mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-21 01:15:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add extms support to master key generation.

Browse Source 
Update master secret calculation to support extended master secret.
TLS 1.2 client authentication adds a complication because we need to
cache the handshake messages. This is simpllified however because
the point at which the handshake hashes are calculated for extended
master secret is identical to that required for TLS 1.2 client
authentication (immediately after client key exchange which is also
immediately before certificate verify).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2015-01-23 02:49:16 +00:00
parent ddc06b3556
commit 0cfb0e75b9
5 changed files with 73 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ssl/d1_srvr.c
View File

@ -655,17 +655,19 @@ int dtls1_accept(SSL *s)
s->init_num = 0; s->init_num = 0;
if (!s->session->peer) if (!s->session->peer)
break; break;
/*
* For sigalgs freeze the handshake buffer at this point and
* digest cached records.
*/
if (!s->s3->handshake_buffer) { if (!s->s3->handshake_buffer) {
SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
return -1; return -1;
} }
s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; /*
if (!ssl3_digest_cached_records(s)) * For sigalgs freeze the handshake buffer. If we support
return -1; * extms we've done this already.
*/
if (!(s->s3->flags & SSL_SESS_FLAG_EXTMS)) {
s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
if (!ssl3_digest_cached_records(s))
return -1;
}
} else { } else {
s->state = SSL3_ST_SR_CERT_VRFY_A; s->state = SSL3_ST_SR_CERT_VRFY_A;
s->init_num = 0; s->init_num = 0;

10
ssl/s3_clnt.c
View File

@ -3150,7 +3150,15 @@ int ssl3_send_client_verify(SSL *s)
} }
s2n(u, p); s2n(u, p);
n = u + 4; n = u + 4;
if (!ssl3_digest_cached_records(s)) /*
* For extended master secret we've already digested cached
* records.
*/
if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE;
} else if (!ssl3_digest_cached_records(s))
goto err; goto err;
} else } else
#ifndef OPENSSL_NO_RSA #ifndef OPENSSL_NO_RSA

16
ssl/s3_srvr.c
View File

@ -620,17 +620,19 @@ int ssl3_accept(SSL *s)
s->init_num = 0; s->init_num = 0;
if (!s->session->peer) if (!s->session->peer)
break; break;
/*
* For sigalgs freeze the handshake buffer at this point and
* digest cached records.
*/
if (!s->s3->handshake_buffer) { if (!s->s3->handshake_buffer) {
SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
return -1; return -1;
} }
s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; /*
if (!ssl3_digest_cached_records(s)) * For sigalgs freeze the handshake buffer. If we support
return -1; * extms we've done this already.
*/
if (!(s->s3->flags & SSL_SESS_FLAG_EXTMS)) {
s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
if (!ssl3_digest_cached_records(s))
return -1;
}
} else { } else {
int offset = 0; int offset = 0;
int dgst_num; int dgst_num;

45
ssl/t1_enc.c
View File

@ -1070,13 +1070,41 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
len); len);
#endif /* KSSL_DEBUG */ #endif /* KSSL_DEBUG */
if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
tls1_PRF(ssl_get_algorithm2(s), unsigned char hash[EVP_MAX_MD_SIZE * 2];
TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, int hashlen;
s->s3->client_random, SSL3_RANDOM_SIZE, /* If we don't have any digests cache records */
co, col, if (s->s3->handshake_buffer) {
s->s3->server_random, SSL3_RANDOM_SIZE, /*
so, sol, p, len, s->session->master_key, buff, sizeof buff); * keep record buffer: this wont affect client auth because we're
* freezing the buffer at the same point (after client key
* exchange and before certificate verify)
*/
s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
ssl3_digest_cached_records(s);
}
hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
#ifdef SSL_DEBUG
fprintf(stderr, "Handshake hashes:\n");
BIO_dump_fp(stderr, (char *)hash, hashlen);
#endif
tls1_PRF(ssl_get_algorithm2(s),
TLS_MD_EXTENDED_MASTER_SECRET_CONST,
TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE,
hash, hashlen,
co, col,
NULL, 0,
so, sol, p, len, s->session->master_key, buff, sizeof buff);
OPENSSL_cleanse(hash, hashlen);
} else {
tls1_PRF(ssl_get_algorithm2(s),
TLS_MD_MASTER_SECRET_CONST,
TLS_MD_MASTER_SECRET_CONST_SIZE,
s->s3->client_random, SSL3_RANDOM_SIZE,
co, col,
s->s3->server_random, SSL3_RANDOM_SIZE,
so, sol, p, len, s->session->master_key, buff, sizeof buff);
}
#ifdef SSL_DEBUG #ifdef SSL_DEBUG
fprintf(stderr, "Premaster Secret:\n"); fprintf(stderr, "Premaster Secret:\n");
BIO_dump_fp(stderr, (char *)p, len); BIO_dump_fp(stderr, (char *)p, len);
@ -1175,6 +1203,9 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
goto err1; goto err1;
if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST,
TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0)
goto err1;
if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
goto err1; goto err1;

9
ssl/tls1.h
View File

@ -782,7 +782,7 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
# define TLS1_FINISH_MAC_LENGTH 12 # define TLS1_FINISH_MAC_LENGTH 12
# define TLS_MD_MAX_CONST_SIZE 20 # define TLS_MD_MAX_CONST_SIZE 22
# define TLS_MD_CLIENT_FINISH_CONST "client finished" # define TLS_MD_CLIENT_FINISH_CONST "client finished"
# define TLS_MD_CLIENT_FINISH_CONST_SIZE 15 # define TLS_MD_CLIENT_FINISH_CONST_SIZE 15
# define TLS_MD_SERVER_FINISH_CONST "server finished" # define TLS_MD_SERVER_FINISH_CONST "server finished"
@ -797,6 +797,8 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
# define TLS_MD_IV_BLOCK_CONST_SIZE 8 # define TLS_MD_IV_BLOCK_CONST_SIZE 8
# define TLS_MD_MASTER_SECRET_CONST "master secret" # define TLS_MD_MASTER_SECRET_CONST "master secret"
# define TLS_MD_MASTER_SECRET_CONST_SIZE 13 # define TLS_MD_MASTER_SECRET_CONST_SIZE 13
# define TLS_MD_EXTENDED_MASTER_SECRET_CONST "extended master secret"
# define TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE 22
# ifdef CHARSET_EBCDIC # ifdef CHARSET_EBCDIC
# undef TLS_MD_CLIENT_FINISH_CONST # undef TLS_MD_CLIENT_FINISH_CONST
@ -846,6 +848,11 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
* master secret * master secret
*/ */
# define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" # define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
# undef TLS_MD_EXTENDED_MASTER_SECRET_CONST
/*
* extended master secret
*/
# define TLS_MD_EXTENDED_MASTER_SECRET_CONST "\x65\x78\x74\x65\x63\x64\x65\x64\x20\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74"
# endif # endif
/* TLS Session Ticket extension struct */ /* TLS Session Ticket extension struct */