1 diff -burN android-openssl.orig/crypto/bio/bio.h android-openssl/crypto/bio/bio.
h | |
2 --- android-openssl.orig/crypto/bio/bio.h 2013-02-11 16:26:04.000000000 +0
100 | |
3 +++ android-openssl/crypto/bio/bio.h 2013-10-22 18:22:42.080337200 +0200 | |
4 @@ -266,6 +266,9 @@ | |
5 #define BIO_RR_CONNECT 0x02 | |
6 /* Returned from the accept BIO when an accept would have blocked */ | |
7 #define BIO_RR_ACCEPT 0x03 | |
8 +/* Returned from the SSL bio when the channel id retrieval code cannot find the | |
9 + * private key. */ | |
10 +#define BIO_RR_SSL_CHANNEL_ID_LOOKUP 0x04 | |
11 | |
12 /* These are passed by the BIO callback */ | |
13 #define BIO_CB_FREE 0x01 | |
14 diff -burN android-openssl.orig/include/openssl/bio.h android-openssl/include/op
enssl/bio.h | |
15 --- android-openssl.orig/include/openssl/bio.h 2013-10-22 18:20:42.249270230 +0
200 | |
16 +++ android-openssl/include/openssl/bio.h 2013-10-22 18:22:42.080337200 +0
200 | |
17 @@ -266,6 +266,9 @@ | |
18 #define BIO_RR_CONNECT 0x02 | |
19 /* Returned from the accept BIO when an accept would have blocked */ | |
20 #define BIO_RR_ACCEPT 0x03 | |
21 +/* Returned from the SSL bio when the channel id retrieval code cannot find the | |
22 + * private key. */ | |
23 +#define BIO_RR_SSL_CHANNEL_ID_LOOKUP 0x04 | |
24 | |
25 /* These are passed by the BIO callback */ | |
26 #define BIO_CB_FREE 0x01 | |
27 diff -burN android-openssl.orig/include/openssl/ssl.h android-openssl/include/op
enssl/ssl.h | |
28 --- android-openssl.orig/include/openssl/ssl.h 2013-10-22 18:20:42.259270320 +0
200 | |
29 +++ android-openssl/include/openssl/ssl.h 2013-10-22 18:24:14.771162612 +0
200 | |
30 @@ -848,6 +848,9 @@ | |
31 /* get client cert callback */ | |
32 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); | |
33 | |
34 + /* get channel id callback */ | |
35 + void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey); | |
36 + | |
37 /* cookie generate callback */ | |
38 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, | |
39 unsigned int *cookie_len); | |
40 @@ -1043,6 +1046,8 @@ | |
41 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val
); | |
42 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X
509 **x509, EVP_PKEY **pkey)); | |
43 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY
**pkey); | |
44 +void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EV
P_PKEY **pkey)); | |
45 +void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey); | |
46 #ifndef OPENSSL_NO_ENGINE | |
47 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e); | |
48 #endif | |
49 @@ -1104,12 +1109,14 @@ | |
50 #define SSL_WRITING 2 | |
51 #define SSL_READING 3 | |
52 #define SSL_X509_LOOKUP 4 | |
53 +#define SSL_CHANNEL_ID_LOOKUP 5 | |
54 | |
55 /* These will only be used when doing non-blocking IO */ | |
56 #define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) | |
57 #define SSL_want_read(s) (SSL_want(s) == SSL_READING) | |
58 #define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) | |
59 #define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) | |
60 +#define SSL_want_channel_id_lookup(s) (SSL_want(s) == SSL_CHANNEL_ID_LOOKUP) | |
61 | |
62 #define SSL_MAC_FLAG_READ_MAC_STREAM 1 | |
63 #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 | |
64 @@ -1535,6 +1542,7 @@ | |
65 #define SSL_ERROR_ZERO_RETURN 6 | |
66 #define SSL_ERROR_WANT_CONNECT 7 | |
67 #define SSL_ERROR_WANT_ACCEPT 8 | |
68 +#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9 | |
69 | |
70 #define SSL_CTRL_NEED_TMP_RSA 1 | |
71 #define SSL_CTRL_SET_TMP_RSA 2 | |
72 @@ -1672,10 +1680,11 @@ | |
73 #define SSL_set_tmp_ecdh(ssl,ecdh) \ | |
74 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) | |
75 | |
76 -/* SSL_enable_tls_channel_id configures a TLS server to accept TLS client | |
77 - * IDs from clients. Returns 1 on success. */ | |
78 -#define SSL_enable_tls_channel_id(ctx) \ | |
79 - SSL_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL) | |
80 +/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS clien
t | |
81 + * IDs from clients, or configure a client to send TLS client IDs to server. | |
82 + * Returns 1 on success. */ | |
83 +#define SSL_enable_tls_channel_id(s) \ | |
84 + SSL_ctrl(s,SSL_CTRL_CHANNEL_ID,0,NULL) | |
85 /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to | |
86 * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on | |
87 * success. */ | |
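Review bot: The new `channel_id_cb` member and the `SSL_CTX_set_channel_id_cb` declaration carry no contract for the key returned through `*pkey`: the s3_clnt.c hunk stores that pointer directly in `s->tlsext_channel_id_private`, which is released with `EVP_PKEY_free`, so ownership passes to the SSL object, whereas `SSL_set1_tls_channel_id` now copies its argument (s3_lib.c hunks). Document this on the member, e.g. `/* get channel id callback: on return *pkey is either NULL (the handshake pauses with SSL_ERROR_WANT_CHANNEL_ID_LOOKUP and the callback is invoked again on retry) or an EVP_PKEY whose ownership passes to the SSL object; presumably the same P-256 requirement as SSL_set1_tls_channel_id applies */`. The rewritten `SSL_enable_tls_channel_id` comment has a grammar slip (`or configure a client` should read `or configures a client`) and should state that the argument is an `SSL *`, since the macro expands to `SSL_ctrl`, not `SSL_CTX_ctrl`. The identical changes in ssl/ssl.h need the same treatment.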
88 diff -burN android-openssl.orig/ssl/bio_ssl.c android-openssl/ssl/bio_ssl.c | |
89 --- android-openssl.orig/ssl/bio_ssl.c 2013-02-11 16:26:04.000000000 +0100 | |
90 +++ android-openssl/ssl/bio_ssl.c 2013-10-22 18:22:42.090337290 +0200 | |
91 @@ -206,6 +206,10 @@ | |
92 BIO_set_retry_special(b); | |
93 retry_reason=BIO_RR_SSL_X509_LOOKUP; | |
94 break; | |
95 + case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: | |
96 + BIO_set_retry_special(b); | |
97 + retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP; | |
98 + break; | |
99 case SSL_ERROR_WANT_ACCEPT: | |
100 BIO_set_retry_special(b); | |
101 retry_reason=BIO_RR_ACCEPT; | |
102 @@ -280,6 +284,10 @@ | |
103 BIO_set_retry_special(b); | |
104 retry_reason=BIO_RR_SSL_X509_LOOKUP; | |
105 break; | |
106 + case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: | |
107 + BIO_set_retry_special(b); | |
108 + retry_reason=BIO_RR_SSL_CHANNEL_ID_LOOKUP; | |
109 + break; | |
110 case SSL_ERROR_WANT_CONNECT: | |
111 BIO_set_retry_special(b); | |
112 retry_reason=BIO_RR_CONNECT; | |
113 diff -burN android-openssl.orig/ssl/s3_clnt.c android-openssl/ssl/s3_clnt.c | |
114 --- android-openssl.orig/ssl/s3_clnt.c 2013-10-22 18:20:40.289252781 +0200 | |
115 +++ android-openssl/ssl/s3_clnt.c 2013-10-22 18:22:42.090337290 +0200 | |
116 @@ -3414,6 +3414,22 @@ | |
117 if (s->state != SSL3_ST_CW_CHANNEL_ID_A) | |
118 return ssl3_do_write(s, SSL3_RT_HANDSHAKE); | |
119 | |
120 + if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb) | |
121 + { | |
122 + EVP_PKEY *key = NULL; | |
123 + s->ctx->channel_id_cb(s, &key); | |
124 + if (key != NULL) | |
125 + { | |
126 + s->tlsext_channel_id_private = key; | |
127 + } | |
128 + } | |
129 + if (!s->tlsext_channel_id_private) | |
130 + { | |
131 + s->rwstate=SSL_CHANNEL_ID_LOOKUP; | |
132 + return (-1); | |
133 + } | |
134 + s->rwstate=SSL_NOTHING; | |
135 + | |
136 d = (unsigned char *)s->init_buf->data; | |
137 *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS; | |
138 l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d); | |
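Review bot: The key handed back by `channel_id_cb` is assigned to `s->tlsext_channel_id_private` without the checks the `SSL_CTRL_SET_CHANNEL_ID` path applies (the block that closes just before the `EVP_PKEY_free` in the s3_lib.c hunk), so a callback returning a key of the wrong type or curve is not rejected here and the problem surfaces later, if at all, when the Channel ID is signed. Apply the same validation before the assignment and, if the key is rejected, free it and fail the handshake explicitly rather than leaving the field NULL and pausing with `SSL_CHANNEL_ID_LOOKUP`, which would just re-invoke the callback on every retry. Note the ownership asymmetry as well: this path takes the callee's pointer, while `SSL_set1_tls_channel_id` now duplicates its argument, so the callback documentation must say that the callee transfers ownership. The enclosing function begins before this hunk.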
139 diff -burN android-openssl.orig/ssl/s3_lib.c android-openssl/ssl/s3_lib.c | |
140 --- android-openssl.orig/ssl/s3_lib.c 2013-10-22 18:20:40.289252781 +0200 | |
141 +++ android-openssl/ssl/s3_lib.c 2013-10-22 18:22:42.090337290 +0200 | |
142 @@ -3358,8 +3358,6 @@ | |
143 break; | |
144 #endif | |
145 case SSL_CTRL_CHANNEL_ID: | |
146 - if (!s->server) | |
147 - break; | |
148 s->tlsext_channel_id_enabled = 1; | |
149 ret = 1; | |
150 break; | |
151 @@ -3375,7 +3373,7 @@ | |
152 } | |
153 if (s->tlsext_channel_id_private) | |
154 EVP_PKEY_free(s->tlsext_channel_id_private); | |
155 - s->tlsext_channel_id_private = (EVP_PKEY*) parg; | |
156 + s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg); | |
157 ret = 1; | |
158 break; | |
159 | |
160 @@ -3690,7 +3688,7 @@ | |
161 } | |
162 if (ctx->tlsext_channel_id_private) | |
163 EVP_PKEY_free(ctx->tlsext_channel_id_private); | |
164 - ctx->tlsext_channel_id_private = (EVP_PKEY*) parg; | |
165 + ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg); | |
166 break; | |
167 | |
168 default: | |
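Review bot: The result of `EVP_PKEY_dup` is not checked in either `SSL_CTRL_SET_CHANNEL_ID` hunk: on a failed copy the previous key has already been freed, `tlsext_channel_id_private` is left NULL, and the SSL-level case still reports `ret = 1`, so the caller believes a Channel ID key is installed when none is. Derive the result from the copy, e.g. `s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY*) parg);` followed by `ret = (s->tlsext_channel_id_private != NULL);`, and mirror that in the ctx hunk. `EVP_PKEY_dup` is not defined anywhere in this patch; confirm it exists in this tree and yields an independent copy including the private component, rather than a shared reference, since the comment on `SSL_set1_tls_channel_id` promises set1 (copy) semantics.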
169 diff -burN android-openssl.orig/ssl/ssl.h android-openssl/ssl/ssl.h | |
170 --- android-openssl.orig/ssl/ssl.h 2013-10-22 18:20:40.299252871 +0200 | |
171 +++ android-openssl/ssl/ssl.h 2013-10-22 18:24:24.121245879 +0200 | |
172 @@ -848,6 +848,9 @@ | |
173 /* get client cert callback */ | |
174 int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); | |
175 | |
176 + /* get channel id callback */ | |
177 + void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey); | |
178 + | |
179 /* cookie generate callback */ | |
180 int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, | |
181 unsigned int *cookie_len); | |
182 @@ -1043,6 +1046,8 @@ | |
183 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val
); | |
184 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X
509 **x509, EVP_PKEY **pkey)); | |
185 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY
**pkey); | |
186 +void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EV
P_PKEY **pkey)); | |
187 +void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey); | |
188 #ifndef OPENSSL_NO_ENGINE | |
189 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e); | |
190 #endif | |
191 @@ -1104,12 +1109,14 @@ | |
192 #define SSL_WRITING 2 | |
193 #define SSL_READING 3 | |
194 #define SSL_X509_LOOKUP 4 | |
195 +#define SSL_CHANNEL_ID_LOOKUP 5 | |
196 | |
197 /* These will only be used when doing non-blocking IO */ | |
198 #define SSL_want_nothing(s) (SSL_want(s) == SSL_NOTHING) | |
199 #define SSL_want_read(s) (SSL_want(s) == SSL_READING) | |
200 #define SSL_want_write(s) (SSL_want(s) == SSL_WRITING) | |
201 #define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP) | |
202 +#define SSL_want_channel_id_lookup(s) (SSL_want(s) == SSL_CHANNEL_ID_LOOKUP) | |
203 | |
204 #define SSL_MAC_FLAG_READ_MAC_STREAM 1 | |
205 #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2 | |
206 @@ -1535,6 +1542,7 @@ | |
207 #define SSL_ERROR_ZERO_RETURN 6 | |
208 #define SSL_ERROR_WANT_CONNECT 7 | |
209 #define SSL_ERROR_WANT_ACCEPT 8 | |
210 +#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9 | |
211 | |
212 #define SSL_CTRL_NEED_TMP_RSA 1 | |
213 #define SSL_CTRL_SET_TMP_RSA 2 | |
214 @@ -1672,10 +1680,11 @@ | |
215 #define SSL_set_tmp_ecdh(ssl,ecdh) \ | |
216 SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh) | |
217 | |
218 -/* SSL_enable_tls_channel_id configures a TLS server to accept TLS client | |
219 - * IDs from clients. Returns 1 on success. */ | |
220 -#define SSL_enable_tls_channel_id(ctx) \ | |
221 - SSL_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL) | |
222 +/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS clien
t | |
223 + * IDs from clients, or configure a client to send TLS client IDs to server. | |
224 + * Returns 1 on success. */ | |
225 +#define SSL_enable_tls_channel_id(s) \ | |
226 + SSL_ctrl(s,SSL_CTRL_CHANNEL_ID,0,NULL) | |
227 /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to | |
228 * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on | |
229 * success. */ | |
230 diff -burN android-openssl.orig/ssl/ssl_lib.c android-openssl/ssl/ssl_lib.c | |
231 --- android-openssl.orig/ssl/ssl_lib.c 2013-10-22 18:20:40.299252871 +0200 | |
232 +++ android-openssl/ssl/ssl_lib.c 2013-10-22 18:22:42.090337290 +0200 | |
233 @@ -2561,6 +2561,10 @@ | |
234 { | |
235 return(SSL_ERROR_WANT_X509_LOOKUP); | |
236 } | |
237 + if ((i < 0) && SSL_want_channel_id_lookup(s)) | |
238 + { | |
239 + return(SSL_ERROR_WANT_CHANNEL_ID_LOOKUP); | |
240 + } | |
241 | |
242 if (i == 0) | |
243 { | |
244 diff -burN android-openssl.orig/ssl/ssl_sess.c android-openssl/ssl/ssl_sess.c | |
245 --- android-openssl.orig/ssl/ssl_sess.c 2013-10-22 18:20:40.289252781 +0200 | |
246 +++ android-openssl/ssl/ssl_sess.c 2013-10-22 18:22:42.090337290 +0200 | |
247 @@ -1132,6 +1132,17 @@ | |
248 return ctx->client_cert_cb; | |
249 } | |
250 | |
251 +void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, | |
252 + void (*cb)(SSL *ssl, EVP_PKEY **pkey)) | |
253 + { | |
254 + ctx->channel_id_cb=cb; | |
255 + } | |
256 + | |
257 +void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL * ssl, EVP_PKEY **pkey) | |
258 + { | |
259 + return ctx->channel_id_cb; | |
260 + } | |
261 + | |
262 #ifndef OPENSSL_NO_ENGINE | |
263 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) | |
264 { | |
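Review bot: `SSL_CTX_get_channel_id_cb` writes its callback parameter as `SSL * ssl` while the header declarations and the neighbouring `SSL_CTX_get_client_cert_cb` use `SSL *ssl`; match the surrounding style with `void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey)`. Neither accessor has a comment; a one-liner on the setter such as `/* Install the callback s3_clnt.c consults when no Channel ID private key has been set via SSL_set1_tls_channel_id */` would point readers to the consumer. The hunk's last line is the opening brace of `SSL_CTX_set_client_cert_engine`, whose body lies outside the hunk.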