[glib-networking/rufferson/openssl/tests/other: 3/7] Fix OpenSSL re-handshake operation



commit 8fa661be7e22cc6da9302104968a041efc65ded7
Author: Ruslan N. Marchenko <me ruff mobi>
Date:   Fri Jun 19 23:50:26 2020 +0200

    Fix OpenSSL re-handshake operation
    
     * Enable OpenSSL TLS1.3 Renegotiation (KeyUpdate)
     * Make TLS1.2 renegotiation conditional on whether the remote
       peer negotiated it and whether it is enabled locally

 tls/openssl/gtlsconnection-openssl.c | 18 ++++++++++++++++--
 tls/tests/connection.c               | 18 ++----------------
 2 files changed, 18 insertions(+), 18 deletions(-)
---
diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
index 020aa0d..f2c024e 100644
--- a/tls/openssl/gtlsconnection-openssl.c
+++ b/tls/openssl/gtlsconnection-openssl.c
@@ -201,6 +201,14 @@ end_openssl_io (GTlsConnectionOpenssl  *openssl,
       return G_TLS_CONNECTION_BASE_ERROR;
     }
 
+  if (reason == SSL_R_NO_RENEGOTIATION)
+    {
+      g_clear_error (&my_error);
+      g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
+                           _("Secure renegotiation is disabled"));
+      return G_TLS_CONNECTION_BASE_REHANDSHAKE;
+    }
+
   if (my_error)
     g_propagate_error (error, my_error);
   else
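Review bot: The new SSL_R_NO_RENEGOTIATION branch sets `error` to "Secure renegotiation is disabled" but returns G_TLS_CONNECTION_BASE_REHANDSHAKE, which is not an error status; a caller that treats REHANDSHAKE as success and later calls g_set_error on the same GError gets a GLib overwrite warning, and one that ignores `error` leaks the message. Either return G_TLS_CONNECTION_BASE_ERROR together with that message, or return REHANDSHAKE without touching `error` and leave the decision to the caller — the `if (my_error)` propagation below being skipped suggests the latter was intended. Where `reason` is computed and the start of end_openssl_io are outside the hunk.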
@@ -389,7 +397,7 @@ g_tls_connection_openssl_handshake_thread_request_rehandshake (GTlsConnectionBas
   GTlsConnectionOpenssl *openssl;
   GTlsConnectionBaseStatus status;
   SSL *ssl;
-  int ret;
+  int ret = 1; /* always look on the bright side of life */
 
   /* On a client-side connection, SSL_renegotiate() itself will start
    * a rehandshake, so we only need to do something special here for
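Review bot: The comment on `int ret = 1;` does not say why the initializer matters: END_OPENSSL_IO in the next hunk reads `ret`, and the new `else` branch there never assigns it, so the 1 is what makes an unattempted renegotiation report success. Replace the joke with the reason, e.g. `int ret = 1; /* stays 1 when neither KeyUpdate nor renegotiation is attempted below */`. The function continues past the hunk.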
@@ -403,7 +411,13 @@ g_tls_connection_openssl_handshake_thread_request_rehandshake (GTlsConnectionBas
   ssl = g_tls_connection_openssl_get_ssl (openssl);
 
   BEGIN_OPENSSL_IO (openssl, G_IO_IN | G_IO_OUT, timeout, cancellable);
-  ret = SSL_renegotiate (ssl);
+  if (SSL_version(ssl) >= TLS1_3_VERSION)
+    ret = SSL_key_update (ssl, SSL_KEY_UPDATE_REQUESTED);
+  else if (SSL_get_secure_renegotiation_support (ssl) && !(SSL_get_options(ssl) & SSL_OP_NO_RENEGOTIATION))
+    /* remote and local peers both can rehandshake */
+    ret = SSL_renegotiate (ssl);
+  else
+    g_tls_log_debug (tls, "Secure renegotiation is not supported");
   END_OPENSSL_IO (openssl, G_IO_IN | G_IO_OUT, ret, timeout, status,
                   _("Error performing TLS handshake"), error);
 
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index 83d8853..9c5d068 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -135,6 +135,7 @@ teardown_connection (TestConnection *test, gconstpointer data)
       /* The outstanding accept_async will hold a ref on test->service,
        * which we want to wait for it to release if we're valgrinding.
        */
+      g_socket_listener_close (G_SOCKET_LISTENER (test->service));
       g_object_add_weak_pointer (G_OBJECT (test->service), (gpointer *)&test->service);
       g_object_unref (test->service);
       WAIT_UNTIL_UNSET (test->service);
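Review bot: The comment above the new `g_socket_listener_close` call still describes only waiting for the outstanding accept_async to release its ref; since closing the listener is presumably what makes that accept complete and drop the ref, extend it, e.g. `/* Close the listener so the outstanding accept_async completes and drops its ref on test->service, then wait for that if we're valgrinding. */`. Neither this change nor the `g_clear_object (&test->client_connection)` added in test_unclean_close_by_server is mentioned in the commit message, which describes only the renegotiation fix. teardown_connection starts before the hunk.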
@@ -1069,12 +1070,6 @@ static void
 test_client_auth_rehandshake (TestConnection *test,
                               gconstpointer   data)
 {
-#ifdef BACKEND_IS_OPENSSL
-  /* FIXME: this doesn't make sense, we should support safe renegotation */
-  g_test_skip ("the server avoids rehandshake to avoid the security problem CVE-2009-3555");
-  return;
-#endif
-
   test->rehandshake = TRUE;
   test_client_auth_connection (test, data);
 }
@@ -1787,11 +1782,6 @@ static void
 test_simultaneous_async_rehandshake (TestConnection *test,
                                      gconstpointer   data)
 {
-#ifdef BACKEND_IS_OPENSSL
-  g_test_skip ("this needs more research on openssl");
-  return;
-#endif
-
   test->rehandshake = TRUE;
   test_simultaneous_async (test, data);
 }
@@ -1886,11 +1876,6 @@ static void
 test_simultaneous_sync_rehandshake (TestConnection *test,
                                     gconstpointer   data)
 {
-#ifdef BACKEND_IS_OPENSSL
-  g_test_skip ("this needs more research on openssl");
-  return;
-#endif
-
   test->rehandshake = TRUE;
   test_simultaneous_sync (test, data);
 }
@@ -1985,6 +1970,7 @@ test_unclean_close_by_server (TestConnection *test,
   g_clear_error (&test->read_error);
   g_clear_object (&test->service);
   g_clear_object (&test->server_connection);
+  g_clear_object (&test->client_connection);
   test->server_ever_handshaked = FALSE;
   start_async_server_service (test, G_TLS_AUTHENTICATION_NONE, HANDSHAKE_ONLY);
 

