reject no_renegotiation alert if handshake is incomplete

2020-09-04 15:50:04 +08:00 · 2020-09-04 15:50:04 +08:00 · 549f30e471
commit 549f30e471
parent be82632434
2 changed files with 119 additions and 1 deletions
--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,6 +1,6 @@
 Name: gnutls
 Version: 3.6.14
-Release: 1
+Release: 2
 Summary: The GNU Secure Communication Protocol Library

 License: LGPLv2.1+ and GPLv3+
@ -8,6 +8,7 @@ URL: https://www.gnutls.org/
 Source0: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz
 Source1: https://www.gnupg.org/ftp/gcrypt/%{name}/v3.6/%{name}-%{version}.tar.xz.sig
 Patch0: fix-ipv6-handshake-failed.patch
+Patch1: handshake-reject-no_renegotiation-alert-if-handshake.patch

 %bcond_without dane
 %bcond_with guile
@ -194,6 +195,9 @@ make check %{?_smp_mflags}
 %endif

 %changelog
+* Fri Sep 4 2020 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 3.6.14-2
+- reject no_renegotiation alert if handshake is incomplete
+
 * Mon Jul 27 2020 wangchen <wangchen137@huawei.com> - 3.6.14-1
 - update to 3.6.14

--- a/handshake-reject-no_renegotiation-alert-if-handshake.patch
+++ b/handshake-reject-no_renegotiation-alert-if-handshake.patch
@ -0,0 +1,114 @@
+From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 22 Aug 2020 17:19:39 +0200
+Subject: [PATCH 223/223] handshake: reject no_renegotiation alert if handshake
+ is incomplete
+
+If the initial handshake is incomplete and the server sends a
+no_renegotiation alert, the client should treat it as a fatal error
+even if its level is warning.  Otherwise the same handshake
+state (e.g., DHE parameters) are reused in the next gnutls_handshake
+call, if it is called in the loop idiom:
+
+  do {
+          ret = gnutls_handshake(session);
+  } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ lib/gnutls_int.h                                   |   1 +
+ lib/handshake.c                                    |  48 +++++++++++++++------
+ 2 files changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index bb6c197..31cec5c 100644
+--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
+@@ -1370,6 +1370,7 @@ typedef struct {
+ #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
+ #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
+ #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
+#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
+ 
+ 	/* The hsk_flags are for use within the ongoing handshake;
+ 	 * they are reset to zero prior to handshake start by gnutls_handshake. */
+diff --git a/lib/handshake.c b/lib/handshake.c
+index b40f84b..ce2d160 100644
+--- a/lib/handshake.c
+++ b/lib/handshake.c
+@@ -2061,6 +2061,8 @@ read_server_hello(gnutls_session_t session,
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+ 
+	session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
+
+ 	return 0;
+ }
+ 
+@@ -2585,16 +2587,42 @@ int gnutls_rehandshake(gnutls_session_t session)
+ 	return 0;
+ }
+ 
+/* This function checks whether the error code should be treated fatal
+ * or not, and also does the necessary state transition.  In
+ * particular, in the case of a rehandshake abort it resets the
+ * handshake's internal state.
+ */
+ inline static int
+ _gnutls_abort_handshake(gnutls_session_t session, int ret)
+ {
+-	if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
+-	     (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
+-	    || ret == GNUTLS_E_GOT_APPLICATION_DATA)
+-		return 0;
+	switch (ret) {
+	case GNUTLS_E_WARNING_ALERT_RECEIVED:
+		if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
+			/* The server always toleretes a "no_renegotiation" alert. */
+			if (session->security_parameters.entity == GNUTLS_SERVER) {
+				STATE = STATE0;
+				return ret;
+			}
+
+			/* The client should tolerete a "no_renegotiation" alert only if:
+			 * - the initial handshake has completed, or
+			 * - a Server Hello is not yet received
+			 */
+			if (session->internals.initial_negotiation_completed ||
+			    !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
+				STATE = STATE0;
+				return ret;
+			}
+ 
+-	/* this doesn't matter */
+-	return GNUTLS_E_INTERNAL_ERROR;
+			return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+		}
+		return ret;
+	case GNUTLS_E_GOT_APPLICATION_DATA:
+		STATE = STATE0;
+		return ret;
+	default:
+		return ret;
+	}
+ }
+ 
+ 
+@@ -2756,13 +2784,7 @@ int gnutls_handshake(gnutls_session_t session)
+ 	}
+ 
+ 	if (ret < 0) {
+-		/* In the case of a rehandshake abort
+-		 * we should reset the handshake's internal state.
+-		 */
+-		if (_gnutls_abort_handshake(session, ret) == 0)
+-			STATE = STATE0;
+-
+-		return ret;
+		return _gnutls_abort_handshake(session, ret);
+ 	}
+ 
+ 	/* clear handshake buffer */
+-- 
+1.8.3.1
+