Merge commit 'f6080b8' into dtls

* commit 'f6080b8': Fix warning in reduced configs Adapt to "negative" switch for renego Add tests for periodic renegotiation Make renego period configurable Auto-renegotiate before sequence number wrapping Update Changelog for compile-option renegotiation Switch from an enable to a disable flag Save 48 bytes if SSLv3 is not defined Make renegotiation a compile-time option Add tests for renego security enforcement Conflicts: include/polarssl/ssl.h library/ssl_cli.c library/ssl_srv.c library/ssl_tls.c programs/ssl/ssl_server2.c tests/ssl-opt.sh
2015-01-21 11:44:33 +00:00 · 2015-01-21 11:44:33 +00:00 · 0af1ba3521
commit 0af1ba3521
parent edb7ed3a43 f6080b8557
14 changed files with 492 additions and 91 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3942,7 +3942,7 @@ int ssl_parse_certificate( ssl_context *ssl )
     * On client, make sure the server cert doesn't change during renego to
     * avoid "triple handshake" attack: https://secure-resumption.com/
     */
-#if defined(POLARSSL_SSL_CLI_C)
+#if defined(POLARSSL_SSL_RENEGOTIATION) && defined(POLARSSL_SSL_CLI_C)
    if( ssl->endpoint == SSL_IS_CLIENT &&
        ssl->renegotiation == SSL_RENEGOTIATION )
    {
@ -3962,7 +3962,7 @@ int ssl_parse_certificate( ssl_context *ssl )
            return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE );
        }
    }
-#endif /* POLARSSL_SSL_CLI_C */
+#endif /* POLARSSL_SSL_RENEGOTIATION && POLARSSL_SSL_CLI_C */

    if( ssl->authmode != SSL_VERIFY_NONE )
    {
@ -4488,11 +4488,13 @@ void ssl_handshake_wrapup( ssl_context *ssl )

    SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );

+#if defined(POLARSSL_SSL_RENEGOTIATION)
    if( ssl->renegotiation == SSL_RENEGOTIATION )
    {
        ssl->renegotiation =  SSL_RENEGOTIATION_DONE;
        ssl->renego_records_seen = 0;
    }
+#endif

    /*
     * Free the previous session and switch in the current one
@ -4564,8 +4566,10 @@ int ssl_write_finished( ssl_context *ssl )
    // TODO TLS/1.2 Hash length is determined by cipher suite (Page 63)
    hash_len = ( ssl->minor_ver == SSL_MINOR_VERSION_0 ) ? 36 : 12;

+#if defined(POLARSSL_SSL_RENEGOTIATION)
    ssl->verify_data_len = hash_len;
    memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
+#endif

    ssl->out_msglen  = 4 + hash_len;
    ssl->out_msgtype = SSL_MSG_HANDSHAKE;
@ -4703,8 +4707,10 @@ int ssl_parse_finished( ssl_context *ssl )
        return( POLARSSL_ERR_SSL_BAD_HS_FINISHED );
    }

+#if defined(POLARSSL_SSL_RENEGOTIATION)
    ssl->verify_data_len = hash_len;
    memcpy( ssl->peer_verify_data, buf, hash_len );
+#endif

    if( ssl->handshake->resume != 0 )
    {
@ -4904,7 +4910,11 @@ int ssl_init( ssl_context *ssl )

    ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );

+#if defined(POLARSSL_SSL_RENEGOTIATION)
    ssl->renego_max_records = SSL_RENEGO_MAX_RECORDS_DEFAULT;
+    memset( ssl->renego_period, 0xFF, 7 );
+    ssl->renego_period[7] = 0x00;
+#endif

 #if defined(POLARSSL_DHM_C)
    if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
@ -4984,12 +4994,16 @@ int ssl_session_reset( ssl_context *ssl )
    int ret;

    ssl->state = SSL_HELLO_REQUEST;
+
+#if defined(POLARSSL_SSL_RENEGOTIATION)
    ssl->renegotiation = SSL_INITIAL_HANDSHAKE;
-    ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;
+    ssl->renego_records_seen = 0;

    ssl->verify_data_len = 0;
-    memset( ssl->own_verify_data, 0, 36 );
-    memset( ssl->peer_verify_data, 0, 36 );
+    memset( ssl->own_verify_data, 0, SSL_VERIFY_DATA_MAX_LEN );
+    memset( ssl->peer_verify_data, 0, SSL_VERIFY_DATA_MAX_LEN );
+#endif
+    ssl->secure_renegotiation = SSL_LEGACY_RENEGOTIATION;

    ssl->in_offt = NULL;

@ -5017,8 +5031,6 @@ int ssl_session_reset( ssl_context *ssl )
    ssl->transform_in = NULL;
    ssl->transform_out = NULL;

-    ssl->renego_records_seen = 0;
-
    memset( ssl->out_buf, 0, SSL_BUFFER_LEN );
    memset( ssl->in_buf, 0, SSL_BUFFER_LEN );

@ -5685,21 +5697,29 @@ int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
 }
 #endif /* POLARSSL_SSL_TRUNCATED_HMAC */

-void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
-{
-    ssl->disable_renegotiation = renegotiation;
-}
-
 void ssl_legacy_renegotiation( ssl_context *ssl, int allow_legacy )
 {
    ssl->allow_legacy_renegotiation = allow_legacy;
 }

+#if defined(POLARSSL_SSL_RENEGOTIATION)
+void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
+{
+    ssl->disable_renegotiation = renegotiation;
+}
+
 void ssl_set_renegotiation_enforced( ssl_context *ssl, int max_records )
 {
    ssl->renego_max_records = max_records;
 }

+void ssl_set_renegotiation_period( ssl_context *ssl,
+                                   const unsigned char period[8] )
+{
+    memcpy( ssl->renego_period, period, 8 );
+}
+#endif /* POLARSSL_SSL_RENEGOTIATION */
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
 int ssl_set_session_tickets( ssl_context *ssl, int use_tickets )
 {
@ -5884,6 +5904,7 @@ int ssl_handshake( ssl_context *ssl )
    return( ret );
 }

+#if defined(POLARSSL_SSL_RENEGOTIATION)
 #if defined(POLARSSL_SSL_SRV_C)
 /*
 * Write HelloRequest to request renegotiation on server
@ -6009,6 +6030,30 @@ int ssl_renegotiate( ssl_context *ssl )
    return( ret );
 }

+/*
+ * Check record counters and renegotiate if they're above the limit.
+ */
+static int ssl_check_ctr_renegotiate( ssl_context *ssl )
+{
+    if( ssl->state != SSL_HANDSHAKE_OVER ||
+        ssl->renegotiation == SSL_RENEGOTIATION_PENDING ||
+        ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED )
+    {
+        return( 0 );
+    }
+
+    // TODO: adapt for DTLS
+    if( memcmp( ssl->in_ctr,  ssl->renego_period, 8 ) <= 0 &&
+        memcmp( ssl->out_ctr, ssl->renego_period, 8 ) <= 0 )
+    {
+        return( 0 );
+    }
+
+    SSL_DEBUG_MSG( 0, ( "record counter limit reached: renegotiate" ) );
+    return( ssl_renegotiate( ssl ) );
+}
+#endif /* POLARSSL_SSL_RENEGOTIATION */
+
 /*
 * Receive application data decrypted from the SSL layer
 */
@ -6034,6 +6079,14 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
    }
 #endif

+#if defined(POLARSSL_SSL_RENEGOTIATION)
+    if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
+    {
+        SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
+        return( ret );
+    }
+#endif
+
    if( ssl->state != SSL_HANDSHAKE_OVER )
    {
        ret = ssl_handshake( ssl );
@ -6084,6 +6137,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
            }
        }

+#if defined(POLARSSL_SSL_RENEGOTIATION)
        if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
        {
            SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
@ -6194,6 +6248,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
                }
            }
        }
+#endif /* POLARSSL_SSL_RENEGOTIATION */

        /* Fatal and closure alerts handled by ssl_read_record() */
        if( ssl->in_msgtype == SSL_MSG_ALERT )
@ -6263,6 +6318,14 @@ int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )

    SSL_DEBUG_MSG( 2, ( "=> write" ) );

+#if defined(POLARSSL_SSL_RENEGOTIATION)
+    if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
+    {
+        SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
+        return( ret );
+    }
+#endif
+
    if( ssl->state != SSL_HANDSHAKE_OVER )
    {
        if( ( ret = ssl_handshake( ssl ) ) != 0 )