mirror of
https://github.com/oxen-io/session-android.git
synced 2024-12-11 18:54:21 +00:00
d83a3d71bc
Merge in RedPhone // FREEBIE
1463 lines
47 KiB
Diff
1463 lines
47 KiB
Diff
diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h
|
|
index 05699ab..d05fa22 100644
|
|
--- a/crypto/bio/bio.h
|
|
+++ b/crypto/bio/bio.h
|
|
@@ -266,6 +266,9 @@ void BIO_clear_flags(BIO *b, int flags);
|
|
#define BIO_RR_CONNECT 0x02
|
|
/* Returned from the accept BIO when an accept would have blocked */
|
|
#define BIO_RR_ACCEPT 0x03
|
|
+/* Returned from the SSL bio when the channel id retrieval code cannot find the
|
|
+ * private key. */
|
|
+#define BIO_RR_SSL_CHANNEL_ID_LOOKUP 0x04
|
|
|
|
/* These are passed by the BIO callback */
|
|
#define BIO_CB_FREE 0x01
|
|
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
|
|
index ea4bed9..5f18d4b 100644
|
|
--- a/crypto/evp/evp.h
|
|
+++ b/crypto/evp/evp.h
|
|
@@ -921,6 +921,7 @@ struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
|
|
#endif
|
|
|
|
EVP_PKEY * EVP_PKEY_new(void);
|
|
+EVP_PKEY * EVP_PKEY_dup(EVP_PKEY *pkey);
|
|
void EVP_PKEY_free(EVP_PKEY *pkey);
|
|
|
|
EVP_PKEY * d2i_PublicKey(int type,EVP_PKEY **a, const unsigned char **pp,
|
|
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
|
|
index a0e14a3..65a4440 100644
|
|
--- a/crypto/evp/p_lib.c
|
|
+++ b/crypto/evp/p_lib.c
|
|
@@ -200,6 +200,12 @@ EVP_PKEY *EVP_PKEY_new(void)
|
|
return(ret);
|
|
}
|
|
|
|
+EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey)
|
|
+ {
|
|
+ CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY);
|
|
+ return pkey;
|
|
+ }
|
|
+
|
|
/* Setup a public key ASN1 method and ENGINE from a NID or a string.
|
|
* If pkey is NULL just return 1 or 0 if the algorithm exists.
|
|
*/
|
|
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
|
|
index e9552ca..06a13de 100644
|
|
--- a/ssl/bio_ssl.c
|
|
+++ b/ssl/bio_ssl.c
|
|
@@ -206,6 +206,10 @@ static int ssl_read(BIO *b, char *out, int outl)
|
|
BIO_set_retry_special(b);
|
|
retry_reason=BIO_RR_SSL_X509_LOOKUP;
|
|
break;
|
|
+ case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP:
|
|
+ BIO_set_retry_special(b);
|
|
+ retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP;
|
|
+ break;
|
|
case SSL_ERROR_WANT_ACCEPT:
|
|
BIO_set_retry_special(b);
|
|
retry_reason=BIO_RR_ACCEPT;
|
|
@@ -280,6 +284,10 @@ static int ssl_write(BIO *b, const char *out, int outl)
|
|
BIO_set_retry_special(b);
|
|
retry_reason=BIO_RR_SSL_X509_LOOKUP;
|
|
break;
|
|
+ case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP:
|
|
+ BIO_set_retry_special(b);
|
|
+ retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP;
|
|
+ break;
|
|
case SSL_ERROR_WANT_CONNECT:
|
|
BIO_set_retry_special(b);
|
|
retry_reason=BIO_RR_CONNECT;
|
|
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
|
|
index 53b9390..c0dac70 100644
|
|
--- a/ssl/s3_both.c
|
|
+++ b/ssl/s3_both.c
|
|
@@ -554,7 +554,8 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
|
|
#endif
|
|
|
|
/* Feed this message into MAC computation. */
|
|
- ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
|
|
+ if (*((unsigned char*) s->init_buf->data) != SSL3_MT_ENCRYPTED_EXTENSIONS)
|
|
+ ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
|
|
if (s->msg_callback)
|
|
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg);
|
|
*ok=1;
|
|
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
|
|
index 3d3fd64..7e0c4d5 100644
|
|
--- a/ssl/s3_clnt.c
|
|
+++ b/ssl/s3_clnt.c
|
|
@@ -465,13 +465,14 @@ int ssl3_connect(SSL *s)
|
|
SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
|
|
if (ret <= 0) goto end;
|
|
|
|
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
|
|
s->state=SSL3_ST_CW_FINISHED_A;
|
|
-#else
|
|
+#if !defined(OPENSSL_NO_TLSEXT)
|
|
+ if (s->s3->tlsext_channel_id_valid)
|
|
+ s->state=SSL3_ST_CW_CHANNEL_ID_A;
|
|
+# if !defined(OPENSSL_NO_NEXTPROTONEG)
|
|
if (s->s3->next_proto_neg_seen)
|
|
s->state=SSL3_ST_CW_NEXT_PROTO_A;
|
|
- else
|
|
- s->state=SSL3_ST_CW_FINISHED_A;
|
|
+# endif
|
|
#endif
|
|
s->init_num=0;
|
|
|
|
@@ -505,6 +506,18 @@ int ssl3_connect(SSL *s)
|
|
case SSL3_ST_CW_NEXT_PROTO_B:
|
|
ret=ssl3_send_next_proto(s);
|
|
if (ret <= 0) goto end;
|
|
+ if (s->s3->tlsext_channel_id_valid)
|
|
+ s->state=SSL3_ST_CW_CHANNEL_ID_A;
|
|
+ else
|
|
+ s->state=SSL3_ST_CW_FINISHED_A;
|
|
+ break;
|
|
+#endif
|
|
+
|
|
+#if !defined(OPENSSL_NO_TLSEXT)
|
|
+ case SSL3_ST_CW_CHANNEL_ID_A:
|
|
+ case SSL3_ST_CW_CHANNEL_ID_B:
|
|
+ ret=ssl3_send_channel_id(s);
|
|
+ if (ret <= 0) goto end;
|
|
s->state=SSL3_ST_CW_FINISHED_A;
|
|
break;
|
|
#endif
|
|
@@ -532,6 +545,18 @@ int ssl3_connect(SSL *s)
|
|
}
|
|
else
|
|
{
|
|
+ /* This is a non-resumption handshake. If it
|
|
+ * involves ChannelID, then record the
|
|
+ * handshake hashes at this point in the
|
|
+ * session so that any resumption of this
|
|
+ * session with ChannelID can sign those
|
|
+ * hashes. */
|
|
+ if (s->s3->tlsext_channel_id_new)
|
|
+ {
|
|
+ ret = tls1_record_handshake_hashes_for_channel_id(s);
|
|
+ if (ret <= 0)
|
|
+ goto end;
|
|
+ }
|
|
if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH)
|
|
&& ssl3_can_cutthrough(s)
|
|
&& s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */
|
|
@@ -3338,7 +3363,8 @@ err:
|
|
return(0);
|
|
}
|
|
|
|
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
|
+#if !defined(OPENSSL_NO_TLSEXT)
|
|
+# if !defined(OPENSSL_NO_NEXTPROTONEG)
|
|
int ssl3_send_next_proto(SSL *s)
|
|
{
|
|
unsigned int len, padding_len;
|
|
@@ -3362,7 +3388,135 @@ int ssl3_send_next_proto(SSL *s)
|
|
|
|
return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
|
|
}
|
|
-#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
|
|
+# endif /* !OPENSSL_NO_NEXTPROTONEG */
|
|
+
|
|
+int ssl3_send_channel_id(SSL *s)
|
|
+ {
|
|
+ unsigned char *d;
|
|
+ int ret = -1, public_key_len;
|
|
+ EVP_MD_CTX md_ctx;
|
|
+ size_t sig_len;
|
|
+ ECDSA_SIG *sig = NULL;
|
|
+ unsigned char *public_key = NULL, *derp, *der_sig = NULL;
|
|
+
|
|
+ if (s->state != SSL3_ST_CW_CHANNEL_ID_A)
|
|
+ return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
|
|
+
|
|
+ if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb)
|
|
+ {
|
|
+ EVP_PKEY *key = NULL;
|
|
+ s->ctx->channel_id_cb(s, &key);
|
|
+ if (key != NULL)
|
|
+ {
|
|
+ s->tlsext_channel_id_private = key;
|
|
+ }
|
|
+ }
|
|
+ if (!s->tlsext_channel_id_private)
|
|
+ {
|
|
+ s->rwstate=SSL_CHANNEL_ID_LOOKUP;
|
|
+ return (-1);
|
|
+ }
|
|
+ s->rwstate=SSL_NOTHING;
|
|
+
|
|
+ d = (unsigned char *)s->init_buf->data;
|
|
+ *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS;
|
|
+ l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d);
|
|
+ if (s->s3->tlsext_channel_id_new)
|
|
+ s2n(TLSEXT_TYPE_channel_id_new, d);
|
|
+ else
|
|
+ s2n(TLSEXT_TYPE_channel_id, d);
|
|
+ s2n(TLSEXT_CHANNEL_ID_SIZE, d);
|
|
+
|
|
+ EVP_MD_CTX_init(&md_ctx);
|
|
+
|
|
+ public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL);
|
|
+ if (public_key_len <= 0)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY);
|
|
+ goto err;
|
|
+ }
|
|
+ /* i2d_PublicKey will produce an ANSI X9.62 public key which, for a
|
|
+ * P-256 key, is 0x04 (meaning uncompressed) followed by the x and y
|
|
+ * field elements as 32-byte, big-endian numbers. */
|
|
+ if (public_key_len != 65)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CHANNEL_ID_NOT_P256);
|
|
+ goto err;
|
|
+ }
|
|
+ public_key = OPENSSL_malloc(public_key_len);
|
|
+ if (!public_key)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ derp = public_key;
|
|
+ i2d_PublicKey(s->tlsext_channel_id_private, &derp);
|
|
+
|
|
+ if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL,
|
|
+ s->tlsext_channel_id_private) != 1)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNINIT_FAILED);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ if (!tls1_channel_id_hash(&md_ctx, s))
|
|
+ goto err;
|
|
+
|
|
+ if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len))
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ der_sig = OPENSSL_malloc(sig_len);
|
|
+ if (!der_sig)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len))
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ derp = der_sig;
|
|
+ sig = d2i_ECDSA_SIG(NULL, (const unsigned char**) &derp, sig_len);
|
|
+ if (sig == NULL)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_D2I_ECDSA_SIG);
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ /* The first byte of public_key will be 0x4, denoting an uncompressed key. */
|
|
+ memcpy(d, public_key + 1, 64);
|
|
+ d += 64;
|
|
+ memset(d, 0, 2 * 32);
|
|
+ BN_bn2bin(sig->r, d + 32 - BN_num_bytes(sig->r));
|
|
+ d += 32;
|
|
+ BN_bn2bin(sig->s, d + 32 - BN_num_bytes(sig->s));
|
|
+ d += 32;
|
|
+
|
|
+ s->state = SSL3_ST_CW_CHANNEL_ID_B;
|
|
+ s->init_num = 4 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE;
|
|
+ s->init_off = 0;
|
|
+
|
|
+ ret = ssl3_do_write(s, SSL3_RT_HANDSHAKE);
|
|
+
|
|
+err:
|
|
+ EVP_MD_CTX_cleanup(&md_ctx);
|
|
+ if (public_key)
|
|
+ OPENSSL_free(public_key);
|
|
+ if (der_sig)
|
|
+ OPENSSL_free(der_sig);
|
|
+ if (sig)
|
|
+ ECDSA_SIG_free(sig);
|
|
+
|
|
+ return ret;
|
|
+ }
|
|
+#endif /* !OPENSSL_NO_TLSEXT */
|
|
|
|
/* Check to see if handshake is full or resumed. Usually this is just a
|
|
* case of checking to see if a cache hit has occurred. In the case of
|
|
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
|
|
index 1865c70..f801923 100644
|
|
--- a/ssl/s3_lib.c
|
|
+++ b/ssl/s3_lib.c
|
|
@@ -2951,6 +2951,11 @@ int ssl3_new(SSL *s)
|
|
#ifndef OPENSSL_NO_SRP
|
|
SSL_SRP_CTX_init(s);
|
|
#endif
|
|
+#if !defined(OPENSSL_NO_TLSEXT)
|
|
+ s->tlsext_channel_id_enabled = s->ctx->tlsext_channel_id_enabled;
|
|
+ if (s->ctx->tlsext_channel_id_private)
|
|
+ s->tlsext_channel_id_private = EVP_PKEY_dup(s->ctx->tlsext_channel_id_private);
|
|
+#endif
|
|
s->method->ssl_clear(s);
|
|
return(1);
|
|
err:
|
|
@@ -3079,6 +3084,10 @@ void ssl3_clear(SSL *s)
|
|
s->next_proto_negotiated_len = 0;
|
|
}
|
|
#endif
|
|
+
|
|
+#if !defined(OPENSSL_NO_TLSEXT)
|
|
+ s->s3->tlsext_channel_id_valid = 0;
|
|
+#endif
|
|
}
|
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
@@ -3353,6 +3362,33 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
|
|
ret = 1;
|
|
break;
|
|
#endif
|
|
+ case SSL_CTRL_CHANNEL_ID:
|
|
+ s->tlsext_channel_id_enabled = 1;
|
|
+ ret = 1;
|
|
+ break;
|
|
+
|
|
+ case SSL_CTRL_SET_CHANNEL_ID:
|
|
+ if (s->server)
|
|
+ break;
|
|
+ s->tlsext_channel_id_enabled = 1;
|
|
+ if (EVP_PKEY_bits(parg) != 256)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_CTRL,SSL_R_CHANNEL_ID_NOT_P256);
|
|
+ break;
|
|
+ }
|
|
+ if (s->tlsext_channel_id_private)
|
|
+ EVP_PKEY_free(s->tlsext_channel_id_private);
|
|
+ s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg);
|
|
+ ret = 1;
|
|
+ break;
|
|
+
|
|
+ case SSL_CTRL_GET_CHANNEL_ID:
|
|
+ if (!s->server)
|
|
+ break;
|
|
+ if (!s->s3->tlsext_channel_id_valid)
|
|
+ break;
|
|
+ memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64);
|
|
+ return 64;
|
|
|
|
#endif /* !OPENSSL_NO_TLSEXT */
|
|
default:
|
|
@@ -3574,6 +3610,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
|
}
|
|
return 1;
|
|
}
|
|
+ case SSL_CTRL_CHANNEL_ID:
|
|
+ /* must be called on a server */
|
|
+ if (ctx->method->ssl_accept == ssl_undefined_function)
|
|
+ return 0;
|
|
+ ctx->tlsext_channel_id_enabled=1;
|
|
+ return 1;
|
|
|
|
#ifdef TLSEXT_TYPE_opaque_prf_input
|
|
case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG:
|
|
@@ -3642,6 +3684,18 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
|
}
|
|
break;
|
|
|
|
+ case SSL_CTRL_SET_CHANNEL_ID:
|
|
+ ctx->tlsext_channel_id_enabled = 1;
|
|
+ if (EVP_PKEY_bits(parg) != 256)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_CTX_CTRL,SSL_R_CHANNEL_ID_NOT_P256);
|
|
+ break;
|
|
+ }
|
|
+ if (ctx->tlsext_channel_id_private)
|
|
+ EVP_PKEY_free(ctx->tlsext_channel_id_private);
|
|
+ ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg);
|
|
+ break;
|
|
+
|
|
default:
|
|
return(0);
|
|
}
|
|
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
|
|
index 323b260..6824ef6 100644
|
|
--- a/ssl/s3_srvr.c
|
|
+++ b/ssl/s3_srvr.c
|
|
@@ -157,8 +157,11 @@
|
|
#include <openssl/buffer.h>
|
|
#include <openssl/rand.h>
|
|
#include <openssl/objects.h>
|
|
+#include <openssl/ec.h>
|
|
+#include <openssl/ecdsa.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/hmac.h>
|
|
+#include <openssl/sha.h>
|
|
#include <openssl/x509.h>
|
|
#ifndef OPENSSL_NO_DH
|
|
#include <openssl/dh.h>
|
|
@@ -615,15 +618,8 @@ int ssl3_accept(SSL *s)
|
|
* the client uses its key from the certificate
|
|
* for key exchange.
|
|
*/
|
|
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
|
|
- s->state=SSL3_ST_SR_FINISHED_A;
|
|
-#else
|
|
- if (s->s3->next_proto_neg_seen)
|
|
- s->state=SSL3_ST_SR_NEXT_PROTO_A;
|
|
- else
|
|
- s->state=SSL3_ST_SR_FINISHED_A;
|
|
-#endif
|
|
s->init_num = 0;
|
|
+ s->state=SSL3_ST_SR_POST_CLIENT_CERT;
|
|
}
|
|
else if (TLS1_get_version(s) >= TLS1_2_VERSION)
|
|
{
|
|
@@ -683,16 +679,28 @@ int ssl3_accept(SSL *s)
|
|
ret=ssl3_get_cert_verify(s);
|
|
if (ret <= 0) goto end;
|
|
|
|
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
|
|
- s->state=SSL3_ST_SR_FINISHED_A;
|
|
-#else
|
|
- if (s->s3->next_proto_neg_seen)
|
|
+ s->state=SSL3_ST_SR_POST_CLIENT_CERT;
|
|
+ s->init_num=0;
|
|
+ break;
|
|
+
|
|
+ case SSL3_ST_SR_POST_CLIENT_CERT: {
|
|
+ char next_proto_neg = 0;
|
|
+ char channel_id = 0;
|
|
+#if !defined(OPENSSL_NO_TLSEXT)
|
|
+# if !defined(OPENSSL_NO_NEXTPROTONEG)
|
|
+ next_proto_neg = s->s3->next_proto_neg_seen;
|
|
+# endif
|
|
+ channel_id = s->s3->tlsext_channel_id_valid;
|
|
+#endif
|
|
+
|
|
+ if (next_proto_neg)
|
|
s->state=SSL3_ST_SR_NEXT_PROTO_A;
|
|
+ else if (channel_id)
|
|
+ s->state=SSL3_ST_SR_CHANNEL_ID_A;
|
|
else
|
|
s->state=SSL3_ST_SR_FINISHED_A;
|
|
-#endif
|
|
- s->init_num=0;
|
|
break;
|
|
+ }
|
|
|
|
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
|
case SSL3_ST_SR_NEXT_PROTO_A:
|
|
@@ -700,6 +708,19 @@ int ssl3_accept(SSL *s)
|
|
ret=ssl3_get_next_proto(s);
|
|
if (ret <= 0) goto end;
|
|
s->init_num = 0;
|
|
+ if (s->s3->tlsext_channel_id_valid)
|
|
+ s->state=SSL3_ST_SR_CHANNEL_ID_A;
|
|
+ else
|
|
+ s->state=SSL3_ST_SR_FINISHED_A;
|
|
+ break;
|
|
+#endif
|
|
+
|
|
+#if !defined(OPENSSL_NO_TLSEXT)
|
|
+ case SSL3_ST_SR_CHANNEL_ID_A:
|
|
+ case SSL3_ST_SR_CHANNEL_ID_B:
|
|
+ ret=ssl3_get_channel_id(s);
|
|
+ if (ret <= 0) goto end;
|
|
+ s->init_num = 0;
|
|
s->state=SSL3_ST_SR_FINISHED_A;
|
|
break;
|
|
#endif
|
|
@@ -717,6 +738,15 @@ int ssl3_accept(SSL *s)
|
|
#endif
|
|
else
|
|
s->state=SSL3_ST_SW_CHANGE_A;
|
|
+ /* If this is a full handshake with ChannelID then
|
|
+ * record the hashshake hashes in |s->session| in case
|
|
+ * we need them to verify a ChannelID signature on a
|
|
+ * resumption of this session in the future. */
|
|
+ if (!s->hit && s->s3->tlsext_channel_id_new)
|
|
+ {
|
|
+ ret = tls1_record_handshake_hashes_for_channel_id(s);
|
|
+ if (ret <= 0) goto end;
|
|
+ }
|
|
s->init_num=0;
|
|
break;
|
|
|
|
@@ -771,19 +801,7 @@ int ssl3_accept(SSL *s)
|
|
if (ret <= 0) goto end;
|
|
s->state=SSL3_ST_SW_FLUSH;
|
|
if (s->hit)
|
|
- {
|
|
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
|
|
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
|
|
-#else
|
|
- if (s->s3->next_proto_neg_seen)
|
|
- {
|
|
- s->s3->flags |= SSL3_FLAGS_CCS_OK;
|
|
- s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
|
|
- }
|
|
- else
|
|
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
|
|
-#endif
|
|
- }
|
|
+ s->s3->tmp.next_state=SSL3_ST_SR_POST_CLIENT_CERT;
|
|
else
|
|
s->s3->tmp.next_state=SSL_ST_OK;
|
|
s->init_num=0;
|
|
@@ -1466,6 +1487,22 @@ int ssl3_send_server_hello(SSL *s)
|
|
|
|
if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
|
|
{
|
|
+ /* We only accept ChannelIDs on connections with ECDHE in order
|
|
+ * to avoid a known attack while we fix ChannelID itself. */
|
|
+ if (s->s3 &&
|
|
+ s->s3->tlsext_channel_id_valid &&
|
|
+ (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kEECDH) == 0)
|
|
+ s->s3->tlsext_channel_id_valid = 0;
|
|
+
|
|
+ /* If this is a resumption and the original handshake didn't
|
|
+ * support ChannelID then we didn't record the original
|
|
+ * handshake hashes in the session and so cannot resume with
|
|
+ * ChannelIDs. */
|
|
+ if (s->hit &&
|
|
+ s->s3->tlsext_channel_id_new &&
|
|
+ s->session->original_handshake_hash_len == 0)
|
|
+ s->s3->tlsext_channel_id_valid = 0;
|
|
+
|
|
buf=(unsigned char *)s->init_buf->data;
|
|
#ifdef OPENSSL_NO_TLSEXT
|
|
p=s->s3->server_random;
|
|
@@ -3632,4 +3669,145 @@ int ssl3_get_next_proto(SSL *s)
|
|
return 1;
|
|
}
|
|
# endif
|
|
+
|
|
+/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
|
|
+int ssl3_get_channel_id(SSL *s)
|
|
+ {
|
|
+ int ret = -1, ok;
|
|
+ long n;
|
|
+ const unsigned char *p;
|
|
+ unsigned short extension_type, extension_len;
|
|
+ EC_GROUP* p256 = NULL;
|
|
+ EC_KEY* key = NULL;
|
|
+ EC_POINT* point = NULL;
|
|
+ ECDSA_SIG sig;
|
|
+ BIGNUM x, y;
|
|
+ unsigned short expected_extension_type;
|
|
+
|
|
+ if (s->state == SSL3_ST_SR_CHANNEL_ID_A && s->init_num == 0)
|
|
+ {
|
|
+ /* The first time that we're called we take the current
|
|
+ * handshake hash and store it. */
|
|
+ EVP_MD_CTX md_ctx;
|
|
+ unsigned int len;
|
|
+
|
|
+ EVP_MD_CTX_init(&md_ctx);
|
|
+ EVP_DigestInit_ex(&md_ctx, EVP_sha256(), NULL);
|
|
+ if (!tls1_channel_id_hash(&md_ctx, s))
|
|
+ return -1;
|
|
+ len = sizeof(s->s3->tlsext_channel_id);
|
|
+ EVP_DigestFinal(&md_ctx, s->s3->tlsext_channel_id, &len);
|
|
+ EVP_MD_CTX_cleanup(&md_ctx);
|
|
+ }
|
|
+
|
|
+ n = s->method->ssl_get_message(s,
|
|
+ SSL3_ST_SR_CHANNEL_ID_A,
|
|
+ SSL3_ST_SR_CHANNEL_ID_B,
|
|
+ SSL3_MT_ENCRYPTED_EXTENSIONS,
|
|
+ 2 + 2 + TLSEXT_CHANNEL_ID_SIZE,
|
|
+ &ok);
|
|
+
|
|
+ if (!ok)
|
|
+ return((int)n);
|
|
+
|
|
+ ssl3_finish_mac(s, (unsigned char*)s->init_buf->data, s->init_num + 4);
|
|
+
|
|
+ /* s->state doesn't reflect whether ChangeCipherSpec has been received
|
|
+ * in this handshake, but s->s3->change_cipher_spec does (will be reset
|
|
+ * by ssl3_get_finished). */
|
|
+ if (!s->s3->change_cipher_spec)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (n != 2 + 2 + TLSEXT_CHANNEL_ID_SIZE)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ p = (unsigned char *)s->init_msg;
|
|
+
|
|
+ /* The payload looks like:
|
|
+ * uint16 extension_type
|
|
+ * uint16 extension_len;
|
|
+ * uint8 x[32];
|
|
+ * uint8 y[32];
|
|
+ * uint8 r[32];
|
|
+ * uint8 s[32];
|
|
+ */
|
|
+ n2s(p, extension_type);
|
|
+ n2s(p, extension_len);
|
|
+
|
|
+ expected_extension_type = TLSEXT_TYPE_channel_id;
|
|
+ if (s->s3->tlsext_channel_id_new)
|
|
+ expected_extension_type = TLSEXT_TYPE_channel_id_new;
|
|
+
|
|
+ if (extension_type != expected_extension_type ||
|
|
+ extension_len != TLSEXT_CHANNEL_ID_SIZE)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
|
|
+ if (!p256)
|
|
+ {
|
|
+ SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_NO_P256_SUPPORT);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ BN_init(&x);
|
|
+ BN_init(&y);
|
|
+ sig.r = BN_new();
|
|
+ sig.s = BN_new();
|
|
+
|
|
+ if (BN_bin2bn(p + 0, 32, &x) == NULL ||
|
|
+ BN_bin2bn(p + 32, 32, &y) == NULL ||
|
|
+ BN_bin2bn(p + 64, 32, sig.r) == NULL ||
|
|
+ BN_bin2bn(p + 96, 32, sig.s) == NULL)
|
|
+ goto err;
|
|
+
|
|
+ point = EC_POINT_new(p256);
|
|
+ if (!point ||
|
|
+ !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL))
|
|
+ goto err;
|
|
+
|
|
+ key = EC_KEY_new();
|
|
+ if (!key ||
|
|
+ !EC_KEY_set_group(key, p256) ||
|
|
+ !EC_KEY_set_public_key(key, point))
|
|
+ goto err;
|
|
+
|
|
+ /* We stored the handshake hash in |tlsext_channel_id| the first time
|
|
+ * that we were called. */
|
|
+ switch (ECDSA_do_verify(s->s3->tlsext_channel_id, SHA256_DIGEST_LENGTH, &sig, key)) {
|
|
+ case 1:
|
|
+ break;
|
|
+ case 0:
|
|
+ SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
|
|
+ s->s3->tlsext_channel_id_valid = 0;
|
|
+ goto err;
|
|
+ default:
|
|
+ s->s3->tlsext_channel_id_valid = 0;
|
|
+ goto err;
|
|
+ }
|
|
+
|
|
+ memcpy(s->s3->tlsext_channel_id, p, 64);
|
|
+ ret = 1;
|
|
+
|
|
+err:
|
|
+ BN_free(&x);
|
|
+ BN_free(&y);
|
|
+ BN_free(sig.r);
|
|
+ BN_free(sig.s);
|
|
+ if (key)
|
|
+ EC_KEY_free(key);
|
|
+ if (point)
|
|
+ EC_POINT_free(point);
|
|
+ if (p256)
|
|
+ EC_GROUP_free(p256);
|
|
+ return ret;
|
|
+ }
|
|
#endif
|
|
diff --git a/ssl/ssl.h b/ssl/ssl.h
|
|
index 944aea6..e50b8f0 100644
|
|
--- a/ssl/ssl.h
|
|
+++ b/ssl/ssl.h
|
|
@@ -547,6 +547,13 @@ struct ssl_session_st
|
|
#ifndef OPENSSL_NO_SRP
|
|
char *srp_username;
|
|
#endif
|
|
+
|
|
+ /* original_handshake_hash contains the handshake hash (either
|
|
+ * SHA-1+MD5 or SHA-2, depending on TLS version) for the original, full
|
|
+ * handshake that created a session. This is used by Channel IDs during
|
|
+ * resumption. */
|
|
+ unsigned char original_handshake_hash[EVP_MAX_MD_SIZE];
|
|
+ unsigned int original_handshake_hash_len;
|
|
};
|
|
|
|
#endif
|
|
@@ -862,6 +869,9 @@ struct ssl_ctx_st
|
|
/* get client cert callback */
|
|
int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
|
|
|
|
+ /* get channel id callback */
|
|
+ void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey);
|
|
+
|
|
/* cookie generate callback */
|
|
int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
|
|
unsigned int *cookie_len);
|
|
@@ -999,6 +1009,16 @@ struct ssl_ctx_st
|
|
# endif
|
|
/* SRTP profiles we are willing to do from RFC 5764 */
|
|
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
|
|
+
|
|
+ /* If true, a client will advertise the Channel ID extension and a
|
|
+ * server will echo it. */
|
|
+ char tlsext_channel_id_enabled;
|
|
+ /* tlsext_channel_id_enabled_new is a hack to support both old and new
|
|
+ * ChannelID signatures. It indicates that a client should advertise the
|
|
+ * new ChannelID extension number. */
|
|
+ char tlsext_channel_id_enabled_new;
|
|
+ /* The client's Channel ID private key. */
|
|
+ EVP_PKEY *tlsext_channel_id_private;
|
|
#endif
|
|
};
|
|
|
|
@@ -1040,6 +1060,10 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
|
|
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
|
|
#define SSL_CTX_sess_cache_full(ctx) \
|
|
SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
|
|
+/* SSL_CTX_enable_tls_channel_id configures a TLS server to accept TLS client
|
|
+ * IDs from clients. Returns 1 on success. */
|
|
+#define SSL_CTX_enable_tls_channel_id(ctx) \
|
|
+ SSL_CTX_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL)
|
|
|
|
void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess));
|
|
int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
|
|
@@ -1056,6 +1080,8 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,
|
|
void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
|
|
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
|
|
int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
|
|
+void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey));
|
|
+void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey);
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
|
|
#endif
|
|
@@ -1117,5 +1143,6 @@ const char *SSL_get_psk_identity(const SSL *s);
|
|
#define SSL_WRITING 2
|
|
#define SSL_READING 3
|
|
#define SSL_X509_LOOKUP 4
|
|
+#define SSL_CHANNEL_ID_LOOKUP 5
|
|
|
|
/* These will only be used when doing non-blocking IO */
|
|
@@ -1124,5 +1151,6 @@ const char *SSL_get_psk_identity(const SSL *s);
|
|
#define SSL_want_read(s) (SSL_want(s) == SSL_READING)
|
|
#define SSL_want_write(s) (SSL_want(s) == SSL_WRITING)
|
|
#define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
|
|
+#define SSL_want_channel_id_lookup(s) (SSL_want(s) == SSL_CHANNEL_ID_LOOKUP)
|
|
|
|
#define SSL_MAC_FLAG_READ_MAC_STREAM 1
|
|
@@ -1373,6 +1401,13 @@ struct ssl_st
|
|
*/
|
|
unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
|
|
unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */
|
|
+
|
|
+ /* Copied from the SSL_CTX. For a server, means that we'll accept
|
|
+ * Channel IDs from clients. For a client, means that we'll advertise
|
|
+ * support. */
|
|
+ char tlsext_channel_id_enabled;
|
|
+ /* The client's Channel ID private key. */
|
|
+ EVP_PKEY *tlsext_channel_id_private;
|
|
#else
|
|
#define session_ctx ctx
|
|
#endif /* OPENSSL_NO_TLSEXT */
|
|
@@ -1543,5 +1578,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|
#define SSL_ERROR_ZERO_RETURN 6
|
|
#define SSL_ERROR_WANT_CONNECT 7
|
|
#define SSL_ERROR_WANT_ACCEPT 8
|
|
+#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9
|
|
|
|
#define SSL_CTRL_NEED_TMP_RSA 1
|
|
@@ -1631,6 +1667,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|
#define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86
|
|
#define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87
|
|
#endif
|
|
+#define SSL_CTRL_CHANNEL_ID 88
|
|
+#define SSL_CTRL_GET_CHANNEL_ID 89
|
|
+#define SSL_CTRL_SET_CHANNEL_ID 90
|
|
#endif
|
|
|
|
#define DTLS_CTRL_GET_TIMEOUT 73
|
|
@@ -1678,6 +1717,26 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
|
#define SSL_set_tmp_ecdh(ssl,ecdh) \
|
|
SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
|
|
|
|
+/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS client
|
|
+ * IDs from clients, or configure a client to send TLS client IDs to server.
|
|
+ * Returns 1 on success. */
|
|
+#define SSL_enable_tls_channel_id(s) \
|
|
+ SSL_ctrl(s,SSL_CTRL_CHANNEL_ID,0,NULL)
|
|
+/* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
|
|
+ * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on
|
|
+ * success. */
|
|
+#define SSL_set1_tls_channel_id(s, private_key) \
|
|
+ SSL_ctrl(s,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key)
|
|
+#define SSL_CTX_set1_tls_channel_id(ctx, private_key) \
|
|
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key)
|
|
+/* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server SSL*
|
|
+ * and copies up to the first |channel_id_len| bytes into |channel_id|. The
|
|
+ * Channel ID consists of the client's P-256 public key as an (x,y) pair where
|
|
+ * each is a 32-byte, big-endian field element. Returns 0 if the client didn't
|
|
+ * offer a Channel ID and the length of the complete Channel ID otherwise. */
|
|
+#define SSL_get_tls_channel_id(ctx, channel_id, channel_id_len) \
|
|
+ SSL_ctrl(ctx,SSL_CTRL_GET_CHANNEL_ID,channel_id_len,(void*)channel_id)
|
|
+
|
|
#define SSL_CTX_add_extra_chain_cert(ctx,x509) \
|
|
SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
|
|
#define SSL_CTX_get_extra_chain_certs(ctx,px509) \
|
|
@@ -2176,6 +2235,7 @@ void ERR_load_SSL_strings(void);
|
|
#define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
|
|
#define SSL_F_SSL3_GET_CERT_STATUS 289
|
|
#define SSL_F_SSL3_GET_CERT_VERIFY 136
|
|
+#define SSL_F_SSL3_GET_CHANNEL_ID 317
|
|
#define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137
|
|
#define SSL_F_SSL3_GET_CLIENT_HELLO 138
|
|
#define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139
|
|
@@ -2195,6 +2255,7 @@ void ERR_load_SSL_strings(void);
|
|
#define SSL_F_SSL3_READ_BYTES 148
|
|
#define SSL_F_SSL3_READ_N 149
|
|
#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
|
|
+#define SSL_F_SSL3_SEND_CHANNEL_ID 318
|
|
#define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151
|
|
#define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152
|
|
#define SSL_F_SSL3_SEND_CLIENT_VERIFY 153
|
|
@@ -2361,12 +2422,15 @@ void ERR_load_SSL_strings(void);
|
|
#define SSL_R_BIO_NOT_SET 128
|
|
#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129
|
|
#define SSL_R_BN_LIB 130
|
|
+#define SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY 376
|
|
#define SSL_R_CA_DN_LENGTH_MISMATCH 131
|
|
#define SSL_R_CA_DN_TOO_LONG 132
|
|
#define SSL_R_CCS_RECEIVED_EARLY 133
|
|
#define SSL_R_CERTIFICATE_VERIFY_FAILED 134
|
|
#define SSL_R_CERT_LENGTH_MISMATCH 135
|
|
#define SSL_R_CHALLENGE_IS_DIFFERENT 136
|
|
+#define SSL_R_CHANNEL_ID_NOT_P256 375
|
|
+#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 371
|
|
#define SSL_R_CIPHER_CODE_WRONG_LENGTH 137
|
|
#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138
|
|
#define SSL_R_CIPHER_TABLE_SRC_ERROR 139
|
|
@@ -2379,6 +2443,7 @@ void ERR_load_SSL_strings(void);
|
|
#define SSL_R_CONNECTION_ID_IS_DIFFERENT 143
|
|
#define SSL_R_CONNECTION_TYPE_NOT_SET 144
|
|
#define SSL_R_COOKIE_MISMATCH 308
|
|
+#define SSL_R_D2I_ECDSA_SIG 379
|
|
#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145
|
|
#define SSL_R_DATA_LENGTH_TOO_LONG 146
|
|
#define SSL_R_DECRYPTION_FAILED 147
|
|
@@ -2396,9 +2461,12 @@ void ERR_load_SSL_strings(void);
|
|
#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
|
|
#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
|
|
#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
|
|
+#define SSL_R_EVP_DIGESTSIGNFINAL_FAILED 377
|
|
+#define SSL_R_EVP_DIGESTSIGNINIT_FAILED 378
|
|
#define SSL_R_EXCESSIVE_MESSAGE_SIZE 152
|
|
#define SSL_R_EXTRA_DATA_IN_MESSAGE 153
|
|
#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154
|
|
+#define SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS 372
|
|
#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355
|
|
#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356
|
|
#define SSL_R_HTTPS_PROXY_REQUEST 155
|
|
@@ -2408,6 +2476,7 @@ void ERR_load_SSL_strings(void);
|
|
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
|
|
#define SSL_R_INVALID_COMMAND 280
|
|
#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
|
|
+#define SSL_R_INVALID_MESSAGE 374
|
|
#define SSL_R_INVALID_PURPOSE 278
|
|
#define SSL_R_INVALID_SRP_USERNAME 357
|
|
#define SSL_R_INVALID_STATUS_RESPONSE 328
|
|
@@ -2462,6 +2531,7 @@ void ERR_load_SSL_strings(void);
|
|
#define SSL_R_NO_COMPRESSION_SPECIFIED 187
|
|
#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330
|
|
#define SSL_R_NO_METHOD_SPECIFIED 188
|
|
+#define SSL_R_NO_P256_SUPPORT 373
|
|
#define SSL_R_NO_PRIVATEKEY 189
|
|
#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
|
|
#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
|
|
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
|
|
index cf81de0..8502628 100644
|
|
--- a/ssl/ssl3.h
|
|
+++ b/ssl/ssl3.h
|
|
@@ -548,6 +548,22 @@ typedef struct ssl3_state_st
|
|
char is_probably_safari;
|
|
#endif /* !OPENSSL_NO_EC */
|
|
#endif /* !OPENSSL_NO_TLSEXT */
|
|
+
|
|
+ /* In a client, this means that the server supported Channel ID and that
|
|
+ * a Channel ID was sent. In a server it means that we echoed support
|
|
+ * for Channel IDs and that tlsext_channel_id will be valid after the
|
|
+ * handshake. */
|
|
+ char tlsext_channel_id_valid;
|
|
+ /* tlsext_channel_id_new means that the updated Channel ID extension
|
|
+ * was negotiated. This is a temporary hack in the code to support both
|
|
+ * forms of Channel ID extension while we transition to the new format,
|
|
+ * which fixed a security issue. */
|
|
+ char tlsext_channel_id_new;
|
|
+ /* For a server:
|
|
+ * If |tlsext_channel_id_valid| is true, then this contains the
|
|
+ * verified Channel ID from the client: a P256 point, (x,y), where
|
|
+ * each are big-endian values. */
|
|
+ unsigned char tlsext_channel_id[64];
|
|
} SSL3_STATE;
|
|
|
|
#endif
|
|
@@ -592,6 +608,8 @@ typedef struct ssl3_state_st
|
|
#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
|
|
#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
|
|
#endif
|
|
+#define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT)
|
|
+#define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT)
|
|
#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
|
|
#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
|
|
/* read from server */
|
|
@@ -646,6 +664,9 @@ typedef struct ssl3_state_st
|
|
#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
|
|
#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
|
|
#endif
|
|
+#define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT)
|
|
+#define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT)
|
|
+#define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT)
|
|
#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
|
|
#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
|
|
/* write to client */
|
|
@@ -673,6 +694,7 @@ typedef struct ssl3_state_st
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
#define SSL3_MT_NEXT_PROTO 67
|
|
#endif
|
|
+#define SSL3_MT_ENCRYPTED_EXTENSIONS 203
|
|
#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
|
|
|
|
|
|
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
|
|
index 8bda011..e579e7c 100644
|
|
--- a/ssl/ssl_asn1.c
|
|
+++ b/ssl/ssl_asn1.c
|
|
@@ -118,11 +118,12 @@ typedef struct ssl_session_asn1_st
|
|
ASN1_OCTET_STRING srp_username;
|
|
#endif /* OPENSSL_NO_SRP */
|
|
+ ASN1_OCTET_STRING original_handshake_hash;
|
|
} SSL_SESSION_ASN1;
|
|
|
|
int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
|
|
{
|
|
#define LSIZE2 (sizeof(long)*2)
|
|
- int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0;
|
|
+ int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0,v14=0;
|
|
unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
|
|
unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
|
|
#ifndef OPENSSL_NO_TLSEXT
|
|
@@ -280,4 +281,11 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
|
|
}
|
|
+
|
|
+ if (in->original_handshake_hash_len > 0)
|
|
+ {
|
|
+ a.original_handshake_hash.length = in->original_handshake_hash_len;
|
|
+ a.original_handshake_hash.type = V_ASN1_OCTET_STRING;
|
|
+ a.original_handshake_hash.data = in->original_handshake_hash;
|
|
+ }
|
|
#endif /* OPENSSL_NO_PSK */
|
|
#ifndef OPENSSL_NO_SRP
|
|
if (in->srp_username)
|
|
@@ -335,4 +343,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
|
|
#endif /* OPENSSL_NO_SRP */
|
|
+ if (in->original_handshake_hash_len > 0)
|
|
+ M_ASN1_I2D_len_EXP_opt(&(a.original_handshake_hash),i2d_ASN1_OCTET_STRING,14,v14);
|
|
|
|
M_ASN1_I2D_seq_total();
|
|
|
|
@@ -385,4 +395,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
|
|
#endif /* OPENSSL_NO_SRP */
|
|
+ if (in->original_handshake_hash_len > 0)
|
|
+ M_ASN1_I2D_put_EXP_opt(&(a.original_handshake_hash),i2d_ASN1_OCTET_STRING,14,v14);
|
|
M_ASN1_I2D_finish();
|
|
}
|
|
|
|
@@ -661,5 +673,16 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
|
|
os.data = NULL;
|
|
}
|
|
|
|
+ os.length=0;
|
|
+ os.data=NULL;
|
|
+ M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,14);
|
|
+ if (os.data && os.length < (int)sizeof(ret->original_handshake_hash))
|
|
+ {
|
|
+ memcpy(ret->original_handshake_hash, os.data, os.length);
|
|
+ ret->original_handshake_hash_len = os.length;
|
|
+ OPENSSL_free(os.data);
|
|
+ os.data = NULL;
|
|
+ }
|
|
+
|
|
M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
|
|
}
|
|
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
|
|
index 370fb57..b3eee4d 100644
|
|
--- a/ssl/ssl_err.c
|
|
+++ b/ssl/ssl_err.c
|
|
@@ -151,6 +151,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
|
{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
|
|
{ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"},
|
|
{ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"},
|
|
+{ERR_FUNC(SSL_F_SSL3_GET_CHANNEL_ID), "SSL3_GET_CHANNEL_ID"},
|
|
{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"},
|
|
{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"},
|
|
{ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"},
|
|
@@ -170,6 +171,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
|
{ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"},
|
|
{ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"},
|
|
{ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"},
|
|
+{ERR_FUNC(SSL_F_SSL3_SEND_CHANNEL_ID), "SSL3_SEND_CHANNEL_ID"},
|
|
{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"},
|
|
{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"},
|
|
{ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"},
|
|
@@ -339,12 +341,15 @@ static ERR_STRING_DATA SSL_str_reasons[]=
|
|
{ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"},
|
|
{ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
|
|
{ERR_REASON(SSL_R_BN_LIB) ,"bn lib"},
|
|
+{ERR_REASON(SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY),"cannot serialize public key"},
|
|
{ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
|
|
{ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"},
|
|
{ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"},
|
|
{ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
|
|
{ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"},
|
|
{ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
|
|
+{ERR_REASON(SSL_R_CHANNEL_ID_NOT_P256) ,"channel id not p256"},
|
|
+{ERR_REASON(SSL_R_CHANNEL_ID_SIGNATURE_INVALID),"Channel ID signature invalid"},
|
|
{ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
|
|
{ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
|
|
{ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
|
|
@@ -357,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
|
|
{ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
|
|
{ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
|
|
{ERR_REASON(SSL_R_COOKIE_MISMATCH) ,"cookie mismatch"},
|
|
+{ERR_REASON(SSL_R_D2I_ECDSA_SIG) ,"d2i ecdsa sig"},
|
|
{ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
|
|
{ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
|
|
{ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
|
|
@@ -374,9 +380,12 @@ static ERR_STRING_DATA SSL_str_reasons[]=
|
|
{ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
|
|
{ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
|
|
{ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
|
|
+{ERR_REASON(SSL_R_EVP_DIGESTSIGNFINAL_FAILED),"evp digestsignfinal failed"},
|
|
+{ERR_REASON(SSL_R_EVP_DIGESTSIGNINIT_FAILED),"evp digestsigninit failed"},
|
|
{ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
|
|
{ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
|
|
{ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
|
|
+{ERR_REASON(SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS),"got Channel ID before a ccs"},
|
|
{ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"},
|
|
{ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"},
|
|
{ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
|
|
@@ -386,6 +395,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
|
|
{ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
|
|
{ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
|
|
{ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
|
|
+{ERR_REASON(SSL_R_INVALID_MESSAGE) ,"invalid message"},
|
|
{ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"},
|
|
{ERR_REASON(SSL_R_INVALID_SRP_USERNAME) ,"invalid srp username"},
|
|
{ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
|
|
@@ -440,6 +450,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
|
|
{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
|
|
{ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"},
|
|
{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"},
|
|
+{ERR_REASON(SSL_R_NO_P256_SUPPORT) ,"no p256 support"},
|
|
{ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"},
|
|
{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
|
|
{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
|
|
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
|
|
index 123f925..6938267 100644
|
|
--- a/ssl/ssl_lib.c
|
|
+++ b/ssl/ssl_lib.c
|
|
@@ -562,6 +562,8 @@ void SSL_free(SSL *s)
|
|
sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
|
|
if (s->tlsext_ocsp_resp)
|
|
OPENSSL_free(s->tlsext_ocsp_resp);
|
|
+ if (s->tlsext_channel_id_private)
|
|
+ EVP_PKEY_free(s->tlsext_channel_id_private);
|
|
#endif
|
|
|
|
if (s->client_CA != NULL)
|
|
@@ -1952,6 +1954,11 @@ void SSL_CTX_free(SSL_CTX *a)
|
|
ssl_buf_freelist_free(a->rbuf_freelist);
|
|
#endif
|
|
|
|
+#ifndef OPENSSL_NO_TLSEXT
|
|
+ if (a->tlsext_channel_id_private)
|
|
+ EVP_PKEY_free(a->tlsext_channel_id_private);
|
|
+#endif
|
|
+
|
|
OPENSSL_free(a);
|
|
}
|
|
|
|
@@ -2504,6 +2511,10 @@ int SSL_get_error(const SSL *s,int i)
|
|
{
|
|
return(SSL_ERROR_WANT_X509_LOOKUP);
|
|
}
|
|
+ if ((i < 0) && SSL_want_channel_id_lookup(s))
|
|
+ {
|
|
+ return(SSL_ERROR_WANT_CHANNEL_ID_LOOKUP);
|
|
+ }
|
|
|
|
if (i == 0)
|
|
{
|
|
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
|
|
index fcc6d80..3ce3d60 100644
|
|
--- a/ssl/ssl_locl.h
|
|
+++ b/ssl/ssl_locl.h
|
|
@@ -378,6 +378,7 @@
|
|
* (currently this also goes into algorithm2) */
|
|
#define TLS1_STREAM_MAC 0x04
|
|
|
|
+#define TLSEXT_CHANNEL_ID_SIZE 128
|
|
|
|
|
|
/*
|
|
@@ -1008,6 +1009,7 @@ int ssl3_check_cert_and_algorithm(SSL *s);
|
|
int ssl3_check_finished(SSL *s);
|
|
# ifndef OPENSSL_NO_NEXTPROTONEG
|
|
int ssl3_send_next_proto(SSL *s);
|
|
+int ssl3_send_channel_id(SSL *s);
|
|
# endif
|
|
#endif
|
|
|
|
@@ -1030,6 +1032,7 @@ int ssl3_get_cert_verify(SSL *s);
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
int ssl3_get_next_proto(SSL *s);
|
|
#endif
|
|
+int ssl3_get_channel_id(SSL *s);
|
|
|
|
int dtls1_send_hello_request(SSL *s);
|
|
int dtls1_send_server_hello(SSL *s);
|
|
@@ -1072,6 +1075,7 @@ void ssl_free_wbio_buffer(SSL *s);
|
|
int tls1_change_cipher_state(SSL *s, int which);
|
|
int tls1_setup_key_block(SSL *s);
|
|
int tls1_enc(SSL *s, int snd);
|
|
+int tls1_handshake_digest(SSL *s, unsigned char *out, size_t out_len);
|
|
int tls1_final_finish_mac(SSL *s,
|
|
const char *str, int slen, unsigned char *p);
|
|
int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
|
|
@@ -1127,6 +1131,8 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
|
|
int tls12_get_sigid(const EVP_PKEY *pk);
|
|
const EVP_MD *tls12_get_hash(unsigned char hash_alg);
|
|
|
|
+int tls1_channel_id_hash(EVP_MD_CTX *ctx, SSL *s);
|
|
+int tls1_record_handshake_hashes_for_channel_id(SSL *s);
|
|
#endif
|
|
|
|
int ssl3_can_cutthrough(const SSL *s);
|
|
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
|
|
index 2a378c3..dd3b4a6 100644
|
|
--- a/ssl/ssl_sess.c
|
|
+++ b/ssl/ssl_sess.c
|
|
@@ -1151,6 +1151,17 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK
|
|
return ctx->client_cert_cb;
|
|
}
|
|
|
|
+void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx,
|
|
+ void (*cb)(SSL *ssl, EVP_PKEY **pkey))
|
|
+ {
|
|
+ ctx->channel_id_cb=cb;
|
|
+ }
|
|
+
|
|
+void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL * ssl, EVP_PKEY **pkey)
|
|
+ {
|
|
+ return ctx->channel_id_cb;
|
|
+ }
|
|
+
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
|
|
{
|
|
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
|
|
index 0c4cdde..f396674 100644
|
|
--- a/ssl/t1_enc.c
|
|
+++ b/ssl/t1_enc.c
|
|
@@ -895,54 +895,79 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
|
|
return((int)ret);
|
|
}
|
|
|
|
+/* tls1_handshake_digest calculates the current handshake hash and writes it to
|
|
+ * |out|, which has space for |out_len| bytes. It returns the number of bytes
|
|
+ * written or -1 in the event of an error. This function works on a copy of the
|
|
+ * underlying digests so can be called multiple times and prior to the final
|
|
+ * update etc. */
|
|
+int tls1_handshake_digest(SSL *s, unsigned char *out, size_t out_len)
|
|
+ {
|
|
+ const EVP_MD *md;
|
|
+ EVP_MD_CTX ctx;
|
|
+ int i, err = 0, len = 0;
|
|
+ long mask;
|
|
+
|
|
+ EVP_MD_CTX_init(&ctx);
|
|
+
|
|
+ for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++)
|
|
+ {
|
|
+ int hash_size;
|
|
+ unsigned int digest_len;
|
|
+ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[i];
|
|
+
|
|
+ if ((mask & ssl_get_algorithm2(s)) == 0)
|
|
+ continue;
|
|
+
|
|
+ hash_size = EVP_MD_size(md);
|
|
+ if (!hdgst || hash_size < 0 || (size_t)hash_size > out_len)
|
|
+ {
|
|
+ err = 1;
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
|
|
+ !EVP_DigestFinal_ex(&ctx, out, &digest_len) ||
|
|
+ digest_len != (unsigned int)hash_size) /* internal error */
|
|
+ {
|
|
+ err = 1;
|
|
+ break;
|
|
+ }
|
|
+ out += digest_len;
|
|
+ out_len -= digest_len;
|
|
+ len += digest_len;
|
|
+ }
|
|
+
|
|
+ EVP_MD_CTX_cleanup(&ctx);
|
|
+
|
|
+ if (err != 0)
|
|
+ return -1;
|
|
+ return len;
|
|
+ }
|
|
+
|
|
int tls1_final_finish_mac(SSL *s,
|
|
const char *str, int slen, unsigned char *out)
|
|
{
|
|
- unsigned int i;
|
|
- EVP_MD_CTX ctx;
|
|
unsigned char buf[2*EVP_MAX_MD_SIZE];
|
|
- unsigned char *q,buf2[12];
|
|
- int idx;
|
|
- long mask;
|
|
+ unsigned char buf2[12];
|
|
int err=0;
|
|
- const EVP_MD *md;
|
|
+ int digests_len;
|
|
|
|
- q=buf;
|
|
-
|
|
- if (s->s3->handshake_buffer)
|
|
+ if (s->s3->handshake_buffer)
|
|
if (!ssl3_digest_cached_records(s))
|
|
return 0;
|
|
|
|
- EVP_MD_CTX_init(&ctx);
|
|
-
|
|
- for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++)
|
|
+ digests_len = tls1_handshake_digest(s, buf, sizeof(buf));
|
|
+ if (digests_len < 0)
|
|
{
|
|
- if (mask & ssl_get_algorithm2(s))
|
|
- {
|
|
- int hashsize = EVP_MD_size(md);
|
|
- EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
|
|
- if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
|
|
- {
|
|
- /* internal error: 'buf' is too small for this cipersuite! */
|
|
- err = 1;
|
|
- }
|
|
- else
|
|
- {
|
|
- if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
|
|
- !EVP_DigestFinal_ex(&ctx,q,&i) ||
|
|
- (i != (unsigned int)hashsize))
|
|
- err = 1;
|
|
- q+=hashsize;
|
|
- }
|
|
- }
|
|
+ err = 1;
|
|
+ digests_len = 0;
|
|
}
|
|
-
|
|
+
|
|
if (!tls1_PRF(ssl_get_algorithm2(s),
|
|
- str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0,
|
|
+ str,slen, buf, digests_len, NULL,0, NULL,0, NULL,0,
|
|
s->session->master_key,s->session->master_key_length,
|
|
out,buf2,sizeof buf2))
|
|
err = 1;
|
|
- EVP_MD_CTX_cleanup(&ctx);
|
|
|
|
if (err)
|
|
return 0;
|
|
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
|
|
index bddffd9..1a56a97 100644
|
|
--- a/ssl/t1_lib.c
|
|
+++ b/ssl/t1_lib.c
|
|
@@ -641,6 +641,19 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
|
}
|
|
#endif
|
|
|
|
+ if (s->tlsext_channel_id_enabled)
|
|
+ {
|
|
+ /* The client advertises an emtpy extension to indicate its
|
|
+ * support for Channel ID. */
|
|
+ if (limit - ret - 4 < 0)
|
|
+ return NULL;
|
|
+ if (s->ctx->tlsext_channel_id_enabled_new)
|
|
+ s2n(TLSEXT_TYPE_channel_id_new,ret);
|
|
+ else
|
|
+ s2n(TLSEXT_TYPE_channel_id,ret);
|
|
+ s2n(0,ret);
|
|
+ }
|
|
+
|
|
#ifndef OPENSSL_NO_SRTP
|
|
if(SSL_get_srtp_profiles(s))
|
|
{
|
|
@@ -881,6 +894,19 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
|
}
|
|
#endif
|
|
|
|
+ /* If the client advertised support for Channel ID, and we have it
|
|
+ * enabled, then we want to echo it back. */
|
|
+ if (s->s3->tlsext_channel_id_valid)
|
|
+ {
|
|
+ if (limit - ret - 4 < 0)
|
|
+ return NULL;
|
|
+ if (s->s3->tlsext_channel_id_new)
|
|
+ s2n(TLSEXT_TYPE_channel_id_new,ret);
|
|
+ else
|
|
+ s2n(TLSEXT_TYPE_channel_id,ret);
|
|
+ s2n(0,ret);
|
|
+ }
|
|
+
|
|
if ((extdatalen = ret-p-2)== 0)
|
|
return p;
|
|
|
|
@@ -1442,6 +1468,16 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
|
}
|
|
#endif
|
|
|
|
+ else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled)
|
|
+ s->s3->tlsext_channel_id_valid = 1;
|
|
+
|
|
+ else if (type == TLSEXT_TYPE_channel_id_new &&
|
|
+ s->tlsext_channel_id_enabled)
|
|
+ {
|
|
+ s->s3->tlsext_channel_id_valid = 1;
|
|
+ s->s3->tlsext_channel_id_new = 1;
|
|
+ }
|
|
+
|
|
/* session ticket processed earlier */
|
|
#ifndef OPENSSL_NO_SRTP
|
|
else if (type == TLSEXT_TYPE_use_srtp)
|
|
@@ -1672,6 +1708,15 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
|
s->s3->next_proto_neg_seen = 1;
|
|
}
|
|
#endif
|
|
+ else if (type == TLSEXT_TYPE_channel_id)
|
|
+ s->s3->tlsext_channel_id_valid = 1;
|
|
+
|
|
+ else if (type == TLSEXT_TYPE_channel_id_new)
|
|
+ {
|
|
+ s->s3->tlsext_channel_id_valid = 1;
|
|
+ s->s3->tlsext_channel_id_new = 1;
|
|
+ }
|
|
+
|
|
else if (type == TLSEXT_TYPE_renegotiate)
|
|
{
|
|
if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
|
|
@@ -2727,3 +2772,74 @@ tls1_heartbeat(SSL *s)
|
|
return ret;
|
|
}
|
|
#endif
|
|
+
|
|
+#if !defined(OPENSSL_NO_TLSEXT)
|
|
+/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
|
|
+ * SSL connection and writes it to |md|.
|
|
+ */
|
|
+int
|
|
+tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
|
|
+ {
|
|
+ EVP_MD_CTX ctx;
|
|
+ unsigned char temp_digest[EVP_MAX_MD_SIZE];
|
|
+ unsigned temp_digest_len;
|
|
+ int i;
|
|
+ static const char kClientIDMagic[] = "TLS Channel ID signature";
|
|
+
|
|
+ if (s->s3->handshake_buffer)
|
|
+ if (!ssl3_digest_cached_records(s))
|
|
+ return 0;
|
|
+
|
|
+ EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
|
|
+
|
|
+ if (s->hit && s->s3->tlsext_channel_id_new)
|
|
+ {
|
|
+ static const char kResumptionMagic[] = "Resumption";
|
|
+ EVP_DigestUpdate(md, kResumptionMagic,
|
|
+ sizeof(kResumptionMagic));
|
|
+ if (s->session->original_handshake_hash_len == 0)
|
|
+ return 0;
|
|
+ EVP_DigestUpdate(md, s->session->original_handshake_hash,
|
|
+ s->session->original_handshake_hash_len);
|
|
+ }
|
|
+
|
|
+ EVP_MD_CTX_init(&ctx);
|
|
+ for (i = 0; i < SSL_MAX_DIGEST; i++)
|
|
+ {
|
|
+ if (s->s3->handshake_dgst[i] == NULL)
|
|
+ continue;
|
|
+ EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
|
|
+ EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
|
|
+ EVP_DigestUpdate(md, temp_digest, temp_digest_len);
|
|
+ }
|
|
+ EVP_MD_CTX_cleanup(&ctx);
|
|
+
|
|
+ return 1;
|
|
+ }
|
|
+#endif
|
|
+
|
|
+/* tls1_record_handshake_hashes_for_channel_id records the current handshake
|
|
+ * hashes in |s->session| so that Channel ID resumptions can sign that data. */
|
|
+int tls1_record_handshake_hashes_for_channel_id(SSL *s)
|
|
+ {
|
|
+ int digest_len;
|
|
+ /* This function should never be called for a resumed session because
|
|
+ * the handshake hashes that we wish to record are for the original,
|
|
+ * full handshake. */
|
|
+ if (s->hit)
|
|
+ return -1;
|
|
+ /* It only makes sense to call this function if Channel IDs have been
|
|
+ * negotiated. */
|
|
+ if (!s->s3->tlsext_channel_id_new)
|
|
+ return -1;
|
|
+
|
|
+ digest_len = tls1_handshake_digest(
|
|
+ s, s->session->original_handshake_hash,
|
|
+ sizeof(s->session->original_handshake_hash));
|
|
+ if (digest_len < 0)
|
|
+ return -1;
|
|
+
|
|
+ s->session->original_handshake_hash_len = digest_len;
|
|
+
|
|
+ return 1;
|
|
+ }
|
|
diff --git a/ssl/tls1.h b/ssl/tls1.h
|
|
index c992091..12f2f21 100644
|
|
--- a/ssl/tls1.h
|
|
+++ b/ssl/tls1.h
|
|
@@ -254,6 +254,10 @@ extern "C" {
|
|
#define TLSEXT_TYPE_next_proto_neg 13172
|
|
#endif
|
|
|
|
+/* This is not an IANA defined extension number */
|
|
+#define TLSEXT_TYPE_channel_id 30031
|
|
+#define TLSEXT_TYPE_channel_id_new 30032
|
|
+
|
|
/* NameType value from RFC 3546 */
|
|
#define TLSEXT_NAMETYPE_host_name 0
|
|
/* status request value from RFC 3546 */
|
|
--
|
|
1.9.1.423.g4596e3a
|
|
|