Forbid renegotiation in TLS 1.3.

Change-Id: I1b34acbbb5528e7e31595ee0cbce7618890f3955 Reviewed-on: https://boringssl-review.googlesource.com/8669 Reviewed-by: David Benjamin <davidben@google.com>
hace 8 años · 397c8e6fb6
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -574,12 +574,14 @@ again:
  ssl_do_msg_callback(ssl, 0 /* read */, ssl->version, SSL3_RT_HANDSHAKE,
                      ssl->init_buf->data, ssl->init_buf->length);

  /* Ignore stray HelloRequest messages. Per RFC 5246, section 7.4.1.1, the
   * server may send HelloRequest at any time. */
  static const uint8_t kHelloRequest[4] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0};
  if (!ssl->server && ssl->init_buf->length == sizeof(kHelloRequest) &&
  if (!ssl->server &&
      (!ssl->s3->have_version ||
       ssl3_protocol_version(ssl) < TLS1_3_VERSION) &&
      ssl->init_buf->length == sizeof(kHelloRequest) &&
      memcmp(kHelloRequest, ssl->init_buf->data, sizeof(kHelloRequest)) == 0) {
    /* The server may always send 'Hello Request' messages -- we are doing a
     * handshake anyway now, so ignore them if their format is correct.  Does
     * not count for 'Finished' MAC. */
    goto again;
  }

--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -353,6 +353,10 @@ void ssl3_read_close_notify(SSL *ssl) {
 }

 static int ssl3_can_renegotiate(SSL *ssl) {
  if (ssl->server || ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
    return 0;
  }

  switch (ssl->renegotiate_mode) {
    case ssl_renegotiate_never:
      return 0;
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4542,7 +4542,7 @@ func addRenegotiationTests() {
 		},
 	})

 	// Stray HelloRequests during the handshake are ignored.
 	// Stray HelloRequests during the handshake are ignored in TLS 1.2.
 	testCases = append(testCases, testCase{
 		name: "StrayHelloRequest",
 		config: Config{
@@ -4563,7 +4563,32 @@ func addRenegotiationTests() {
 		},
 	})

 	// TODO(davidben): Add a test that HelloRequests are illegal in TLS 1.3.
 	// Renegotiation is forbidden in TLS 1.3.
 	testCases = append(testCases, testCase{
 		name: "Renegotiate-Client-TLS13",
 		config: Config{
 			MaxVersion: VersionTLS13,
 		},
 		renegotiate: 1,
 		flags: []string{
 			"-renegotiate-freely",
 		},
 		shouldFail:    true,
 		expectedError: ":NO_RENEGOTIATION:",
 	})

 	// Stray HelloRequests during the handshake are forbidden in TLS 1.3.
 	testCases = append(testCases, testCase{
 		name: "StrayHelloRequest-TLS13",
 		config: Config{
 			MaxVersion: VersionTLS13,
 			Bugs: ProtocolBugs{
 				SendHelloRequestBeforeEveryHandshakeMessage: true,
 			},
 		},
 		shouldFail:    true,
 		expectedError: ":UNEXPECTED_MESSAGE:",
 	})
 }

 func addDTLSReplayTests() {