RFC 7627 states that renegotiation becomes no longer secure under
various circumstances when the non-extended master secret is used.
The description of the precise set of circumstances is spread across
various points within the document and is not entirely clear.

Avoid a superset of the circumstances in which renegotiation
apparently becomes insecure by refusing renegotiation completely
unless the extended master secret is used.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
}
/* Fail unless server supports secure renegotiation */
- if ( ! tls->secure_renegotiation ) {
+ if ( ! ( tls->secure_renegotiation && tls->extended_master_secret ) ) {
DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
tls );
return -EPERM_RENEG_INSECURE;
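Review bot: The comment above the changed condition, "Fail unless server supports secure renegotiation", is now stale: the check also requires tls->extended_master_secret, so a peer that supports secure renegotiation but did not negotiate the extended master secret is refused as well. Suggest rewording the comment to name both requirements and cite RFC 7627 there, as the commit message does. Also consider having the DBGC message say which of the two flags was missing, since "refusing to renegotiate insecurely" and -EPERM_RENEG_INSECURE now cover both causes and a debug log alone will not show which one triggered the refusal.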