patch to add a switch for renegotiation

[Guan Jun He]

Hello,

   Add a switch to renegotiation, so that renegotiation can be controled by 
program. 
And it provides a way to programmer to implement some sort of custom throttling.
Basically, this patch is produced with the background of CVE-2011-1473,
the DoS against renegotiation.You guys must have known it.Maybe the patch is 
not that 
useful for some use cases.But, it's the first step, and it gives apps a easy 
choise 
to fight against DoS. 
And, maybe the second steps can also be done in openssl, add a simple monitor 
to monitor
client initiatd renegotiations(for each session or just globally), and 
according to the 
monitoring result to set the renegotiation switch for a time slice.the monitor 
can be
as simple as just a counter,I'm still seeking an efficient way to do this.And 
ask for 
comments and advices from you guys.


Regards,
Guanjun

diff -Nupr openssl.orig//ssl/t1_lib.c openssl//ssl/t1_lib.c
--- openssl.orig//ssl/t1_lib.c  2011-11-15 16:52:13.0 +0800
+++ openssl//ssl/t1_lib.c   2011-11-15 17:00:53.0 +0800
@@ -1052,6 +1052,10 @@ int ssl_parse_clienthello_tlsext(SSL *s,
}
else if (type == TLSEXT_TYPE_renegotiate)
{
+   if (getenv(OPENSSL_NO_RENEGOTIATION) != NULL)
+   {
+   return 0;
+   }
if(!ssl_parse_clienthello_renegotiate_ext(s, data, 
size, al))
return 0;
renegotiate_seen = 1;

Re: patch to add a switch for renegotiation

[Hanno Böck]

Am Tue, 15 Nov 2011 02:48:28 -0700
schrieb Guan Jun He g...@suse.com:

Add a switch to renegotiation, so that renegotiation can be
 controled by program. And it provides a way to programmer to
 implement some sort of custom throttling. Basically, this patch is
 produced with the background of CVE-2011-1473, the DoS against
 renegotiation.You guys must have known it.Maybe the patch is not that
 useful for some use cases.But, it's the first step, and it gives apps
 a easy choise to fight against DoS. And, maybe the second steps can
 also be done in openssl, add a simple monitor to monitor client
 initiatd renegotiations(for each session or just globally), and
 according to the monitoring result to set the renegotiation switch
 for a time slice.the monitor can be as simple as just a counter,I'm
 still seeking an efficient way to do this.And ask for comments and
 advices from you guys.

If I understood the THC DoS, this is completely pointless. Their tool
uses renegotiation, but there's absolutely nothing special about
renegotiation, the attack works also with normal connections.

See THC on this matter:
SSL-DOS released. Some organizations already found out
about this release a while ago and mistakenly identified it as an
SSL-RENEGOTIATION BUG. This is not true. The tool can be modified to
work without SSL-RENEGOTIATION by just establishing a new TCP
connection for every new handshake. 
http://www.thc.org/thc-ssl-dos/


Also, there's been a lot of mixup with old and new renegotiation and
wrong infos floating around. The THC DoS is not really related to that.

It's not easy to find a clean way to mitigate those issues - the core
problem is that a connection causes more load on the server than on the
initiating client - changing that would be possible only in the TLS
design. Connection limits can help (though they shouldn't be
limited to renegotiation), but it's not really a nice solution.

-- 
Hanno Böck  mail/jabber: ha...@hboeck.de
GPG: BBB51E42   http://www.hboeck.de/


signature.asc
Description: PGP signature

[openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9

[Peter Sylvester via RT]

Enclosed a second patch to make ssl conformant to rfc 5054.

patch is to the stable snapshot of 11/14

Changes are:

- removal of the addition state after client hello
- removal of all pre-rfc srp alert ids
- sending a fatal alert when there is no srp extension but when the 
server wants SRP
- removal of unnecessary code in the client.

have fun

diff -r -c openssl-1.0.1-stable-SNAP-2014/include/openssl/ssl3.h openssl-1.0.1-stable-SNAP-2014PS/include/openssl/ssl3.h
*** openssl-1.0.1-stable-SNAP-2014/include/openssl/ssl3.h	2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/include/openssl/ssl3.h	2011-11-15 17:14:49.427741000 +0100
***
*** 581,588 
  #define SSL3_ST_SR_CLNT_HELLO_A		(0x110|SSL_ST_ACCEPT)
  #define SSL3_ST_SR_CLNT_HELLO_B		(0x111|SSL_ST_ACCEPT)
  #define SSL3_ST_SR_CLNT_HELLO_C		(0x112|SSL_ST_ACCEPT)
- /* a new state to remember that we have already receive a ClientHello without srp username extension */
- #define SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME (0x1E2|SSL_ST_ACCEPT)
  /* write to client */
  #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
  #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
--- 581,586 
diff -r -c openssl-1.0.1-stable-SNAP-2014/include/openssl/ssl.h openssl-1.0.1-stable-SNAP-2014PS/include/openssl/ssl.h
*** openssl-1.0.1-stable-SNAP-2014/include/openssl/ssl.h	2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/include/openssl/ssl.h	2011-11-14 18:08:23.751741000 +0100
***
*** 1468,1475 
  #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
  #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
  #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
- #define SSL_AD_UNKNOWN_SRP_USERNAME	TLS1_AD_UNKNOWN_SRP_USERNAME
- #define SSL_AD_MISSING_SRP_USERNAME	TLS1_AD_MISSING_SRP_USERNAME
  
  #define SSL_ERROR_NONE			0
  #define SSL_ERROR_SSL			1
--- 1468,1473 
diff -r -c openssl-1.0.1-stable-SNAP-2014/include/openssl/tls1.h openssl-1.0.1-stable-SNAP-2014PS/include/openssl/tls1.h
*** openssl-1.0.1-stable-SNAP-2014/include/openssl/tls1.h	2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/include/openssl/tls1.h	2011-11-14 18:20:29.071741000 +0100
***
*** 196,203 
  #define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
  #define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
  #define TLS1_AD_UNKNOWN_PSK_IDENTITY	115	/* fatal */
- #define TLS1_AD_UNKNOWN_SRP_USERNAME 120 /* fatal */
- #define TLS1_AD_MISSING_SRP_USERNAME 121
  
  /* ExtensionType values from RFC3546 / RFC4366 */
  #define TLSEXT_TYPE_server_name			0
--- 196,201 
diff -r -c openssl-1.0.1-stable-SNAP-2014/ssl/s3_clnt.c openssl-1.0.1-stable-SNAP-2014PS/ssl/s3_clnt.c
*** openssl-1.0.1-stable-SNAP-2014/ssl/s3_clnt.c	2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/ssl/s3_clnt.c	2011-11-15 17:26:16.731741000 +0100
***
*** 280,299 
  		case SSL3_ST_CR_SRVR_HELLO_A:
  		case SSL3_ST_CR_SRVR_HELLO_B:
  			ret=ssl3_get_server_hello(s);
- #ifndef OPENSSL_NO_SRP
- 			if (ret == 0  s-s3-warn_alert == SSL_AD_MISSING_SRP_USERNAME)
- {
- if (!SRP_have_to_put_srp_username(s))
- 	{
- 	SSLerr(SSL_F_SSL3_CONNECT,SSL_R_MISSING_SRP_USERNAME);
- 	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_USER_CANCELLED);
- 	goto end;
- 	}
- s-state=SSL3_ST_CW_CLNT_HELLO_A;
- if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
- break;
- }
- #endif
  			if (ret = 0) goto end;
  
  			if (s-hit)
--- 280,285 
diff -r -c openssl-1.0.1-stable-SNAP-2014/ssl/s3_srvr.c openssl-1.0.1-stable-SNAP-2014PS/ssl/s3_srvr.c
*** openssl-1.0.1-stable-SNAP-2014/ssl/s3_srvr.c	2011-11-13 23:00:19.0 +0100
--- openssl-1.0.1-stable-SNAP-2014PS/ssl/s3_srvr.c	2011-11-15 17:13:55.327741000 +0100
***
*** 180,190 
  	}
  
  #ifndef OPENSSL_NO_SRP
! static int SSL_check_srp_ext_ClientHello(SSL *s, int *ad)
  	{
  	int ret = SSL_ERROR_NONE;
  
! 	*ad = SSL_AD_UNRECOGNIZED_NAME;
  
  	if ((s-s3-tmp.new_cipher-algorithm_mkey  SSL_kSRP) 
  	(s-srp_ctx.TLS_ext_srp_username_callback != NULL))
--- 180,190 
  	}
  
  #ifndef OPENSSL_NO_SRP
! static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
  	{
  	int ret = SSL_ERROR_NONE;
  
! 	*al = SSL_AD_UNRECOGNIZED_NAME;
  
  	if ((s-s3-tmp.new_cipher-algorithm_mkey  SSL_kSRP) 
  	(s-srp_ctx.TLS_ext_srp_username_callback != NULL))
***
*** 192,203 
  		if(s-srp_ctx.login == NULL)
  			{
  			/* There isn't any srp login extension !!! */
! 			ret = SSL3_AL_WARNING;
! 			*ad = SSL_AD_MISSING_SRP_USERNAME;
  			}
  		else
  			{
! 			ret = SSL_srp_server_param_with_username(s,ad);
  			}
  		}
  	return ret;
--- 192,203 
  		if(s-srp_ctx.login == NULL)
  			{
  			/* There isn't any srp login extension