[glib-networking: 56/129] connection: avoid dos attacks when asking a renegotation from the client
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking: 56/129] connection: avoid dos attacks when asking a renegotation from the client
- Date: Sat, 2 Feb 2019 22:48:05 +0000 (UTC)
commit 742ea6bc4cfbb42e757d787cc8f4297898cdb61f
Author: Ignacio Casal Quinteiro <qignacio amazon com>
Date: Tue Oct 17 16:21:49 2017 +0200
connection: avoid dos attacks when asking a renegotation from the client
Renegotating is expensive on the server side. If we get asked to renegotiate
the client can produce a dos attack while the server computes the renegotiation.
See CVE-2009-3555.
tls/openssl/gtlsserverconnection-openssl.c | 14 ++++++++++++++
tls/tests/connection.c | 3 +++
2 files changed, 17 insertions(+)
---
diff --git a/tls/openssl/gtlsserverconnection-openssl.c b/tls/openssl/gtlsserverconnection-openssl.c
index faafd3e..9551b9e 100644
--- a/tls/openssl/gtlsserverconnection-openssl.c
+++ b/tls/openssl/gtlsserverconnection-openssl.c
@@ -228,6 +228,18 @@ g_tls_server_connection_openssl_server_connection_interface_init (GTlsServerConn
{
}
+static void
+ssl_info_callback (const SSL *ssl,
+ int type,
+ int val)
+{
+ if ((type & SSL_CB_HANDSHAKE_DONE) != 0)
+ {
+ /* Disable renegotiation (CVE-2009-3555) */
+ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+ }
+}
+
static gboolean
g_tls_server_connection_openssl_initable_init (GInitable *initable,
GCancellable *cancellable,
@@ -315,6 +327,8 @@ g_tls_server_connection_openssl_initable_init (GInitable *initable,
SSL_CTX_set_cipher_list (priv->ssl_ctx, DEFAULT_CIPHER_LIST);
+ SSL_CTX_set_info_callback (priv->ssl_ctx, ssl_info_callback);
+
priv->ssl = SSL_new (priv->ssl_ctx);
if (priv->ssl == NULL)
{
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index 9e13903..befc8d4 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -961,6 +961,9 @@ static void
test_client_auth_rehandshake (TestConnection *test,
gconstpointer data)
{
+ g_test_skip ("the server avoids rehandshake to avoid the security problem CVE-2009-3555");
+ return;
+
test->rehandshake = TRUE;
test_client_auth_connection (test, data);
}
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]