From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: **** X-Spam-Status: No, score=4.8 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_SBL_CSS autolearn=no autolearn_force=no version=3.4.4 Received: (qmail 20114 invoked from network); 10 Nov 2022 04:31:39 -0000 Received: from 9front.inri.net (168.235.81.73) by inbox.vuxu.org with ESMTPUTF8; 10 Nov 2022 04:31:39 -0000 Received: from MTA-05-3.privateemail.com ([68.65.122.15]) by 9front; Wed Nov 9 23:30:25 -0500 2022 Received: from mta-05.privateemail.com (localhost [127.0.0.1]) by mta-05.privateemail.com (Postfix) with ESMTP id 1A0B218000AD for <9front@9front.org>; Wed, 9 Nov 2022 23:30:24 -0500 (EST) Received: from localhost (tor-exit-47.for-privacy.net [185.220.101.47]) by mta-05.privateemail.com (Postfix) with ESMTPA id 3FC1D18000A4 for <9front@9front.org>; Wed, 9 Nov 2022 23:30:23 -0500 (EST) X-Mailbox-Line: From d75905c2e41425e0add855e77527b016384c46ec Mon Sep 17 00:00:00 2001 
From: Anthony Martin Date: Thu, 10 Nov 2022 02:24:40 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 To: 9front@9front.org Message-ID: <87988F72F1C2D20B16DE8DA47FB8C262@alice> X-Virus-Scanned: ClamAV using ClamSMTP Content-Transfer-Encoding: quoted-printable List-ID: <9front.9front.org> List-Help: X-Glyph: ➈ X-Bullshit: progressive firewall-aware singleton Subject: [9front] [PATCH] libsec: add minimal support for the tls renegotiation extension Reply-To: 9front@9front.org Precedence: bulk OpenSSL 3.0 clients refuse to connect to servers that do not support the renegotiation extension (RFC 5746) unless the default configuration is changed to allow it. Since we do not support renegotiation, we only need to make minor changes to the initial handshake to comply with the specification: 1. For tlsClient, simply add the proper SCSV to the ClientHello cipher list (cf. RFC 5746 =C2=A7 3.3); 2. For tlsServer, respond with an empty renegotiation extension in the ServerHello if we received either the SCSV or an empty renegotiation extension in the ClientHello. Since we close the hand file and never open it after the initial handshake, we can rely on tls(3) to send the "no renegotiation" alerts if subsequent handshake records are received. --- diff e5d29a2bd91951a24fccecd958416856cecef444 d75905c2e41425e0add855e7752= 7b016384c46ec --- a/sys/src/libsec/port/tlshand.c Tue Nov 8 14:11:29 2022 +++ b/sys/src/libsec/port/tlshand.c Wed Nov 9 18:24:40 2022 @@ -68,6 +68,7 @@ uchar sec[MasterSecretSize]; // master secret uchar srandom[RandomSize]; // server random uchar crandom[RandomSize]; // client random + int reneg; // secure renegotiation flag =20 Namedcurve *nc; // selected curve for ECDHE // diffie hellman state @@ -251,6 +252,7 @@ TLS_PSK_WITH_AES_128_CBC_SHA =3D 0x008C, =20 TLS_FALLBACK_SCSV =3D 0x5600, + TLS_EMPTY_RENEGOTIATION_INFO_SCSV =3D 0x00FF, }; =20 // compression methods 
@@ -271,6 +273,7 @@ Extec =3D 0x000a, Extecp =3D 0x000b, Extsigalgs =3D 0x000d, + Extreneg =3D 0xff01, }; =20 static Algs cipherAlgs[] =3D { @@ -670,6 +673,16 @@ break; } break; + case Extreneg: + if(n < 1 || *p !=3D (n -=3D 1)) + goto Short; + if(*p !=3D 0){ + tlsError(c, EHandshakeFailure, "invalid renegotiation extension"); + return -1; + } + c->sec->reneg =3D 1; + p++; + } } =20 @@ -679,13 +692,37 @@ return -1;=20 }=20 =20 +static uchar* +tlsServerExtensions(TlsConnection *c, int *plen) +{ + uchar *b, *p; + int m; + + p =3D b =3D nil; + + // RFC5746 - Renegotiation Indication + if(c->sec->reneg){ + m =3D p - b; + b =3D erealloc(b, m + 2+2+1); + p =3D b + m; + + put16(p, Extreneg), p +=3D 2; /* Type: renegotiation_info */ + put16(p, 1), p +=3D 2; /* Length */ + *p++ =3D 0; /* Renegotiated Connection Length */ + } + + *plen =3D p - b; + return b; +} + static TlsConnection * tlsServer2(int ctl, int hand, uchar *cert, int certlen, char *pskid, uchar *psk, int psklen, int (*trace)(char*fmt, ...), PEMChain *chp) { - int cipher, compressor, numcerts, i; + int cipher, compressor, numcerts, i, extlen; + uchar *ext; TlsConnection *c; Msg m; =20 @@ -741,8 +778,11 @@ goto Err; } } + if(lookupid(m.u.clientHello.ciphers, TLS_EMPTY_RENEGOTIATION_INFO_SCSV)= >=3D 0) + c->sec->reneg =3D 1; if(checkClientExtensions(c, m.u.clientHello.extensions) < 0) goto Err; + ext =3D tlsServerExtensions(c, &extlen); cipher =3D okCipher(m.u.clientHello.ciphers, psklen > 0, c->sec->nc !=3D= nil); if(cipher < 0 || !setAlgs(c, cipher)) { tlsError(c, EHandshakeFailure, "no matching cipher suite"); @@ -763,6 +803,7 @@ m.u.serverHello.cipher =3D cipher; m.u.serverHello.compressor =3D compressor; m.u.serverHello.sid =3D makebytes(nil, 0); + m.u.serverHello.extensions =3D makebytes(ext, extlen); if(!msgSend(c, &m, AQueue)) goto Err; =20 
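Review bot: The new `case Extreneg:` is the only case in this switch that does not end in `break;` — the surrounding context shows the preceding case closing with `break;`, and the new one works only because it happens to be the last label before the switch's closing brace, so any case appended after it later would fall through into nothing by accident. Add `break;` after `p++;` to match the other cases. The condition `*p != (n -= 1)` folds the length-byte check and the decrement of the remaining count into one expression, and the purpose of the following `if(*p != 0)` is not stated; a comment such as `/* initial handshake: renegotiated_connection must be empty (RFC 5746 §3.6) */` above it would make the intent clear to the next reader. The enclosing checkClientExtensions loop starts outside the hunk.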
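Review bot: tlsServerExtensions hands back an erealloc'd buffer but nothing says who frees it, and in the @@ -741 hunk tlsServer2 passes `ext` to makebytes (which, judging by the existing `makebytes(nil, 0)` call, copies its input) and never frees it on the success path or on the `goto Err` paths between the call and its use — that leaks the buffer on every handshake unless it is released further down tlsServer2, outside these hunks. Either `free(ext);` right after the `m.u.serverHello.extensions = makebytes(ext, extlen);` line in the @@ -763 hunk, or have tlsServerExtensions return the Bytes* itself so there is only one allocation to own. The `p = b = nil; ... m = p - b;` sequence computes the difference of two nil pointers only to seed an append pattern for what is currently a single extension; `m = 0` says the same thing without the pointer arithmetic. A header comment, `/* build the ServerHello extension block; caller frees the result */`, would document the ownership.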
@@ -2273,6 +2314,7 @@ for(i =3D 0; i < nelem(cipherAlgs); i++) if(cipherAlgs[i].ok && isPSK(cipherAlgs[i].tlsid) =3D=3D ispsk) is->data[j++] =3D cipherAlgs[i].tlsid; + is->data[j++] =3D TLS_EMPTY_RENEGOTIATION_INFO_SCSV; is->len =3D j; return is; }
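Review bot: `is->data[j++] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV;` writes one element beyond the number of suites the loop above it can emit; if the `is` array allocated above the hunk (outside my view) is sized to `nelem(cipherAlgs)`, this overruns it by one int whenever every entry in cipherAlgs is enabled for the selected PSK mode. The allocation needs `nelem(cipherAlgs)+1` elements to hold the SCSV — please confirm the allocator call and its current size, since I cannot see it here. The enclosing function starts outside the hunk.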