tls: new parameter 'renegotiation' to enable/disable client renegotiation

- default is 0 (renegotiation disabled), to protect against SSL
  renegotiation attack
- can be enabled by setting it to 1

modules/tls/tls_domain.c

@@ -591,6 +591,40 @@ static int set_verification(tls_domain_t* d)
 }
 
 
+/* This callback function is executed when libssl processes the SSL
+ * handshake and does SSL record layer stuff. It's used to trap
+ * client-initiated renegotiations.
+ */
+
+static void sr_ssl_ctx_info_callback(const SSL *ssl, int event, int ret)
+{
+	struct tls_extra_data* data = 0;
+	int tls_dbg;
+
+	if (event & SSL_CB_HANDSHAKE_START) {
+		tls_dbg = cfg_get(tls, tls_cfg, debug);
+		LOG(tls_dbg, "SSL handshake started\n");
+		if(data==0)
+			data = (struct tls_extra_data*)SSL_get_app_data(ssl);
+		if(data->flags & F_TLS_CON_HANDSHAKED) {
+			LOG(tls_dbg, "SSL renegotiation initiated by client\n");
+			data->flags |= F_TLS_CON_RENEGOTIATION;
+		}
+	}
+	if (event & SSL_CB_HANDSHAKE_DONE) {
+		tls_dbg = cfg_get(tls, tls_cfg, debug);
+		if(data==0)
+			data = (struct tls_extra_data*)SSL_get_app_data(ssl);
+		LOG(tls_dbg, "SSL handshake done\n");
+		/* CVE-2009-3555 - disable renegotiation */
+		if (ssl->s3) {
+			LOG(tls_dbg, "SSL disable renegotiation\n");
+			ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+		}
+		data->flags |= F_TLS_CON_HANDSHAKED;
+	}
+}
+
 /**
  * @brief Configure generic SSL parameters 
  * @param d domain
@@ -635,6 +669,8 @@ static int set_ssl_options(tls_domain_t* d)
 #endif
 	for(i = 0; i < procs_no; i++) {
 		SSL_CTX_set_options(d->ctx[i], options);
+		if(sr_tls_renegotiation==0)
+			SSL_CTX_set_info_callback(d->ctx[i], sr_ssl_ctx_info_callback);
 	}
 	return 0;
 }

modules/tls/tls_mod.c

@@ -175,6 +175,8 @@ tls_domains_cfg_t** tls_domains_cfg = NULL;
 gen_lock_t* tls_domains_cfg_lock = NULL;
 
 
+int sr_tls_renegotiation = 0;
+
 /*
  * Exported functions
  */
@@ -218,6 +220,7 @@ static param_export_t params[] = {
 	{"tls_force_run",       PARAM_INT,    &default_tls_cfg.force_run},
 	{"low_mem_threshold1",  PARAM_INT,    &default_tls_cfg.low_mem_threshold1},
 	{"low_mem_threshold2",  PARAM_INT,    &default_tls_cfg.low_mem_threshold2},
+	{"renegotiation",       PARAM_INT,    &sr_tls_renegotiation},
 	{0, 0, 0}
 };
 

modules/tls/tls_mod.h

@@ -53,4 +53,6 @@ extern tls_domain_t srv_defaults;
 
 extern str tls_domains_cfg_file;
 
+extern int sr_tls_renegotiation;
+
 #endif /* _TLS_MOD_H */

modules/tls/tls_server.c

@@ -209,6 +209,10 @@ static int tls_complete_init(struct tcp_connection* c)
 #endif
 	SSL_set_bio(data->ssl, data->rwbio, data->rwbio);
 	c->extra_data = data;
+
+	/* link the extra data struct inside ssl connection*/
+	SSL_set_app_data(data->ssl, data);
+
 	return 0;
 
  error:
@@ -908,6 +912,7 @@ int tls_read_f(struct tcp_connection* c, int* flags)
 	int n, flush_flags;
 	char* err_src;
 	int x;
+	int tls_dbg;
 	
 	TLS_RD_TRACE("(%p, %p (%d)) start (%s -> %s:%d*)\n",
 					c, flags, *flags,
@@ -1092,15 +1097,26 @@ continue_ssl_read:
 			 *  In the later case, this whole function should be called again
 			 *  once there is more output space (set RD_CONN_REPEAT_READ).
 			 */
-			if (unlikely(n <= 0)) {
-				ssl_error = SSL_get_error(ssl, n);
-				err_src = "TLS read:";
-				/*  errors handled below, outside the lock */
+
+			if (unlikely(tls_c->flags & F_TLS_CON_RENEGOTIATION)) {
+				/* Fix CVE-2009-3555 - disable renegotiation if started by client
+				 * - simulate SSL EOF to force close connection*/
+				tls_dbg = cfg_get(tls, tls_cfg, debug);
+				LOG(tls_dbg, "Reading on a renegotiation of connection (n:%d) (%d)\n",
+						n, SSL_get_error(ssl, n));
+				err_src = "TLS R-N read:";
+				ssl_error = SSL_ERROR_ZERO_RETURN;
 			} else {
-				ssl_error = SSL_ERROR_NONE;
-				r->pos += n;
-				ssl_read += n;
-				bytes_free -=n;
+				if (unlikely(n <= 0)) {
+					ssl_error = SSL_get_error(ssl, n);
+					err_src = "TLS read:";
+					/*  errors handled below, outside the lock */
+				} else {
+					ssl_error = SSL_ERROR_NONE;
+					r->pos += n;
+					ssl_read += n;
+					bytes_free -=n;
+				}
 			}
 			TLS_RD_TRACE("(%p, %p) SSL_read() => %d (err=%d) ssl_read=%d"
 							" *flags=%d tls_c->flags=%d\n",

modules/tls/tls_server.h

@@ -49,7 +49,9 @@ struct tls_rd_buf {
 };
 
 /* tls conn flags */
-#define F_TLS_CON_WR_WANTS_RD 1 /* write wants read */
+#define F_TLS_CON_WR_WANTS_RD    1 /* write wants read */
+#define F_TLS_CON_HANDSHAKED     2 /* connection is handshaked */
+#define F_TLS_CON_RENEGOTIATION  4 /* renegotiation by clinet */
 
 struct tls_extra_data {
 	tls_domains_cfg_t* cfg; /* Configuration used for this connection */