From 3af37ece199b2e78589a1e0fc66d35f1681620dc Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 10 Aug 2015 21:21:40 +0300
Subject: [PATCH] Add tls_get_tls_unique() to fetch "tls-unique" for channel binding
This implements "tls-unique" derivation per RFC 5929, Section 3. This will be needed for channel binding, e.g., with EAP-TEAP.
Signed-off-by: Jouni Malinen
---
src/crypto/tls.h | 13 +++++++++++++
src/crypto/tls_openssl.c | 18 ++++++++++++++++++
2 files changed, 31 insertions(+)
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 9f07e10d9..e199187e8 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -646,4 +646,17 @@ tls_connection_get_success_data(struct tls_connection *conn);
void tls_connection_remove_session(struct tls_connection *conn);
+/**
+ * tls_get_tls_unique - Fetch "tls-unique" for channel binding
+ * @conn: Connection context data from tls_connection_init()
+ * @buf: Buffer for returning the value
+ * @max_len: Maximum length of the buffer in bytes
+ * Returns: Number of bytes written to buf or -1 on error
+ *
+ * This function can be used to fetch "tls-unique" (RFC 5929, Section 3) which
+ * is the first TLS Finished message sent in the most recent TLS handshake of
+ * the TLS connection.
+ */
+int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len);
+
 #endif /* TLS_H */
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 1073f6450..a7a779380 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
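Review bot: The kernel-doc comment on the new tls_get_tls_unique() prototype does not say under what conditions -1 is returned or how large buf must be, which callers using the value for channel binding need to get right. The implementation in this same patch returns -1 both when no handshake has completed yet (the Finished length is 0) and when the Finished message does not fit in max_len, never a truncated value, so I would change the Returns line to `* Returns: Number of bytes written to buf, or -1 on error (no completed handshake, or Finished message longer than max_len; buf is never truncated)`. It would also help to add a sentence stating that the value is only a sound channel binding when the triple-handshake attack is mitigated, i.e. the extended master secret extension (RFC 7627) was negotiated or session resumption and renegotiation are disabled, since "most recent handshake" is otherwise exactly the state an attacker can synchronize across two connections.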
@@ -5332,3 +5332,21 @@ void tls_connection_remove_session(struct tls_connection *conn)
wpa_printf(MSG_DEBUG, "OpenSSL: Removed cached session to disable session resumption");
}
+
+
+int tls_get_tls_unique(struct tls_connection *conn, u8 *buf, size_t max_len)
+{
+ size_t len;
+ int reused;
+
+ reused = SSL_session_reused(conn->ssl);
+ if ((conn->server && !reused) || (!conn->server && reused))
+ len = SSL_get_peer_finished(conn->ssl, buf, max_len);
+ else
+ len = SSL_get_finished(conn->ssl, buf, max_len);
+
+ if (len == 0 || len > max_len)
+ return -1;
+
+ return len;
+}
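Review bot: The new tls_get_tls_unique() hands out a channel-binding value for a resumed session (the `reused` branches) without any check that the triple-handshake attack is mitigated; RFC 5929 tls-unique is only sound when the extended master secret extension (RFC 7627) was negotiated or resumption and renegotiation are disabled, because otherwise an attacker can arrange identical Finished values on two connections and the "unique" value no longer binds the inner authentication to this connection. If the OpenSSL build in use can report whether extended master secret was negotiated, the safe choice is to return -1 when it was not; otherwise the requirement should at least be stated where the value is produced, e.g. `/* tls-unique is vulnerable to the triple-handshake attack unless EMS (RFC 7627) is negotiated; callers must ensure this */`. Two smaller points: conn->ssl is dereferenced with no NULL guard, so if other entry points in this file guard against a NULL conn this one should match, and `len` is a size_t returned through an int, so `return (int) len;` would make the narrowing explicit. The side/resumption logic choosing SSL_get_peer_finished() versus SSL_get_finished() does match RFC 5929 Section 3, and the `len > max_len` test correctly rejects the case where OpenSSL copied only max_len bytes but reported the full Finished length.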