File gnutls-CVE-2020-24659.patch of Package gnutls.32646

Overview Repositories Revisions Requests Users Attributes Meta

File gnutls-CVE-2020-24659.patch of Package gnutls.32646

commit 521e6492b9bbc8ec1519924526942cf2fc719497
Author: Daiki Ueno <ueno@gnu.org>
Date:   Sat Aug 22 17:19:39 2020 +0200

handshake: reject no_renegotiation alert if handshake is incomplete
    
    If the initial handshake is incomplete and the server sends a
    no_renegotiation alert, the client should treat it as a fatal error
    even if its level is warning.  Otherwise the same handshake
    state (e.g., DHE parameters) are reused in the next gnutls_handshake
    call, if it is called in the loop idiom:
    
      do {
              ret = gnutls_handshake(session);
      } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
    
    Signed-off-by: Daiki Ueno <ueno@gnu.org>

Index: gnutls-3.6.7/lib/gnutls_int.h
===================================================================
--- gnutls-3.6.7.orig/lib/gnutls_int.h	2020-09-14 14:48:26.817591531 +0200
+++ gnutls-3.6.7/lib/gnutls_int.h	2020-09-14 14:48:59.497822903 +0200
@@ -1360,6 +1360,7 @@ typedef struct {
 #define HSK_RECORD_SIZE_LIMIT_NEGOTIATED (1<<24)
 #define HSK_RECORD_SIZE_LIMIT_SENT (1<<25) /* record_size_limit extension was sent */
 #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
+#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
 
 	/* The hsk_flags are for use within the ongoing handshake;
 	 * they are reset to zero prior to handshake start by gnutls_handshake. */
Index: gnutls-3.6.7/lib/handshake.c
===================================================================
--- gnutls-3.6.7.orig/lib/handshake.c	2020-09-14 14:48:25.789584252 +0200
+++ gnutls-3.6.7/lib/handshake.c	2020-09-14 14:50:23.626418528 +0200
@@ -2038,6 +2038,8 @@ read_server_hello(gnutls_session_t sessi
 		goto cleanup;
 	}
 
+	session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
+
 cleanup:
 
 	return ret;
@@ -2636,16 +2638,42 @@ int gnutls_rehandshake(gnutls_session_t
 	return 0;
 }
 
+/* This function checks whether the error code should be treated fatal
+ * or not, and also does the necessary state transition.  In
+ * particular, in the case of a rehandshake abort it resets the
+ * handshake's internal state.
+ */
 inline static int
 _gnutls_abort_handshake(gnutls_session_t session, int ret)
 {
-	if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
-	     (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
-	    || ret == GNUTLS_E_GOT_APPLICATION_DATA)
-		return 0;
+	switch (ret) {
+	case GNUTLS_E_WARNING_ALERT_RECEIVED:
+		if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
+			/* The server always toleretes a "no_renegotiation" alert. */
+			if (session->security_parameters.entity == GNUTLS_SERVER) {
+				STATE = STATE0;
+				return ret;
+			}
 
-	/* this doesn't matter */
-	return GNUTLS_E_INTERNAL_ERROR;
+			/* The client should tolerete a "no_renegotiation" alert only if:
+			 * - the initial handshake has completed, or
+			 * - a Server Hello is not yet received
+			 */
+			if (session->internals.initial_negotiation_completed ||
+			    !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
+				STATE = STATE0;
+				return ret;
+			}
+
+			return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
+		}
+		return ret;
+	case GNUTLS_E_GOT_APPLICATION_DATA:
+		STATE = STATE0;
+		return ret;
+	default:
+		return ret;
+	}
 }
 
 
@@ -2807,13 +2835,7 @@ int gnutls_handshake(gnutls_session_t se
 	}
 
 	if (ret < 0) {
-		/* In the case of a rehandshake abort
-		 * we should reset the handshake's internal state.
-		 */
-		if (_gnutls_abort_handshake(session, ret) == 0)
-			STATE = STATE0;
-
-		return ret;
+		return _gnutls_abort_handshake(session, ret);
 	}
 
 	/* clear handshake buffer */

Places

File gnutls-CVE-2020-24659.patch of Package gnutls.32646

Places