Reject renegotiations in SSLClientSocket by default.

net/socket/ssl_client_socket_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file includes code SSLClientSocketNSS::DoVerifyCertComplete() derived
 // from AuthCertificateCallback() in
 // mozilla/security/manager/ssl/src/nsNSSCallbacks.cpp.
 
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
@@ skipping 552 matching lines @@
                                      CERTDistNames* ca_names,
                                      CERTCertificate** result_certificate,
                                      SECKEYPrivateKey** result_private_key);
 
   // Called by NSS to determine if we can False Start.
   // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
   static SECStatus CanFalseStartCallback(PRFileDesc* socket,
                                          void* arg,
                                          PRBool* can_false_start);
 
-  // Called by NSS once the handshake has completed.
+  // Called by NSS each time a handshake completely finishes.
   // |arg| contains a pointer to the current SSLClientSocketNSS::Core.
   static void HandshakeCallback(PRFileDesc* socket, void* arg);
 
-  // Called once the handshake has succeeded.
-  void HandshakeSucceeded();
+  // Called once for each successful handshake. If the initial handshake false
+  // starts, it is called when it false starts and not when it completely
+  // finishes. is_initial is true if this is the initial handshake.
+  void HandshakeSucceeded(bool is_initial);
 
   // Handles an NSS error generated while handshaking or performing IO.
   // Returns a network error code mapped from the original NSS error.
   int HandleNSSError(PRErrorCode error);
 
   int DoHandshakeLoop(int last_io_result);
   int DoReadLoop(int result);
   int DoWriteLoop(int result);
 
   int DoHandshake();
@@ skipping 41 matching lines @@
   void UpdateConnectionStatus();
   // Record histograms for channel id support during full handshakes - resumed
   // handshakes are ignored.
   void RecordChannelIDSupportOnNSSTaskRunner();
   // UpdateNextProto gets any application-layer protocol that may have been
   // negotiated by the TLS connection.
   void UpdateNextProto();
   // Record TLS extension used for protocol negotiation (NPN or ALPN).
   void UpdateExtensionUsed();
 
+  // Returns true if renegotiations are allowed.
+  bool IsRenegotiationAllowed() const;
+
   ////////////////////////////////////////////////////////////////////////////
   // Methods that are ONLY called on the network task runner:
   ////////////////////////////////////////////////////////////////////////////
   int DoBufferRecv(IOBuffer* buffer, int len);
   int DoBufferSend(IOBuffer* buffer, int len);
   int DoGetChannelID(const std::string& host);
 
   void OnGetChannelIDComplete(int result);
   void OnHandshakeStateUpdated(const HandshakeState& state);
   void OnNSSBufferUpdated(int amount_in_read_buffer);
@@ skipping 84 matching lines @@
   std::vector<std::string> predicted_certs_;
 
   State next_handshake_state_;
 
   // True if channel ID extension was negotiated.
   bool channel_id_xtn_negotiated_;
   // True if the handshake state machine was interrupted for channel ID.
   bool channel_id_needed_;
   // True if the handshake state machine was interrupted for client auth.
   bool client_auth_cert_needed_;
-  // True if NSS has False Started.
+  // True if NSS has False Started in the initial handshake, but the initial
+  // handshake has not yet completely finished..
   bool false_started_;
   // True if NSS has called HandshakeCallback.
   bool handshake_callback_called_;
 
   HandshakeState nss_handshake_state_;
 
   bool transport_recv_busy_;
   bool transport_recv_eof_;
   bool transport_send_busy_;
 
@@ skipping 518 matching lines @@
   return SSL_RecommendedCanFalseStart(socket, can_false_start);
 }
 
 // static
 void SSLClientSocketNSS::Core::HandshakeCallback(
     PRFileDesc* socket,
     void* arg) {
   Core* core = reinterpret_cast<Core*>(arg);
   DCHECK(core->OnNSSTaskRunner());
 
+  bool is_initial = !core->handshake_callback_called_;
   core->handshake_callback_called_ = true;
   if (core->false_started_) {
     core->false_started_ = false;
     // If the connection was False Started, then at the time of this callback,
     // the peer's certificate will have been verified or the caller will have
     // accepted the error.
     // This is guaranteed when using False Start because this callback will
     // not be invoked until processing the peer's Finished message, which
     // will only happen in a PR_Read/PR_Write call, which can only happen
     // after the peer's certificate is verified.
     SSL_CacheSessionUnlocked(socket);
 
     // Additionally, when False Starting, DoHandshake() will have already
     // called HandshakeSucceeded(), so return now.
     return;
   }
-  core->HandshakeSucceeded();
+  core->HandshakeSucceeded(is_initial);
 }
 
-void SSLClientSocketNSS::Core::HandshakeSucceeded() {
+void SSLClientSocketNSS::Core::HandshakeSucceeded(bool is_initial) {
   DCHECK(OnNSSTaskRunner());
 
   PRBool last_handshake_resumed;
   SECStatus rv = SSL_HandshakeResumedSession(nss_fd_, &last_handshake_resumed);
   if (rv == SECSuccess && last_handshake_resumed) {
     nss_handshake_state_.resumed_handshake = true;
   } else {
     nss_handshake_state_.resumed_handshake = false;
   }
 
   RecordChannelIDSupportOnNSSTaskRunner();
   UpdateServerCert();
   UpdateSignedCertTimestamps();
   UpdateStapledOCSPResponse();
   UpdateConnectionStatus();
   UpdateNextProto();
   UpdateExtensionUsed();
 
+  if (is_initial && IsRenegotiationAllowed()) {
+    // For compatibility, do not enforce RFC 5746 support. Per section 4.1,
+    // enforcement falls largely on the server.
+    //
+    // This is done in a callback rather than after SSL_ForceHandshake returns
+    // because SSL_ForceHandshake will otherwise greedly consume renegotiations
+    // before returning if Finished and HelloRequest are in the same
+    // record.
+    //
+    // Note that SSL_OptionSet should only be called for an initial
+    // handshake. See https://crbug.com/125299.
+    SECStatus rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
+                                 SSL_RENEGOTIATE_TRANSITIONAL);
+    DCHECK_EQ(SECSuccess, rv);
+  }
+
   // Update the network task runners view of the handshake state whenever
   // a handshake has completed.
   PostOrRunCallback(
       FROM_HERE, base::Bind(&Core::OnHandshakeStateUpdated, this,
                             nss_handshake_state_));
 }
 
 int SSLClientSocketNSS::Core::HandleNSSError(PRErrorCode nss_error) {
   DCHECK(OnNSSTaskRunner());
 
@@ skipping 110 matching lines @@
   } else if (client_auth_cert_needed_) {
     net_error = ERR_SSL_CLIENT_AUTH_CERT_NEEDED;
     PostOrRunCallback(
         FROM_HERE,
         base::Bind(&AddLogEventWithCallback, weak_net_log_,
                    NetLog::TYPE_SSL_HANDSHAKE_ERROR,
                    CreateNetLogSSLErrorCallback(net_error, 0)));
   } else if (rv == SECSuccess) {
     if (!handshake_callback_called_) {
       false_started_ = true;
-      HandshakeSucceeded();
+      HandshakeSucceeded(true);
     }
   } else {
     PRErrorCode prerr = PR_GetError();
     net_error = HandleNSSError(prerr);
 
     // If not done, stay in this state
     if (net_error == ERR_IO_PENDING) {
       GotoState(STATE_HANDSHAKE);
     } else {
       PostOrRunCallback(
@@ skipping 652 matching lines @@
   } else {
     rv = SSL_HandshakeNegotiatedExtension(nss_fd_,
                                           ssl_next_proto_nego_xtn,
                                           &negotiated_extension);
     if (rv == SECSuccess && negotiated_extension) {
       nss_handshake_state_.negotiation_extension_ = kExtensionNPN;
     }
   }
 }
 
+bool SSLClientSocketNSS::Core::IsRenegotiationAllowed() const {
+  DCHECK(OnNSSTaskRunner());
+
+  if (nss_handshake_state_.next_proto_status == kNextProtoUnsupported)
+    return ssl_config_.renego_allowed_default;
+
+  NextProto next_proto = NextProtoFromString(nss_handshake_state_.next_proto);
+  for (NextProto allowed : ssl_config_.renego_allowed_for_protos) {
+    if (next_proto == allowed)
+      return true;
+  }
+  return false;
+}
+
 void SSLClientSocketNSS::Core::RecordChannelIDSupportOnNSSTaskRunner() {
   DCHECK(OnNSSTaskRunner());
   if (nss_handshake_state_.resumed_handshake)
     return;
 
   // Copy the NSS task runner-only state to the network task runner and
   // log histograms from there, since the histograms also need access to the
   // network task runner state.
   PostOrRunCallback(
       FROM_HERE,
@@ skipping 651 matching lines @@
   if (rv != SECSuccess) {
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_SESSION_TICKETS");
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_FALSE_START,
                      ssl_config_.false_start_enabled);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_FALSE_START");
 
-  // We allow servers to request renegotiation. Since we're a client,
-  // prohibiting this is rather a waste of time. Only servers are in a
-  // position to prevent renegotiation attacks.
-  // http://extendedsubset.com/?p=8
-
-  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION,
-                     SSL_RENEGOTIATE_TRANSITIONAL);
+  // By default, renegotiations are rejected. After the initial handshake
+  // completes, some application protocols may re-enable it.
+  rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_NEVER);
   if (rv != SECSuccess) {
     LogFailedNSSFunction(
         net_log_, "SSL_OptionSet", "SSL_ENABLE_RENEGOTIATION");
   }
 
   rv = SSL_OptionSet(nss_fd_, SSL_CBC_RANDOM_IV, PR_TRUE);
   if (rv != SECSuccess)
     LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_CBC_RANDOM_IV");
 
 // Added in NSS 3.15
@@ skipping 363 matching lines @@
 scoped_refptr<X509Certificate>
 SSLClientSocketNSS::GetUnverifiedServerCertificateChain() const {
   return core_->state().server_cert.get();
 }
 
 ChannelIDService* SSLClientSocketNSS::GetChannelIDService() const {
   return channel_id_service_;
 }
 
 }  // namespace net