_TLS1_2)
case TLS_EXT_SIG_ALG: case TLS_EXT_SIG_ALG:
SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_RENEGOTIATION ) if( ssl->renegotiation == SSL_RENEGOTIATION )
break; break;
#endif
ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
if( ret != 0 ) if( ret != 0 )
@ -1491,12 +1511,13 @@ static int ssl_parse_client_hello( ssl_context *ssl )
/* /*
* Renegotiation security checks * Renegotiation security checks
*/ */
if( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && if( ssl->secure_renegotiation != SSL_SECURE_RENEGOTIATION &&
ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE ) ssl->allow_legacy_renegotiation == SSL_LEGACY_BREAK_HANDSHAKE )
{ {
SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) ); SSL_DEBUG_MSG( 1, ( "legacy renegotiation, breaking off handshake" ) );
handshake_failure = 1; handshake_failure = 1;
} }
#if defined(POLARSSL_SSL_RENEGOTIATION)
else if( ssl->renegotiation == SSL_RENEGOTIATION && else if( ssl->renegotiation == SSL_RENEGOTIATION &&
ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION && ssl->secure_renegotiation == SSL_SECURE_RENEGOTIATION &&
renegotiation_info_seen == 0 ) renegotiation_info_seen == 0 )
@ -1518,6 +1539,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) ); SSL_DEBUG_MSG( 1, ( "renegotiation_info extension present (legacy)" ) );
handshake_failure = 1; handshake_failure = 1;
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
if( handshake_failure == 1 ) if( handshake_failure == 1 )
{ {
@ -1644,6 +1666,9 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
*p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO >> 8 ) & 0xFF );
*p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF ); *p++ = (unsigned char)( ( TLS_EXT_RENEGOTIATION_INFO ) & 0xFF );
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation != SSL_INITIAL_HANDSHAKE )
{
*p++ = 0x00; *p++ = 0x00;
*p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF; *p++ = ( ssl->verify_data_len * 2 + 1 ) & 0xFF;
*p++ = ssl->verify_data_len * 2 & 0xFF; *p++ = ssl->verify_data_len * 2 & 0xFF;
@ -1655,6 +1680,16 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
*olen = 5 + ssl->verify_data_len * 2; *olen = 5 + ssl->verify_data_len * 2;
} }
else
#endif /* POLARSSL_SSL_RENEGOTIATION */
{
*p++ = 0x00;
*p++ = 0x01;
*p++ = 0x00;
*olen = 5;
}
}
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH) #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
static void ssl_write_max_fragment_length_ext( ssl_context *ssl, static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
@ -1812,7 +1847,9 @@ static int ssl_write_server_hello( ssl_context *ssl )
* If not, try looking up session ID in our cache. * If not, try looking up session ID in our cache.
*/ */
if( ssl->handshake->resume == 0 && if( ssl->handshake->resume == 0 &&
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->renegotiation == SSL_INITIAL_HANDSHAKE && ssl->renegotiation == SSL_INITIAL_HANDSHAKE &&
#endif
ssl->session_negotiate->length != 0 && ssl->session_negotiate->length != 0 &&
ssl->f_get_cache != NULL && ssl->f_get_cache != NULL &&
ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 ) ssl->f_get_cache( ssl->p_get_cache, ssl->session_negotiate ) == 0 )

View File

@ -2595,6 +2595,7 @@ int ssl_parse_certificate( ssl_context *ssl )
SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert ); SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
#if defined(POLARSSL_SSL_RENEGOTIATION)
/* /*
* On client, make sure the server cert doesn't change during renego to * On client, make sure the server cert doesn't change during renego to
* avoid "triple handshake" attack: https://secure-resumption.com/ * avoid "triple handshake" attack: https://secure-resumption.com/
@ -2618,6 +2619,7 @@ int ssl_parse_certificate( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
} }
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
if( ssl->authmode != SSL_VERIFY_NONE ) if( ssl->authmode != SSL_VERIFY_NONE )
{ {
@ -3060,11 +3062,13 @@ void ssl_handshake_wrapup( ssl_context *ssl )
polarssl_free( ssl->handshake ); polarssl_free( ssl->handshake );
ssl->handshake = NULL; ssl->handshake = NULL;
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_RENEGOTIATION ) if( ssl->renegotiation == SSL_RENEGOTIATION )
{ {
ssl->renegotiation = SSL_RENEGOTIATION_DONE; ssl->renegotiation = SSL_RENEGOTIATION_DONE;
ssl->renego_records_seen = 0; ssl->renego_records_seen = 0;
} }
#endif
/* /*
* Switch in our now active transform context * Switch in our now active transform context
@ -3123,8 +3127,10 @@ int ssl_write_finished( ssl_context *ssl )
// TODO TLS/1.2 Hash length is determined by cipher suite (Page 63) // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12; hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->verify_data_len = hash_len; ssl->verify_data_len = hash_len;
memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len ); memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
#endif
ssl->out_msglen = 4 + hash_len; ssl->out_msglen = 4 + hash_len;
ssl->out_msgtype = SSL_MSG_HANDSHAKE; ssl->out_msgtype = SSL_MSG_HANDSHAKE;
@ -3244,8 +3250,10 @@ int ssl_parse_finished( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_FINISHED ); return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
} }
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->verify_data_len = hash_len; ssl->verify_data_len = hash_len;
memcpy( ssl->peer_verify_data, buf, hash_len ); memcpy( ssl->peer_verify_data, buf, hash_len );
#endif
if( ssl->handshake->resume != 0 ) if( ssl->handshake->resume != 0 )
{ {
@ -3394,7 +3402,9 @@ int ssl_init( ssl_context *ssl )
ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() ); ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT; ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT;
#endif
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
if( ( ret = mpi_read_string( &ssl->dhm_P, 16, if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
@ -3460,12 +3470,16 @@ int ssl_session_reset( ssl_context *ssl )
int ret; int ret;
ssl->state = SSL_HELLO_REQUEST; ssl->state = SSL_HELLO_REQUEST;
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl->renegotiation = SSL_INITIAL_HANDSHAKE; ssl->renegotiation = SSL_INITIAL_HANDSHAKE;
ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION; ssl->renego_records_seen = 0;
ssl->verify_data_len = 0; ssl->verify_data_len = 0;
memset( ssl->own_verify_data, 0, 36 ); memset( ssl->own_verify_data, 0, 36 );
memset( ssl->peer_verify_data, 0, 36 ); memset( ssl->peer_verify_data, 0, 36 );
#endif
ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;
ssl->in_offt = NULL; ssl->in_offt = NULL;
@ -3486,8 +3500,6 @@ int ssl_session_reset( ssl_context *ssl )
ssl->transform_in = NULL; ssl->transform_in = NULL;
ssl->transform_out = NULL; ssl->transform_out = NULL;
ssl->renego_records_seen = 0;
memset( ssl->out_ctr, 0, SSL_BUFFER_LEN ); memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );
memset( ssl->in_ctr, 0, SSL_BUFFER_LEN ); memset( ssl->in_ctr, 0, SSL_BUFFER_LEN );
@ -4004,20 +4016,22 @@ int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
} }
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */ #endif /* POLARSSL_SSL_TRUNCATED_HMAC */
void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
{
ssl->disable_renegotiation = renegotiation;
}
void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy ) void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
{ {
ssl->allow_legacy_renegotiation = allow_legacy; ssl->allow_legacy_renegotiation = allow_legacy;
} }
#if defined(POLARSSL_SSL_RENEGOTIATION)
void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
{
ssl->disable_renegotiation = renegotiation;
}
void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records ) void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records )
{ {
ssl->renego_max_records = max_records; ssl->renego_max_records = max_records;
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
#if defined(POLARSSL_SSL_SESSION_TICKETS) #if defined(POLARSSL_SSL_SESSION_TICKETS)
int ssl_set_session_tickets( ssl_context *ssl, int use_tickets ) int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
@ -4147,6 +4161,7 @@ int ssl_handshake( ssl_context *ssl )
return( ret ); return( ret );
} }
#if defined(POLARSSL_SSL_RENEGOTIATION)
#if defined(POLARSSL_SSL_SRV_C) #if defined(POLARSSL_SSL_SRV_C)
/* /*
* Write HelloRequest to request renegotiation on server * Write HelloRequest to request renegotiation on server
@ -4258,6 +4273,7 @@ int ssl_renegotiate( ssl_context *ssl )
return( ret ); return( ret );
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
/* /*
* Receive application data decrypted from the SSL layer * Receive application data decrypted from the SSL layer
@ -4313,6 +4329,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
} }
} }
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->in_msgtype == SSL_MSG_HANDSHAKE ) if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
{ {
SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
@ -4393,6 +4410,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE ); return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
} }
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
/* Fatal and closure alerts handled by ssl_read_record() */ /* Fatal and closure alerts handled by ssl_read_record() */
if( ssl->in_msgtype == SSL_MSG_ALERT ) if( ssl->in_msgtype == SSL_MSG_ALERT )

View File

@ -284,6 +284,14 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
#define USAGE_ALPN "" #define USAGE_ALPN ""
#endif /* POLARSSL_SSL_ALPN */ #endif /* POLARSSL_SSL_ALPN */
#if defined(POLARSSL_SSL_RENEGOTIATION)
#define USAGE_RENEGO \
" renegotiation=%%d default: 0 (disabled)\n" \
" renegotiate=%%d default: 0 (disabled)\n"
#else
#define USAGE_RENEGO ""
#endif
#define USAGE \ #define USAGE \
"\n usage: ssl_client2 param=<>...\n" \ "\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \ "\n acceptable parameters:\n" \
@ -303,9 +311,8 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
"\n" \ "\n" \
USAGE_PSK \ USAGE_PSK \
"\n" \ "\n" \
" renegotiation=%%d default: 1 (enabled)\n" \
" allow_legacy=%%d default: (library default: no)\n" \ " allow_legacy=%%d default: (library default: no)\n" \
" renegotiate=%%d default: 0 (disabled)\n" \ USAGE_RENEGO \
" exchanges=%%d default: 1\n" \ " exchanges=%%d default: 1\n" \
" reconnect=%%d default: 0 (disabled)\n" \ " reconnect=%%d default: 0 (disabled)\n" \
USAGE_TIME \ USAGE_TIME \
@ -914,9 +921,11 @@ int main( int argc, char *argv[] )
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
ssl_set_ciphersuites( &ssl, opt.force_ciphersuite ); ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
ssl_set_renegotiation( &ssl, opt.renegotiation );
if( opt.allow_legacy != DFL_ALLOW_LEGACY ) if( opt.allow_legacy != DFL_ALLOW_LEGACY )
ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl_set_renegotiation( &ssl, opt.renegotiation );
#endif
#if defined(POLARSSL_X509_CRT_PARSE_C) #if defined(POLARSSL_X509_CRT_PARSE_C)
if( strcmp( opt.ca_path, "none" ) != 0 && if( strcmp( opt.ca_path, "none" ) != 0 &&
@ -1044,6 +1053,7 @@ int main( int argc, char *argv[] )
} }
#endif /* POLARSSL_X509_CRT_PARSE_C */ #endif /* POLARSSL_X509_CRT_PARSE_C */
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( opt.renegotiate ) if( opt.renegotiate )
{ {
/* /*
@ -1063,6 +1073,7 @@ int main( int argc, char *argv[] )
} }
printf( " ok\n" ); printf( " ok\n" );
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
/* /*
* 6. Write the GET request * 6. Write the GET request

View File

@ -299,6 +299,15 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
#define USAGE_ALPN "" #define USAGE_ALPN ""
#endif /* POLARSSL_SSL_ALPN */ #endif /* POLARSSL_SSL_ALPN */
#if defined(POLARSSL_SSL_RENEGOTIATION)
#define USAGE_RENEGO \
" renegotiation=%%d default: 0 (disabled)\n" \
" renegotiate=%%d default: 0 (disabled)\n" \
" renego_delay=%%d default: -2 (library default)\n"
#else
#define USAGE_RENEGO ""
#endif
#define USAGE \ #define USAGE \
"\n usage: ssl_server2 param=<>...\n" \ "\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \ "\n acceptable parameters:\n" \
@ -315,10 +324,8 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
"\n" \ "\n" \
USAGE_PSK \ USAGE_PSK \
"\n" \ "\n" \
" renegotiation=%%d default: 1 (enabled)\n" \
" allow_legacy=%%d default: (library default: no)\n" \ " allow_legacy=%%d default: (library default: no)\n" \
" renegotiate=%%d default: 0 (disabled)\n" \ USAGE_RENEGO \
" renego_delay=%%d default: -2 (library default)\n" \
" exchanges=%%d default: 1\n" \ " exchanges=%%d default: 1\n" \
USAGE_TICKETS \ USAGE_TICKETS \
USAGE_CACHE \ USAGE_CACHE \
@ -1314,11 +1321,13 @@ int main( int argc, char *argv[] )
SSL_MINOR_VERSION_3 ); SSL_MINOR_VERSION_3 );
} }
ssl_set_renegotiation( &ssl, opt.renegotiation );
if( opt.allow_legacy != DFL_ALLOW_LEGACY ) if( opt.allow_legacy != DFL_ALLOW_LEGACY )
ssl_legacy_renegotiation( &ssl, opt.allow_legacy ); ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
#if defined(POLARSSL_SSL_RENEGOTIATION)
ssl_set_renegotiation( &ssl, opt.renegotiation );
if( opt.renego_delay != DFL_RENEGO_DELAY ) if( opt.renego_delay != DFL_RENEGO_DELAY )
ssl_set_renegotiation_enforced( &ssl, opt.renego_delay ); ssl_set_renegotiation_enforced( &ssl, opt.renego_delay );
#endif
#if defined(POLARSSL_X509_CRT_PARSE_C) #if defined(POLARSSL_X509_CRT_PARSE_C)
if( strcmp( opt.ca_path, "none" ) != 0 && if( strcmp( opt.ca_path, "none" ) != 0 &&
@ -1611,6 +1620,7 @@ data_exchange:
* 7a. Request renegotiation while client is waiting for input from us. * 7a. Request renegotiation while client is waiting for input from us.
* (only if we're going to exhange more data afterwards) * (only if we're going to exhange more data afterwards)
*/ */
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( opt.renegotiate && exchanges > 1 ) if( opt.renegotiate && exchanges > 1 )
{ {
printf( " . Requestion renegotiation..." ); printf( " . Requestion renegotiation..." );
@ -1628,6 +1638,7 @@ data_exchange:
printf( " ok\n" ); printf( " ok\n" );
} }
#endif /* POLARSSL_SSL_RENEGOTIATION */
/* /*
* 7. Write the 200 Response * 7. Write the 200 Response