summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2025-03-12 14:03:55 +0000
committerjsing <>2025-03-12 14:03:55 +0000
commitcc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af (patch)
tree115a09cea80866af43519a40dfdd3e9409e4cc96
parent93373bbf82b95dab0336951cf191b5fecde0597c (diff)
downloadopenbsd-cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af.tar.gz
openbsd-cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af.tar.bz2
openbsd-cc5a28ea6d2a0de9bcd56f07684bdc53cdfd10af.zip
Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION.
In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an active connection (client initiated renegotation). Then in May 2017 OpenSSL added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION warning alert if a server receives a ClientHello on an active connection (client initiated renegotation), or a client receives a HelloRequest (server requested renegotation). This option also causes calls to SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021, OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages (apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard). Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION, primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION ineffective. The rest of the behaviour should match OpenSSL, with the exception of ClientHellos triggering fatal alerts instead of warnings. ok tb@
-rw-r--r--src/lib/libssl/d1_pkt.c12
-rw-r--r--src/lib/libssl/ssl.h6
-rw-r--r--src/lib/libssl/ssl_lib.c12
-rw-r--r--src/lib/libssl/ssl_pkt.c12
4 files changed, 36 insertions, 6 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index cf32ca8cd6..8ba0bb0bcf 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_pkt.c,v 1.129 2024/07/20 04:04:23 jsing Exp $ */ 1/* $OpenBSD: d1_pkt.c,v 1.130 2025/03/12 14:03:55 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -592,6 +592,12 @@ dtls1_read_handshake_unexpected(SSL *s)
592 tls_content_clear(s->s3->rcontent); 592 tls_content_clear(s->s3->rcontent);
593 s->s3->rrec.length = 0; 593 s->s3->rrec.length = 0;
594 594
595 if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) {
596 ssl3_send_alert(s, SSL3_AL_WARNING,
597 SSL_AD_NO_RENEGOTIATION);
598 return 1;
599 }
600
595 /* 601 /*
596 * It should be impossible to hit this, but keep the safety 602 * It should be impossible to hit this, but keep the safety
597 * harness for now... 603 * harness for now...
@@ -644,7 +650,9 @@ dtls1_read_handshake_unexpected(SSL *s)
644 return -1; 650 return -1;
645 } 651 }
646 652
647 if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { 653 if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0 ||
654 ((s->options & SSL_OP_NO_RENEGOTIATION) != 0 &&
655 (s->options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) == 0)) {
648 ssl3_send_alert(s, SSL3_AL_FATAL, 656 ssl3_send_alert(s, SSL3_AL_FATAL,
649 SSL_AD_NO_RENEGOTIATION); 657 SSL_AD_NO_RENEGOTIATION);
650 return -1; 658 return -1;
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 062c6dcbb9..a1ed22b778 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl.h,v 1.246 2025/03/09 15:53:36 tb Exp $ */ 1/* $OpenBSD: ssl.h,v 1.247 2025/03/12 14:03:55 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -389,6 +389,10 @@ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
389#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L 389#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
390/* Disallow client initiated renegotiation. */ 390/* Disallow client initiated renegotiation. */
391#define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L 391#define SSL_OP_NO_CLIENT_RENEGOTIATION 0x00020000L
392/* Disallow client and server initiated renegotiation. */
393#define SSL_OP_NO_RENEGOTIATION 0x00040000L
394/* Allow client initiated renegotiation. */
395#define SSL_OP_ALLOW_CLIENT_RENEGOTIATION 0x00080000L
392/* If set, always create a new key when using tmp_dh parameters */ 396/* If set, always create a new key when using tmp_dh parameters */
393#define SSL_OP_SINGLE_DH_USE 0x00100000L 397#define SSL_OP_SINGLE_DH_USE 0x00100000L
394/* Set on servers to choose the cipher according to the server's 398/* Set on servers to choose the cipher according to the server's
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 63d72baf8e..ce68981493 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.330 2024/09/22 14:59:48 tb Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.331 2025/03/12 14:03:55 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1308,6 +1308,11 @@ LSSL_ALIAS(SSL_shutdown);
1308int 1308int
1309SSL_renegotiate(SSL *s) 1309SSL_renegotiate(SSL *s)
1310{ 1310{
1311 if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) {
1312 SSLerror(s, SSL_R_NO_RENEGOTIATION);
1313 return 0;
1314 }
1315
1311 if (s->renegotiate == 0) 1316 if (s->renegotiate == 0)
1312 s->renegotiate = 1; 1317 s->renegotiate = 1;
1313 1318
@@ -1320,6 +1325,11 @@ LSSL_ALIAS(SSL_renegotiate);
1320int 1325int
1321SSL_renegotiate_abbreviated(SSL *s) 1326SSL_renegotiate_abbreviated(SSL *s)
1322{ 1327{
1328 if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) {
1329 SSLerror(s, SSL_R_NO_RENEGOTIATION);
1330 return 0;
1331 }
1332
1323 if (s->renegotiate == 0) 1333 if (s->renegotiate == 0)
1324 s->renegotiate = 1; 1334 s->renegotiate = 1;
1325 1335
diff --git a/src/lib/libssl/ssl_pkt.c b/src/lib/libssl/ssl_pkt.c
index 740fe97192..7032175aac 100644
--- a/src/lib/libssl/ssl_pkt.c
+++ b/src/lib/libssl/ssl_pkt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_pkt.c,v 1.68 2024/07/22 14:47:15 jsing Exp $ */ 1/* $OpenBSD: ssl_pkt.c,v 1.69 2025/03/12 14:03:55 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -900,6 +900,12 @@ ssl3_read_handshake_unexpected(SSL *s)
900 tls_buffer_free(s->s3->handshake_fragment); 900 tls_buffer_free(s->s3->handshake_fragment);
901 s->s3->handshake_fragment = NULL; 901 s->s3->handshake_fragment = NULL;
902 902
903 if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) {
904 ssl3_send_alert(s, SSL3_AL_WARNING,
905 SSL_AD_NO_RENEGOTIATION);
906 return 1;
907 }
908
903 /* 909 /*
904 * It should be impossible to hit this, but keep the safety 910 * It should be impossible to hit this, but keep the safety
905 * harness for now... 911 * harness for now...
@@ -947,7 +953,9 @@ ssl3_read_handshake_unexpected(SSL *s)
947 return -1; 953 return -1;
948 } 954 }
949 955
950 if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { 956 if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0 ||
957 ((s->options & SSL_OP_NO_RENEGOTIATION) != 0 &&
958 (s->options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) == 0)) {
951 ssl3_send_alert(s, SSL3_AL_FATAL, 959 ssl3_send_alert(s, SSL3_AL_FATAL,
952 SSL_AD_NO_RENEGOTIATION); 960 SSL_AD_NO_RENEGOTIATION);
953 return -1; 961 return -1;