httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <jor...@redhat.com>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Fri, 06 Nov 2009 00:00:06 GMT
On Thu, Nov 05, 2009 at 09:31:00PM +0000, Joe Orton wrote:
> * we can detect in mod_ssl when the client is renegotiating by using the 
> callback installed using SSL_CTX_set_info_callback(), in conjunction 
> with suitable flags in the SSLConnRec to detect the cases where this is 
> either a server-initiated renegotiation or the initial handshake on the 
> connection.

Here is a very rough first hack (for discussion/testing purposes only!):

Index: ssl_private.h
===================================================================
--- ssl_private.h	(revision 832979)
+++ ssl_private.h	(working copy)
@@ -335,6 +335,14 @@
     int is_proxy;
     int disabled;
     int non_ssl_request;
+    enum { 
+        RENEG_INIT = 0, /* before initial handshake. */
+        RENEG_ALLOW, /* a server-initated renegotiation is taking place */
+        RENEG_REJECT, /* after initial handshake; any client-initiated
+                       * renegotiation should be rejected. */
+        RENEG_ABORT /* renegotiation initiated by client, abort abort */
+    } reneg_state;
+    
     server_rec *server;
 } SSLConnRec;
 
Index: ssl_engine_init.c
===================================================================
--- ssl_engine_init.c	(revision 832979)
+++ ssl_engine_init.c	(working copy)
@@ -520,7 +520,7 @@
     SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
 
-    if (s->loglevel >= APLOG_DEBUG) {
+    if (1 || s->loglevel >= APLOG_DEBUG) {
         /* this callback only logs if LogLevel >= info */
         SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
     }
Index: ssl_engine_io.c
===================================================================
--- ssl_engine_io.c	(revision 832979)
+++ ssl_engine_io.c	(working copy)
@@ -190,10 +190,27 @@
     return -1;
 }
 
+static int conn_in_reneg(conn_rec *c)
+{
+    SSLConnRec *scr = myConnConfig(c);
+    
+    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+                  "reneg_state == %s", scr->reneg_state == RENEG_INIT ? "INIT" :
+                  scr->reneg_state == RENEG_REJECT ? "REJECT" :
+                  scr->reneg_state == RENEG_ALLOW ? "ALLOW" : "ABORT");
+
+    return scr->reneg_state == RENEG_ABORT;
+}
+
 static int bio_filter_out_write(BIO *bio, const char *in, int inl)
 {
     bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
-
+    
+    if (conn_in_reneg(outctx->c)) {
+        outctx->rc = APR_EACCES;
+        return -1;
+    }
+    
     /* when handshaking we'll have a small number of bytes.
      * max size SSL will pass us here is about 16k.
      * (16413 bytes to be exact)
@@ -476,6 +493,11 @@
     if (!in)
         return 0;
 
+    if (conn_in_reneg(inctx->f->c)) {
+        inctx->rc = APR_EACCES;
+        return -1;
+    }
+
     /* In theory, OpenSSL should flush as necessary, but it is known
      * not to do so correctly in some cases; see PR 46952.
      *
Index: ssl_engine_kernel.c
===================================================================
--- ssl_engine_kernel.c	(revision 832979)
+++ ssl_engine_kernel.c	(working copy)
@@ -733,6 +733,8 @@
                                        (unsigned char *)&id,
                                        sizeof(id));
 
+            sslconn->reneg_state = RENEG_ALLOW;
+            
             SSL_renegotiate(ssl);
             SSL_do_handshake(ssl);
 
@@ -754,6 +756,8 @@
             SSL_set_state(ssl, SSL_ST_ACCEPT);
             SSL_do_handshake(ssl);
 
+            sslconn->reneg_state = RENEG_REJECT;
+
             if (SSL_get_state(ssl) != SSL_ST_OK) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                               "Re-negotiation handshake failed: "
@@ -1824,7 +1828,8 @@
     conn_rec *c;
     server_rec *s;
     SSLSrvConfigRec *sc;
-
+    SSLConnRec *scr;
+    
     /*
      * find corresponding server
      */
@@ -1837,6 +1842,18 @@
         return;
     }
 
+    scr = myConnConfig(c);
+
+    {
+        int state = SSL_get_state(ssl);
+        
+        if (scr->reneg_state == RENEG_REJECT
+            && (state == SSL3_ST_SR_CLNT_HELLO_A
+                || state == SSL23_ST_SR_CLNT_HELLO_A)) {
+            scr->reneg_state = RENEG_ABORT;
+        }
+    }
+    
     /*
      * create the various trace messages
      */
@@ -1900,6 +1917,9 @@
                      ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER"),
                      ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_USEKEYSIZE"),
                      ssl_var_lookup(NULL, s, c, NULL, "SSL_CIPHER_ALGKEYSIZE"));
+        if (scr->reneg_state == RENEG_INIT) {
+            scr->reneg_state = RENEG_REJECT;
+        }
     }
 }
 

Mime
View raw message