Reject renegotiations in SSLClientSocket by default.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 552 matching lines @@
                                      CERTDistNames* ca_names,
                                      CERTCertificate** result_certificate,
                                      SECKEYPrivateKey** result_private_key);
 
   // Called by NSS to determine if we can False Start.
   // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
   static SECStatus CanFalseStartCallback(PRFileDesc* socket,
                                          void* arg,
                                          PRBool* can_false_start);
 
-  // Called by NSS once the handshake has completed.
+  // Called by NSS each time a handshake completely finishes.
   // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
   static void HandshakeCallback(PRFileDesc* socket, void* arg);
 
-  // Called once the handshake has succeeded.
+  // Called once for each successful handshake. If the initial handshake false
+  // starts, it is called when it false starts and not when it completely
+  // finishes.
   void HandshakeSucceeded();
 
   // Handles an NSS error generated while handshaking or performing IO.
   // Returns a network error code mapped from the original NSS error.
   int HandleNSSError(PRErrorCode error);
 
   int DoHandshakeLoop(int last_io_result);
   int DoReadLoop(int result);
   int DoWriteLoop(int result);
 
@@ skipping 42 matching lines @@
   void UpdateConnectionStatus();
   // Record histograms for channel id support during full handshakes - resumed
   // handshakes are ignored.
   void RecordChannelIDSupportOnNSSTaskRunner();
   // UpdateNextProto gets any application-layer protocol that may have been
   // negotiated by the TLS connection.
   void UpdateNextProto();
   // Record TLS extension used for protocol negotiation (NPN or ALPN).
   void UpdateExtensionUsed();
 
+  // Returns true if renegotiations are allowed.
+  bool IsRenegotiationAllowed() const;
+
   ////////////////////////////////////////////////////////////////////////////
   // Methods that are ONLY called on the network task runner:
   ////////////////////////////////////////////////////////////////////////////
   int DoBufferRecv(IOBuffer* buffer, int len);
   int DoBufferSend(IOBuffer* buffer, int len);
   int DoGetChannelID(const std::string& host);
 
   void OnGetChannelIDComplete(int result);
   void OnHandshakeStateUpdated(const HandshakeState& state);
   void OnNSSBufferUpdated(int amount_in_read_buffer);
@@ skipping 84 matching lines @@
   std::vector<std::string> predicted_certs_;
 
   State next_handshake_state_;
 
   // True if channel ID extension was negotiated.
   bool channel_id_xtn_negotiated_;
   // True if the handshake state machine was interrupted for channel ID.
   bool channel_id_needed_;
   // True if the handshake state machine was interrupted for client auth.
   bool client_auth_cert_needed_;
-  // True if NSS has False Started.
+  // True if NSS has False Started in the initial handshake, but the initial
+  // handshake has not yet completely finished..
   bool false_started_;
   // True if NSS has called HandshakeCallback.
   bool handshake_callback_called_;
 
   HandshakeState nss_handshake_state_;
 
   bool transport_recv_busy_;
   bool transport_recv_eof_;
   bool transport_send_busy_;
 
@@ skipping 688 matching lines @@
     PostOrRunCallback(
         FROM_HERE,
         base::Bind(&AddLogEventWithCallback, weak_net_log_,
                    NetLog::TYPE_SSL_HANDSHAKE_ERROR,
                    CreateNetLogSSLErrorCallback(net_error, 0)));
   } else if (rv == SECSuccess) {
     if (!handshake_callback_called_) {
       false_started_ = true;
       HandshakeSucceeded();
     }
+
+    if (IsRenegotiationAllowed()) {
+      // For compatibility, do not enforce RFC 5746 support. Per section 4.1,
+      // enforcement falls largely on the server.
+      SECStatus rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
+                                   SSL_RENEGOTIATE_TRANSITIONAL);
+      DCHECK_EQ(SECSuccess, rv);
+    }
   } else {
     PRErrorCode prerr = PR_GetError();
     net_error = HandleNSSError(prerr);
 
     // If not done, stay in this state
     if (net_error == ERR_IO_PENDING) {
       GotoState(STATE_HANDSHAKE);
     } else {
       PostOrRunCallback(
           FROM_HERE,
@@ skipping 651 matching lines @@
   } else {
     rv = SSL_HandshakeNegotiatedExtension(nss_fd_,
                                           ssl_next_proto_nego_xtn,
                                           &negotiated_extension);
     if (rv == SECSuccess && negotiated_extension) {
       nss_handshake_state_.negotiation_extension_ = kExtensionNPN;
     }
   }
 }
 
+bool SSLClientSocketNSS::Core::IsRenegotiationAllowed() const {
+  DCHECK(OnNSSTaskRunner());
+
+  if (nss_handshake_state_.next_proto_status == kNextProtoUnsupported)
+    return ssl_config_.renego_allowed_default;
+
+  NextProto next_proto = NextProtoFromString(nss_handshake_state_.next_proto);
+  for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
+    if (next_proto == allowed)
+      return true;
+  }
+  return false;
+}
+
 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() {
   DCHECK(OnNSSTaskRunner());
   if (nss_handshake_state_.resumed_handshake)
     return;
 
   // Copy the NSS task runner-only state to the network task runner and
   // log histograms from there, since the histograms also need access to the
   // network task runner state.
   PostOrRunCallback(
       FROM_HERE,
@@ skipping 651 matching lines @@
   if (rv != SECSuccess) {
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
                      ssl_config_.false_start_enabled);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
 
-  // We allow servers to request renegotiation. Since we're a client,
-  // prohibiting this is rather a waste of time. Only servers are in a
-  // position to prevent renegotiation attacks.
-  // http://extendedsubset.com/?p=8
-
-  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
-                     SSL_RENEGOTIATE_TRANSITIONAL);
+  // By default, renegotiations are rejected. After the initial handshake
+  // completes, some application protocols may re-enable it.
+  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_NEVER);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
 
 // Added in NSS 3.15
@@ skipping 363 matching lines @@
 scoped_refptr<X509Certificate>
 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
   return core_->state().server_cert.get();
 }
 
 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
   return channel_id_service_;
 }
 
 }  // namespace net