Forbid renegotiation in TLS 1.3.

Change-Id: I1b34acbbb5528e7e31595ee0cbce7618890f3955 Reviewed-on: https://boringssl-review.googlesource.com/8669 Reviewed-by: David Benjamin <davidben@google.com>
2016-07-08 14:14:36 -07:00 · 2016-07-08 14:14:36 -07:00 · 397c8e6fb6
commit 397c8e6fb6
parent 71dd6660e8
3 changed files with 37 additions and 6 deletions
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@ -574,12 +574,14 @@ again:
  ssl_do_msg_callback(ssl, 0 /* read */, ssl->version, SSL3_RT_HANDSHAKE,
                      ssl->init_buf->data, ssl->init_buf->length);

+  /* Ignore stray HelloRequest messages. Per RFC 5246, section 7.4.1.1, the
+   * server may send HelloRequest at any time. */
  static const uint8_t kHelloRequest[4] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
-  if (!ssl->server && ssl->init_buf->length == sizeof(kHelloRequest) &&
+  if (!ssl->server &&
+      (!ssl->s3->have_version ||
+       ssl3_protocol_version(ssl) < TLS1_3_VERSION) &&
+      ssl->init_buf->length == sizeof(kHelloRequest) &&
      memcmp(kHelloRequest, ssl->init_buf->data, sizeof(kHelloRequest)) == 0) {
-    /* The server may always send 'Hello Request' messages -- we are doing a
-     * handshake anyway now, so ignore them if their format is correct.  Does
-     * not count for 'Finished' MAC. */
    goto again;
  }

--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@ -353,6 +353,10 @@ void ssl3_read_close_notify(SSL *ssl) {
 }

 static int ssl3_can_renegotiate(SSL *ssl) {
+  if (ssl->server || ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+    return 0;
+  }
+
  switch (ssl->renegotiate_mode) {
    case ssl_renegotiate_never:
      return 0;
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -4542,7 +4542,7 @@ func addRenegotiationTests() {
 		},
 	})

-	// Stray HelloRequests during the handshake are ignored.
+	// Stray HelloRequests during the handshake are ignored in TLS 1.2.
 	testCases = append(testCases, testCase{
 		name: "StrayHelloRequest",
 		config: Config{
@ -4563,7 +4563,32 @@ func addRenegotiationTests() {
 		},
 	})

-	// TODO(davidben): Add a test that HelloRequests are illegal in TLS 1.3.
+	// Renegotiation is forbidden in TLS 1.3.
+	testCases = append(testCases, testCase{
+		name: "Renegotiate-Client-TLS13",
+		config: Config{
+			MaxVersion: VersionTLS13,
+		},
+		renegotiate: 1,
+		flags: []string{
+			"-renegotiate-freely",
+		},
+		shouldFail:    true,
+		expectedError: ":NO_RENEGOTIATION:",
+	})
+
+	// Stray HelloRequests during the handshake are forbidden in TLS 1.3.
+	testCases = append(testCases, testCase{
+		name: "StrayHelloRequest-TLS13",
+		config: Config{
+			MaxVersion: VersionTLS13,
+			Bugs: ProtocolBugs{
+				SendHelloRequestBeforeEveryHandshakeMessage: true,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNEXPECTED_MESSAGE:",
+	})
 }

 func addDTLSReplayTests() {