Extended master secret support.
This change implements support for the extended master secret. See
https://tools.ietf.org/html/draft-ietf-tls-session-hash-01
https://secure-resumption.com/
Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93
Reviewed-on: https://boringssl-review.googlesource.com/1930
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/bytestring.h b/include/openssl/bytestring.h
index 9d2b4a9..d5e6cf9 100644
--- a/include/openssl/bytestring.h
+++ b/include/openssl/bytestring.h
@@ -193,6 +193,14 @@
unsigned tag,
uint64_t default_value);
+/* CBS_get_optional_asn1_bool gets an optional, explicitly-tagged BOOLEAN from
+ * |cbs|. If present, it sets |*out| to either zero or one, based on the
+ * boolean. Otherwise, it sets |*out| to |default_value|. It returns one on
+ * success, whether or not the element was present, and zero on decode
+ * failure. */
+OPENSSL_EXPORT int CBS_get_optional_asn1_bool(CBS *cbs, int *out, unsigned tag,
+ int default_value);
+
/* CRYPTO ByteBuilder.
*
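Review bot: The new CBS_get_optional_asn1_bool comment does not say what |*out| holds after a decode failure, nor whether BOOLEAN contents other than 0x00 and 0xFF are rejected as non-DER; both matter to callers that parse stored session data with it, and the implementation is not in this diff so the declaration is the only place the contract is visible. I would extend the comment with `On failure |*out| is unspecified` and a sentence stating the accepted encodings once the implementation is confirmed. The surrounding declaration on the two preceding context lines is cut at the top of the hunk.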
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 10fdb1f..858d2fd 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -432,6 +432,11 @@
* resumption. */
unsigned char original_handshake_hash[EVP_MAX_MD_SIZE];
unsigned int original_handshake_hash_len;
+
+ /* extended_master_secret is true if the master secret in this session
+ * was generated using EMS and thus isn't vulnerable to the Triple
+ * Handshake attack. */
+ char extended_master_secret;
};
#endif
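Review bot: The comment on SSL_SESSION.extended_master_secret says the session "isn't vulnerable to the Triple Handshake attack", but the flag on its own only records how the master secret was derived; that property holds only if the resumption path compares it with the per-handshake flag added in ssl3.h (tmp.extended_master_secret) and refuses to resume a session across a mismatched EMS negotiation, as the session-hash draft requires. None of that check is visible in these header hunks, so the comment should state the obligation rather than the conclusion, e.g. `/* extended_master_secret is true if the master secret in this session was derived with EMS. Resumption must reject a mismatch between this and the negotiated EMS state of the new handshake. */`. The same wording point applies to the ssl3.h hunk's comment, which describes the two flags as different without saying how they must be reconciled.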
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 2a201aa..3d62763 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -485,6 +485,15 @@
* this extension to the client. */
uint16_t *peer_ellipticcurvelist;
size_t peer_ellipticcurvelist_length;
+
+ /* extended_master_secret indicates whether the extended master
+ * secret computation is used in this handshake. Note that this
+ * is different from whether it was used for the current
+ * session. If this is a resumption handshake then EMS might be
+ * negotiated in the client and server hello messages, but it
+ * doesn't matter if the session that's being resumed didn't
+ * use it to create the master secret initially. */
+ char extended_master_secret;
} tmp;
/* Connection binding to prevent renegotiation attacks */
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 08ad8e8..d2682dd 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -240,6 +240,9 @@
*/
#define TLSEXT_TYPE_padding 21
+/* https://tools.ietf.org/html/draft-ietf-tls-session-hash-01 */
+#define TLSEXT_TYPE_extended_master_secret 23
+
/* ExtensionType value from RFC4507 */
#define TLSEXT_TYPE_session_ticket 35
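Review bot: The comment above TLSEXT_TYPE_extended_master_secret gives only the draft URL; since the number 23 is what a reader will want to verify, I would state its provenance, `/* extended_master_secret: ExtensionType 23, from draft-ietf-tls-session-hash-01 */`, so the value can be checked against the IANA registry when the draft changes. In the later hunk of this file, TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE is a hand-counted 22; it is correct for "extended master secret", but a `sizeof(TLS_MD_EXTENDED_MASTER_SECRET_CONST) - 1` form would not drift if the label is ever edited, at the cost of departing from the existing convention of the neighbouring constants.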
@@ -704,6 +707,8 @@
#define TLS_MD_IV_BLOCK_CONST_SIZE 8
#define TLS_MD_MASTER_SECRET_CONST "master secret"
#define TLS_MD_MASTER_SECRET_CONST_SIZE 13
+#define TLS_MD_EXTENDED_MASTER_SECRET_CONST "extended master secret"
+#define TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE 22
/* TLS Session Ticket extension struct */