Skip to content

Make sure we check an incoming reneg ClientHello in DTLS (1.1.0) #5191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mattcaswell wants to merge 1 commit into from
Closed

Make sure we check an incoming reneg ClientHello in DTLS (1.1.0) #5191

mattcaswell wants to merge 1 commit into from

Conversation

@mattcaswell
Copy link
Member

@mattcaswell mattcaswell commented Jan 29, 2018

In TLS we have a check to make sure an incoming reneg ClientHello is
acceptable. The equivalent check is missing in the DTLS code. This means
that if a client does not signal the ability to handle secure reneg in the
initial handshake, then a subsequent reneg handshake should be rejected by
the server. In the DTLS case the reneg was being allowed if the the 2nd
ClientHello had a renegotiation_info extension. This is incorrect.

While incorrect, this does not represent a security issue because if
the renegotiation_info extension is present in the second ClientHello it
also has to be correct. Therefore this will only work if both the client
and server believe they are renegotiating, and both know the previous
Finished result. This is not the case in an insecure rengotiation attack.

I have also tidied up the check in the TLS code and given a better check
for determining whether we are renegotiating or not.

This is related to PR #5190, but the same approach used there can't be used in 1.1.0 or below.

This was referenced Jan 29, 2018
Closed
Closed
richsalz
richsalz approved these changes Jan 29, 2018
View reviewed changes
ssl/record/rec_layer_d1.c Outdated
Copy link
Contributor

@richsalz richsalz Jan 29, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

side-note: what's the meaning of 4? reneg message len?

Copy link
Member Author

@mattcaswell mattcaswell Jan 29, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question. This is the size of a handshake header message. Probably the 4 here should be SSL3_HM_HEADER_LENGTH. Mind if I change it before I push?

Copy link
Contributor

@richsalz richsalz Jan 29, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please do. and in the other PR's too, if applicable. reconfirmed.

@mattcaswell
Make sure we check an incoming reneg ClientHello in DTLS
d62ef9e 
In TLS we have a check to make sure an incoming reneg ClientHello is
acceptable. The equivalent check is missing in the DTLS code. This means
that if a client does not signal the ability to handle secure reneg in the
initial handshake, then a subsequent reneg handshake should be rejected by
the server. In the DTLS case the reneg was being allowed if the the 2nd
ClientHello had a renegotiation_info extension. This is incorrect.

While incorrect, this does not represent a security issue because if
the renegotiation_info extension is present in the second ClientHello it
also has to be *correct*. Therefore this will only work if both the client
and server believe they are renegotiating, and both know the previous
Finished result. This is not the case in an insecure rengotiation attack.

I have also tidied up the check in the TLS code and given a better check
for determining whether we are renegotiating or not.
@mattcaswell
Copy link
Member Author

mattcaswell commented Jan 30, 2018

Grrr. Replacing the magic 4 value (as per above discussion) made me realise that there was a copy&paste error in this code. In TLS the value is SSL3_HM_HEADER_LENGTH (4), but in DTLS it needs to be DTLS1_HM_HEADER_LENGTH (12). Please reconfirm.

@richsalz
Copy link
Contributor

richsalz commented Jan 30, 2018

:) reconfirm.

@richsalz
Copy link
Contributor

richsalz commented Jan 30, 2018

magic numbers are bad, sometimes for unexpected reasons :) reconfirm.

@mattcaswell
Copy link
Member Author

mattcaswell commented Jan 30, 2018

Pushed. Thanks.

levitte pushed a commit that referenced this pull request Jan 30, 2018
@mattcaswell
Make sure we check an incoming reneg ClientHello in DTLS
1249258 
In TLS we have a check to make sure an incoming reneg ClientHello is
acceptable. The equivalent check is missing in the DTLS code. This means
that if a client does not signal the ability to handle secure reneg in the
initial handshake, then a subsequent reneg handshake should be rejected by
the server. In the DTLS case the reneg was being allowed if the the 2nd
ClientHello had a renegotiation_info extension. This is incorrect.

While incorrect, this does not represent a security issue because if
the renegotiation_info extension is present in the second ClientHello it
also has to be *correct*. Therefore this will only work if both the client
and server believe they are renegotiating, and both know the previous
Finished result. This is not the case in an insecure rengotiation attack.

I have also tidied up the check in the TLS code and given a better check
for determining whether we are renegotiating or not.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from #5191)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@richsalz richsalz richsalz approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mattcaswell @richsalz