From 1332f35a4eadb89a066e8a3fe8ea9f18c59ad372 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 5 Feb 2019 15:06:15 +0000
Subject: [PATCH] Don't reuse CRT from initial handshake during renegotiation

After mitigating the 'triple handshake attack' by checking that the peer's end-CRT didn't change during renegotation, the current code avoids re-parsing the CRT by moving the CRT-pointer from the old session to the new one. While efficient, this will no longer work once only the hash of the peer's CRT is stored beyond the handshake.

This commit removes the code-path moving the old CRT, and instead frees the entire peer CRT chain from the initial handshake as soon as the 'triple handshake attack' protection has completed.
---
 library/ssl_tls.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a5c8c33f9..b6f1d9326 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6315,18 +6315,12 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl )
                 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
             }
 
-            /* Move CRT chain structure to new session instance. */
-            ssl->session_negotiate->peer_cert = ssl->session->peer_cert;
-            ssl->session->peer_cert = NULL;
+            /* Now we can safely free the original chain. */
+            mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
+            mbedtls_free( ssl->session_negotiate->peer_cert );
+            ssl->session_negotiate->peer_cert = NULL;
 
-            /* Delete all remaining CRTs from the original CRT chain. */
-            mbedtls_x509_crt_free(
-                ssl->session_negotiate->peer_cert->next );
-            mbedtls_free( ssl->session_negotiate->peer_cert->next );
-            ssl->session_negotiate->peer_cert->next = NULL;
-
-            i += n;
-            continue;
+            /* Intentional fallthrough. */
         }
 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
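Review bot: Freeing `ssl->session_negotiate->peer_cert` and then falling through relies on two invariants this hunk does not show: the block must run only for the first CRT of the chain, and the parsing code below must (re)allocate `peer_cert` now that it is NULL. The removed `i += n; continue;` lines show the block sits inside the per-CRT loop, so if its guard (outside the hunk) is re-evaluated on later iterations it would free the CRT just parsed from the new chain and leave a dangling head for the later chain verification; if the guard is already restricted to the first CRT, that fact belongs next to the free rather than in the commit message. I would replace `/* Intentional fallthrough. */` with `/* Fall through: from here the CRT is parsed like a fresh one, so the code below must (re)allocate session_negotiate->peer_cert; this block runs for the first CRT only. */`. ssl_parse_certificate_chain begins and ends outside the hunk.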