Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1 | diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h |
| 2 | index 05699ab..d05fa22 100644 |
| 3 | --- a/crypto/bio/bio.h |
| 4 | +++ b/crypto/bio/bio.h |
| 5 | @@ -266,6 +266,9 @@ void BIO_clear_flags(BIO *b, int flags); |
| 6 | #define BIO_RR_CONNECT 0x02 |
| 7 | /* Returned from the accept BIO when an accept would have blocked */ |
| 8 | #define BIO_RR_ACCEPT 0x03 |
| 9 | +/* Returned from the SSL bio when the channel id retrieval code cannot find the |
| 10 | + * private key. */ |
| 11 | +#define BIO_RR_SSL_CHANNEL_ID_LOOKUP 0x04 |
| 12 | |
| 13 | /* These are passed by the BIO callback */ |
| 14 | #define BIO_CB_FREE 0x01 |
| 15 | diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h |
| 16 | index ea4bed9..5f18d4b 100644 |
| 17 | --- a/crypto/evp/evp.h |
| 18 | +++ b/crypto/evp/evp.h |
| 19 | @@ -921,6 +921,7 @@ struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 20 | #endif |
| 21 | |
| 22 | EVP_PKEY * EVP_PKEY_new(void); |
| 23 | +EVP_PKEY * EVP_PKEY_dup(EVP_PKEY *pkey); |
| 24 | void EVP_PKEY_free(EVP_PKEY *pkey); |
| 25 | |
| 26 | EVP_PKEY * d2i_PublicKey(int type,EVP_PKEY **a, const unsigned char **pp, |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 27 | diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c |
| 28 | index a0e14a3..65a4440 100644 |
| 29 | --- a/crypto/evp/p_lib.c |
| 30 | +++ b/crypto/evp/p_lib.c |
David 'Digit' Turner | 365d7e8 | 2013-03-05 19:52:51 +0100 | [diff] [blame] | 31 | @@ -200,6 +200,12 @@ EVP_PKEY *EVP_PKEY_new(void) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 32 | return(ret); |
| 33 | } |
| 34 | |
| 35 | +EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey) |
| 36 | + { |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 37 | + CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 38 | + return pkey; |
| 39 | + } |
| 40 | + |
| 41 | /* Setup a public key ASN1 method and ENGINE from a NID or a string. |
| 42 | * If pkey is NULL just return 1 or 0 if the algorithm exists. |
| 43 | */ |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 44 | diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c |
| 45 | index e9552ca..06a13de 100644 |
| 46 | --- a/ssl/bio_ssl.c |
| 47 | +++ b/ssl/bio_ssl.c |
| 48 | @@ -206,6 +206,10 @@ static int ssl_read(BIO *b, char *out, int outl) |
| 49 | BIO_set_retry_special(b); |
| 50 | retry_reason=BIO_RR_SSL_X509_LOOKUP; |
| 51 | break; |
| 52 | + case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: |
| 53 | + BIO_set_retry_special(b); |
| 54 | + retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP; |
| 55 | + break; |
| 56 | case SSL_ERROR_WANT_ACCEPT: |
| 57 | BIO_set_retry_special(b); |
| 58 | retry_reason=BIO_RR_ACCEPT; |
| 59 | @@ -280,6 +284,10 @@ static int ssl_write(BIO *b, const char *out, int outl) |
| 60 | BIO_set_retry_special(b); |
| 61 | retry_reason=BIO_RR_SSL_X509_LOOKUP; |
| 62 | break; |
| 63 | + case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: |
| 64 | + BIO_set_retry_special(b); |
| 65 | + retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP; |
| 66 | + break; |
| 67 | case SSL_ERROR_WANT_CONNECT: |
| 68 | BIO_set_retry_special(b); |
| 69 | retry_reason=BIO_RR_CONNECT; |
| 70 | diff --git a/ssl/s3_both.c b/ssl/s3_both.c |
| 71 | index 53b9390..c0dac70 100644 |
| 72 | --- a/ssl/s3_both.c |
| 73 | +++ b/ssl/s3_both.c |
| 74 | @@ -554,7 +554,8 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 75 | #endif |
David 'Digit' Turner | 365d7e8 | 2013-03-05 19:52:51 +0100 | [diff] [blame] | 76 | |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 77 | /* Feed this message into MAC computation. */ |
| 78 | - ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 79 | + if (*((unsigned char*) s->init_buf->data) != SSL3_MT_ENCRYPTED_EXTENSIONS) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 80 | + ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); |
| 81 | if (s->msg_callback) |
| 82 | s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg); |
| 83 | *ok=1; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 84 | diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c |
| 85 | index 3d3fd64..7e0c4d5 100644 |
| 86 | --- a/ssl/s3_clnt.c |
| 87 | +++ b/ssl/s3_clnt.c |
| 88 | @@ -465,13 +465,14 @@ int ssl3_connect(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 89 | SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); |
| 90 | if (ret <= 0) goto end; |
| 91 | |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 92 | -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) |
| 93 | s->state=SSL3_ST_CW_FINISHED_A; |
| 94 | -#else |
| 95 | +#if !defined(OPENSSL_NO_TLSEXT) |
| 96 | + if (s->s3->tlsext_channel_id_valid) |
| 97 | + s->state=SSL3_ST_CW_CHANNEL_ID_A; |
| 98 | +# if !defined(OPENSSL_NO_NEXTPROTONEG) |
| 99 | if (s->s3->next_proto_neg_seen) |
| 100 | s->state=SSL3_ST_CW_NEXT_PROTO_A; |
| 101 | - else |
| 102 | - s->state=SSL3_ST_CW_FINISHED_A; |
| 103 | +# endif |
| 104 | #endif |
| 105 | s->init_num=0; |
| 106 | |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 107 | @@ -505,6 +506,18 @@ int ssl3_connect(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 108 | case SSL3_ST_CW_NEXT_PROTO_B: |
| 109 | ret=ssl3_send_next_proto(s); |
| 110 | if (ret <= 0) goto end; |
| 111 | + if (s->s3->tlsext_channel_id_valid) |
| 112 | + s->state=SSL3_ST_CW_CHANNEL_ID_A; |
| 113 | + else |
| 114 | + s->state=SSL3_ST_CW_FINISHED_A; |
| 115 | + break; |
| 116 | +#endif |
| 117 | + |
| 118 | +#if !defined(OPENSSL_NO_TLSEXT) |
| 119 | + case SSL3_ST_CW_CHANNEL_ID_A: |
| 120 | + case SSL3_ST_CW_CHANNEL_ID_B: |
| 121 | + ret=ssl3_send_channel_id(s); |
| 122 | + if (ret <= 0) goto end; |
| 123 | s->state=SSL3_ST_CW_FINISHED_A; |
| 124 | break; |
| 125 | #endif |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 126 | @@ -532,6 +545,18 @@ int ssl3_connect(SSL *s) |
| 127 | } |
| 128 | else |
| 129 | { |
| 130 | + /* This is a non-resumption handshake. If it |
| 131 | + * involves ChannelID, then record the |
| 132 | + * handshake hashes at this point in the |
| 133 | + * session so that any resumption of this |
| 134 | + * session with ChannelID can sign those |
| 135 | + * hashes. */ |
| 136 | + if (s->s3->tlsext_channel_id_new) |
| 137 | + { |
| 138 | + ret = tls1_record_handshake_hashes_for_channel_id(s); |
| 139 | + if (ret <= 0) |
| 140 | + goto end; |
| 141 | + } |
| 142 | if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) |
| 143 | && ssl3_can_cutthrough(s) |
| 144 | && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */ |
| 145 | @@ -3338,7 +3363,8 @@ err: |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 146 | return(0); |
| 147 | } |
| 148 | |
| 149 | -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) |
| 150 | +#if !defined(OPENSSL_NO_TLSEXT) |
| 151 | +# if !defined(OPENSSL_NO_NEXTPROTONEG) |
| 152 | int ssl3_send_next_proto(SSL *s) |
| 153 | { |
| 154 | unsigned int len, padding_len; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 155 | @@ -3362,7 +3388,135 @@ int ssl3_send_next_proto(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 156 | |
| 157 | return ssl3_do_write(s, SSL3_RT_HANDSHAKE); |
| 158 | } |
| 159 | -#endif /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */ |
| 160 | +# endif /* !OPENSSL_NO_NEXTPROTONEG */ |
| 161 | + |
| 162 | +int ssl3_send_channel_id(SSL *s) |
| 163 | + { |
| 164 | + unsigned char *d; |
| 165 | + int ret = -1, public_key_len; |
| 166 | + EVP_MD_CTX md_ctx; |
| 167 | + size_t sig_len; |
| 168 | + ECDSA_SIG *sig = NULL; |
| 169 | + unsigned char *public_key = NULL, *derp, *der_sig = NULL; |
| 170 | + |
| 171 | + if (s->state != SSL3_ST_CW_CHANNEL_ID_A) |
| 172 | + return ssl3_do_write(s, SSL3_RT_HANDSHAKE); |
| 173 | + |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 174 | + if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb) |
| 175 | + { |
| 176 | + EVP_PKEY *key = NULL; |
| 177 | + s->ctx->channel_id_cb(s, &key); |
| 178 | + if (key != NULL) |
| 179 | + { |
| 180 | + s->tlsext_channel_id_private = key; |
| 181 | + } |
| 182 | + } |
| 183 | + if (!s->tlsext_channel_id_private) |
| 184 | + { |
| 185 | + s->rwstate=SSL_CHANNEL_ID_LOOKUP; |
| 186 | + return (-1); |
| 187 | + } |
| 188 | + s->rwstate=SSL_NOTHING; |
| 189 | + |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 190 | + d = (unsigned char *)s->init_buf->data; |
| 191 | + *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS; |
| 192 | + l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d); |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 193 | + if (s->s3->tlsext_channel_id_new) |
| 194 | + s2n(TLSEXT_TYPE_channel_id_new, d); |
| 195 | + else |
| 196 | + s2n(TLSEXT_TYPE_channel_id, d); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 197 | + s2n(TLSEXT_CHANNEL_ID_SIZE, d); |
| 198 | + |
| 199 | + EVP_MD_CTX_init(&md_ctx); |
| 200 | + |
| 201 | + public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL); |
| 202 | + if (public_key_len <= 0) |
| 203 | + { |
| 204 | + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY); |
| 205 | + goto err; |
| 206 | + } |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 207 | + /* i2d_PublicKey will produce an ANSI X9.62 public key which, for a |
| 208 | + * P-256 key, is 0x04 (meaning uncompressed) followed by the x and y |
| 209 | + * field elements as 32-byte, big-endian numbers. */ |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 210 | + if (public_key_len != 65) |
| 211 | + { |
| 212 | + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CHANNEL_ID_NOT_P256); |
| 213 | + goto err; |
| 214 | + } |
| 215 | + public_key = OPENSSL_malloc(public_key_len); |
| 216 | + if (!public_key) |
| 217 | + { |
| 218 | + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE); |
| 219 | + goto err; |
| 220 | + } |
| 221 | + |
| 222 | + derp = public_key; |
| 223 | + i2d_PublicKey(s->tlsext_channel_id_private, &derp); |
| 224 | + |
| 225 | + if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, |
| 226 | + s->tlsext_channel_id_private) != 1) |
| 227 | + { |
| 228 | + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNINIT_FAILED); |
| 229 | + goto err; |
| 230 | + } |
| 231 | + |
| 232 | + if (!tls1_channel_id_hash(&md_ctx, s)) |
| 233 | + goto err; |
| 234 | + |
| 235 | + if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len)) |
| 236 | + { |
| 237 | + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED); |
| 238 | + goto err; |
| 239 | + } |
| 240 | + |
| 241 | + der_sig = OPENSSL_malloc(sig_len); |
| 242 | + if (!der_sig) |
| 243 | + { |
| 244 | + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE); |
| 245 | + goto err; |
| 246 | + } |
| 247 | + |
| 248 | + if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len)) |
| 249 | + { |
| 250 | + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED); |
| 251 | + goto err; |
| 252 | + } |
| 253 | + |
| 254 | + derp = der_sig; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 255 | + sig = d2i_ECDSA_SIG(NULL, (const unsigned char**) &derp, sig_len); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 256 | + if (sig == NULL) |
| 257 | + { |
| 258 | + SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_D2I_ECDSA_SIG); |
| 259 | + goto err; |
| 260 | + } |
| 261 | + |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 262 | + /* The first byte of public_key will be 0x4, denoting an uncompressed key. */ |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 263 | + memcpy(d, public_key + 1, 64); |
| 264 | + d += 64; |
| 265 | + memset(d, 0, 2 * 32); |
| 266 | + BN_bn2bin(sig->r, d + 32 - BN_num_bytes(sig->r)); |
| 267 | + d += 32; |
| 268 | + BN_bn2bin(sig->s, d + 32 - BN_num_bytes(sig->s)); |
| 269 | + d += 32; |
| 270 | + |
| 271 | + s->state = SSL3_ST_CW_CHANNEL_ID_B; |
| 272 | + s->init_num = 4 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE; |
| 273 | + s->init_off = 0; |
| 274 | + |
| 275 | + ret = ssl3_do_write(s, SSL3_RT_HANDSHAKE); |
| 276 | + |
| 277 | +err: |
| 278 | + EVP_MD_CTX_cleanup(&md_ctx); |
| 279 | + if (public_key) |
| 280 | + OPENSSL_free(public_key); |
| 281 | + if (der_sig) |
| 282 | + OPENSSL_free(der_sig); |
| 283 | + if (sig) |
| 284 | + ECDSA_SIG_free(sig); |
| 285 | + |
| 286 | + return ret; |
| 287 | + } |
| 288 | +#endif /* !OPENSSL_NO_TLSEXT */ |
| 289 | |
| 290 | /* Check to see if handshake is full or resumed. Usually this is just a |
| 291 | * case of checking to see if a cache hit has occurred. In the case of |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 292 | diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c |
| 293 | index 1865c70..f801923 100644 |
| 294 | --- a/ssl/s3_lib.c |
| 295 | +++ b/ssl/s3_lib.c |
David 'Digit' Turner | 365d7e8 | 2013-03-05 19:52:51 +0100 | [diff] [blame] | 296 | @@ -2951,6 +2951,11 @@ int ssl3_new(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 297 | #ifndef OPENSSL_NO_SRP |
| 298 | SSL_SRP_CTX_init(s); |
| 299 | #endif |
| 300 | +#if !defined(OPENSSL_NO_TLSEXT) |
| 301 | + s->tlsext_channel_id_enabled = s->ctx->tlsext_channel_id_enabled; |
| 302 | + if (s->ctx->tlsext_channel_id_private) |
| 303 | + s->tlsext_channel_id_private = EVP_PKEY_dup(s->ctx->tlsext_channel_id_private); |
| 304 | +#endif |
| 305 | s->method->ssl_clear(s); |
| 306 | return(1); |
| 307 | err: |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 308 | @@ -3079,6 +3084,10 @@ void ssl3_clear(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 309 | s->next_proto_negotiated_len = 0; |
| 310 | } |
| 311 | #endif |
| 312 | + |
| 313 | +#if !defined(OPENSSL_NO_TLSEXT) |
| 314 | + s->s3->tlsext_channel_id_valid = 0; |
| 315 | +#endif |
| 316 | } |
| 317 | |
| 318 | #ifndef OPENSSL_NO_SRP |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 319 | @@ -3353,6 +3362,33 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 320 | ret = 1; |
| 321 | break; |
| 322 | #endif |
| 323 | + case SSL_CTRL_CHANNEL_ID: |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 324 | + s->tlsext_channel_id_enabled = 1; |
| 325 | + ret = 1; |
| 326 | + break; |
| 327 | + |
| 328 | + case SSL_CTRL_SET_CHANNEL_ID: |
| 329 | + if (s->server) |
| 330 | + break; |
| 331 | + s->tlsext_channel_id_enabled = 1; |
| 332 | + if (EVP_PKEY_bits(parg) != 256) |
| 333 | + { |
| 334 | + SSLerr(SSL_F_SSL3_CTRL,SSL_R_CHANNEL_ID_NOT_P256); |
| 335 | + break; |
| 336 | + } |
| 337 | + if (s->tlsext_channel_id_private) |
| 338 | + EVP_PKEY_free(s->tlsext_channel_id_private); |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 339 | + s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 340 | + ret = 1; |
| 341 | + break; |
| 342 | + |
| 343 | + case SSL_CTRL_GET_CHANNEL_ID: |
| 344 | + if (!s->server) |
| 345 | + break; |
| 346 | + if (!s->s3->tlsext_channel_id_valid) |
| 347 | + break; |
| 348 | + memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64); |
| 349 | + return 64; |
| 350 | |
| 351 | #endif /* !OPENSSL_NO_TLSEXT */ |
| 352 | default: |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 353 | @@ -3574,6 +3610,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 354 | } |
| 355 | return 1; |
| 356 | } |
| 357 | + case SSL_CTRL_CHANNEL_ID: |
| 358 | + /* must be called on a server */ |
| 359 | + if (ctx->method->ssl_accept == ssl_undefined_function) |
| 360 | + return 0; |
| 361 | + ctx->tlsext_channel_id_enabled=1; |
| 362 | + return 1; |
| 363 | |
| 364 | #ifdef TLSEXT_TYPE_opaque_prf_input |
| 365 | case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG: |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 366 | @@ -3642,6 +3684,18 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 367 | } |
| 368 | break; |
| 369 | |
| 370 | + case SSL_CTRL_SET_CHANNEL_ID: |
| 371 | + ctx->tlsext_channel_id_enabled = 1; |
| 372 | + if (EVP_PKEY_bits(parg) != 256) |
| 373 | + { |
| 374 | + SSLerr(SSL_F_SSL3_CTX_CTRL,SSL_R_CHANNEL_ID_NOT_P256); |
| 375 | + break; |
| 376 | + } |
| 377 | + if (ctx->tlsext_channel_id_private) |
| 378 | + EVP_PKEY_free(ctx->tlsext_channel_id_private); |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 379 | + ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 380 | + break; |
| 381 | + |
| 382 | default: |
| 383 | return(0); |
| 384 | } |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 385 | diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c |
| 386 | index 323b260..6824ef6 100644 |
| 387 | --- a/ssl/s3_srvr.c |
| 388 | +++ b/ssl/s3_srvr.c |
David 'Digit' Turner | 365d7e8 | 2013-03-05 19:52:51 +0100 | [diff] [blame] | 389 | @@ -157,8 +157,11 @@ |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 390 | #include <openssl/buffer.h> |
| 391 | #include <openssl/rand.h> |
| 392 | #include <openssl/objects.h> |
| 393 | +#include <openssl/ec.h> |
| 394 | +#include <openssl/ecdsa.h> |
| 395 | #include <openssl/evp.h> |
| 396 | #include <openssl/hmac.h> |
| 397 | +#include <openssl/sha.h> |
| 398 | #include <openssl/x509.h> |
| 399 | #ifndef OPENSSL_NO_DH |
| 400 | #include <openssl/dh.h> |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 401 | @@ -615,15 +618,8 @@ int ssl3_accept(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 402 | * the client uses its key from the certificate |
| 403 | * for key exchange. |
| 404 | */ |
| 405 | -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) |
| 406 | - s->state=SSL3_ST_SR_FINISHED_A; |
| 407 | -#else |
| 408 | - if (s->s3->next_proto_neg_seen) |
| 409 | - s->state=SSL3_ST_SR_NEXT_PROTO_A; |
| 410 | - else |
| 411 | - s->state=SSL3_ST_SR_FINISHED_A; |
| 412 | -#endif |
| 413 | s->init_num = 0; |
| 414 | + s->state=SSL3_ST_SR_POST_CLIENT_CERT; |
| 415 | } |
| 416 | else if (TLS1_get_version(s) >= TLS1_2_VERSION) |
| 417 | { |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 418 | @@ -683,16 +679,28 @@ int ssl3_accept(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 419 | ret=ssl3_get_cert_verify(s); |
| 420 | if (ret <= 0) goto end; |
| 421 | |
| 422 | -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) |
| 423 | - s->state=SSL3_ST_SR_FINISHED_A; |
| 424 | -#else |
| 425 | - if (s->s3->next_proto_neg_seen) |
| 426 | + s->state=SSL3_ST_SR_POST_CLIENT_CERT; |
| 427 | + s->init_num=0; |
| 428 | + break; |
| 429 | + |
| 430 | + case SSL3_ST_SR_POST_CLIENT_CERT: { |
| 431 | + char next_proto_neg = 0; |
| 432 | + char channel_id = 0; |
| 433 | +#if !defined(OPENSSL_NO_TLSEXT) |
| 434 | +# if !defined(OPENSSL_NO_NEXTPROTONEG) |
| 435 | + next_proto_neg = s->s3->next_proto_neg_seen; |
| 436 | +# endif |
| 437 | + channel_id = s->s3->tlsext_channel_id_valid; |
| 438 | +#endif |
| 439 | + |
| 440 | + if (next_proto_neg) |
| 441 | s->state=SSL3_ST_SR_NEXT_PROTO_A; |
| 442 | + else if (channel_id) |
| 443 | + s->state=SSL3_ST_SR_CHANNEL_ID_A; |
| 444 | else |
| 445 | s->state=SSL3_ST_SR_FINISHED_A; |
| 446 | -#endif |
| 447 | - s->init_num=0; |
| 448 | break; |
| 449 | + } |
| 450 | |
| 451 | #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) |
| 452 | case SSL3_ST_SR_NEXT_PROTO_A: |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 453 | @@ -700,6 +708,19 @@ int ssl3_accept(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 454 | ret=ssl3_get_next_proto(s); |
| 455 | if (ret <= 0) goto end; |
| 456 | s->init_num = 0; |
| 457 | + if (s->s3->tlsext_channel_id_valid) |
| 458 | + s->state=SSL3_ST_SR_CHANNEL_ID_A; |
| 459 | + else |
| 460 | + s->state=SSL3_ST_SR_FINISHED_A; |
| 461 | + break; |
| 462 | +#endif |
| 463 | + |
| 464 | +#if !defined(OPENSSL_NO_TLSEXT) |
| 465 | + case SSL3_ST_SR_CHANNEL_ID_A: |
| 466 | + case SSL3_ST_SR_CHANNEL_ID_B: |
| 467 | + ret=ssl3_get_channel_id(s); |
| 468 | + if (ret <= 0) goto end; |
| 469 | + s->init_num = 0; |
| 470 | s->state=SSL3_ST_SR_FINISHED_A; |
| 471 | break; |
| 472 | #endif |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 473 | @@ -717,6 +738,15 @@ int ssl3_accept(SSL *s) |
| 474 | #endif |
| 475 | else |
| 476 | s->state=SSL3_ST_SW_CHANGE_A; |
| 477 | + /* If this is a full handshake with ChannelID then |
| 478 | + * record the hashshake hashes in |s->session| in case |
| 479 | + * we need them to verify a ChannelID signature on a |
| 480 | + * resumption of this session in the future. */ |
| 481 | + if (!s->hit && s->s3->tlsext_channel_id_new) |
| 482 | + { |
| 483 | + ret = tls1_record_handshake_hashes_for_channel_id(s); |
| 484 | + if (ret <= 0) goto end; |
| 485 | + } |
| 486 | s->init_num=0; |
| 487 | break; |
| 488 | |
| 489 | @@ -771,19 +801,7 @@ int ssl3_accept(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 490 | if (ret <= 0) goto end; |
| 491 | s->state=SSL3_ST_SW_FLUSH; |
| 492 | if (s->hit) |
| 493 | - { |
| 494 | -#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) |
| 495 | - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; |
| 496 | -#else |
| 497 | - if (s->s3->next_proto_neg_seen) |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 498 | - { |
| 499 | - s->s3->flags |= SSL3_FLAGS_CCS_OK; |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 500 | - s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 501 | - } |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 502 | - else |
| 503 | - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; |
| 504 | -#endif |
| 505 | - } |
| 506 | + s->s3->tmp.next_state=SSL3_ST_SR_POST_CLIENT_CERT; |
| 507 | else |
| 508 | s->s3->tmp.next_state=SSL_ST_OK; |
| 509 | s->init_num=0; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 510 | @@ -1466,6 +1487,22 @@ int ssl3_send_server_hello(SSL *s) |
| 511 | |
| 512 | if (s->state == SSL3_ST_SW_SRVR_HELLO_A) |
| 513 | { |
| 514 | + /* We only accept ChannelIDs on connections with ECDHE in order |
| 515 | + * to avoid a known attack while we fix ChannelID itself. */ |
| 516 | + if (s->s3 && |
| 517 | + s->s3->tlsext_channel_id_valid && |
| 518 | + (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kEECDH) == 0) |
| 519 | + s->s3->tlsext_channel_id_valid = 0; |
| 520 | + |
| 521 | + /* If this is a resumption and the original handshake didn't |
| 522 | + * support ChannelID then we didn't record the original |
| 523 | + * handshake hashes in the session and so cannot resume with |
| 524 | + * ChannelIDs. */ |
| 525 | + if (s->hit && |
| 526 | + s->s3->tlsext_channel_id_new && |
| 527 | + s->session->original_handshake_hash_len == 0) |
| 528 | + s->s3->tlsext_channel_id_valid = 0; |
| 529 | + |
| 530 | buf=(unsigned char *)s->init_buf->data; |
| 531 | #ifdef OPENSSL_NO_TLSEXT |
| 532 | p=s->s3->server_random; |
| 533 | @@ -3632,4 +3669,145 @@ int ssl3_get_next_proto(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 534 | return 1; |
| 535 | } |
| 536 | # endif |
| 537 | + |
| 538 | +/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */ |
| 539 | +int ssl3_get_channel_id(SSL *s) |
| 540 | + { |
| 541 | + int ret = -1, ok; |
| 542 | + long n; |
| 543 | + const unsigned char *p; |
| 544 | + unsigned short extension_type, extension_len; |
| 545 | + EC_GROUP* p256 = NULL; |
| 546 | + EC_KEY* key = NULL; |
| 547 | + EC_POINT* point = NULL; |
| 548 | + ECDSA_SIG sig; |
| 549 | + BIGNUM x, y; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 550 | + unsigned short expected_extension_type; |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 551 | + |
| 552 | + if (s->state == SSL3_ST_SR_CHANNEL_ID_A && s->init_num == 0) |
| 553 | + { |
| 554 | + /* The first time that we're called we take the current |
| 555 | + * handshake hash and store it. */ |
| 556 | + EVP_MD_CTX md_ctx; |
| 557 | + unsigned int len; |
| 558 | + |
| 559 | + EVP_MD_CTX_init(&md_ctx); |
| 560 | + EVP_DigestInit_ex(&md_ctx, EVP_sha256(), NULL); |
| 561 | + if (!tls1_channel_id_hash(&md_ctx, s)) |
| 562 | + return -1; |
| 563 | + len = sizeof(s->s3->tlsext_channel_id); |
| 564 | + EVP_DigestFinal(&md_ctx, s->s3->tlsext_channel_id, &len); |
| 565 | + EVP_MD_CTX_cleanup(&md_ctx); |
| 566 | + } |
| 567 | + |
| 568 | + n = s->method->ssl_get_message(s, |
| 569 | + SSL3_ST_SR_CHANNEL_ID_A, |
| 570 | + SSL3_ST_SR_CHANNEL_ID_B, |
| 571 | + SSL3_MT_ENCRYPTED_EXTENSIONS, |
| 572 | + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE, |
| 573 | + &ok); |
| 574 | + |
| 575 | + if (!ok) |
| 576 | + return((int)n); |
| 577 | + |
| 578 | + ssl3_finish_mac(s, (unsigned char*)s->init_buf->data, s->init_num + 4); |
| 579 | + |
| 580 | + /* s->state doesn't reflect whether ChangeCipherSpec has been received |
| 581 | + * in this handshake, but s->s3->change_cipher_spec does (will be reset |
| 582 | + * by ssl3_get_finished). */ |
| 583 | + if (!s->s3->change_cipher_spec) |
| 584 | + { |
| 585 | + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS); |
| 586 | + return -1; |
| 587 | + } |
| 588 | + |
| 589 | + if (n != 2 + 2 + TLSEXT_CHANNEL_ID_SIZE) |
| 590 | + { |
| 591 | + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE); |
| 592 | + return -1; |
| 593 | + } |
| 594 | + |
| 595 | + p = (unsigned char *)s->init_msg; |
| 596 | + |
| 597 | + /* The payload looks like: |
| 598 | + * uint16 extension_type |
| 599 | + * uint16 extension_len; |
| 600 | + * uint8 x[32]; |
| 601 | + * uint8 y[32]; |
| 602 | + * uint8 r[32]; |
| 603 | + * uint8 s[32]; |
| 604 | + */ |
| 605 | + n2s(p, extension_type); |
| 606 | + n2s(p, extension_len); |
| 607 | + |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 608 | + expected_extension_type = TLSEXT_TYPE_channel_id; |
| 609 | + if (s->s3->tlsext_channel_id_new) |
| 610 | + expected_extension_type = TLSEXT_TYPE_channel_id_new; |
| 611 | + |
| 612 | + if (extension_type != expected_extension_type || |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 613 | + extension_len != TLSEXT_CHANNEL_ID_SIZE) |
| 614 | + { |
| 615 | + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE); |
| 616 | + return -1; |
| 617 | + } |
| 618 | + |
| 619 | + p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); |
| 620 | + if (!p256) |
| 621 | + { |
| 622 | + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_NO_P256_SUPPORT); |
| 623 | + return -1; |
| 624 | + } |
| 625 | + |
| 626 | + BN_init(&x); |
| 627 | + BN_init(&y); |
| 628 | + sig.r = BN_new(); |
| 629 | + sig.s = BN_new(); |
| 630 | + |
| 631 | + if (BN_bin2bn(p + 0, 32, &x) == NULL || |
| 632 | + BN_bin2bn(p + 32, 32, &y) == NULL || |
| 633 | + BN_bin2bn(p + 64, 32, sig.r) == NULL || |
| 634 | + BN_bin2bn(p + 96, 32, sig.s) == NULL) |
| 635 | + goto err; |
| 636 | + |
| 637 | + point = EC_POINT_new(p256); |
| 638 | + if (!point || |
| 639 | + !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL)) |
| 640 | + goto err; |
| 641 | + |
| 642 | + key = EC_KEY_new(); |
| 643 | + if (!key || |
| 644 | + !EC_KEY_set_group(key, p256) || |
| 645 | + !EC_KEY_set_public_key(key, point)) |
| 646 | + goto err; |
| 647 | + |
| 648 | + /* We stored the handshake hash in |tlsext_channel_id| the first time |
| 649 | + * that we were called. */ |
| 650 | + switch (ECDSA_do_verify(s->s3->tlsext_channel_id, SHA256_DIGEST_LENGTH, &sig, key)) { |
| 651 | + case 1: |
| 652 | + break; |
| 653 | + case 0: |
| 654 | + SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_CHANNEL_ID_SIGNATURE_INVALID); |
| 655 | + s->s3->tlsext_channel_id_valid = 0; |
| 656 | + goto err; |
| 657 | + default: |
| 658 | + s->s3->tlsext_channel_id_valid = 0; |
| 659 | + goto err; |
| 660 | + } |
| 661 | + |
| 662 | + memcpy(s->s3->tlsext_channel_id, p, 64); |
| 663 | + ret = 1; |
| 664 | + |
| 665 | +err: |
| 666 | + BN_free(&x); |
| 667 | + BN_free(&y); |
| 668 | + BN_free(sig.r); |
| 669 | + BN_free(sig.s); |
| 670 | + if (key) |
| 671 | + EC_KEY_free(key); |
| 672 | + if (point) |
| 673 | + EC_POINT_free(point); |
| 674 | + if (p256) |
| 675 | + EC_GROUP_free(p256); |
| 676 | + return ret; |
| 677 | + } |
| 678 | #endif |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 679 | diff --git a/ssl/ssl.h b/ssl/ssl.h |
| 680 | index 944aea6..e50b8f0 100644 |
| 681 | --- a/ssl/ssl.h |
| 682 | +++ b/ssl/ssl.h |
| 683 | @@ -547,6 +547,13 @@ struct ssl_session_st |
| 684 | #ifndef OPENSSL_NO_SRP |
| 685 | char *srp_username; |
| 686 | #endif |
| 687 | + |
| 688 | + /* original_handshake_hash contains the handshake hash (either |
| 689 | + * SHA-1+MD5 or SHA-2, depending on TLS version) for the original, full |
| 690 | + * handshake that created a session. This is used by Channel IDs during |
| 691 | + * resumption. */ |
| 692 | + unsigned char original_handshake_hash[EVP_MAX_MD_SIZE]; |
| 693 | + unsigned int original_handshake_hash_len; |
| 694 | }; |
| 695 | |
| 696 | #endif |
| 697 | @@ -862,6 +869,9 @@ struct ssl_ctx_st |
| 698 | /* get client cert callback */ |
| 699 | int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); |
| 700 | |
| 701 | + /* get channel id callback */ |
| 702 | + void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey); |
| 703 | + |
| 704 | /* cookie generate callback */ |
| 705 | int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, |
| 706 | unsigned int *cookie_len); |
| 707 | @@ -999,6 +1009,16 @@ struct ssl_ctx_st |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 708 | # endif |
| 709 | /* SRTP profiles we are willing to do from RFC 5764 */ |
| 710 | STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles; |
| 711 | + |
| 712 | + /* If true, a client will advertise the Channel ID extension and a |
| 713 | + * server will echo it. */ |
| 714 | + char tlsext_channel_id_enabled; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 715 | + /* tlsext_channel_id_enabled_new is a hack to support both old and new |
| 716 | + * ChannelID signatures. It indicates that a client should advertise the |
| 717 | + * new ChannelID extension number. */ |
| 718 | + char tlsext_channel_id_enabled_new; |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 719 | + /* The client's Channel ID private key. */ |
| 720 | + EVP_PKEY *tlsext_channel_id_private; |
| 721 | #endif |
| 722 | }; |
| 723 | |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 724 | @@ -1040,6 +1060,10 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 725 | SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL) |
| 726 | #define SSL_CTX_sess_cache_full(ctx) \ |
| 727 | SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) |
| 728 | +/* SSL_CTX_enable_tls_channel_id configures a TLS server to accept TLS client |
| 729 | + * IDs from clients. Returns 1 on success. */ |
| 730 | +#define SSL_CTX_enable_tls_channel_id(ctx) \ |
| 731 | + SSL_CTX_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL) |
| 732 | |
| 733 | void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess)); |
| 734 | int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 735 | @@ -1056,6 +1080,8 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type, |
| 736 | void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val); |
| 737 | void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); |
| 738 | int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey); |
| 739 | +void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey)); |
| 740 | +void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey); |
| 741 | #ifndef OPENSSL_NO_ENGINE |
| 742 | int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e); |
| 743 | #endif |
| 744 | @@ -1117,5 +1143,6 @@ const char *SSL_get_psk_identity(const SSL *s); |
| 745 | #define SSL_WRITING 2 |
| 746 | #define SSL_READING 3 |
| 747 | #define SSL_X509_LOOKUP 4 |
| 748 | +#define SSL_CHANNEL_ID_LOOKUP 5 |
| 749 | |
| 750 | /* These will only be used when doing non-blocking IO */ |
| 751 | @@ -1124,5 +1151,6 @@ const char *SSL_get_psk_identity(const SSL *s); |
| 752 | #define SSL_want_read(s) (SSL_want(s) == SSL_READING) |
| 753 | #define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) |
| 754 | #define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) |
| 755 | +#define SSL_want_channel_id_lookup(s) (SSL_want(s) == SSL_CHANNEL_ID_LOOKUP) |
| 756 | |
| 757 | #define SSL_MAC_FLAG_READ_MAC_STREAM 1 |
| 758 | @@ -1373,6 +1401,13 @@ struct ssl_st |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 759 | */ |
| 760 | unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */ |
| 761 | unsigned int tlsext_hb_seq; /* HeartbeatRequest sequence number */ |
| 762 | + |
| 763 | + /* Copied from the SSL_CTX. For a server, means that we'll accept |
| 764 | + * Channel IDs from clients. For a client, means that we'll advertise |
| 765 | + * support. */ |
| 766 | + char tlsext_channel_id_enabled; |
| 767 | + /* The client's Channel ID private key. */ |
| 768 | + EVP_PKEY *tlsext_channel_id_private; |
| 769 | #else |
| 770 | #define session_ctx ctx |
| 771 | #endif /* OPENSSL_NO_TLSEXT */ |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 772 | @@ -1543,5 +1578,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) |
| 773 | #define SSL_ERROR_ZERO_RETURN 6 |
| 774 | #define SSL_ERROR_WANT_CONNECT 7 |
| 775 | #define SSL_ERROR_WANT_ACCEPT 8 |
| 776 | +#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9 |
| 777 | |
| 778 | #define SSL_CTRL_NEED_TMP_RSA 1 |
| 779 | @@ -1631,6 +1667,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 780 | #define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86 |
| 781 | #define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87 |
| 782 | #endif |
| 783 | +#define SSL_CTRL_CHANNEL_ID 88 |
| 784 | +#define SSL_CTRL_GET_CHANNEL_ID 89 |
| 785 | +#define SSL_CTRL_SET_CHANNEL_ID 90 |
| 786 | #endif |
| 787 | |
| 788 | #define DTLS_CTRL_GET_TIMEOUT 73 |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 789 | @@ -1678,6 +1717,26 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 790 | #define SSL_set_tmp_ecdh(ssl,ecdh) \ |
| 791 | SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) |
| 792 | |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 793 | +/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS client |
| 794 | + * IDs from clients, or configure a client to send TLS client IDs to server. |
| 795 | + * Returns 1 on success. */ |
| 796 | +#define SSL_enable_tls_channel_id(s) \ |
| 797 | + SSL_ctrl(s,SSL_CTRL_CHANNEL_ID,0,NULL) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 798 | +/* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to |
| 799 | + * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on |
| 800 | + * success. */ |
| 801 | +#define SSL_set1_tls_channel_id(s, private_key) \ |
| 802 | + SSL_ctrl(s,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key) |
| 803 | +#define SSL_CTX_set1_tls_channel_id(ctx, private_key) \ |
| 804 | + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key) |
| 805 | +/* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server SSL* |
| 806 | + * and copies up to the first |channel_id_len| bytes into |channel_id|. The |
| 807 | + * Channel ID consists of the client's P-256 public key as an (x,y) pair where |
| 808 | + * each is a 32-byte, big-endian field element. Returns 0 if the client didn't |
| 809 | + * offer a Channel ID and the length of the complete Channel ID otherwise. */ |
| 810 | +#define SSL_get_tls_channel_id(ctx, channel_id, channel_id_len) \ |
| 811 | + SSL_ctrl(ctx,SSL_CTRL_GET_CHANNEL_ID,channel_id_len,(void*)channel_id) |
| 812 | + |
| 813 | #define SSL_CTX_add_extra_chain_cert(ctx,x509) \ |
| 814 | SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) |
| 815 | #define SSL_CTX_get_extra_chain_certs(ctx,px509) \ |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 816 | @@ -2176,6 +2235,7 @@ void ERR_load_SSL_strings(void); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 817 | #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135 |
| 818 | #define SSL_F_SSL3_GET_CERT_STATUS 289 |
| 819 | #define SSL_F_SSL3_GET_CERT_VERIFY 136 |
| 820 | +#define SSL_F_SSL3_GET_CHANNEL_ID 317 |
| 821 | #define SSL_F_SSL3_GET_CLIENT_CERTIFICATE 137 |
| 822 | #define SSL_F_SSL3_GET_CLIENT_HELLO 138 |
| 823 | #define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE 139 |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 824 | @@ -2195,6 +2255,7 @@ void ERR_load_SSL_strings(void); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 825 | #define SSL_F_SSL3_READ_BYTES 148 |
| 826 | #define SSL_F_SSL3_READ_N 149 |
| 827 | #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 |
| 828 | +#define SSL_F_SSL3_SEND_CHANNEL_ID 318 |
| 829 | #define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE 151 |
| 830 | #define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE 152 |
| 831 | #define SSL_F_SSL3_SEND_CLIENT_VERIFY 153 |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 832 | @@ -2361,12 +2422,15 @@ void ERR_load_SSL_strings(void); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 833 | #define SSL_R_BIO_NOT_SET 128 |
| 834 | #define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 129 |
| 835 | #define SSL_R_BN_LIB 130 |
| 836 | +#define SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY 376 |
| 837 | #define SSL_R_CA_DN_LENGTH_MISMATCH 131 |
| 838 | #define SSL_R_CA_DN_TOO_LONG 132 |
| 839 | #define SSL_R_CCS_RECEIVED_EARLY 133 |
| 840 | #define SSL_R_CERTIFICATE_VERIFY_FAILED 134 |
| 841 | #define SSL_R_CERT_LENGTH_MISMATCH 135 |
| 842 | #define SSL_R_CHALLENGE_IS_DIFFERENT 136 |
| 843 | +#define SSL_R_CHANNEL_ID_NOT_P256 375 |
| 844 | +#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 371 |
| 845 | #define SSL_R_CIPHER_CODE_WRONG_LENGTH 137 |
| 846 | #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 138 |
| 847 | #define SSL_R_CIPHER_TABLE_SRC_ERROR 139 |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 848 | @@ -2379,6 +2443,7 @@ void ERR_load_SSL_strings(void); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 849 | #define SSL_R_CONNECTION_ID_IS_DIFFERENT 143 |
| 850 | #define SSL_R_CONNECTION_TYPE_NOT_SET 144 |
| 851 | #define SSL_R_COOKIE_MISMATCH 308 |
| 852 | +#define SSL_R_D2I_ECDSA_SIG 379 |
| 853 | #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 |
| 854 | #define SSL_R_DATA_LENGTH_TOO_LONG 146 |
| 855 | #define SSL_R_DECRYPTION_FAILED 147 |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 856 | @@ -2396,9 +2461,12 @@ void ERR_load_SSL_strings(void); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 857 | #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 |
| 858 | #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282 |
| 859 | #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151 |
| 860 | +#define SSL_R_EVP_DIGESTSIGNFINAL_FAILED 377 |
| 861 | +#define SSL_R_EVP_DIGESTSIGNINIT_FAILED 378 |
| 862 | #define SSL_R_EXCESSIVE_MESSAGE_SIZE 152 |
| 863 | #define SSL_R_EXTRA_DATA_IN_MESSAGE 153 |
| 864 | #define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 |
| 865 | +#define SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS 372 |
| 866 | #define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 355 |
| 867 | #define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 356 |
| 868 | #define SSL_R_HTTPS_PROXY_REQUEST 155 |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 869 | @@ -2408,6 +2476,7 @@ void ERR_load_SSL_strings(void); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 870 | #define SSL_R_INVALID_CHALLENGE_LENGTH 158 |
| 871 | #define SSL_R_INVALID_COMMAND 280 |
| 872 | #define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 |
| 873 | +#define SSL_R_INVALID_MESSAGE 374 |
| 874 | #define SSL_R_INVALID_PURPOSE 278 |
| 875 | #define SSL_R_INVALID_SRP_USERNAME 357 |
| 876 | #define SSL_R_INVALID_STATUS_RESPONSE 328 |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 877 | @@ -2462,6 +2531,7 @@ void ERR_load_SSL_strings(void); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 878 | #define SSL_R_NO_COMPRESSION_SPECIFIED 187 |
| 879 | #define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 330 |
| 880 | #define SSL_R_NO_METHOD_SPECIFIED 188 |
Kenny Root | fc6ed15 | 2014-11-17 12:30:18 -0800 | [diff] [blame] | 881 | +#define SSL_R_NO_P256_SUPPORT 380 |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 882 | #define SSL_R_NO_PRIVATEKEY 189 |
| 883 | #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 |
| 884 | #define SSL_R_NO_PROTOCOLS_AVAILABLE 191 |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 885 | diff --git a/ssl/ssl3.h b/ssl/ssl3.h |
| 886 | index cf81de0..8502628 100644 |
| 887 | --- a/ssl/ssl3.h |
| 888 | +++ b/ssl/ssl3.h |
| 889 | @@ -548,6 +548,22 @@ typedef struct ssl3_state_st |
| 890 | char is_probably_safari; |
Kenny Root | ff41a4b | 2014-01-07 10:19:10 -0800 | [diff] [blame] | 891 | #endif /* !OPENSSL_NO_EC */ |
| 892 | #endif /* !OPENSSL_NO_TLSEXT */ |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 893 | + |
| 894 | + /* In a client, this means that the server supported Channel ID and that |
| 895 | + * a Channel ID was sent. In a server it means that we echoed support |
| 896 | + * for Channel IDs and that tlsext_channel_id will be valid after the |
| 897 | + * handshake. */ |
| 898 | + char tlsext_channel_id_valid; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 899 | + /* tlsext_channel_id_new means that the updated Channel ID extension |
| 900 | + * was negotiated. This is a temporary hack in the code to support both |
| 901 | + * forms of Channel ID extension while we transition to the new format, |
| 902 | + * which fixed a security issue. */ |
| 903 | + char tlsext_channel_id_new; |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 904 | + /* For a server: |
| 905 | + * If |tlsext_channel_id_valid| is true, then this contains the |
| 906 | + * verified Channel ID from the client: a P256 point, (x,y), where |
| 907 | + * each are big-endian values. */ |
| 908 | + unsigned char tlsext_channel_id[64]; |
| 909 | } SSL3_STATE; |
| 910 | |
| 911 | #endif |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 912 | @@ -592,6 +608,8 @@ typedef struct ssl3_state_st |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 913 | #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) |
| 914 | #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) |
Brian Carlstrom | 04ef91b | 2013-02-05 09:20:38 -0800 | [diff] [blame] | 915 | #endif |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 916 | +#define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT) |
| 917 | +#define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT) |
| 918 | #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) |
| 919 | #define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) |
| 920 | /* read from server */ |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 921 | @@ -646,6 +664,9 @@ typedef struct ssl3_state_st |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 922 | #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) |
| 923 | #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) |
Brian Carlstrom | 04ef91b | 2013-02-05 09:20:38 -0800 | [diff] [blame] | 924 | #endif |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 925 | +#define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 926 | +#define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT) |
| 927 | +#define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT) |
| 928 | #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) |
| 929 | #define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) |
| 930 | /* write to client */ |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 931 | @@ -673,6 +694,7 @@ typedef struct ssl3_state_st |
David 'Digit' Turner | 365d7e8 | 2013-03-05 19:52:51 +0100 | [diff] [blame] | 932 | #ifndef OPENSSL_NO_NEXTPROTONEG |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 933 | #define SSL3_MT_NEXT_PROTO 67 |
Brian Carlstrom | 04ef91b | 2013-02-05 09:20:38 -0800 | [diff] [blame] | 934 | #endif |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 935 | +#define SSL3_MT_ENCRYPTED_EXTENSIONS 203 |
| 936 | #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 |
| 937 | |
| 938 | |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 939 | diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c |
| 940 | index 8bda011..e579e7c 100644 |
| 941 | --- a/ssl/ssl_asn1.c |
| 942 | +++ b/ssl/ssl_asn1.c |
| 943 | @@ -118,11 +118,12 @@ typedef struct ssl_session_asn1_st |
| 944 | ASN1_OCTET_STRING srp_username; |
| 945 | #endif /* OPENSSL_NO_SRP */ |
| 946 | + ASN1_OCTET_STRING original_handshake_hash; |
| 947 | } SSL_SESSION_ASN1; |
| 948 | |
| 949 | int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) |
| 950 | { |
| 951 | #define LSIZE2 (sizeof(long)*2) |
| 952 | - int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0; |
| 953 | + int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0,v14=0; |
| 954 | unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2]; |
| 955 | unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2]; |
| 956 | #ifndef OPENSSL_NO_TLSEXT |
| 957 | @@ -280,4 +281,11 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) |
| 958 | } |
| 959 | + |
| 960 | + if (in->original_handshake_hash_len > 0) |
| 961 | + { |
| 962 | + a.original_handshake_hash.length = in->original_handshake_hash_len; |
| 963 | + a.original_handshake_hash.type = V_ASN1_OCTET_STRING; |
| 964 | + a.original_handshake_hash.data = in->original_handshake_hash; |
| 965 | + } |
| 966 | #endif /* OPENSSL_NO_PSK */ |
| 967 | #ifndef OPENSSL_NO_SRP |
| 968 | if (in->srp_username) |
| 969 | @@ -335,4 +343,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) |
| 970 | #endif /* OPENSSL_NO_SRP */ |
| 971 | + if (in->original_handshake_hash_len > 0) |
| 972 | + M_ASN1_I2D_len_EXP_opt(&(a.original_handshake_hash),i2d_ASN1_OCTET_STRING,14,v14); |
| 973 | |
| 974 | M_ASN1_I2D_seq_total(); |
| 975 | |
| 976 | @@ -385,4 +395,6 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) |
| 977 | #endif /* OPENSSL_NO_SRP */ |
| 978 | + if (in->original_handshake_hash_len > 0) |
| 979 | + M_ASN1_I2D_put_EXP_opt(&(a.original_handshake_hash),i2d_ASN1_OCTET_STRING,14,v14); |
| 980 | M_ASN1_I2D_finish(); |
| 981 | } |
| 982 | |
| 983 | @@ -661,5 +673,16 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, |
| 984 | os.data = NULL; |
| 985 | } |
| 986 | |
| 987 | + os.length=0; |
| 988 | + os.data=NULL; |
| 989 | + M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,14); |
| 990 | + if (os.data && os.length < (int)sizeof(ret->original_handshake_hash)) |
| 991 | + { |
| 992 | + memcpy(ret->original_handshake_hash, os.data, os.length); |
| 993 | + ret->original_handshake_hash_len = os.length; |
| 994 | + OPENSSL_free(os.data); |
| 995 | + os.data = NULL; |
| 996 | + } |
| 997 | + |
| 998 | M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION); |
| 999 | } |
| 1000 | diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c |
| 1001 | index 370fb57..b3eee4d 100644 |
| 1002 | --- a/ssl/ssl_err.c |
| 1003 | +++ b/ssl/ssl_err.c |
David 'Digit' Turner | 365d7e8 | 2013-03-05 19:52:51 +0100 | [diff] [blame] | 1004 | @@ -151,6 +151,7 @@ static ERR_STRING_DATA SSL_str_functs[]= |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1005 | {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"}, |
| 1006 | {ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"}, |
| 1007 | {ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY), "SSL3_GET_CERT_VERIFY"}, |
| 1008 | +{ERR_FUNC(SSL_F_SSL3_GET_CHANNEL_ID), "SSL3_GET_CHANNEL_ID"}, |
| 1009 | {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE), "SSL3_GET_CLIENT_CERTIFICATE"}, |
| 1010 | {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO), "SSL3_GET_CLIENT_HELLO"}, |
| 1011 | {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE), "SSL3_GET_CLIENT_KEY_EXCHANGE"}, |
David 'Digit' Turner | 365d7e8 | 2013-03-05 19:52:51 +0100 | [diff] [blame] | 1012 | @@ -170,6 +171,7 @@ static ERR_STRING_DATA SSL_str_functs[]= |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1013 | {ERR_FUNC(SSL_F_SSL3_READ_BYTES), "SSL3_READ_BYTES"}, |
| 1014 | {ERR_FUNC(SSL_F_SSL3_READ_N), "SSL3_READ_N"}, |
| 1015 | {ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST), "SSL3_SEND_CERTIFICATE_REQUEST"}, |
| 1016 | +{ERR_FUNC(SSL_F_SSL3_SEND_CHANNEL_ID), "SSL3_SEND_CHANNEL_ID"}, |
| 1017 | {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE), "SSL3_SEND_CLIENT_CERTIFICATE"}, |
| 1018 | {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE), "SSL3_SEND_CLIENT_KEY_EXCHANGE"}, |
| 1019 | {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY), "SSL3_SEND_CLIENT_VERIFY"}, |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1020 | @@ -339,12 +341,15 @@ static ERR_STRING_DATA SSL_str_reasons[]= |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1021 | {ERR_REASON(SSL_R_BIO_NOT_SET) ,"bio not set"}, |
| 1022 | {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"}, |
| 1023 | {ERR_REASON(SSL_R_BN_LIB) ,"bn lib"}, |
| 1024 | +{ERR_REASON(SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY),"cannot serialize public key"}, |
| 1025 | {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"}, |
| 1026 | {ERR_REASON(SSL_R_CA_DN_TOO_LONG) ,"ca dn too long"}, |
| 1027 | {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) ,"ccs received early"}, |
| 1028 | {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"}, |
| 1029 | {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) ,"cert length mismatch"}, |
| 1030 | {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"}, |
| 1031 | +{ERR_REASON(SSL_R_CHANNEL_ID_NOT_P256) ,"channel id not p256"}, |
| 1032 | +{ERR_REASON(SSL_R_CHANNEL_ID_SIGNATURE_INVALID),"Channel ID signature invalid"}, |
| 1033 | {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"}, |
| 1034 | {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"}, |
| 1035 | {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"}, |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1036 | @@ -357,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1037 | {ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"}, |
| 1038 | {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"}, |
| 1039 | {ERR_REASON(SSL_R_COOKIE_MISMATCH) ,"cookie mismatch"}, |
| 1040 | +{ERR_REASON(SSL_R_D2I_ECDSA_SIG) ,"d2i ecdsa sig"}, |
| 1041 | {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"}, |
| 1042 | {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"}, |
| 1043 | {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"}, |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1044 | @@ -374,9 +380,12 @@ static ERR_STRING_DATA SSL_str_reasons[]= |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1045 | {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"}, |
| 1046 | {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"}, |
| 1047 | {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"}, |
| 1048 | +{ERR_REASON(SSL_R_EVP_DIGESTSIGNFINAL_FAILED),"evp digestsignfinal failed"}, |
| 1049 | +{ERR_REASON(SSL_R_EVP_DIGESTSIGNINIT_FAILED),"evp digestsigninit failed"}, |
| 1050 | {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"}, |
| 1051 | {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"}, |
| 1052 | {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"}, |
| 1053 | +{ERR_REASON(SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS),"got Channel ID before a ccs"}, |
| 1054 | {ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"}, |
| 1055 | {ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"}, |
| 1056 | {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1057 | @@ -386,6 +395,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1058 | {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, |
| 1059 | {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, |
| 1060 | {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"}, |
| 1061 | +{ERR_REASON(SSL_R_INVALID_MESSAGE) ,"invalid message"}, |
| 1062 | {ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"}, |
| 1063 | {ERR_REASON(SSL_R_INVALID_SRP_USERNAME) ,"invalid srp username"}, |
| 1064 | {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"}, |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1065 | @@ -440,6 +450,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1066 | {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"}, |
| 1067 | {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"}, |
| 1068 | {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"}, |
| 1069 | +{ERR_REASON(SSL_R_NO_P256_SUPPORT) ,"no p256 support"}, |
| 1070 | {ERR_REASON(SSL_R_NO_PRIVATEKEY) ,"no privatekey"}, |
| 1071 | {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"}, |
| 1072 | {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"}, |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1073 | diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c |
| 1074 | index 123f925..6938267 100644 |
| 1075 | --- a/ssl/ssl_lib.c |
| 1076 | +++ b/ssl/ssl_lib.c |
| 1077 | @@ -562,6 +562,8 @@ void SSL_free(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1078 | sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); |
| 1079 | if (s->tlsext_ocsp_resp) |
| 1080 | OPENSSL_free(s->tlsext_ocsp_resp); |
| 1081 | + if (s->tlsext_channel_id_private) |
| 1082 | + EVP_PKEY_free(s->tlsext_channel_id_private); |
| 1083 | #endif |
| 1084 | |
| 1085 | if (s->client_CA != NULL) |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1086 | @@ -1952,6 +1954,11 @@ void SSL_CTX_free(SSL_CTX *a) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1087 | ssl_buf_freelist_free(a->rbuf_freelist); |
| 1088 | #endif |
| 1089 | |
| 1090 | +#ifndef OPENSSL_NO_TLSEXT |
| 1091 | + if (a->tlsext_channel_id_private) |
| 1092 | + EVP_PKEY_free(a->tlsext_channel_id_private); |
| 1093 | +#endif |
| 1094 | + |
| 1095 | OPENSSL_free(a); |
| 1096 | } |
| 1097 | |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1098 | @@ -2504,6 +2511,10 @@ int SSL_get_error(const SSL *s,int i) |
| 1099 | { |
| 1100 | return(SSL_ERROR_WANT_X509_LOOKUP); |
| 1101 | } |
| 1102 | + if ((i < 0) && SSL_want_channel_id_lookup(s)) |
| 1103 | + { |
| 1104 | + return(SSL_ERROR_WANT_CHANNEL_ID_LOOKUP); |
| 1105 | + } |
| 1106 | |
| 1107 | if (i == 0) |
| 1108 | { |
| 1109 | diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h |
| 1110 | index fcc6d80..3ce3d60 100644 |
| 1111 | --- a/ssl/ssl_locl.h |
| 1112 | +++ b/ssl/ssl_locl.h |
David 'Digit' Turner | 365d7e8 | 2013-03-05 19:52:51 +0100 | [diff] [blame] | 1113 | @@ -378,6 +378,7 @@ |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1114 | * (currently this also goes into algorithm2) */ |
| 1115 | #define TLS1_STREAM_MAC 0x04 |
| 1116 | |
| 1117 | +#define TLSEXT_CHANNEL_ID_SIZE 128 |
| 1118 | |
| 1119 | |
| 1120 | /* |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1121 | @@ -1008,6 +1009,7 @@ int ssl3_check_cert_and_algorithm(SSL *s); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1122 | int ssl3_check_finished(SSL *s); |
| 1123 | # ifndef OPENSSL_NO_NEXTPROTONEG |
| 1124 | int ssl3_send_next_proto(SSL *s); |
| 1125 | +int ssl3_send_channel_id(SSL *s); |
| 1126 | # endif |
| 1127 | #endif |
| 1128 | |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1129 | @@ -1030,6 +1032,7 @@ int ssl3_get_cert_verify(SSL *s); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1130 | #ifndef OPENSSL_NO_NEXTPROTONEG |
| 1131 | int ssl3_get_next_proto(SSL *s); |
| 1132 | #endif |
| 1133 | +int ssl3_get_channel_id(SSL *s); |
| 1134 | |
| 1135 | int dtls1_send_hello_request(SSL *s); |
| 1136 | int dtls1_send_server_hello(SSL *s); |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1137 | @@ -1072,6 +1075,7 @@ void ssl_free_wbio_buffer(SSL *s); |
| 1138 | int tls1_change_cipher_state(SSL *s, int which); |
| 1139 | int tls1_setup_key_block(SSL *s); |
| 1140 | int tls1_enc(SSL *s, int snd); |
| 1141 | +int tls1_handshake_digest(SSL *s, unsigned char *out, size_t out_len); |
| 1142 | int tls1_final_finish_mac(SSL *s, |
| 1143 | const char *str, int slen, unsigned char *p); |
| 1144 | int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p); |
| 1145 | @@ -1127,6 +1131,8 @@ int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1146 | int tls12_get_sigid(const EVP_PKEY *pk); |
| 1147 | const EVP_MD *tls12_get_hash(unsigned char hash_alg); |
| 1148 | |
| 1149 | +int tls1_channel_id_hash(EVP_MD_CTX *ctx, SSL *s); |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1150 | +int tls1_record_handshake_hashes_for_channel_id(SSL *s); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1151 | #endif |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1152 | |
| 1153 | int ssl3_can_cutthrough(const SSL *s); |
| 1154 | diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c |
| 1155 | index 2a378c3..dd3b4a6 100644 |
| 1156 | --- a/ssl/ssl_sess.c |
| 1157 | +++ b/ssl/ssl_sess.c |
| 1158 | @@ -1151,6 +1151,17 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK |
| 1159 | return ctx->client_cert_cb; |
| 1160 | } |
| 1161 | |
| 1162 | +void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, |
| 1163 | + void (*cb)(SSL *ssl, EVP_PKEY **pkey)) |
| 1164 | + { |
| 1165 | + ctx->channel_id_cb=cb; |
| 1166 | + } |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1167 | + |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1168 | +void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL * ssl, EVP_PKEY **pkey) |
| 1169 | + { |
| 1170 | + return ctx->channel_id_cb; |
| 1171 | + } |
| 1172 | + |
| 1173 | #ifndef OPENSSL_NO_ENGINE |
| 1174 | int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) |
| 1175 | { |
| 1176 | diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c |
| 1177 | index 0c4cdde..f396674 100644 |
| 1178 | --- a/ssl/t1_enc.c |
| 1179 | +++ b/ssl/t1_enc.c |
| 1180 | @@ -895,54 +895,79 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) |
| 1181 | return((int)ret); |
| 1182 | } |
| 1183 | |
| 1184 | +/* tls1_handshake_digest calculates the current handshake hash and writes it to |
| 1185 | + * |out|, which has space for |out_len| bytes. It returns the number of bytes |
| 1186 | + * written or -1 in the event of an error. This function works on a copy of the |
| 1187 | + * underlying digests so can be called multiple times and prior to the final |
| 1188 | + * update etc. */ |
| 1189 | +int tls1_handshake_digest(SSL *s, unsigned char *out, size_t out_len) |
| 1190 | + { |
| 1191 | + const EVP_MD *md; |
| 1192 | + EVP_MD_CTX ctx; |
| 1193 | + int i, err = 0, len = 0; |
| 1194 | + long mask; |
| 1195 | + |
| 1196 | + EVP_MD_CTX_init(&ctx); |
| 1197 | + |
| 1198 | + for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) |
| 1199 | + { |
| 1200 | + int hash_size; |
| 1201 | + unsigned int digest_len; |
| 1202 | + EVP_MD_CTX *hdgst = s->s3->handshake_dgst[i]; |
| 1203 | + |
| 1204 | + if ((mask & ssl_get_algorithm2(s)) == 0) |
| 1205 | + continue; |
| 1206 | + |
| 1207 | + hash_size = EVP_MD_size(md); |
| 1208 | + if (!hdgst || hash_size < 0 || (size_t)hash_size > out_len) |
| 1209 | + { |
| 1210 | + err = 1; |
| 1211 | + break; |
| 1212 | + } |
| 1213 | + |
| 1214 | + if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || |
| 1215 | + !EVP_DigestFinal_ex(&ctx, out, &digest_len) || |
| 1216 | + digest_len != (unsigned int)hash_size) /* internal error */ |
| 1217 | + { |
| 1218 | + err = 1; |
| 1219 | + break; |
| 1220 | + } |
| 1221 | + out += digest_len; |
| 1222 | + out_len -= digest_len; |
| 1223 | + len += digest_len; |
| 1224 | + } |
| 1225 | + |
| 1226 | + EVP_MD_CTX_cleanup(&ctx); |
| 1227 | + |
| 1228 | + if (err != 0) |
| 1229 | + return -1; |
| 1230 | + return len; |
| 1231 | + } |
| 1232 | + |
| 1233 | int tls1_final_finish_mac(SSL *s, |
| 1234 | const char *str, int slen, unsigned char *out) |
| 1235 | { |
| 1236 | - unsigned int i; |
| 1237 | - EVP_MD_CTX ctx; |
| 1238 | unsigned char buf[2*EVP_MAX_MD_SIZE]; |
| 1239 | - unsigned char *q,buf2[12]; |
| 1240 | - int idx; |
| 1241 | - long mask; |
| 1242 | + unsigned char buf2[12]; |
| 1243 | int err=0; |
| 1244 | - const EVP_MD *md; |
| 1245 | + int digests_len; |
| 1246 | |
| 1247 | - q=buf; |
| 1248 | - |
| 1249 | - if (s->s3->handshake_buffer) |
| 1250 | + if (s->s3->handshake_buffer) |
| 1251 | if (!ssl3_digest_cached_records(s)) |
| 1252 | return 0; |
| 1253 | |
| 1254 | - EVP_MD_CTX_init(&ctx); |
| 1255 | - |
| 1256 | - for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++) |
| 1257 | + digests_len = tls1_handshake_digest(s, buf, sizeof(buf)); |
| 1258 | + if (digests_len < 0) |
| 1259 | { |
| 1260 | - if (mask & ssl_get_algorithm2(s)) |
| 1261 | - { |
| 1262 | - int hashsize = EVP_MD_size(md); |
| 1263 | - EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; |
| 1264 | - if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) |
| 1265 | - { |
| 1266 | - /* internal error: 'buf' is too small for this cipersuite! */ |
| 1267 | - err = 1; |
| 1268 | - } |
| 1269 | - else |
| 1270 | - { |
| 1271 | - if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || |
| 1272 | - !EVP_DigestFinal_ex(&ctx,q,&i) || |
| 1273 | - (i != (unsigned int)hashsize)) |
| 1274 | - err = 1; |
| 1275 | - q+=hashsize; |
| 1276 | - } |
| 1277 | - } |
| 1278 | + err = 1; |
| 1279 | + digests_len = 0; |
| 1280 | } |
| 1281 | - |
| 1282 | + |
| 1283 | if (!tls1_PRF(ssl_get_algorithm2(s), |
| 1284 | - str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, |
| 1285 | + str,slen, buf, digests_len, NULL,0, NULL,0, NULL,0, |
| 1286 | s->session->master_key,s->session->master_key_length, |
| 1287 | out,buf2,sizeof buf2)) |
| 1288 | err = 1; |
| 1289 | - EVP_MD_CTX_cleanup(&ctx); |
| 1290 | |
| 1291 | if (err) |
| 1292 | return 0; |
| 1293 | diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c |
| 1294 | index bddffd9..1a56a97 100644 |
| 1295 | --- a/ssl/t1_lib.c |
| 1296 | +++ b/ssl/t1_lib.c |
| 1297 | @@ -641,6 +641,19 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1298 | } |
| 1299 | #endif |
| 1300 | |
| 1301 | + if (s->tlsext_channel_id_enabled) |
| 1302 | + { |
| 1303 | + /* The client advertises an emtpy extension to indicate its |
| 1304 | + * support for Channel ID. */ |
| 1305 | + if (limit - ret - 4 < 0) |
| 1306 | + return NULL; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1307 | + if (s->ctx->tlsext_channel_id_enabled_new) |
| 1308 | + s2n(TLSEXT_TYPE_channel_id_new,ret); |
| 1309 | + else |
| 1310 | + s2n(TLSEXT_TYPE_channel_id,ret); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1311 | + s2n(0,ret); |
| 1312 | + } |
| 1313 | + |
Brian Carlstrom | eefface | 2013-02-11 09:54:43 -0800 | [diff] [blame] | 1314 | #ifndef OPENSSL_NO_SRTP |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1315 | if(SSL_get_srtp_profiles(s)) |
| 1316 | { |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1317 | @@ -881,6 +894,19 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1318 | } |
| 1319 | #endif |
| 1320 | |
| 1321 | + /* If the client advertised support for Channel ID, and we have it |
| 1322 | + * enabled, then we want to echo it back. */ |
| 1323 | + if (s->s3->tlsext_channel_id_valid) |
| 1324 | + { |
| 1325 | + if (limit - ret - 4 < 0) |
| 1326 | + return NULL; |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1327 | + if (s->s3->tlsext_channel_id_new) |
| 1328 | + s2n(TLSEXT_TYPE_channel_id_new,ret); |
| 1329 | + else |
| 1330 | + s2n(TLSEXT_TYPE_channel_id,ret); |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1331 | + s2n(0,ret); |
| 1332 | + } |
| 1333 | + |
Kenny Root | c64f6fe | 2014-11-06 10:31:23 -0800 | [diff] [blame] | 1334 | if ((extdatalen = ret-orig-2)== 0) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1335 | return p; |
| 1336 | |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1337 | @@ -1442,6 +1468,16 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1338 | } |
| 1339 | #endif |
| 1340 | |
| 1341 | + else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled) |
| 1342 | + s->s3->tlsext_channel_id_valid = 1; |
| 1343 | + |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1344 | + else if (type == TLSEXT_TYPE_channel_id_new && |
| 1345 | + s->tlsext_channel_id_enabled) |
| 1346 | + { |
| 1347 | + s->s3->tlsext_channel_id_valid = 1; |
| 1348 | + s->s3->tlsext_channel_id_new = 1; |
| 1349 | + } |
| 1350 | + |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1351 | /* session ticket processed earlier */ |
David 'Digit' Turner | 365d7e8 | 2013-03-05 19:52:51 +0100 | [diff] [blame] | 1352 | #ifndef OPENSSL_NO_SRTP |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1353 | else if (type == TLSEXT_TYPE_use_srtp) |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1354 | @@ -1672,6 +1708,15 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1355 | s->s3->next_proto_neg_seen = 1; |
| 1356 | } |
| 1357 | #endif |
| 1358 | + else if (type == TLSEXT_TYPE_channel_id) |
| 1359 | + s->s3->tlsext_channel_id_valid = 1; |
| 1360 | + |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1361 | + else if (type == TLSEXT_TYPE_channel_id_new) |
| 1362 | + { |
| 1363 | + s->s3->tlsext_channel_id_valid = 1; |
| 1364 | + s->s3->tlsext_channel_id_new = 1; |
| 1365 | + } |
| 1366 | + |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1367 | else if (type == TLSEXT_TYPE_renegotiate) |
| 1368 | { |
| 1369 | if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1370 | @@ -2727,3 +2772,74 @@ tls1_heartbeat(SSL *s) |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1371 | return ret; |
| 1372 | } |
| 1373 | #endif |
| 1374 | + |
| 1375 | +#if !defined(OPENSSL_NO_TLSEXT) |
| 1376 | +/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given |
| 1377 | + * SSL connection and writes it to |md|. |
| 1378 | + */ |
| 1379 | +int |
| 1380 | +tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s) |
| 1381 | + { |
| 1382 | + EVP_MD_CTX ctx; |
| 1383 | + unsigned char temp_digest[EVP_MAX_MD_SIZE]; |
| 1384 | + unsigned temp_digest_len; |
| 1385 | + int i; |
| 1386 | + static const char kClientIDMagic[] = "TLS Channel ID signature"; |
| 1387 | + |
| 1388 | + if (s->s3->handshake_buffer) |
| 1389 | + if (!ssl3_digest_cached_records(s)) |
| 1390 | + return 0; |
| 1391 | + |
| 1392 | + EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic)); |
| 1393 | + |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1394 | + if (s->hit && s->s3->tlsext_channel_id_new) |
| 1395 | + { |
| 1396 | + static const char kResumptionMagic[] = "Resumption"; |
| 1397 | + EVP_DigestUpdate(md, kResumptionMagic, |
| 1398 | + sizeof(kResumptionMagic)); |
| 1399 | + if (s->session->original_handshake_hash_len == 0) |
| 1400 | + return 0; |
| 1401 | + EVP_DigestUpdate(md, s->session->original_handshake_hash, |
| 1402 | + s->session->original_handshake_hash_len); |
| 1403 | + } |
| 1404 | + |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1405 | + EVP_MD_CTX_init(&ctx); |
| 1406 | + for (i = 0; i < SSL_MAX_DIGEST; i++) |
| 1407 | + { |
| 1408 | + if (s->s3->handshake_dgst[i] == NULL) |
| 1409 | + continue; |
| 1410 | + EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]); |
| 1411 | + EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len); |
| 1412 | + EVP_DigestUpdate(md, temp_digest, temp_digest_len); |
| 1413 | + } |
| 1414 | + EVP_MD_CTX_cleanup(&ctx); |
| 1415 | + |
| 1416 | + return 1; |
| 1417 | + } |
| 1418 | +#endif |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1419 | + |
| 1420 | +/* tls1_record_handshake_hashes_for_channel_id records the current handshake |
| 1421 | + * hashes in |s->session| so that Channel ID resumptions can sign that data. */ |
| 1422 | +int tls1_record_handshake_hashes_for_channel_id(SSL *s) |
| 1423 | + { |
| 1424 | + int digest_len; |
| 1425 | + /* This function should never be called for a resumed session because |
| 1426 | + * the handshake hashes that we wish to record are for the original, |
| 1427 | + * full handshake. */ |
| 1428 | + if (s->hit) |
| 1429 | + return -1; |
| 1430 | + /* It only makes sense to call this function if Channel IDs have been |
| 1431 | + * negotiated. */ |
| 1432 | + if (!s->s3->tlsext_channel_id_new) |
| 1433 | + return -1; |
| 1434 | + |
| 1435 | + digest_len = tls1_handshake_digest( |
| 1436 | + s, s->session->original_handshake_hash, |
| 1437 | + sizeof(s->session->original_handshake_hash)); |
| 1438 | + if (digest_len < 0) |
| 1439 | + return -1; |
| 1440 | + |
| 1441 | + s->session->original_handshake_hash_len = digest_len; |
| 1442 | + |
| 1443 | + return 1; |
| 1444 | + } |
| 1445 | diff --git a/ssl/tls1.h b/ssl/tls1.h |
| 1446 | index c992091..12f2f21 100644 |
| 1447 | --- a/ssl/tls1.h |
| 1448 | +++ b/ssl/tls1.h |
| 1449 | @@ -254,6 +254,10 @@ extern "C" { |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1450 | #define TLSEXT_TYPE_next_proto_neg 13172 |
| 1451 | #endif |
| 1452 | |
| 1453 | +/* This is not an IANA defined extension number */ |
| 1454 | +#define TLSEXT_TYPE_channel_id 30031 |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1455 | +#define TLSEXT_TYPE_channel_id_new 30032 |
Adam Langley | 45bcfbc | 2013-01-16 13:43:53 -0800 | [diff] [blame] | 1456 | + |
| 1457 | /* NameType value from RFC 3546 */ |
| 1458 | #define TLSEXT_NAMETYPE_host_name 0 |
| 1459 | /* status request value from RFC 3546 */ |
Kenny Root | 77c6be7 | 2014-06-12 10:08:29 -0700 | [diff] [blame] | 1460 | -- |
| 1461 | 1.9.1.423.g4596e3a |
| 1462 | |