From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: ** X-Spam-Status: No, score=2.3 required=5.0 tests=DATE_IN_PAST_96_XX, DKIM_INVALID,DKIM_SIGNED autolearn=no autolearn_force=no version=3.4.4 Received: (qmail 19978 invoked from network); 19 Jan 2023 09:58:30 -0000 Received: from 9front.inri.net (168.235.81.73) by inbox.vuxu.org with ESMTPUTF8; 19 Jan 2023 09:58:30 -0000 Received: from sendmail.purelymail.com ([34.202.193.197]) by 9front; Thu Jan 19 04:57:34 -0500 2023 DKIM-Signature: a=rsa-sha256; b=oHPqhcum8EIHwdJERv7mMrwgaU9fNDWq62g8s9GVtl609eDTXgBK4ER+yWKsoLvS5rsjqfEYEw3cI1ROhT3Q0kG217gSO5HXa+fuYGmcA6Sl0yIeGForE5UZeeEvX/IXBY3sueA9TSBsoB9+MtgdaAuFfmPRhSQCiFeCM3+VyJ8hCdBuikFoNMp+SWp4C0k622ywsGOcYA66olw0UrMILGy2W/13s+4AhIMzFhMNZbbe/h0Yi7+AFJ+lA3Q6ZGL4ny+VJbx4KpreCc9631WSHhnf6QLhlPuwOdB0eDwdgik00RhTj965X5RkQ4hhQlQu1CAidLOE1b46T3qP9nC5gA==; s=purelymail3; d=pbrane.org; v=1; bh=ue+5OeoXaTWF6wiyMmGV9BhgPw1URhT81sm//DvVeVs=; h=Received:From:Subject:To; DKIM-Signature: a=rsa-sha256; b=iP+2yzbuTFpeOonT1YBPdETva3p5h+bmyWhFBrxLDwlOivZczy1lmE96XvB4GngVJWcMkw865Vk9yn1FBnTl+9huyXp2+03hwqhPNjz3QvG82zbRq9EdBzEiG6t19r9f/oFLqcvu+Z1+IU6dZHM6jZYCi63U0JQcisvzaA72G3IkmryBpTtOI6GTZV/jEKMMVoGD0OxJj6ztvvKTc9zCmy4EcO/7xcGdpSld/Lxf53op166EgIanhmLoQPh6vWuRK2C9l927qoEyeGijZS1XtLWKaODPXocHyM3FYquHj5Hx8goGGdN4STaWVtJ6uVhudDJNgH+jm42k22tXQg4aDQ==; s=purelymail3; d=purelymail.com; v=1; bh=ue+5OeoXaTWF6wiyMmGV9BhgPw1URhT81sm//DvVeVs=; h=Feedback-ID:Received:From:Subject:To; Feedback-ID: 10987:2443:null:purelymail X-Pm-Original-To: 9front@9front.org Received: by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id 843677584 for <9front@9front.org> (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Thu, 19 Jan 2023 09:57:24 +0000 (UTC) 
From: Anthony Martin Date: Thu, 10 Nov 2022 02:24:40 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable To: 9front@9front.org Message-ID: <4365133EA2FEAE04696BACCDC2F93979@alice> In-Reply-To: X-MIME-Autoconverted: from 8bit to quoted-printable by Purelymail List-ID: <9front.9front.org> List-Help: X-Glyph: ➈ X-Bullshit: structured browser factory pipelining-oriented frontend Subject: [9front] [PATCH] libsec: add minimal support for the tls renegotiation extension Reply-To: 9front@9front.org Precedence: bulk OpenSSL 3.0 clients refuse to connect to servers that do not support the renegotiation extension (RFC 5746) unless the default configuration is changed to allow it. Since we do not support renegotiation, we only need to make minor changes to the initial handshake to comply with the specification: 1. For tlsClient, simply add the proper SCSV to the ClientHello cipher list (cf. RFC 5746 =C2=A7 3.3); 2. For tlsServer, respond with an empty renegotiation extension in the ServerHello if we received either the SCSV or an empty renegotiation extension in the ClientHello. Since we close the hand file and never open it after the initial handshake, we can rely on tls(3) to send the "no renegotiation" alerts if subsequent handshake records are received. --- diff bb36ba0617b5aa8263ea9b5ece8c1a5249fedc86 20060574cb77ba3655739f67fe290= 270ccc21cb9 --- a/sys/src/libsec/port/tlshand.c=09Tue Jan 17 05:14:06 2023 +++ b/sys/src/libsec/port/tlshand.c=09Wed Nov 9 18:24:40 2022 @@ -68,6 +68,7 @@ =09uchar sec[MasterSecretSize];=09// master secret =09uchar srandom[RandomSize];=09// server random =09uchar crandom[RandomSize];=09// client random +=09int reneg;=09=09=09// secure renegotiation flag =20 =09Namedcurve *nc; // selected curve for ECDHE =09// diffie hellman state 
@@ -251,6 +252,7 @@ =09TLS_PSK_WITH_AES_128_CBC_SHA=09=09=3D 0x008C, =20 =09TLS_FALLBACK_SCSV =3D 0x5600, +=09TLS_EMPTY_RENEGOTIATION_INFO_SCSV =3D 0x00FF, }; =20 // compression methods @@ -271,6 +273,7 @@ =09Extec =3D 0x000a, =09Extecp =3D 0x000b, =09Extsigalgs =3D 0x000d, +=09Extreneg =3D 0xff01, }; =20 static Algs cipherAlgs[] =3D { @@ -670,6 +673,16 @@ =09=09=09=09=09=09break; =09=09=09=09=09} =09=09=09break; +=09=09case Extreneg: +=09=09=09if(n < 1 || *p !=3D (n -=3D 1)) +=09=09=09=09goto Short; +=09=09=09if(*p !=3D 0){ +=09=09=09=09tlsError(c, EHandshakeFailure, "invalid renegotiation extensio= n"); +=09=09=09=09return -1; +=09=09=09} +=09=09=09c->sec->reneg =3D 1; +=09=09=09p++; + =09=09} =09} =20 @@ -679,13 +692,37 @@ =09return -1;=20 }=20 =20 +static uchar* +tlsServerExtensions(TlsConnection *c, int *plen) +{ +=09uchar *b, *p; +=09int m; + +=09p =3D b =3D nil; + +=09// RFC5746 - Renegotiation Indication +=09if(c->sec->reneg){ +=09=09m =3D p - b; +=09=09b =3D erealloc(b, m + 2+2+1); +=09=09p =3D b + m; + +=09=09put16(p, Extreneg), p +=3D 2;=09/* Type: renegotiation_info */ +=09=09put16(p, 1), p +=3D 2;=09=09/* Length */ +=09=09*p++ =3D 0;=09=09=09/* Renegotiated Connection Length */ +=09} + +=09*plen =3D p - b; +=09return b; +} + static TlsConnection * tlsServer2(int ctl, int hand, =09uchar *cert, int certlen, =09char *pskid, uchar *psk, int psklen, =09int (*trace)(char*fmt, ...), PEMChain *chp) { -=09int cipher, compressor, numcerts, i; +=09int cipher, compressor, numcerts, i, extlen; +=09uchar *ext; =09TlsConnection *c; =09Msg m; =20 @@ -741,6 +778,8 @@ =09=09=09goto Err; =09=09} =09} +=09if(lookupid(m.u.clientHello.ciphers, TLS_EMPTY_RENEGOTIATION_INFO_SCSV)= >=3D 0) +=09=09c->sec->reneg =3D 1; =09if(checkClientExtensions(c, m.u.clientHello.extensions) < 0) =09=09goto Err; =09cipher =3D okCipher(m.u.clientHello.ciphers, psklen > 0, c->sec->nc != =3D nil); 
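Review bot: In the `case Extreneg:` arm, the test `*p != (n -= 1)` validates the renegotiated_connection length byte and decrements `n` as a side effect in the same expression, and the arm ends with `p++` and no `break`, unlike the case above it. Whether the cursor lands on the next extension depends on how the enclosing loop, which starts outside the hunk, advances `p` using the modified `n`. Writing the check as `if(n < 1 || *p != n-1) goto Short;`, doing `p++, n--;` together after the empty-field test, and ending with `break;` would keep the same effect while making the strict RFC 5746 check easier to audit. At minimum add a comment such as `// n now excludes the length byte; p++ skips it so the loop advance stays aligned`.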
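Review bot: `tlsServerExtensions` has no comment stating its contract. It returns a buffer obtained from `erealloc`, or nil with `*plen` set to 0 when `c->sec->reneg` is clear, and the caller owns the result. A header comment such as `// builds the ServerHello extension block; returns nil and *plen = 0 when there is nothing to send; caller frees` would make that explicit. The `m = p - b` and `erealloc(b, m + 2+2+1)` pattern is evidently meant for appending further extensions, but on this first use both pointers are nil, so a remark that `m` is the number of bytes already written would help whoever adds the next extension.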
@@ -763,6 +802,9 @@ =09m.u.serverHello.cipher =3D cipher; =09m.u.serverHello.compressor =3D compressor; =09m.u.serverHello.sid =3D makebytes(nil, 0); +=09ext =3D tlsServerExtensions(c, &extlen); +=09m.u.serverHello.extensions =3D makebytes(ext, extlen); +=09free(ext); =09if(!msgSend(c, &m, AQueue)) =09=09goto Err; =20 @@ -2273,6 +2315,7 @@ =09for(i =3D 0; i < nelem(cipherAlgs); i++) =09=09if(cipherAlgs[i].ok && isPSK(cipherAlgs[i].tlsid) =3D=3D ispsk) =09=09=09is->data[j++] =3D cipherAlgs[i].tlsid; +=09is->data[j++] =3D TLS_EMPTY_RENEGOTIATION_INFO_SCSV; =09is->len =3D j; =09return is; }
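Review bot: `m.u.serverHello.extensions` is now always set to a non-nil `Bytes`, even when `extlen` is 0 because the client offered neither the SCSV nor the extension. `msgSend` is outside the hunk, so it is worth confirming that it omits the extensions block for a zero-length value rather than appending an empty one, since clients that sent no extensions may not expect trailing bytes in the ServerHello. It is also worth checking that the message cleanup path releases this new `Bytes`, otherwise each handshake would leak it. Guarding the assignment with `if(extlen > 0)` would avoid depending on either behaviour.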
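Review bot: The unconditional `is->data[j++] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV;` appends one entry beyond whatever the filter loop wrote, and the allocation of `is` is outside the hunk. If that array is sized for at most `nelem(cipherAlgs)` entries, the write stays in bounds only because the `isPSK(...) == ispsk` filter happens to skip some rows. The allocation should reserve `nelem(cipherAlgs) + 1` slots so the bound does not depend on the table contents. Separately, nothing visible in this patch makes the client check a `renegotiation_info` extension returned in the ServerHello, which RFC 5746 requires to be empty on an initial handshake; if that check is not done elsewhere, a comment here noting the limitation would be useful.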