]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
Revert "Always allow initial negotiation. Disable subsequent unsafe renegotiations."
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 22 Jan 2010 21:21:16 +0000 (22:21 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Fri, 22 Jan 2010 21:21:16 +0000 (22:21 +0100)
This reverts commit 1e4981cfbec360a19cfb7470ce96093aaa95b32e.

Ah, this was to twart the attack (description by Daniel Kahn Gilmor):
The problem, as i understand it, is that the client is incapable of
telling whether the plaintext prefix injection attack has already
happened.  I don't think disabling renegotiation for the session
resolves the problem.

For a server which does not announce and enforce safe renegotiation,
what the client sees as an initial connection may unknowingly actually
be renegotiating an existing session that was started by an attacker.

The concern isn't that the (legitimate) client will have their session
re-negotiated by an attacker; it's that the MITM attacker can trick the
server into viewing the client's initial authentication as a
re-negotiation of a TLS session already underway.

for servers which do odd things like apply the credentials of the
post-renegotiation client to the traffic that happened before the
renegotiation (e.g. HTTPS, with client-side certificates required only
for certain subdirectories), a safe-renegotiation-aware client *should*
refuse to connect to servers which do not announce safe renegotiation if
they want to resist this attack.

lib/gnutls_handshake.c

index fc9de23d71c69727f428f61291a57bdb3c19c2cb..c0bf83b9b6c9462f709ef17e8f854d8d0868d9ad 100644 (file)
@@ -2428,7 +2428,9 @@ _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen)
          return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
        }
 
-      if (session->internals.initial_negotiation_completed != 0)
+      /* Clients can't tell if it's an initial negotiation */
+      if (session->internals.initial_negotiation_completed ||
+         session->security_parameters.entity == GNUTLS_CLIENT)
        {
          if (session->internals.priorities.unsafe_renegotiation != 0)
            {