From: Paulo Matias <matias@ufscar.br>
Date: Fri, 19 Jun 2015 03:37:47 +0000 (-0700)
Subject: Hardening against CVE-2009-3555
X-Git-Tag: merge-candidate-3-v1~80
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3834ada42852d6011c5f403140de8909d02f8694;p=thirdparty%2Fsquid.git

Hardening against CVE-2009-3555

Disable client-initiated renegotiation, mitigating a DoS attack which
might be possible with some builds of the OpenSSL library.
---

diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index c8a161bb20..f8dcfbac68 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -823,12 +823,28 @@ Ssl::readDHParams(const char *dhfile)
     return dh;
 }
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+static void
+ssl_info_cb(const SSL *ssl, int where, int ret)
+{
+    (void)ret;
+    if ((where & SSL_CB_HANDSHAKE_DONE) != 0) {
+        // disable renegotiation (CVE-2009-3555)
+        ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+    }
+}
+#endif
+
 static bool
 configureSslContext(SSL_CTX *sslContext, AnyP::PortCfg &port)
 {
     int ssl_error;
     SSL_CTX_set_options(sslContext, port.sslOptions);
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+    SSL_CTX_set_info_callback(sslContext, ssl_info_cb);
+#endif
+
     if (port.sslContextSessionId)
         SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)port.sslContextSessionId, strlen(port.sslContextSessionId));
 
@@ -1045,6 +1061,10 @@ sslCreateClientContext(const char *certfile, const char *keyfile, const char *ci
 
     SSL_CTX_set_options(sslContext, Ssl::parse_options(options));
 
+#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
+    SSL_CTX_set_info_callback(sslContext, ssl_info_cb);
+#endif
+
     if (*cipher) {
         debugs(83, 5, "Using chiper suite " << cipher << ".");