commit 9fb6e2e203786096c4bdb9c2c16845fbeb85d5d4
author Hanno Becker <hanno.becker@arm.com> Tue Feb 05 17:00:50 2019 +0000
committer Hanno Becker <hanno.becker@arm.com> Wed Jun 19 10:25:01 2019 +0100
tree f64d432fe9fe01cd0ca4795af6e2e9c22bc6aa42
parent c88289a64d211c27a0b307566ebfffa629077ecb

Extend mbedtls_ssl_session by buffer holding peer CRT digest

include/mbedtls/ssl.h

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 9ae3ee1..5df5eb1 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -812,6 +812,22 @@
 typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
 
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN  48
+#if defined(MBEDTLS_SHA256_C)
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN  32
+#elif defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA384
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN  48
+#elif defined(MBEDTLS_SHA1_C)
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA1
+#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN  20
+#else
+#error "Bad configuration - need SHA-1, SHA-256 or SHA-512 enabled to compute digest of peer CRT."
+#endif
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
 /*
  * This structure is used for storing current session data.
  *
@@ -835,7 +851,14 @@
     unsigned char master[48];   /*!< the master secret  */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-    mbedtls_x509_crt *peer_cert;        /*!< peer X.509 cert chain */
+    mbedtls_x509_crt *peer_cert;       /*!< peer X.509 cert chain */
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    /*! The digest of the peer's end-CRT. This must be kept to detect CRT
+     *  changes during renegotiation, mitigating the triple handshake attack. */
+    unsigned char *peer_cert_digest;
+    size_t peer_cert_digest_len;
+    mbedtls_md_type_t peer_cert_digest_type;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
     uint32_t verify_result;          /*!<  verification result     */
 

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4d7c624..2fa48b6 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -393,6 +393,22 @@
             return( ret );
         }
     }
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    if( src->peer_cert_digest != NULL )
+    {
+        dst->peer_cert_digest_len = src->peer_cert_digest_len;
+        dst->peer_cert_digest =
+            mbedtls_calloc( 1, dst->peer_cert_digest_len );
+        if( dst->peer_cert_digest == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        memcpy( dst->peer_cert_digest, src->peer_cert_digest,
+                src->peer_cert_digest_len );
+        dst->peer_cert_digest_type = src->peer_cert_digest_type;
+    }
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
@@ -6147,6 +6163,17 @@
         mbedtls_free( session->peer_cert );
         session->peer_cert = NULL;
     }
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    if( session->peer_cert_digest != NULL )
+    {
+        /* Zeroization is not necessary. */
+        mbedtls_free( session->peer_cert_digest );
+        session->peer_cert_digest      = NULL;
+        session->peer_cert_digest_type = MBEDTLS_MD_NONE;
+        session->peer_cert_digest_len  = 0;
+    }
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 }
 
 /*