1 diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h 2 index 05699ab..d05fa22 100644 3 --- a/crypto/bio/bio.h 4 +++ b/crypto/bio/bio.h 5 @@ -266,6 +266,9 @@ void BIO_clear_flags(BIO *b, int flags); 6 #define BIO_RR_CONNECT 0x02 7 /* Returned from the accept BIO when an accept would have blocked */ 8 #define BIO_RR_ACCEPT 0x03 9 +/* Returned from the SSL bio when the channel id retrieval code cannot find the 10 + * private key. */ 11 +#define BIO_RR_SSL_CHANNEL_ID_LOOKUP 0x04 12 13 /* These are passed by the BIO callback */ 14 #define BIO_CB_FREE 0x01 15 diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h 16 index ea4bed9..5f18d4b 100644 17 --- a/crypto/evp/evp.h 18 +++ b/crypto/evp/evp.h 19 @@ -921,6 +921,7 @@ struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey); 20 #endif 21 22 EVP_PKEY * EVP_PKEY_new(void); 23 +EVP_PKEY * EVP_PKEY_dup(EVP_PKEY *pkey); 24 void EVP_PKEY_free(EVP_PKEY *pkey); 25 26 EVP_PKEY * d2i_PublicKey(int type,EVP_PKEY **a, const unsigned char **pp, 27 diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c 28 index a0e14a3..65a4440 100644 29 --- a/crypto/evp/p_lib.c 30 +++ b/crypto/evp/p_lib.c 31 @@ -200,6 +200,12 @@ EVP_PKEY *EVP_PKEY_new(void) 32 return(ret); 33 } 34 35 +EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey) 36 + { 37 + CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); 38 + return pkey; 39 + } 40 + 41 /* Setup a public key ASN1 method and ENGINE from a NID or a string. 42 * If pkey is NULL just return 1 or 0 if the algorithm exists. 43 */ 44 diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c 45 index e9552ca..06a13de 100644 46 --- a/ssl/bio_ssl.c 47 +++ b/ssl/bio_ssl.c 48 @@ -206,6 +206,10 @@ static int ssl_read(BIO *b, char *out, int outl) 49 BIO_set_retry_special(b); 50 retry_reason=BIO_RR_SSL_X509_LOOKUP; 51 break; 52 + case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: 53 + BIO_set_retry_special(b); 54 + retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP; 55 + break; 56 case SSL_ERROR_WANT_ACCEPT: 57 BIO_set_retry_special(b); 58 retry_reason=BIO_RR_ACCEPT; 59 @@ -280,6 +284,10 @@ static int ssl_write(BIO *b, const char *out, int outl) 60 BIO_set_retry_special(b); 61 retry_reason=BIO_RR_SSL_X509_LOOKUP; 62 break; 63 + case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: 64 + BIO_set_retry_special(b); 65 + retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP; 66 + break; 67 case SSL_ERROR_WANT_CONNECT: 68 BIO_set_retry_special(b); 69 retry_reason=BIO_RR_CONNECT; 70 diff --git a/ssl/s3_both.c b/ssl/s3_both.c 71 index 53b9390..c0dac70 100644 72 --- a/ssl/s3_both.c 73 +++ b/ssl/s3_both.c 74 @@ -554,7 +554,8 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) 75 #endif 76 77 /* Feed this message into MAC computation. */ 78 - ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); 79 + if (*((unsigned char*) s->init_buf->data) != SSL3_MT_ENCRYPTED_EXTENSIONS) 80 + ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); 81 if (s->msg_callback) 82 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg); 83 *ok=1; 84 diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c 85 index 3d3fd64..7e0c4d5 100644 86 --- a/ssl/s3_clnt.c 87 +++ b/ssl/s3_clnt.c 88 @@ -465,13 +465,14 @@ int ssl3_connect(SSL *s) 89 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 90 if (ret <= 0) goto end; 91 92 -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 93 s->state=SSL3_ST_CW_FINISHED_A; 94 -#else 95 +#if !defined(OPENSSL_NO_TLSEXT) 96 + if (s->s3->tlsext_channel_id_valid) 97 + s->state=SSL3_ST_CW_CHANNEL_ID_A; 98 +# if !defined(OPENSSL_NO_NEXTPROTONEG) 99 if (s->s3->next_proto_neg_seen) 100 s->state=SSL3_ST_CW_NEXT_PROTO_A; 101 - else 102 - s->state=SSL3_ST_CW_FINISHED_A; 103 +# endif 104 #endif 105 s->init_num=0; 106 107 @@ -505,6 +506,18 @@ int ssl3_connect(SSL *s) 108 case SSL3_ST_CW_NEXT_PROTO_B: 109 ret=ssl3_send_next_proto(s); 110 if (ret <= 0) goto end; 111 + if (s->s3->tlsext_channel_id_valid) 112 + s->state=SSL3_ST_CW_CHANNEL_ID_A; 113 + else 114 + s->state=SSL3_ST_CW_FINISHED_A; 115 + break; 116 +#endif 117 + 118 +#if !defined(OPENSSL_NO_TLSEXT) 119 + case SSL3_ST_CW_CHANNEL_ID_A: 120 + case SSL3_ST_CW_CHANNEL_ID_B: 121 + ret=ssl3_send_channel_id(s); 122 + if (ret <= 0) goto end; 123 s->state=SSL3_ST_CW_FINISHED_A; 124 break; 125 #endif 126 @@ -532,6 +545,18 @@ int ssl3_connect(SSL *s) 127 } 128 else 129 { 130 + /* This is a non-resumption handshake. If it 131 + * involves ChannelID, then record the 132 + * handshake hashes at this point in the 133 + * session so that any resumption of this 134 + * session with ChannelID can sign those 135 + * hashes. */ 136 + if (s->s3->tlsext_channel_id_new) 137 + { 138 + ret = tls1_record_handshake_hashes_for_channel_id(s); 139 + if (ret <= 0) 140 + goto end; 141 + } 142 if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) 143 && ssl3_can_cutthrough(s) 144 && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */ 145 @@ -3338,7 +3363,8 @@ err: 146 return(0); 147 } 148 149 -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 150 +#if !defined(OPENSSL_NO_TLSEXT) 151 +# if !defined(OPENSSL_NO_NEXTPROTONEG) 152 int ssl3_send_next_proto(SSL *s) 153 { 154 unsigned int len, padding_len; 155 @@ -3362,7 +3388,135 @@ int ssl3_send_next_proto(SSL *s) 156 157 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 158 } 159 -#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ 160 +# endif /* !OPENSSL_NO_NEXTPROTONEG */ 161 + 162 +int ssl3_send_channel_id(SSL *s) 163 + { 164 + unsigned char *d; 165 + int ret = -1, public_key_len; 166 + EVP_MD_CTX md_ctx; 167 + size_t sig_len; 168 + ECDSA_SIG *sig = NULL; 169 + unsigned char *public_key = NULL, *derp, *der_sig = NULL; 170 + 171 + if (s->state != SSL3_ST_CW_CHANNEL_ID_A) 172 + return ssl3_do_write(s, SSL3_RT_HANDSHAKE); 173 + 174 + if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb) 175 + { 176 + EVP_PKEY *key = NULL; 177 + s->ctx->channel_id_cb(s, &key); 178 + if (key != NULL) 179 + { 180 + s->tlsext_channel_id_private = key; 181 + } 182 + } 183 + if (!s->tlsext_channel_id_private) 184 + { 185 + s->rwstate=SSL_CHANNEL_ID_LOOKUP; 186 + return (-1); 187 + } 188 + s->rwstate=SSL_NOTHING; 189 + 190 + d = (unsigned char *)s->init_buf->data; 191 + *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS; 192 + l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d); 193 + if (s->s3->tlsext_channel_id_new) 194 + s2n(TLSEXT_TYPE_channel_id_new, d); 195 + else 196 + s2n(TLSEXT_TYPE_channel_id, d); 197 + s2n(TLSEXT_CHANNEL_ID_SIZE, d); 198 + 199 + EVP_MD_CTX_init(&md_ctx); 200 + 201 + public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL); 202 + if (public_key_len <= 0) 203 + { 204 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY); 205 + goto err; 206 + } 207 + /* i2d_PublicKey will produce an ANSI X9.62 public key which, for a 208 + * P-256 key, is 0x04 (meaning uncompressed) followed by the x and y 209 + * field elements as 32-byte, big-endian numbers. */ 210 + if (public_key_len != 65) 211 + { 212 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CHANNEL_ID_NOT_P256); 213 + goto err; 214 + } 215 + public_key = OPENSSL_malloc(public_key_len); 216 + if (!public_key) 217 + { 218 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE); 219 + goto err; 220 + } 221 + 222 + derp = public_key; 223 + i2d_PublicKey(s->tlsext_channel_id_private, &derp); 224 + 225 + if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, 226 + s->tlsext_channel_id_private) != 1) 227 + { 228 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNINIT_FAILED); 229 + goto err; 230 + } 231 + 232 + if (!tls1_channel_id_hash(&md_ctx, s)) 233 + goto err; 234 + 235 + if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len)) 236 + { 237 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED); 238 + goto err; 239 + } 240 + 241 + der_sig = OPENSSL_malloc(sig_len); 242 + if (!der_sig) 243 + { 244 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE); 245 + goto err; 246 + } 247 + 248 + if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len)) 249 + { 250 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED); 251 + goto err; 252 + } 253 + 254 + derp = der_sig; 255 + sig = d2i_ECDSA_SIG(NULL, (const unsigned char**) &derp, sig_len); 256 + if (sig == NULL) 257 + { 258 + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_D2I_ECDSA_SIG); 259 + goto err; 260 + } 261 + 262 + /* The first byte of public_key will be 0x4, denoting an uncompressed key. */ 263 + memcpy(d, public_key + 1, 64); 264 + d += 64; 265 + memset(d, 0, 2 * 32); 266 + BN_bn2bin(sig->r, d + 32 - BN_num_bytes(sig->r)); 267 + d += 32; 268 + BN_bn2bin(sig->s, d + 32 - BN_num_bytes(sig->s)); 269 + d += 32; 270 + 271 + s->state = SSL3_ST_CW_CHANNEL_ID_B; 272 + s->init_num = 4 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE; 273 + s->init_off = 0; 274 + 275 + ret = ssl3_do_write(s, SSL3_RT_HANDSHAKE); 276 + 277 +err: 278 + EVP_MD_CTX_cleanup(&md_ctx); 279 + if (public_key) 280 + OPENSSL_free(public_key); 281 + if (der_sig) 282 + OPENSSL_free(der_sig); 283 + if (sig) 284 + ECDSA_SIG_free(sig); 285 + 286 + return ret; 287 + } 288 +#endif /* !OPENSSL_NO_TLSEXT */ 289 290 /* Check to see if handshake is full or resumed. Usually this is just a 291 * case of checking to see if a cache hit has occurred. In the case of 292 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c 293 index 1865c70..f801923 100644 294 --- a/ssl/s3_lib.c 295 +++ b/ssl/s3_lib.c 296 @@ -2951,6 +2951,11 @@ int ssl3_new(SSL *s) 297 #ifndef OPENSSL_NO_SRP 298 SSL_SRP_CTX_init(s); 299 #endif 300 +#if !defined(OPENSSL_NO_TLSEXT) 301 + s->tlsext_channel_id_enabled = s->ctx->tlsext_channel_id_enabled; 302 + if (s->ctx->tlsext_channel_id_private) 303 + s->tlsext_channel_id_private = EVP_PKEY_dup(s->ctx->tlsext_channel_id_private); 304 +#endif 305 s->method->ssl_clear(s); 306 return(1); 307 err: 308 @@ -3079,6 +3084,10 @@ void ssl3_clear(SSL *s) 309 s->next_proto_negotiated_len = 0; 310 } 311 #endif 312 + 313 +#if !defined(OPENSSL_NO_TLSEXT) 314 + s->s3->tlsext_channel_id_valid = 0; 315 +#endif 316 } 317 318 #ifndef OPENSSL_NO_SRP 319 @@ -3353,6 +3362,33 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) 320 ret = 1; 321 break; 322 #endif 323 + case SSL_CTRL_CHANNEL_ID: 324 + s->tlsext_channel_id_enabled = 1; 325 + ret = 1; 326 + break; 327 + 328 + case SSL_CTRL_SET_CHANNEL_ID: 329 + if (s->server) 330 + break; 331 + s->tlsext_channel_id_enabled = 1; 332 + if (EVP_PKEY_bits(parg) != 256) 333 + { 334 + SSLerr(SSL_F_SSL3_CTRL,SSL_R_CHANNEL_ID_NOT_P256); 335 + break; 336 + } 337 + if (s->tlsext_channel_id_private) 338 + EVP_PKEY_free(s->tlsext_channel_id_private); 339 + s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg); 340 + ret = 1; 341 + break; 342 + 343 + case SSL_CTRL_GET_CHANNEL_ID: 344 + if (!s->server) 345 + break; 346 + if (!s->s3->tlsext_channel_id_valid) 347 + break; 348 + memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64); 349 + return 64; 350 351 #endif /* !OPENSSL_NO_TLSEXT */ 352 default: 353 @@ -3574,6 +3610,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 354 } 355 return 1; 356 } 357 + case SSL_CTRL_CHANNEL_ID: 358 + /* must be called on a server */ 359 + if (ctx->method->ssl_accept == ssl_undefined_function) 360 + return 0; 361 + ctx->tlsext_channel_id_enabled=1; 362 + return 1; 363 364 #ifdef TLSEXT_TYPE_opaque_prf_input 365 case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG: 366 @@ -3642,6 +3684,18 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) 367 } 368 break; 369 370 + case SSL_CTRL_SET_CHANNEL_ID: 371 + ctx->tlsext_channel_id_enabled = 1; 372 + if (EVP_PKEY_bits(parg) != 256) 373 + { 374 + SSLerr(SSL_F_SSL3_CTX_CTRL,SSL_R_CHANNEL_ID_NOT_P256); 375 + break; 376 + } 377 + if (ctx->tlsext_channel_id_private) 378 + EVP_PKEY_free(ctx->tlsext_channel_id_private); 379 + ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg); 380 + break; 381 + 382 default: 383 return(0); 384 } 385 diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c 386 index 323b260..6824ef6 100644 387 --- a/ssl/s3_srvr.c 388 +++ b/ssl/s3_srvr.c 389 @@ -157,8 +157,11 @@ 390 #include <openssl/buffer.h> 391 #include <openssl/rand.h> 392 #include <openssl/objects.h> 393 +#include <openssl/ec.h> 394 +#include <openssl/ecdsa.h> 395 #include <openssl/evp.h> 396 #include <openssl/hmac.h> 397 +#include <openssl/sha.h> 398 #include <openssl/x509.h> 399 #ifndef OPENSSL_NO_DH 400 #include <openssl/dh.h> 401 @@ -615,15 +618,8 @@ int ssl3_accept(SSL *s) 402 * the client uses its key from the certificate 403 * for key exchange. 404 */ 405 -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 406 - s->state=SSL3_ST_SR_FINISHED_A; 407 -#else 408 - if (s->s3->next_proto_neg_seen) 409 - s->state=SSL3_ST_SR_NEXT_PROTO_A; 410 - else 411 - s->state=SSL3_ST_SR_FINISHED_A; 412 -#endif 413 s->init_num = 0; 414 + s->state=SSL3_ST_SR_POST_CLIENT_CERT; 415 } 416 else if (TLS1_get_version(s) >= TLS1_2_VERSION) 417 { 418 @@ -683,16 +679,28 @@ int ssl3_accept(SSL *s) 419 ret=ssl3_get_cert_verify(s); 420 if (ret <= 0) goto end; 421 422 -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 423 - s->state=SSL3_ST_SR_FINISHED_A; 424 -#else 425 - if (s->s3->next_proto_neg_seen) 426 + s->state=SSL3_ST_SR_POST_CLIENT_CERT; 427 + s->init_num=0; 428 + break; 429 + 430 + case SSL3_ST_SR_POST_CLIENT_CERT: { 431 + char next_proto_neg = 0; 432 + char channel_id = 0; 433 +#if !defined(OPENSSL_NO_TLSEXT) 434 +# if !defined(OPENSSL_NO_NEXTPROTONEG) 435 + next_proto_neg = s->s3->next_proto_neg_seen; 436 +# endif 437 + channel_id = s->s3->tlsext_channel_id_valid; 438 +#endif 439 + 440 + if (next_proto_neg) 441 s->state=SSL3_ST_SR_NEXT_PROTO_A; 442 + else if (channel_id) 443 + s->state=SSL3_ST_SR_CHANNEL_ID_A; 444 else 445 s->state=SSL3_ST_SR_FINISHED_A; 446 -#endif 447 - s->init_num=0; 448 break; 449 + } 450 451 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 452 case SSL3_ST_SR_NEXT_PROTO_A: 453 @@ -700,6 +708,19 @@ int ssl3_accept(SSL *s) 454 ret=ssl3_get_next_proto(s); 455 if (ret <= 0) goto end; 456 s->init_num = 0; 457 + if (s->s3->tlsext_channel_id_valid) 458 + s->state=SSL3_ST_SR_CHANNEL_ID_A; 459 + else 460 + s->state=SSL3_ST_SR_FINISHED_A; 461 + break; 462 +#endif 463 + 464 +#if !defined(OPENSSL_NO_TLSEXT) 465 + case SSL3_ST_SR_CHANNEL_ID_A: 466 + case SSL3_ST_SR_CHANNEL_ID_B: 467 + ret=ssl3_get_channel_id(s); 468 + if (ret <= 0) goto end; 469 + s->init_num = 0; 470 s->state=SSL3_ST_SR_FINISHED_A; 471 break; 472 #endif 473 @@ -717,6 +738,15 @@ int ssl3_accept(SSL *s) 474 #endif 475 else 476 s->state=SSL3_ST_SW_CHANGE_A; 477 + /* If this is a full handshake with ChannelID then 478 + * record the hashshake hashes in |s->session| in case 479 + * we need them to verify a ChannelID signature on a 480 + * resumption of this session in the future. */ 481 + if (!s->hit && s->s3->tlsext_channel_id_new) 482 + { 483 + ret = tls1_record_handshake_hashes_for_channel_id(s); 484 + if (ret <= 0) goto end; 485 + } 486 s->init_num=0; 487 break; 488 489 @@ -771,19 +801,7 @@ int ssl3_accept(SSL *s) 490 if (ret <= 0) goto end; 491 s->state=SSL3_ST_SW_FLUSH; 492 if (s->hit) 493 - { 494 -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 495 - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 496 -#else 497 - if (s->s3->next_proto_neg_seen) 498 - { 499 - s->s3->flags |= SSL3_FLAGS_CCS_OK; 500 - s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; 501 - } 502 - else 503 - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 504 -#endif 505 - } 506 + s->s3->tmp.next_state=SSL3_ST_SR_POST_CLIENT_CERT; 507 else 508 s->s3->tmp.next_state=SSL_ST_OK; 509 s->init_num=0; 510 @@ -1466,6 +1487,22 @@ int ssl3_send_server_hello(SSL *s) 511 512 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 513 { 514 + /* We only accept ChannelIDs on connections with ECDHE in order 515 + * to avoid a known attack while we fix ChannelID itself. */ 516 + if (s->s3 && 517 + s->s3->tlsext_channel_id_valid && 518 + (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kEECDH) == 0) 519 + s->s3->tlsext_channel_id_valid = 0; 520 + 521 + /* If this is a resumption and the original handshake didn't 522 + * support ChannelID then we didn't record the original 523 + * handshake hashes in the session and so cannot resume with 524 + * ChannelIDs. */ 525 + if (s->hit && 526 + s->s3->tlsext_channel_id_new && 527 + s->session->original_handshake_hash_len == 0) 528 + s->s3->tlsext_channel_id_valid = 0; 529 + 530 buf=(unsigned char *)s->init_buf->data; 531 #ifdef OPENSSL_NO_TLSEXT 532 p=s->s3->server_random; 533 @@ -3632,4 +3669,145 @@ int ssl3_get_next_proto(SSL *s) 534 return 1; 535 } 536 # endif 537 + 538 +/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */ 539 +int ssl3_get_channel_id(SSL *s) 540 + { 541 + int ret = -1, ok; 542 + long n; 543 + const unsigned char *p; 544 + unsigned short extension_type, extension_len; 545 + EC_GROUP* p256 = NULL; 546 + EC_KEY* key = NULL; 547 + EC_POINT* point = NULL; 548 + ECDSA_SIG sig; 549 + BIGNUM x, y; 550 + unsigned short expected_extension_type; 551 + 552 + if (s->state == SSL3_ST_SR_CHANNEL_ID_A && s->init_num == 0) 553 + { 554 + /* The first time that we're called we take the current 555 + * handshake hash and store it. */ 556 + EVP_MD_CTX md_ctx; 557 + unsigned int len; 558 + 559 + EVP_MD_CTX_init(&md_ctx); 560 + EVP_DigestInit_ex(&md_ctx, EVP_sha256(), NULL); 561 + if (!tls1_channel_id_hash(&md_ctx, s)) 562 + return -1; 563 + len = sizeof(s->s3->tlsext_channel_id); 564 + EVP_DigestFinal(&md_ctx, s->s3->tlsext_channel_id, &len); 565 + EVP_MD_CTX_cleanup(&md_ctx); 566 + } 567 + 568 + n = s->method->ssl_get_message(s, 569 + SSL3_ST_SR_CHANNEL_ID_A, 570 + SSL3_ST_SR_CHANNEL_ID_B, 571 + SSL3_MT_ENCRYPTED_EXTENSIONS, 572 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE, 573 + &ok); 574 + 575 + if (!ok) 576 + return((int)n); 577 + 578 + ssl3_finish_mac(s, (unsigned char*)s->init_buf->data, s->init_num + 4); 579 + 580 + /* s->state doesn't reflect whether ChangeCipherSpec has been received 581 + * in this handshake, but s->s3->change_cipher_spec does (will be reset 582 + * by ssl3_get_finished). */ 583 + if (!s->s3->change_cipher_spec) 584 + { 585 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS); 586 + return -1; 587 + } 588 + 589 + if (n != 2 + 2 + TLSEXT_CHANNEL_ID_SIZE) 590 + { 591 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE); 592 + return -1; 593 + } 594 + 595 + p = (unsigned char *)s->init_msg; 596 + 597 + /* The payload looks like: 598 + * uint16 extension_type 599 + * uint16 extension_len; 600 + * uint8 x[32]; 601 + * uint8 y[32]; 602 + * uint8 r[32]; 603 + * uint8 s[32]; 604 + */ 605 + n2s(p, extension_type); 606 + n2s(p, extension_len); 607 + 608 + expected_extension_type = TLSEXT_TYPE_channel_id; 609 + if (s->s3->tlsext_channel_id_new) 610 + expected_extension_type = TLSEXT_TYPE_channel_id_new; 611 + 612 + if (extension_type != expected_extension_type || 613 + extension_len != TLSEXT_CHANNEL_ID_SIZE) 614 + { 615 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE); 616 + return -1; 617 + } 618 + 619 + p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); 620 + if (!p256) 621 + { 622 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_NO_P256_SUPPORT); 623 + return -1; 624 + } 625 + 626 + BN_init(&x); 627 + BN_init(&y); 628 + sig.r = BN_new(); 629 + sig.s = BN_new(); 630 + 631 + if (BN_bin2bn(p + 0, 32, &x) == NULL || 632 + BN_bin2bn(p + 32, 32, &y) == NULL || 633 + BN_bin2bn(p + 64, 32, sig.r) == NULL || 634 + BN_bin2bn(p + 96, 32, sig.s) == NULL) 635 + goto err; 636 + 637 + point = EC_POINT_new(p256); 638 + if (!point || 639 + !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL)) 640 + goto err; 641 + 642 + key = EC_KEY_new(); 643 + if (!key || 644 + !EC_KEY_set_group(key, p256) || 645 + !EC_KEY_set_public_key(key, point)) 646 + goto err; 647 + 648 + /* We stored the handshake hash in |tlsext_channel_id| the first time 649 + * that we were called. */ 650 + switch (ECDSA_do_verify(s->s3->tlsext_channel_id, SHA256_DIGEST_LENGTH, &sig, key)) { 651 + case 1: 652 + break; 653 + case 0: 654 + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_CHANNEL_ID_SIGNATURE_INVALID); 655 + s->s3->tlsext_channel_id_valid = 0; 656 + goto err; 657 + default: 658 + s->s3->tlsext_channel_id_valid = 0; 659 + goto err; 660 + } 661 + 662 + memcpy(s->s3->tlsext_channel_id, p, 64); 663 + ret = 1; 664 + 665 +err: 666 + BN_free(&x); 667 + BN_free(&y); 668 + BN_free(sig.r); 669 + BN_free(sig.s); 670 + if (key) 671 + EC_KEY_free(key); 672 + if (point) 673 + EC_POINT_free(point); 674 + if (p256) 675 + EC_GROUP_free(p256); 676 + return ret; 677 + } 678 #endif 679 diff --git a/ssl/ssl.h b/ssl/ssl.h 680 index 944aea6..e50b8f0 100644 681 --- a/ssl/ssl.h 682 +++ b/ssl/ssl.h 683 @@ -547,6 +547,13 @@ struct ssl_session_st 684 #ifndef OPENSSL_NO_SRP 685 char *srp_username; 686 #endif 687 + 688 + /* original_handshake_hash contains the handshake hash (either 689 + * SHA-1+MD5 or SHA-2, depending on TLS version) for the original, full 690 + * handshake that created a session. This is used by Channel IDs during 691 + * resumption. */ 692 + unsigned char original_handshake_hash[EVP_MAX_MD_SIZE]; 693 + unsigned int original_handshake_hash_len; 694 }; 695 696 #endif 697 @@ -862,6 +869,9 @@ struct ssl_ctx_st 698 /* get client cert callback */ 699 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); 700 701 + /* get channel id callback */ 702 + void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey); 703 + 704 /* cookie generate callback */ 705 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, 706 unsigned int *cookie_len); 707 @@ -999,6 +1009,16 @@ struct ssl_ctx_st 708 # endif 709 /* SRTP profiles we are willing to do from RFC 5764 */ 710 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; 711 + 712 + /* If true, a client will advertise the Channel ID extension and a 713 + * server will echo it. */ 714 + char tlsext_channel_id_enabled; 715 + /* tlsext_channel_id_enabled_new is a hack to support both old and new 716 + * ChannelID signatures. It indicates that a client should advertise the 717 + * new ChannelID extension number. */ 718 + char tlsext_channel_id_enabled_new; 719 + /* The client's Channel ID private key. */ 720 + EVP_PKEY *tlsext_channel_id_private; 721 #endif 722 }; 723 724 @@ -1040,6 +1060,10 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx); 725 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL) 726 #define SSL_CTX_sess_cache_full(ctx) \ 727 SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) 728 +/* SSL_CTX_enable_tls_channel_id configures a TLS server to accept TLS client 729 + * IDs from clients. Returns 1 on success. */ 730 +#define SSL_CTX_enable_tls_channel_id(ctx) \ 731 + SSL_CTX_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL) 732 733 void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess)); 734 int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); 735 @@ -1056,6 +1080,8 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type, 736 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val); 737 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); 738 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey); 739 +void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey)); 740 +void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey); 741 #ifndef OPENSSL_NO_ENGINE 742 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e); 743 #endif 744 @@ -1117,5 +1143,6 @@ const char *SSL_get_psk_identity(const SSL *s); 745 #define SSL_WRITING 2 746 #define SSL_READING 3 747 #define SSL_X509_LOOKUP 4 748 +#define SSL_CHANNEL_ID_LOOKUP 5 749 750 /* These will only be used when doing non-blocking IO */ 751 @@ -1124,5 +1151,6 @@ const char *SSL_get_psk_identity(const SSL *s); 752 #define SSL_want_read(s) (SSL_want(s) == SSL_READING) 753 #define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) 754 #define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) 755 +#define SSL_want_channel_id_lookup(s) (SSL_want(s) == SSL_CHANNEL_ID_LOOKUP) 756 757 #define SSL_MAC_FLAG_READ_MAC_STREAM 1 758 @@ -1373,6 +1401,13 @@ struct ssl_st 759 */ 760 unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */ 761 unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */ 762 + 763 + /* Copied from the SSL_CTX. For a server, means that we'll accept 764 + * Channel IDs from clients. For a client, means that we'll advertise 765 + * support. */ 766 + char tlsext_channel_id_enabled; 767 + /* The client's Channel ID private key. */ 768 + EVP_PKEY *tlsext_channel_id_private; 769 #else 770 #define session_ctx ctx 771 #endif /* OPENSSL_NO_TLSEXT */ 772 @@ -1543,5 +1578,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 773 #define SSL_ERROR_ZERO_RETURN 6 774 #define SSL_ERROR_WANT_CONNECT 7 775 #define SSL_ERROR_WANT_ACCEPT 8 776 +#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9 777 778 #define SSL_CTRL_NEED_TMP_RSA 1 779 @@ -1631,6 +1667,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 780 #define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86 781 #define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87 782 #endif 783 +#define SSL_CTRL_CHANNEL_ID 88 784 +#define SSL_CTRL_GET_CHANNEL_ID 89 785 +#define SSL_CTRL_SET_CHANNEL_ID 90 786 #endif 787 788 #define DTLS_CTRL_GET_TIMEOUT 73 789 @@ -1678,6 +1717,26 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) 790 #define SSL_set_tmp_ecdh(ssl,ecdh) \ 791 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) 792 793 +/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS client 794 + * IDs from clients, or configure a client to send TLS client IDs to server. 795 + * Returns 1 on success. */ 796 +#define SSL_enable_tls_channel_id(s) \ 797 + SSL_ctrl(s,SSL_CTRL_CHANNEL_ID,0,NULL) 798 +/* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to 799 + * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on 800 + * success. */ 801 +#define SSL_set1_tls_channel_id(s, private_key) \ 802 + SSL_ctrl(s,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key) 803 +#define SSL_CTX_set1_tls_channel_id(ctx, private_key) \ 804 + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key) 805 +/* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server SSL* 806 + * and copies up to the first |channel_id_len| bytes into |channel_id|. The 807 + * Channel ID consists of the client's P-256 public key as an (x,y) pair where 808 + * each is a 32-byte, big-endian field element. Returns 0 if the client didn't 809 + * offer a Channel ID and the length of the complete Channel ID otherwise. */ 810 +#define SSL_get_tls_channel_id(ctx, channel_id, channel_id_len) \ 811 + SSL_ctrl(ctx,SSL_CTRL_GET_CHANNEL_ID,channel_id_len,(void*)channel_id) 812 + 813 #define SSL_CTX_add_extra_chain_cert(ctx,x509) \ 814 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) 815 #define SSL_CTX_get_extra_chain_certs(ctx,px509) \ 816 @@ -2176,6 +2235,7 @@ void ERR_load_SSL_strings(void); 817 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135 818 #define SSL_F_SSL3_GET_CERT_STATUS 289 819 #define SSL_F_SSL3_GET_CERT_VERIFY 136 820 +#define SSL_F_SSL3_GET_CHANNEL_ID 317 821 #define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137 822 #define SSL_F_SSL3_GET_CLIENT_HELLO 138 823 #define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139 824 @@ -2195,6 +2255,7 @@ void ERR_load_SSL_strings(void); 825 #define SSL_F_SSL3_READ_BYTES 148 826 #define SSL_F_SSL3_READ_N 149 827 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 828 +#define SSL_F_SSL3_SEND_CHANNEL_ID 318 829 #define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151 830 #define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152 831 #define SSL_F_SSL3_SEND_CLIENT_VERIFY 153 832 @@ -2361,12 +2422,15 @@ void ERR_load_SSL_strings(void); 833 #define SSL_R_BIO_NOT_SET 128 834 #define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129 835 #define SSL_R_BN_LIB 130 836 +#define SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY 376 837 #define SSL_R_CA_DN_LENGTH_MISMATCH 131 838 #define SSL_R_CA_DN_TOO_LONG 132 839 #define SSL_R_CCS_RECEIVED_EARLY 133 840 #define SSL_R_CERTIFICATE_VERIFY_FAILED 134 841 #define SSL_R_CERT_LENGTH_MISMATCH 135 842 #define SSL_R_CHALLENGE_IS_DIFFERENT 136 843 +#define SSL_R_CHANNEL_ID_NOT_P256 375 844 +#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 371 845 #define SSL_R_CIPHER_CODE_WRONG_LENGTH 137 846 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138 847 #define SSL_R_CIPHER_TABLE_SRC_ERROR 139 848 @@ -2379,6 +2443,7 @@ void ERR_load_SSL_strings(void); 849 #define SSL_R_CONNECTION_ID_IS_DIFFERENT 143 850 #define SSL_R_CONNECTION_TYPE_NOT_SET 144 851 #define SSL_R_COOKIE_MISMATCH 308 852 +#define SSL_R_D2I_ECDSA_SIG 379 853 #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 854 #define SSL_R_DATA_LENGTH_TOO_LONG 146 855 #define SSL_R_DECRYPTION_FAILED 147 856 @@ -2396,9 +2461,12 @@ void ERR_load_SSL_strings(void); 857 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 858 #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282 859 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 860 +#define SSL_R_EVP_DIGESTSIGNFINAL_FAILED 377 861 +#define SSL_R_EVP_DIGESTSIGNINIT_FAILED 378 862 #define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 863 #define SSL_R_EXTRA_DATA_IN_MESSAGE 153 864 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 865 +#define SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS 372 866 #define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355 867 #define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356 868 #define SSL_R_HTTPS_PROXY_REQUEST 155 869 @@ -2408,6 +2476,7 @@ void ERR_load_SSL_strings(void); 870 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 871 #define SSL_R_INVALID_COMMAND 280 872 #define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 873 +#define SSL_R_INVALID_MESSAGE 374 874 #define SSL_R_INVALID_PURPOSE 278 875 #define SSL_R_INVALID_SRP_USERNAME 357 876 #define SSL_R_INVALID_STATUS_RESPONSE 328 877 @@ -2462,6 +2531,7 @@ void ERR_load_SSL_strings(void); 878 #define SSL_R_NO_COMPRESSION_SPECIFIED 187 879 #define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330 880 #define SSL_R_NO_METHOD_SPECIFIED 188 881 +#define SSL_R_NO_P256_SUPPORT 380 882 #define SSL_R_NO_PRIVATEKEY 189 883 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 884 #define SSL_R_NO_PROTOCOLS_AVAILABLE 191 885 diff --git a/ssl/ssl3.h b/ssl/ssl3.h 886 index cf81de0..8502628 100644 887 --- a/ssl/ssl3.h 888 +++ b/ssl/ssl3.h 889 @@ -548,6 +548,22 @@ typedef struct ssl3_state_st 890 char is_probably_safari; 891 #endif /* !OPENSSL_NO_EC */ 892 #endif /* !OPENSSL_NO_TLSEXT */ 893 + 894 + /* In a client, this means that the server supported Channel ID and that 895 + * a Channel ID was sent. In a server it means that we echoed support 896 + * for Channel IDs and that tlsext_channel_id will be valid after the 897 + * handshake. */ 898 + char tlsext_channel_id_valid; 899 + /* tlsext_channel_id_new means that the updated Channel ID extension 900 + * was negotiated. This is a temporary hack in the code to support both 901 + * forms of Channel ID extension while we transition to the new format, 902 + * which fixed a security issue. */ 903 + char tlsext_channel_id_new; 904 + /* For a server: 905 + * If |tlsext_channel_id_valid| is true, then this contains the 906 + * verified Channel ID from the client: a P256 point, (x,y), where 907 + * each are big-endian values. */ 908 + unsigned char tlsext_channel_id[64]; 909 } SSL3_STATE; 910 911 #endif 912 @@ -592,6 +608,8 @@ typedef struct ssl3_state_st 913 #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) 914 #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) 915 #endif 916 +#define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT) 917 +#define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT) 918 #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) 919 #define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) 920 /* read from server */ 921 @@ -646,6 +664,9 @@ typedef struct ssl3_state_st 922 #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) 923 #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) 924 #endif 925 +#define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT) 926 +#define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT) 927 +#define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT) 928 #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) 929 #define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) 930 /* write to client */ 931 @@ -673,6 +694,7 @@ typedef struct ssl3_state_st 932 #ifndef OPENSSL_NO_NEXTPROTONEG 933 #define SSL3_MT_NEXT_PROTO 67 934 #endif 935 +#define SSL3_MT_ENCRYPTED_EXTENSIONS 203 936 #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 937 938 939 diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c 940 index 8bda011..e579e7c 100644 941 --- a/ssl/ssl_asn1.c 942 +++ b/ssl/ssl_asn1.c 943 @@ -118,11 +118,12 @@ typedef struct ssl_session_asn1_st 944 ASN1_OCTET_STRING srp_username; 945 #endif /* OPENSSL_NO_SRP */ 946 + ASN1_OCTET_STRING original_handshake_hash; 947 } SSL_SESSION_ASN1; 948 949 int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) 950 { 951 #define LSIZE2 (sizeof(long)*2) 952 - int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0; 953 + int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0,v14=0; 954 unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2]; 955 unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2]; 956 #ifndef OPENSSL_NO_TLSEXT 957 @@ -280,4 +281,11 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) 958 } 959 + 960 + if (in->original_handshake_hash_len > 0) 961 + { 962 + a.original_handshake_hash.length = in->original_handshake_hash_len; 963 + a.original_handshake_hash.type = V_ASN1_OCTET_STRING; 964 + a.original_handshake_hash.data = in->original_handshake_hash; 965 + } 966 #endif /* OPENSSL_NO_PSK */ 967 #ifndef OPENSSL_NO_SRP 968 if (in->srp_username) 969 @@ -335,4 +343,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) 970 #endif /* OPENSSL_NO_SRP */ 971 + if (in->original_handshake_hash_len > 0) 972 + M_ASN1_I2D_len_EXP_opt(&(a.original_handshake_hash),i2d_ASN1_OCTET_STRING,14,v14); 973 974 M_ASN1_I2D_seq_total(); 975 976 @@ -385,4 +395,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) 977 #endif /* OPENSSL_NO_SRP */ 978 + if (in->original_handshake_hash_len > 0) 979 + M_ASN1_I2D_put_EXP_opt(&(a.original_handshake_hash),i2d_ASN1_OCTET_STRING,14,v14); 980 M_ASN1_I2D_finish(); 981 } 982 983 @@ -661,5 +673,16 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, 984 os.data = NULL; 985 } 986 987 + os.length=0; 988 + os.data=NULL; 989 + M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,14); 990 + if (os.data && os.length < (int)sizeof(ret->original_handshake_hash)) 991 + { 992 + memcpy(ret->original_handshake_hash, os.data, os.length); 993 + ret->original_handshake_hash_len = os.length; 994 + OPENSSL_free(os.data); 995 + os.data = NULL; 996 + } 997 + 998 M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION); 999 } 1000 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c 1001 index 370fb57..b3eee4d 100644 1002 --- a/ssl/ssl_err.c 1003 +++ b/ssl/ssl_err.c 1004 @@ -151,6 +151,7 @@ static ERR_STRING_DATA SSL_str_functs[]= 1005 {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"}, 1006 {ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"}, 1007 {ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"}, 1008 +{ERR_FUNC(SSL_F_SSL3_GET_CHANNEL_ID), "SSL3_GET_CHANNEL_ID"}, 1009 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"}, 1010 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"}, 1011 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"}, 1012 @@ -170,6 +171,7 @@ static ERR_STRING_DATA SSL_str_functs[]= 1013 {ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"}, 1014 {ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"}, 1015 {ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"}, 1016 +{ERR_FUNC(SSL_F_SSL3_SEND_CHANNEL_ID), "SSL3_SEND_CHANNEL_ID"}, 1017 {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"}, 1018 {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"}, 1019 {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"}, 1020 @@ -339,12 +341,15 @@ static ERR_STRING_DATA SSL_str_reasons[]= 1021 {ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"}, 1022 {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"}, 1023 {ERR_REASON(SSL_R_BN_LIB) ,"bn lib"}, 1024 +{ERR_REASON(SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY),"cannot serialize public key"}, 1025 {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"}, 1026 {ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"}, 1027 {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"}, 1028 {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"}, 1029 {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"}, 1030 {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"}, 1031 +{ERR_REASON(SSL_R_CHANNEL_ID_NOT_P256) ,"channel id not p256"}, 1032 +{ERR_REASON(SSL_R_CHANNEL_ID_SIGNATURE_INVALID),"Channel ID signature invalid"}, 1033 {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"}, 1034 {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"}, 1035 {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"}, 1036 @@ -357,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= 1037 {ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"}, 1038 {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"}, 1039 {ERR_REASON(SSL_R_COOKIE_MISMATCH) ,"cookie mismatch"}, 1040 +{ERR_REASON(SSL_R_D2I_ECDSA_SIG) ,"d2i ecdsa sig"}, 1041 {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"}, 1042 {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"}, 1043 {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"}, 1044 @@ -374,9 +380,12 @@ static ERR_STRING_DATA SSL_str_reasons[]= 1045 {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"}, 1046 {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"}, 1047 {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"}, 1048 +{ERR_REASON(SSL_R_EVP_DIGESTSIGNFINAL_FAILED),"evp digestsignfinal failed"}, 1049 +{ERR_REASON(SSL_R_EVP_DIGESTSIGNINIT_FAILED),"evp digestsigninit failed"}, 1050 {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"}, 1051 {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"}, 1052 {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"}, 1053 +{ERR_REASON(SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS),"got Channel ID before a ccs"}, 1054 {ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"}, 1055 {ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"}, 1056 {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, 1057 @@ -386,6 +395,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= 1058 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, 1059 {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, 1060 {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"}, 1061 +{ERR_REASON(SSL_R_INVALID_MESSAGE) ,"invalid message"}, 1062 {ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"}, 1063 {ERR_REASON(SSL_R_INVALID_SRP_USERNAME) ,"invalid srp username"}, 1064 {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"}, 1065 @@ -440,6 +450,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= 1066 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"}, 1067 {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"}, 1068 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"}, 1069 +{ERR_REASON(SSL_R_NO_P256_SUPPORT) ,"no p256 support"}, 1070 {ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"}, 1071 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"}, 1072 {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"}, 1073 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c 1074 index 123f925..6938267 100644 1075 --- a/ssl/ssl_lib.c 1076 +++ b/ssl/ssl_lib.c 1077 @@ -562,6 +562,8 @@ void SSL_free(SSL *s) 1078 sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); 1079 if (s->tlsext_ocsp_resp) 1080 OPENSSL_free(s->tlsext_ocsp_resp); 1081 + if (s->tlsext_channel_id_private) 1082 + EVP_PKEY_free(s->tlsext_channel_id_private); 1083 #endif 1084 1085 if (s->client_CA != NULL) 1086 @@ -1952,6 +1954,11 @@ void SSL_CTX_free(SSL_CTX *a) 1087 ssl_buf_freelist_free(a->rbuf_freelist); 1088 #endif 1089 1090 +#ifndef OPENSSL_NO_TLSEXT 1091 + if (a->tlsext_channel_id_private) 1092 + EVP_PKEY_free(a->tlsext_channel_id_private); 1093 +#endif 1094 + 1095 OPENSSL_free(a); 1096 } 1097 1098 @@ -2504,6 +2511,10 @@ int SSL_get_error(const SSL *s,int i) 1099 { 1100 return(SSL_ERROR_WANT_X509_LOOKUP); 1101 } 1102 + if ((i < 0) && SSL_want_channel_id_lookup(s)) 1103 + { 1104 + return(SSL_ERROR_WANT_CHANNEL_ID_LOOKUP); 1105 + } 1106 1107 if (i == 0) 1108 { 1109 diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h 1110 index fcc6d80..3ce3d60 100644 1111 --- a/ssl/ssl_locl.h 1112 +++ b/ssl/ssl_locl.h 1113 @@ -378,6 +378,7 @@ 1114 * (currently this also goes into algorithm2) */ 1115 #define TLS1_STREAM_MAC 0x04 1116 1117 +#define TLSEXT_CHANNEL_ID_SIZE 128 1118 1119 1120 /* 1121 @@ -1008,6 +1009,7 @@ int ssl3_check_cert_and_algorithm(SSL *s); 1122 int ssl3_check_finished(SSL *s); 1123 # ifndef OPENSSL_NO_NEXTPROTONEG 1124 int ssl3_send_next_proto(SSL *s); 1125 +int ssl3_send_channel_id(SSL *s); 1126 # endif 1127 #endif 1128 1129 @@ -1030,6 +1032,7 @@ int ssl3_get_cert_verify(SSL *s); 1130 #ifndef OPENSSL_NO_NEXTPROTONEG 1131 int ssl3_get_next_proto(SSL *s); 1132 #endif 1133 +int ssl3_get_channel_id(SSL *s); 1134 1135 int dtls1_send_hello_request(SSL *s); 1136 int dtls1_send_server_hello(SSL *s); 1137 @@ -1072,6 +1075,7 @@ void ssl_free_wbio_buffer(SSL *s); 1138 int tls1_change_cipher_state(SSL *s, int which); 1139 int tls1_setup_key_block(SSL *s); 1140 int tls1_enc(SSL *s, int snd); 1141 +int tls1_handshake_digest(SSL *s, unsigned char *out, size_t out_len); 1142 int tls1_final_finish_mac(SSL *s, 1143 const char *str, int slen, unsigned char *p); 1144 int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p); 1145 @@ -1127,6 +1131,8 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, 1146 int tls12_get_sigid(const EVP_PKEY *pk); 1147 const EVP_MD *tls12_get_hash(unsigned char hash_alg); 1148 1149 +int tls1_channel_id_hash(EVP_MD_CTX *ctx, SSL *s); 1150 +int tls1_record_handshake_hashes_for_channel_id(SSL *s); 1151 #endif 1152 1153 int ssl3_can_cutthrough(const SSL *s); 1154 diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c 1155 index 2a378c3..dd3b4a6 100644 1156 --- a/ssl/ssl_sess.c 1157 +++ b/ssl/ssl_sess.c 1158 @@ -1151,6 +1151,17 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK 1159 return ctx->client_cert_cb; 1160 } 1161 1162 +void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, 1163 + void (*cb)(SSL *ssl, EVP_PKEY **pkey)) 1164 + { 1165 + ctx->channel_id_cb=cb; 1166 + } 1167 + 1168 +void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL * ssl, EVP_PKEY **pkey) 1169 + { 1170 + return ctx->channel_id_cb; 1171 + } 1172 + 1173 #ifndef OPENSSL_NO_ENGINE 1174 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) 1175 { 1176 diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c 1177 index 0c4cdde..f396674 100644 1178 --- a/ssl/t1_enc.c 1179 +++ b/ssl/t1_enc.c 1180 @@ -895,54 +895,79 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) 1181 return((int)ret); 1182 } 1183 1184 +/* tls1_handshake_digest calculates the current handshake hash and writes it to 1185 + * |out|, which has space for |out_len| bytes. It returns the number of bytes 1186 + * written or -1 in the event of an error. This function works on a copy of the 1187 + * underlying digests so can be called multiple times and prior to the final 1188 + * update etc. */ 1189 +int tls1_handshake_digest(SSL *s, unsigned char *out, size_t out_len) 1190 + { 1191 + const EVP_MD *md; 1192 + EVP_MD_CTX ctx; 1193 + int i, err = 0, len = 0; 1194 + long mask; 1195 + 1196 + EVP_MD_CTX_init(&ctx); 1197 + 1198 + for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) 1199 + { 1200 + int hash_size; 1201 + unsigned int digest_len; 1202 + EVP_MD_CTX *hdgst = s->s3->handshake_dgst[i]; 1203 + 1204 + if ((mask & ssl_get_algorithm2(s)) == 0) 1205 + continue; 1206 + 1207 + hash_size = EVP_MD_size(md); 1208 + if (!hdgst || hash_size < 0 || (size_t)hash_size > out_len) 1209 + { 1210 + err = 1; 1211 + break; 1212 + } 1213 + 1214 + if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || 1215 + !EVP_DigestFinal_ex(&ctx, out, &digest_len) || 1216 + digest_len != (unsigned int)hash_size) /* internal error */ 1217 + { 1218 + err = 1; 1219 + break; 1220 + } 1221 + out += digest_len; 1222 + out_len -= digest_len; 1223 + len += digest_len; 1224 + } 1225 + 1226 + EVP_MD_CTX_cleanup(&ctx); 1227 + 1228 + if (err != 0) 1229 + return -1; 1230 + return len; 1231 + } 1232 + 1233 int tls1_final_finish_mac(SSL *s, 1234 const char *str, int slen, unsigned char *out) 1235 { 1236 - unsigned int i; 1237 - EVP_MD_CTX ctx; 1238 unsigned char buf[2*EVP_MAX_MD_SIZE]; 1239 - unsigned char *q,buf2[12]; 1240 - int idx; 1241 - long mask; 1242 + unsigned char buf2[12]; 1243 int err=0; 1244 - const EVP_MD *md; 1245 + int digests_len; 1246 1247 - q=buf; 1248 - 1249 - if (s->s3->handshake_buffer) 1250 + if (s->s3->handshake_buffer) 1251 if (!ssl3_digest_cached_records(s)) 1252 return 0; 1253 1254 - EVP_MD_CTX_init(&ctx); 1255 - 1256 - for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++) 1257 + digests_len = tls1_handshake_digest(s, buf, sizeof(buf)); 1258 + if (digests_len < 0) 1259 { 1260 - if (mask & ssl_get_algorithm2(s)) 1261 - { 1262 - int hashsize = EVP_MD_size(md); 1263 - EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; 1264 - if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) 1265 - { 1266 - /* internal error: 'buf' is too small for this cipersuite! */ 1267 - err = 1; 1268 - } 1269 - else 1270 - { 1271 - if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || 1272 - !EVP_DigestFinal_ex(&ctx,q,&i) || 1273 - (i != (unsigned int)hashsize)) 1274 - err = 1; 1275 - q+=hashsize; 1276 - } 1277 - } 1278 + err = 1; 1279 + digests_len = 0; 1280 } 1281 - 1282 + 1283 if (!tls1_PRF(ssl_get_algorithm2(s), 1284 - str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, 1285 + str,slen, buf, digests_len, NULL,0, NULL,0, NULL,0, 1286 s->session->master_key,s->session->master_key_length, 1287 out,buf2,sizeof buf2)) 1288 err = 1; 1289 - EVP_MD_CTX_cleanup(&ctx); 1290 1291 if (err) 1292 return 0; 1293 diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c 1294 index bddffd9..1a56a97 100644 1295 --- a/ssl/t1_lib.c 1296 +++ b/ssl/t1_lib.c 1297 @@ -641,6 +641,19 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha 1298 } 1299 #endif 1300 1301 + if (s->tlsext_channel_id_enabled) 1302 + { 1303 + /* The client advertises an emtpy extension to indicate its 1304 + * support for Channel ID. */ 1305 + if (limit - ret - 4 < 0) 1306 + return NULL; 1307 + if (s->ctx->tlsext_channel_id_enabled_new) 1308 + s2n(TLSEXT_TYPE_channel_id_new,ret); 1309 + else 1310 + s2n(TLSEXT_TYPE_channel_id,ret); 1311 + s2n(0,ret); 1312 + } 1313 + 1314 #ifndef OPENSSL_NO_SRTP 1315 if(SSL_get_srtp_profiles(s)) 1316 { 1317 @@ -881,6 +894,19 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha 1318 } 1319 #endif 1320 1321 + /* If the client advertised support for Channel ID, and we have it 1322 + * enabled, then we want to echo it back. */ 1323 + if (s->s3->tlsext_channel_id_valid) 1324 + { 1325 + if (limit - ret - 4 < 0) 1326 + return NULL; 1327 + if (s->s3->tlsext_channel_id_new) 1328 + s2n(TLSEXT_TYPE_channel_id_new,ret); 1329 + else 1330 + s2n(TLSEXT_TYPE_channel_id,ret); 1331 + s2n(0,ret); 1332 + } 1333 + 1334 if ((extdatalen = ret-orig-2)== 0) 1335 return p; 1336 1337 @@ -1442,6 +1468,16 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in 1338 } 1339 #endif 1340 1341 + else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled) 1342 + s->s3->tlsext_channel_id_valid = 1; 1343 + 1344 + else if (type == TLSEXT_TYPE_channel_id_new && 1345 + s->tlsext_channel_id_enabled) 1346 + { 1347 + s->s3->tlsext_channel_id_valid = 1; 1348 + s->s3->tlsext_channel_id_new = 1; 1349 + } 1350 + 1351 /* session ticket processed earlier */ 1352 #ifndef OPENSSL_NO_SRTP 1353 else if (type == TLSEXT_TYPE_use_srtp) 1354 @@ -1672,6 +1708,15 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in 1355 s->s3->next_proto_neg_seen = 1; 1356 } 1357 #endif 1358 + else if (type == TLSEXT_TYPE_channel_id) 1359 + s->s3->tlsext_channel_id_valid = 1; 1360 + 1361 + else if (type == TLSEXT_TYPE_channel_id_new) 1362 + { 1363 + s->s3->tlsext_channel_id_valid = 1; 1364 + s->s3->tlsext_channel_id_new = 1; 1365 + } 1366 + 1367 else if (type == TLSEXT_TYPE_renegotiate) 1368 { 1369 if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) 1370 @@ -2727,3 +2772,74 @@ tls1_heartbeat(SSL *s) 1371 return ret; 1372 } 1373 #endif 1374 + 1375 +#if !defined(OPENSSL_NO_TLSEXT) 1376 +/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given 1377 + * SSL connection and writes it to |md|. 1378 + */ 1379 +int 1380 +tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s) 1381 + { 1382 + EVP_MD_CTX ctx; 1383 + unsigned char temp_digest[EVP_MAX_MD_SIZE]; 1384 + unsigned temp_digest_len; 1385 + int i; 1386 + static const char kClientIDMagic[] = "TLS Channel ID signature"; 1387 + 1388 + if (s->s3->handshake_buffer) 1389 + if (!ssl3_digest_cached_records(s)) 1390 + return 0; 1391 + 1392 + EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic)); 1393 + 1394 + if (s->hit && s->s3->tlsext_channel_id_new) 1395 + { 1396 + static const char kResumptionMagic[] = "Resumption"; 1397 + EVP_DigestUpdate(md, kResumptionMagic, 1398 + sizeof(kResumptionMagic)); 1399 + if (s->session->original_handshake_hash_len == 0) 1400 + return 0; 1401 + EVP_DigestUpdate(md, s->session->original_handshake_hash, 1402 + s->session->original_handshake_hash_len); 1403 + } 1404 + 1405 + EVP_MD_CTX_init(&ctx); 1406 + for (i = 0; i < SSL_MAX_DIGEST; i++) 1407 + { 1408 + if (s->s3->handshake_dgst[i] == NULL) 1409 + continue; 1410 + EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]); 1411 + EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len); 1412 + EVP_DigestUpdate(md, temp_digest, temp_digest_len); 1413 + } 1414 + EVP_MD_CTX_cleanup(&ctx); 1415 + 1416 + return 1; 1417 + } 1418 +#endif 1419 + 1420 +/* tls1_record_handshake_hashes_for_channel_id records the current handshake 1421 + * hashes in |s->session| so that Channel ID resumptions can sign that data. */ 1422 +int tls1_record_handshake_hashes_for_channel_id(SSL *s) 1423 + { 1424 + int digest_len; 1425 + /* This function should never be called for a resumed session because 1426 + * the handshake hashes that we wish to record are for the original, 1427 + * full handshake. */ 1428 + if (s->hit) 1429 + return -1; 1430 + /* It only makes sense to call this function if Channel IDs have been 1431 + * negotiated. */ 1432 + if (!s->s3->tlsext_channel_id_new) 1433 + return -1; 1434 + 1435 + digest_len = tls1_handshake_digest( 1436 + s, s->session->original_handshake_hash, 1437 + sizeof(s->session->original_handshake_hash)); 1438 + if (digest_len < 0) 1439 + return -1; 1440 + 1441 + s->session->original_handshake_hash_len = digest_len; 1442 + 1443 + return 1; 1444 + } 1445 diff --git a/ssl/tls1.h b/ssl/tls1.h 1446 index c992091..12f2f21 100644 1447 --- a/ssl/tls1.h 1448 +++ b/ssl/tls1.h 1449 @@ -254,6 +254,10 @@ extern "C" { 1450 #define TLSEXT_TYPE_next_proto_neg 13172 1451 #endif 1452 1453 +/* This is not an IANA defined extension number */ 1454 +#define TLSEXT_TYPE_channel_id 30031 1455 +#define TLSEXT_TYPE_channel_id_new 30032 1456 + 1457 /* NameType value from RFC 3546 */ 1458 #define TLSEXT_NAMETYPE_host_name 0 1459 /* status request value from RFC 3546 */ 1460 -- 1461 1.9.1.423.g4596e3a 1462 1463
