1 --- openssl-1.0.1e.orig/crypto/evp/evp.h 2013-03-05 18:49:33.183296743 +0000 2 +++ openssl-1.0.1e/crypto/evp/evp.h 2013-03-05 18:49:33.373298798 +0000 3 @@ -921,6 +921,7 @@ struct ec_key_st *EVP_PKEY_get1_EC_KEY(E 4 #endif 5 6 EVP_PKEY * EVP_PKEY_new(void); 7 +EVP_PKEY * EVP_PKEY_dup(EVP_PKEY *pkey); 8 void EVP_PKEY_free(EVP_PKEY *pkey); 9 10 EVP_PKEY * d2i_PublicKey(int type,EVP_PKEY **a, const unsigned char **pp, 11 --- openssl-1.0.1e.orig/crypto/evp/p_lib.c 2013-03-05 18:49:33.183296743 +0000 12 +++ openssl-1.0.1e/crypto/evp/p_lib.c 2013-03-05 18:49:33.373298798 +0000 13 @@ -200,6 +200,12 @@ EVP_PKEY *EVP_PKEY_new(void) 14 return(ret); 15 } 16 17 +EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey) 18 + { 19 + CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); 20 + return pkey; 21 + } 22 + 23 /* Setup a public key ASN1 method and ENGINE from a NID or a string. 24 * If pkey is NULL just return 1 or 0 if the algorithm exists. 25 */ 26 --- openssl-1.0.1e.orig/ssl/s3_both.c 2013-03-05 18:49:33.233297282 +0000 27 +++ openssl-1.0.1e/ssl/s3_both.c 2013-03-05 18:49:33.413299231 +0000 28 @@ -555,7 +555,8 @@ long ssl3_get_message(SSL *s, int st1, i 29 #endif 30 31 /* Feed this message into MAC computation. */ 32 - ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); 33 + if (*(unsigned char*)s->init_buf->data != SSL3_MT_ENCRYPTED_EXTENSIONS) 34 + ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); 35 if (s->msg_callback) 36 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg); 37 *ok=1; 38 --- openssl-1.0.1e.orig/ssl/s3_clnt.c 2013-03-05 18:49:33.233297282 +0000 39 +++ openssl-1.0.1e/ssl/s3_clnt.c 2013-03-05 18:49:33.413299231 +0000 40 @@ -477,13 +477,14 @@ int ssl3_connect(SSL *s) 41 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 42 if (ret <= 0) goto end; 43 44 -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 45 s->state=SSL3_ST_CW_FINISHED_A; 46 -#else 47 +#if !defined(OPENSSL_NO_TLSEXT) 48 + if (s->s3->tlsext_channel_id_valid) 49 + s->state=SSL3_ST_CW_CHANNEL_ID_A; 50 +# if !defined(OPENSSL_NO_NEXTPROTONEG) 51 if (s->s3->next_proto_neg_seen) 52 s->state=SSL3_ST_CW_NEXT_PROTO_A; 53 - else 54 - s->state=SSL3_ST_CW_FINISHED_A; 55 +# endif 56 #endif 57 s->init_num=0; 58 59 @@ -517,6 +518,18 @@ int ssl3_connect(SSL *s) 60 case SSL3_ST_CW_NEXT_PROTO_B: 61 ret=ssl3_send_next_proto(s); 62 if (ret <= 0) goto end; 63 + if (s->s3->tlsext_channel_id_valid) 64 + s->state=SSL3_ST_CW_CHANNEL_ID_A; 65 + else 66 + s->state=SSL3_ST_CW_FINISHED_A; 67 + break; 68 +#endif 69 + 70 +#if !defined(OPENSSL_NO_TLSEXT) 71 + case SSL3_ST_CW_CHANNEL_ID_A: 72 + case SSL3_ST_CW_CHANNEL_ID_B: 73 + ret=ssl3_send_channel_id(s); 74 + if (ret <= 0) goto end; 75 s->state=SSL3_ST_CW_FINISHED_A; 76 break; 77 #endif 78 @@ -3362,7 +3375,8 @@ err: 79 return(0); 80 } 81 82 -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 83 +#if !defined(OPENSSL_NO_TLSEXT) 84 +# if !defined(OPENSSL_NO_NEXTPROTONEG) 85 int ssl3_send_next_proto(SSL *s) 86 { 87 unsigned int len, padding_len; 88 @@ -3386,7 +3400,116 @@ int ssl3_send_next_proto(SSL *s) 89 90 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 91 } 92 -#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ 93 +# endif /* !OPENSSL_NO_NEXTPROTONEG */ 94 + 95 +int ssl3_send_channel_id(SSL *s) 96 + { 97 + unsigned char *d; 98 + int ret = -1, public_key_len; 99 + EVP_MD_CTX md_ctx; 100 + size_t sig_len; 101 + ECDSA_SIG *sig = NULL; 102 + unsigned char *public_key = NULL, *derp, *der_sig = NULL; 103 + 104 + if (s->state != SSL3_ST_CW_CHANNEL_ID_A) 105 + return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 106 + 107 + d = (unsigned char *)s->init_buf->data; 108 + *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS; 109 + l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d); 110 + s2n(TLSEXT_TYPE_channel_id, d); 111 + s2n(TLSEXT_CHANNEL_ID_SIZE, d); 112 + 113 + EVP_MD_CTX_init(&md_ctx); 114 + 115 + public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL); 116 + if (public_key_len <= 0) 117 + { 118 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY); 119 + goto err; 120 + } 121 + // i2d_PublicKey will produce an ANSI X9.62 public key which, for a 122 + // P-256 key, is 0x04 (meaning uncompressed) followed by the x and y 123 + // field elements as 32-byte, big-endian numbers. 124 + if (public_key_len != 65) 125 + { 126 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CHANNEL_ID_NOT_P256); 127 + goto err; 128 + } 129 + public_key = OPENSSL_malloc(public_key_len); 130 + if (!public_key) 131 + { 132 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE); 133 + goto err; 134 + } 135 + 136 + derp = public_key; 137 + i2d_PublicKey(s->tlsext_channel_id_private, &derp); 138 + 139 + if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, 140 + s->tlsext_channel_id_private) != 1) 141 + { 142 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNINIT_FAILED); 143 + goto err; 144 + } 145 + 146 + if (!tls1_channel_id_hash(&md_ctx, s)) 147 + goto err; 148 + 149 + if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len)) 150 + { 151 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED); 152 + goto err; 153 + } 154 + 155 + der_sig = OPENSSL_malloc(sig_len); 156 + if (!der_sig) 157 + { 158 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE); 159 + goto err; 160 + } 161 + 162 + if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len)) 163 + { 164 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED); 165 + goto err; 166 + } 167 + 168 + derp = der_sig; 169 + sig = d2i_ECDSA_SIG(NULL, (const unsigned char**)&derp, sig_len); 170 + if (sig == NULL) 171 + { 172 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_D2I_ECDSA_SIG); 173 + goto err; 174 + } 175 + 176 + // The first byte of public_key will be 0x4, denoting an uncompressed key. 177 + memcpy(d, public_key + 1, 64); 178 + d += 64; 179 + memset(d, 0, 2 * 32); 180 + BN_bn2bin(sig->r, d + 32 - BN_num_bytes(sig->r)); 181 + d += 32; 182 + BN_bn2bin(sig->s, d + 32 - BN_num_bytes(sig->s)); 183 + d += 32; 184 + 185 + s->state = SSL3_ST_CW_CHANNEL_ID_B; 186 + s->init_num = 4 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE; 187 + s->init_off = 0; 188 + 189 + ret = ssl3_do_write(s, SSL3_RT_HANDSHAKE); 190 + 191 +err: 192 + EVP_MD_CTX_cleanup(&md_ctx); 193 + if (public_key) 194 + OPENSSL_free(public_key); 195 + if (der_sig) 196 + OPENSSL_free(der_sig); 197 + if (sig) 198 + ECDSA_SIG_free(sig); 199 + 200 + return ret; 201 + } 202 +#endif /* !OPENSSL_NO_TLSEXT */ 203 204 /* Check to see if handshake is full or resumed. Usually this is just a 205 * case of checking to see if a cache hit has occurred. In the case of 206 --- openssl-1.0.1e.orig/ssl/s3_lib.c 2013-03-05 18:49:33.223297173 +0000 207 +++ openssl-1.0.1e/ssl/s3_lib.c 2013-03-05 18:49:33.413299231 +0000 208 @@ -2951,6 +2951,11 @@ int ssl3_new(SSL *s) 209 #ifndef OPENSSL_NO_SRP 210 SSL_SRP_CTX_init(s); 211 #endif 212 +#if !defined(OPENSSL_NO_TLSEXT) 213 + s->tlsext_channel_id_enabled = s->ctx->tlsext_channel_id_enabled; 214 + if (s->ctx->tlsext_channel_id_private) 215 + s->tlsext_channel_id_private = EVP_PKEY_dup(s->ctx->tlsext_channel_id_private); 216 +#endif 217 s->method->ssl_clear(s); 218 return(1); 219 err: 220 @@ -3074,6 +3079,10 @@ void ssl3_clear(SSL *s) 221 s->next_proto_negotiated_len = 0; 222 } 223 #endif 224 + 225 +#if !defined(OPENSSL_NO_TLSEXT) 226 + s->s3->tlsext_channel_id_valid = 0; 227 +#endif 228 } 229 230 #ifndef OPENSSL_NO_SRP 231 @@ -3348,6 +3357,35 @@ long ssl3_ctrl(SSL *s, int cmd, long lar 232 ret = 1; 233 break; 234 #endif 235 + case SSL_CTRL_CHANNEL_ID: 236 + if (!s->server) 237 + break; 238 + s->tlsext_channel_id_enabled = 1; 239 + ret = 1; 240 + break; 241 + 242 + case SSL_CTRL_SET_CHANNEL_ID: 243 + if (s->server) 244 + break; 245 + s->tlsext_channel_id_enabled = 1; 246 + if (EVP_PKEY_bits(parg) != 256) 247 + { 248 + SSLerr(SSL_F_SSL3_CTRL,SSL_R_CHANNEL_ID_NOT_P256); 249 + break; 250 + } 251 + if (s->tlsext_channel_id_private) 252 + EVP_PKEY_free(s->tlsext_channel_id_private); 253 + s->tlsext_channel_id_private = (EVP_PKEY*) parg; 254 + ret = 1; 255 + break; 256 + 257 + case SSL_CTRL_GET_CHANNEL_ID: 258 + if (!s->server) 259 + break; 260 + if (!s->s3->tlsext_channel_id_valid) 261 + break; 262 + memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64); 263 + return 64; 264 265 #endif /* !OPENSSL_NO_TLSEXT */ 266 default: 267 @@ -3569,6 +3607,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd 268 } 269 return 1; 270 } 271 + case SSL_CTRL_CHANNEL_ID: 272 + /* must be called on a server */ 273 + if (ctx->method->ssl_accept == ssl_undefined_function) 274 + return 0; 275 + ctx->tlsext_channel_id_enabled=1; 276 + return 1; 277 278 #ifdef TLSEXT_TYPE_opaque_prf_input 279 case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG: 280 @@ -3637,6 +3681,18 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd 281 } 282 break; 283 284 + case SSL_CTRL_SET_CHANNEL_ID: 285 + ctx->tlsext_channel_id_enabled = 1; 286 + if (EVP_PKEY_bits(parg) != 256) 287 + { 288 + SSLerr(SSL_F_SSL3_CTX_CTRL,SSL_R_CHANNEL_ID_NOT_P256); 289 + break; 290 + } 291 + if (ctx->tlsext_channel_id_private) 292 + EVP_PKEY_free(ctx->tlsext_channel_id_private); 293 + ctx->tlsext_channel_id_private = (EVP_PKEY*) parg; 294 + break; 295 + 296 default: 297 return(0); 298 } 299 --- openssl-1.0.1e.orig/ssl/s3_srvr.c 2013-03-05 18:49:33.233297282 +0000 300 +++ openssl-1.0.1e/ssl/s3_srvr.c 2013-03-05 18:49:33.413299231 +0000 301 @@ -157,8 +157,11 @@ 302 #include <openssl/buffer.h> 303 #include <openssl/rand.h> 304 #include <openssl/objects.h> 305 +#include <openssl/ec.h> 306 +#include <openssl/ecdsa.h> 307 #include <openssl/evp.h> 308 #include <openssl/hmac.h> 309 +#include <openssl/sha.h> 310 #include <openssl/x509.h> 311 #ifndef OPENSSL_NO_DH 312 #include <openssl/dh.h> 313 @@ -609,15 +612,8 @@ int ssl3_accept(SSL *s) 314 * the client uses its key from the certificate 315 * for key exchange. 316 */ 317 -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 318 - s->state=SSL3_ST_SR_FINISHED_A; 319 -#else 320 - if (s->s3->next_proto_neg_seen) 321 - s->state=SSL3_ST_SR_NEXT_PROTO_A; 322 - else 323 - s->state=SSL3_ST_SR_FINISHED_A; 324 -#endif 325 s->init_num = 0; 326 + s->state=SSL3_ST_SR_POST_CLIENT_CERT; 327 } 328 else if (TLS1_get_version(s) >= TLS1_2_VERSION) 329 { 330 @@ -677,16 +673,28 @@ int ssl3_accept(SSL *s) 331 ret=ssl3_get_cert_verify(s); 332 if (ret <= 0) goto end; 333 334 -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 335 - s->state=SSL3_ST_SR_FINISHED_A; 336 -#else 337 - if (s->s3->next_proto_neg_seen) 338 + s->state=SSL3_ST_SR_POST_CLIENT_CERT; 339 + s->init_num=0; 340 + break; 341 + 342 + case SSL3_ST_SR_POST_CLIENT_CERT: { 343 + char next_proto_neg = 0; 344 + char channel_id = 0; 345 +#if !defined(OPENSSL_NO_TLSEXT) 346 +# if !defined(OPENSSL_NO_NEXTPROTONEG) 347 + next_proto_neg = s->s3->next_proto_neg_seen; 348 +# endif 349 + channel_id = s->s3->tlsext_channel_id_valid; 350 +#endif 351 + 352 + if (next_proto_neg) 353 s->state=SSL3_ST_SR_NEXT_PROTO_A; 354 + else if (channel_id) 355 + s->state=SSL3_ST_SR_CHANNEL_ID_A; 356 else 357 s->state=SSL3_ST_SR_FINISHED_A; 358 -#endif 359 - s->init_num=0; 360 break; 361 + } 362 363 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 364 case SSL3_ST_SR_NEXT_PROTO_A: 365 @@ -694,6 +702,19 @@ int ssl3_accept(SSL *s) 366 ret=ssl3_get_next_proto(s); 367 if (ret <= 0) goto end; 368 s->init_num = 0; 369 + if (s->s3->tlsext_channel_id_valid) 370 + s->state=SSL3_ST_SR_CHANNEL_ID_A; 371 + else 372 + s->state=SSL3_ST_SR_FINISHED_A; 373 + break; 374 +#endif 375 + 376 +#if !defined(OPENSSL_NO_TLSEXT) 377 + case SSL3_ST_SR_CHANNEL_ID_A: 378 + case SSL3_ST_SR_CHANNEL_ID_B: 379 + ret=ssl3_get_channel_id(s); 380 + if (ret <= 0) goto end; 381 + s->init_num = 0; 382 s->state=SSL3_ST_SR_FINISHED_A; 383 break; 384 #endif 385 @@ -765,16 +786,7 @@ int ssl3_accept(SSL *s) 386 if (ret <= 0) goto end; 387 s->state=SSL3_ST_SW_FLUSH; 388 if (s->hit) 389 - { 390 -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 391 - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 392 -#else 393 - if (s->s3->next_proto_neg_seen) 394 - s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; 395 - else 396 - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 397 -#endif 398 - } 399 + s->s3->tmp.next_state=SSL3_ST_SR_POST_CLIENT_CERT; 400 else 401 s->s3->tmp.next_state=SSL_ST_OK; 402 s->init_num=0; 403 @@ -3610,4 +3622,140 @@ int ssl3_get_next_proto(SSL *s) 404 return 1; 405 } 406 # endif 407 + 408 +/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */ 409 +int ssl3_get_channel_id(SSL *s) 410 + { 411 + int ret = -1, ok; 412 + long n; 413 + const unsigned char *p; 414 + unsigned short extension_type, extension_len; 415 + EC_GROUP* p256 = NULL; 416 + EC_KEY* key = NULL; 417 + EC_POINT* point = NULL; 418 + ECDSA_SIG sig; 419 + BIGNUM x, y; 420 + 421 + if (s->state == SSL3_ST_SR_CHANNEL_ID_A && s->init_num == 0) 422 + { 423 + /* The first time that we're called we take the current 424 + * handshake hash and store it. */ 425 + EVP_MD_CTX md_ctx; 426 + unsigned int len; 427 + 428 + EVP_MD_CTX_init(&md_ctx); 429 + EVP_DigestInit_ex(&md_ctx, EVP_sha256(), NULL); 430 + if (!tls1_channel_id_hash(&md_ctx, s)) 431 + return -1; 432 + len = sizeof(s->s3->tlsext_channel_id); 433 + EVP_DigestFinal(&md_ctx, s->s3->tlsext_channel_id, &len); 434 + EVP_MD_CTX_cleanup(&md_ctx); 435 + } 436 + 437 + n = s->method->ssl_get_message(s, 438 + SSL3_ST_SR_CHANNEL_ID_A, 439 + SSL3_ST_SR_CHANNEL_ID_B, 440 + SSL3_MT_ENCRYPTED_EXTENSIONS, 441 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE, 442 + &ok); 443 + 444 + if (!ok) 445 + return((int)n); 446 + 447 + ssl3_finish_mac(s, (unsigned char*)s->init_buf->data, s->init_num + 4); 448 + 449 + /* s->state doesn't reflect whether ChangeCipherSpec has been received 450 + * in this handshake, but s->s3->change_cipher_spec does (will be reset 451 + * by ssl3_get_finished). */ 452 + if (!s->s3->change_cipher_spec) 453 + { 454 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS); 455 + return -1; 456 + } 457 + 458 + if (n != 2 + 2 + TLSEXT_CHANNEL_ID_SIZE) 459 + { 460 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE); 461 + return -1; 462 + } 463 + 464 + p = (unsigned char *)s->init_msg; 465 + 466 + /* The payload looks like: 467 + * uint16 extension_type 468 + * uint16 extension_len; 469 + * uint8 x[32]; 470 + * uint8 y[32]; 471 + * uint8 r[32]; 472 + * uint8 s[32]; 473 + */ 474 + n2s(p, extension_type); 475 + n2s(p, extension_len); 476 + 477 + if (extension_type != TLSEXT_TYPE_channel_id || 478 + extension_len != TLSEXT_CHANNEL_ID_SIZE) 479 + { 480 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE); 481 + return -1; 482 + } 483 + 484 + p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); 485 + if (!p256) 486 + { 487 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_NO_P256_SUPPORT); 488 + return -1; 489 + } 490 + 491 + BN_init(&x); 492 + BN_init(&y); 493 + sig.r = BN_new(); 494 + sig.s = BN_new(); 495 + 496 + if (BN_bin2bn(p + 0, 32, &x) == NULL || 497 + BN_bin2bn(p + 32, 32, &y) == NULL || 498 + BN_bin2bn(p + 64, 32, sig.r) == NULL || 499 + BN_bin2bn(p + 96, 32, sig.s) == NULL) 500 + goto err; 501 + 502 + point = EC_POINT_new(p256); 503 + if (!point || 504 + !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL)) 505 + goto err; 506 + 507 + key = EC_KEY_new(); 508 + if (!key || 509 + !EC_KEY_set_group(key, p256) || 510 + !EC_KEY_set_public_key(key, point)) 511 + goto err; 512 + 513 + /* We stored the handshake hash in |tlsext_channel_id| the first time 514 + * that we were called. */ 515 + switch (ECDSA_do_verify(s->s3->tlsext_channel_id, SHA256_DIGEST_LENGTH, &sig, key)) { 516 + case 1: 517 + break; 518 + case 0: 519 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_CHANNEL_ID_SIGNATURE_INVALID); 520 + s->s3->tlsext_channel_id_valid = 0; 521 + goto err; 522 + default: 523 + s->s3->tlsext_channel_id_valid = 0; 524 + goto err; 525 + } 526 + 527 + memcpy(s->s3->tlsext_channel_id, p, 64); 528 + ret = 1; 529 + 530 +err: 531 + BN_free(&x); 532 + BN_free(&y); 533 + BN_free(sig.r); 534 + BN_free(sig.s); 535 + if (key) 536 + EC_KEY_free(key); 537 + if (point) 538 + EC_POINT_free(point); 539 + if (p256) 540 + EC_GROUP_free(p256); 541 + return ret; 542 + } 543 #endif 544 --- openssl-1.0.1e.orig/ssl/ssl.h 2013-03-05 18:49:33.233297282 +0000 545 +++ openssl-1.0.1e/ssl/ssl.h 2013-03-05 18:49:33.413299231 +0000 546 @@ -981,6 +981,12 @@ struct ssl_ctx_st 547 # endif 548 /* SRTP profiles we are willing to do from RFC 5764 */ 549 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; 550 + 551 + /* If true, a client will advertise the Channel ID extension and a 552 + * server will echo it. */ 553 + char tlsext_channel_id_enabled; 554 + /* The client's Channel ID private key. */ 555 + EVP_PKEY *tlsext_channel_id_private; 556 #endif 557 }; 558 559 @@ -1022,6 +1028,10 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions( 560 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL) 561 #define SSL_CTX_sess_cache_full(ctx) \ 562 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) 563 +/* SSL_CTX_enable_tls_channel_id configures a TLS server to accept TLS client 564 + * IDs from clients. Returns 1 on success. */ 565 +#define SSL_CTX_enable_tls_channel_id(ctx) \ 566 + SSL_CTX_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL) 567 568 void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess)); 569 int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); 570 @@ -1348,6 +1358,13 @@ struct ssl_st 571 */ 572 unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */ 573 unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */ 574 + 575 + /* Copied from the SSL_CTX. For a server, means that we'll accept 576 + * Channel IDs from clients. For a client, means that we'll advertise 577 + * support. */ 578 + char tlsext_channel_id_enabled; 579 + /* The client's Channel ID private key. */ 580 + EVP_PKEY *tlsext_channel_id_private; 581 #else 582 #define session_ctx ctx 583 #endif /* OPENSSL_NO_TLSEXT */ 584 @@ -1605,6 +1622,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 585 #define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86 586 #define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87 587 #endif 588 +#define SSL_CTRL_CHANNEL_ID 88 589 +#define SSL_CTRL_GET_CHANNEL_ID 89 590 +#define SSL_CTRL_SET_CHANNEL_ID 90 591 #endif 592 593 #define DTLS_CTRL_GET_TIMEOUT 73 594 @@ -1652,6 +1672,25 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 595 #define SSL_set_tmp_ecdh(ssl,ecdh) \ 596 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) 597 598 +/* SSL_enable_tls_channel_id configures a TLS server to accept TLS client 599 + * IDs from clients. Returns 1 on success. */ 600 +#define SSL_enable_tls_channel_id(ctx) \ 601 + SSL_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL) 602 +/* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to 603 + * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on 604 + * success. */ 605 +#define SSL_set1_tls_channel_id(s, private_key) \ 606 + SSL_ctrl(s,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key) 607 +#define SSL_CTX_set1_tls_channel_id(ctx, private_key) \ 608 + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key) 609 +/* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server SSL* 610 + * and copies up to the first |channel_id_len| bytes into |channel_id|. The 611 + * Channel ID consists of the client's P-256 public key as an (x,y) pair where 612 + * each is a 32-byte, big-endian field element. Returns 0 if the client didn't 613 + * offer a Channel ID and the length of the complete Channel ID otherwise. */ 614 +#define SSL_get_tls_channel_id(ctx, channel_id, channel_id_len) \ 615 + SSL_ctrl(ctx,SSL_CTRL_GET_CHANNEL_ID,channel_id_len,(void*)channel_id) 616 + 617 #define SSL_CTX_add_extra_chain_cert(ctx,x509) \ 618 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) 619 #define SSL_CTX_get_extra_chain_certs(ctx,px509) \ 620 @@ -1686,6 +1725,7 @@ int SSL_CIPHER_get_bits(const SSL_CIPHER 621 char * SSL_CIPHER_get_version(const SSL_CIPHER *c); 622 const char * SSL_CIPHER_get_name(const SSL_CIPHER *c); 623 unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c); 624 +const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher); 625 626 int SSL_get_fd(const SSL *s); 627 int SSL_get_rfd(const SSL *s); 628 @@ -2149,6 +2189,7 @@ void ERR_load_SSL_strings(void); 629 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135 630 #define SSL_F_SSL3_GET_CERT_STATUS 289 631 #define SSL_F_SSL3_GET_CERT_VERIFY 136 632 +#define SSL_F_SSL3_GET_CHANNEL_ID 317 633 #define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137 634 #define SSL_F_SSL3_GET_CLIENT_HELLO 138 635 #define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139 636 @@ -2168,6 +2209,7 @@ void ERR_load_SSL_strings(void); 637 #define SSL_F_SSL3_READ_BYTES 148 638 #define SSL_F_SSL3_READ_N 149 639 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 640 +#define SSL_F_SSL3_SEND_CHANNEL_ID 318 641 #define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151 642 #define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152 643 #define SSL_F_SSL3_SEND_CLIENT_VERIFY 153 644 @@ -2335,12 +2377,15 @@ void ERR_load_SSL_strings(void); 645 #define SSL_R_BIO_NOT_SET 128 646 #define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129 647 #define SSL_R_BN_LIB 130 648 +#define SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY 376 649 #define SSL_R_CA_DN_LENGTH_MISMATCH 131 650 #define SSL_R_CA_DN_TOO_LONG 132 651 #define SSL_R_CCS_RECEIVED_EARLY 133 652 #define SSL_R_CERTIFICATE_VERIFY_FAILED 134 653 #define SSL_R_CERT_LENGTH_MISMATCH 135 654 #define SSL_R_CHALLENGE_IS_DIFFERENT 136 655 +#define SSL_R_CHANNEL_ID_NOT_P256 375 656 +#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 371 657 #define SSL_R_CIPHER_CODE_WRONG_LENGTH 137 658 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138 659 #define SSL_R_CIPHER_TABLE_SRC_ERROR 139 660 @@ -2353,6 +2398,7 @@ void ERR_load_SSL_strings(void); 661 #define SSL_R_CONNECTION_ID_IS_DIFFERENT 143 662 #define SSL_R_CONNECTION_TYPE_NOT_SET 144 663 #define SSL_R_COOKIE_MISMATCH 308 664 +#define SSL_R_D2I_ECDSA_SIG 379 665 #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 666 #define SSL_R_DATA_LENGTH_TOO_LONG 146 667 #define SSL_R_DECRYPTION_FAILED 147 668 @@ -2370,9 +2416,12 @@ void ERR_load_SSL_strings(void); 669 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 670 #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282 671 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 672 +#define SSL_R_EVP_DIGESTSIGNFINAL_FAILED 377 673 +#define SSL_R_EVP_DIGESTSIGNINIT_FAILED 378 674 #define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 675 #define SSL_R_EXTRA_DATA_IN_MESSAGE 153 676 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 677 +#define SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS 372 678 #define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355 679 #define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356 680 #define SSL_R_HTTPS_PROXY_REQUEST 155 681 @@ -2382,6 +2431,7 @@ void ERR_load_SSL_strings(void); 682 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 683 #define SSL_R_INVALID_COMMAND 280 684 #define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 685 +#define SSL_R_INVALID_MESSAGE 374 686 #define SSL_R_INVALID_PURPOSE 278 687 #define SSL_R_INVALID_SRP_USERNAME 357 688 #define SSL_R_INVALID_STATUS_RESPONSE 328 689 @@ -2436,6 +2486,7 @@ void ERR_load_SSL_strings(void); 690 #define SSL_R_NO_COMPRESSION_SPECIFIED 187 691 #define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330 692 #define SSL_R_NO_METHOD_SPECIFIED 188 693 +#define SSL_R_NO_P256_SUPPORT 373 694 #define SSL_R_NO_PRIVATEKEY 189 695 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 696 #define SSL_R_NO_PROTOCOLS_AVAILABLE 191 697 --- openssl-1.0.1e.orig/ssl/ssl3.h 2013-03-05 18:49:33.223297173 +0000 698 +++ openssl-1.0.1e/ssl/ssl3.h 2013-03-05 18:49:33.413299231 +0000 699 @@ -539,6 +539,17 @@ typedef struct ssl3_state_st 700 /* Set if we saw the Next Protocol Negotiation extension from our peer. */ 701 int next_proto_neg_seen; 702 #endif 703 + 704 + /* In a client, this means that the server supported Channel ID and that 705 + * a Channel ID was sent. In a server it means that we echoed support 706 + * for Channel IDs and that tlsext_channel_id will be valid after the 707 + * handshake. */ 708 + char tlsext_channel_id_valid; 709 + /* For a server: 710 + * If |tlsext_channel_id_valid| is true, then this contains the 711 + * verified Channel ID from the client: a P256 point, (x,y), where 712 + * each are big-endian values. */ 713 + unsigned char tlsext_channel_id[64]; 714 } SSL3_STATE; 715 716 #endif 717 @@ -583,6 +594,8 @@ typedef struct ssl3_state_st 718 #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) 719 #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) 720 #endif 721 +#define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT) 722 +#define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT) 723 #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) 724 #define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) 725 /* read from server */ 726 @@ -632,10 +645,13 @@ typedef struct ssl3_state_st 727 #define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) 728 #define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) 729 #define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) 730 +#define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT) 731 #ifndef OPENSSL_NO_NEXTPROTONEG 732 #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) 733 #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) 734 #endif 735 +#define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT) 736 +#define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT) 737 #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) 738 #define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) 739 /* write to client */ 740 @@ -663,6 +679,7 @@ typedef struct ssl3_state_st 741 #ifndef OPENSSL_NO_NEXTPROTONEG 742 #define SSL3_MT_NEXT_PROTO 67 743 #endif 744 +#define SSL3_MT_ENCRYPTED_EXTENSIONS 203 745 #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 746 747 748 --- openssl-1.0.1e.orig/ssl/ssl_err.c 2013-03-05 18:49:33.243297392 +0000 749 +++ openssl-1.0.1e/ssl/ssl_err.c 2013-03-05 18:49:33.413299231 +0000 750 @@ -151,6 +151,7 @@ static ERR_STRING_DATA SSL_str_functs[]= 751 {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"}, 752 {ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"}, 753 {ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"}, 754 +{ERR_FUNC(SSL_F_SSL3_GET_CHANNEL_ID), "SSL3_GET_CHANNEL_ID"}, 755 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"}, 756 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"}, 757 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"}, 758 @@ -170,6 +171,7 @@ static ERR_STRING_DATA SSL_str_functs[]= 759 {ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"}, 760 {ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"}, 761 {ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"}, 762 +{ERR_FUNC(SSL_F_SSL3_SEND_CHANNEL_ID), "SSL3_SEND_CHANNEL_ID"}, 763 {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"}, 764 {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"}, 765 {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"}, 766 @@ -339,12 +341,15 @@ static ERR_STRING_DATA SSL_str_reasons[] 767 {ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"}, 768 {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"}, 769 {ERR_REASON(SSL_R_BN_LIB) ,"bn lib"}, 770 +{ERR_REASON(SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY),"cannot serialize public key"}, 771 {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"}, 772 {ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"}, 773 {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"}, 774 {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"}, 775 {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"}, 776 {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"}, 777 +{ERR_REASON(SSL_R_CHANNEL_ID_NOT_P256) ,"channel id not p256"}, 778 +{ERR_REASON(SSL_R_CHANNEL_ID_SIGNATURE_INVALID),"Channel ID signature invalid"}, 779 {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"}, 780 {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"}, 781 {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"}, 782 @@ -357,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[] 783 {ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"}, 784 {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"}, 785 {ERR_REASON(SSL_R_COOKIE_MISMATCH) ,"cookie mismatch"}, 786 +{ERR_REASON(SSL_R_D2I_ECDSA_SIG) ,"d2i ecdsa sig"}, 787 {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"}, 788 {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"}, 789 {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"}, 790 @@ -374,9 +380,12 @@ static ERR_STRING_DATA SSL_str_reasons[] 791 {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"}, 792 {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"}, 793 {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"}, 794 +{ERR_REASON(SSL_R_EVP_DIGESTSIGNFINAL_FAILED),"evp digestsignfinal failed"}, 795 +{ERR_REASON(SSL_R_EVP_DIGESTSIGNINIT_FAILED),"evp digestsigninit failed"}, 796 {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"}, 797 {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"}, 798 {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"}, 799 +{ERR_REASON(SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS),"got Channel ID before a ccs"}, 800 {ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"}, 801 {ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"}, 802 {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, 803 @@ -386,6 +395,7 @@ static ERR_STRING_DATA SSL_str_reasons[] 804 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, 805 {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, 806 {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"}, 807 +{ERR_REASON(SSL_R_INVALID_MESSAGE) ,"invalid message"}, 808 {ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"}, 809 {ERR_REASON(SSL_R_INVALID_SRP_USERNAME) ,"invalid srp username"}, 810 {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"}, 811 @@ -440,6 +450,7 @@ static ERR_STRING_DATA SSL_str_reasons[] 812 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"}, 813 {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"}, 814 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"}, 815 +{ERR_REASON(SSL_R_NO_P256_SUPPORT) ,"no p256 support"}, 816 {ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"}, 817 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"}, 818 {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"}, 819 --- openssl-1.0.1e.orig/ssl/ssl_lib.c 2013-03-05 18:49:33.243297392 +0000 820 +++ openssl-1.0.1e/ssl/ssl_lib.c 2013-03-05 18:49:33.413299231 +0000 821 @@ -579,6 +579,8 @@ void SSL_free(SSL *s) 822 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); 823 if (s->tlsext_ocsp_resp) 824 OPENSSL_free(s->tlsext_ocsp_resp); 825 + if (s->tlsext_channel_id_private) 826 + EVP_PKEY_free(s->tlsext_channel_id_private); 827 #endif 828 829 if (s->client_CA != NULL) 830 @@ -2005,6 +2007,11 @@ void SSL_CTX_free(SSL_CTX *a) 831 ssl_buf_freelist_free(a->rbuf_freelist); 832 #endif 833 834 +#ifndef OPENSSL_NO_TLSEXT 835 + if (a->tlsext_channel_id_private) 836 + EVP_PKEY_free(a->tlsext_channel_id_private); 837 +#endif 838 + 839 OPENSSL_free(a); 840 } 841 842 --- openssl-1.0.1e.orig/ssl/ssl_locl.h 2013-03-05 18:49:33.243297392 +0000 843 +++ openssl-1.0.1e/ssl/ssl_locl.h 2013-03-05 18:49:33.413299231 +0000 844 @@ -378,6 +378,7 @@ 845 * (currently this also goes into algorithm2) */ 846 #define TLS1_STREAM_MAC 0x04 847 848 +#define TLSEXT_CHANNEL_ID_SIZE 128 849 850 851 /* 852 @@ -1004,6 +1005,7 @@ int ssl3_check_cert_and_algorithm(SSL *s 853 int ssl3_check_finished(SSL *s); 854 # ifndef OPENSSL_NO_NEXTPROTONEG 855 int ssl3_send_next_proto(SSL *s); 856 +int ssl3_send_channel_id(SSL *s); 857 # endif 858 #endif 859 860 @@ -1026,6 +1028,7 @@ int ssl3_get_cert_verify(SSL *s); 861 #ifndef OPENSSL_NO_NEXTPROTONEG 862 int ssl3_get_next_proto(SSL *s); 863 #endif 864 +int ssl3_get_channel_id(SSL *s); 865 866 int dtls1_send_hello_request(SSL *s); 867 int dtls1_send_server_hello(SSL *s); 868 @@ -1123,7 +1126,9 @@ int tls12_get_sigandhash(unsigned char * 869 int tls12_get_sigid(const EVP_PKEY *pk); 870 const EVP_MD *tls12_get_hash(unsigned char hash_alg); 871 872 +int tls1_channel_id_hash(EVP_MD_CTX *ctx, SSL *s); 873 #endif 874 + 875 EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ; 876 void ssl_clear_hash_ctx(EVP_MD_CTX **hash); 877 int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, 878 --- openssl-1.0.1e.orig/ssl/t1_lib.c 2013-03-05 18:49:33.173296633 +0000 879 +++ openssl-1.0.1e/ssl/t1_lib.c 2013-03-05 18:49:33.413299231 +0000 880 @@ -649,6 +649,16 @@ unsigned char *ssl_add_clienthello_tlsex 881 } 882 #endif 883 884 + if (s->tlsext_channel_id_enabled) 885 + { 886 + /* The client advertises an emtpy extension to indicate its 887 + * support for Channel ID. */ 888 + if (limit - ret - 4 < 0) 889 + return NULL; 890 + s2n(TLSEXT_TYPE_channel_id,ret); 891 + s2n(0,ret); 892 + } 893 + 894 #ifndef OPENSSL_NO_SRTP 895 if(SSL_get_srtp_profiles(s)) 896 { 897 @@ -859,6 +869,16 @@ unsigned char *ssl_add_serverhello_tlsex 898 } 899 #endif 900 901 + /* If the client advertised support for Channel ID, and we have it 902 + * enabled, then we want to echo it back. */ 903 + if (s->s3->tlsext_channel_id_valid) 904 + { 905 + if (limit - ret - 4 < 0) 906 + return NULL; 907 + s2n(TLSEXT_TYPE_channel_id,ret); 908 + s2n(0,ret); 909 + } 910 + 911 if ((extdatalen = ret-p-2)== 0) 912 return p; 913 914 @@ -1332,6 +1352,9 @@ int ssl_parse_clienthello_tlsext(SSL *s, 915 } 916 #endif 917 918 + else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled) 919 + s->s3->tlsext_channel_id_valid = 1; 920 + 921 /* session ticket processed earlier */ 922 #ifndef OPENSSL_NO_SRTP 923 else if (type == TLSEXT_TYPE_use_srtp) 924 @@ -1562,6 +1585,9 @@ int ssl_parse_serverhello_tlsext(SSL *s, 925 s->s3->next_proto_neg_seen = 1; 926 } 927 #endif 928 + else if (type == TLSEXT_TYPE_channel_id) 929 + s->s3->tlsext_channel_id_valid = 1; 930 + 931 else if (type == TLSEXT_TYPE_renegotiate) 932 { 933 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 934 @@ -2621,3 +2647,37 @@ tls1_heartbeat(SSL *s) 935 return ret; 936 } 937 #endif 938 + 939 +#if !defined(OPENSSL_NO_TLSEXT) 940 +/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given 941 + * SSL connection and writes it to |md|. 942 + */ 943 +int 944 +tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s) 945 + { 946 + EVP_MD_CTX ctx; 947 + unsigned char temp_digest[EVP_MAX_MD_SIZE]; 948 + unsigned temp_digest_len; 949 + int i; 950 + static const char kClientIDMagic[] = "TLS Channel ID signature"; 951 + 952 + if (s->s3->handshake_buffer) 953 + if (!ssl3_digest_cached_records(s)) 954 + return 0; 955 + 956 + EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic)); 957 + 958 + EVP_MD_CTX_init(&ctx); 959 + for (i = 0; i < SSL_MAX_DIGEST; i++) 960 + { 961 + if (s->s3->handshake_dgst[i] == NULL) 962 + continue; 963 + EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]); 964 + EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len); 965 + EVP_DigestUpdate(md, temp_digest, temp_digest_len); 966 + } 967 + EVP_MD_CTX_cleanup(&ctx); 968 + 969 + return 1; 970 + } 971 +#endif 972 --- openssl-1.0.1e.orig/ssl/tls1.h 2013-03-05 18:49:33.173296633 +0000 973 +++ openssl-1.0.1e/ssl/tls1.h 2013-03-05 18:49:33.413299231 +0000 974 @@ -248,6 +248,9 @@ extern "C" { 975 #define TLSEXT_TYPE_next_proto_neg 13172 976 #endif 977 978 +/* This is not an IANA defined extension number */ 979 +#define TLSEXT_TYPE_channel_id 30031 980 + 981 /* NameType value from RFC 3546 */ 982 #define TLSEXT_NAMETYPE_host_name 0 983 /* status request value from RFC 3546 */ 984
