• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1--- openssl-1.0.1e.orig/crypto/evp/evp.h	2013-03-05 18:49:33.183296743 +0000
2+++ openssl-1.0.1e/crypto/evp/evp.h	2013-03-05 18:49:33.373298798 +0000
3@@ -921,6 +921,7 @@ struct ec_key_st *EVP_PKEY_get1_EC_KEY(E
4 #endif
5
6 EVP_PKEY *	EVP_PKEY_new(void);
7+EVP_PKEY *	EVP_PKEY_dup(EVP_PKEY *pkey);
8 void		EVP_PKEY_free(EVP_PKEY *pkey);
9
10 EVP_PKEY *	d2i_PublicKey(int type,EVP_PKEY **a, const unsigned char **pp,
11--- openssl-1.0.1e.orig/crypto/evp/p_lib.c	2013-03-05 18:49:33.183296743 +0000
12+++ openssl-1.0.1e/crypto/evp/p_lib.c	2013-03-05 18:49:33.373298798 +0000
13@@ -200,6 +200,12 @@ EVP_PKEY *EVP_PKEY_new(void)
14 	return(ret);
15 	}
16
17+EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey)
18+	{
19+	CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
20+	return pkey;
21+	}
22+
23 /* Setup a public key ASN1 method and ENGINE from a NID or a string.
24  * If pkey is NULL just return 1 or 0 if the algorithm exists.
25  */
26--- openssl-1.0.1e.orig/ssl/s3_both.c	2013-03-05 18:49:33.233297282 +0000
27+++ openssl-1.0.1e/ssl/s3_both.c	2013-03-05 18:49:33.413299231 +0000
28@@ -555,7 +555,8 @@ long ssl3_get_message(SSL *s, int st1, i
29 #endif
30
31 	/* Feed this message into MAC computation. */
32-	ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
33+	if (*(unsigned char*)s->init_buf->data != SSL3_MT_ENCRYPTED_EXTENSIONS)
34+		ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
35 	if (s->msg_callback)
36 		s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, (size_t)s->init_num + 4, s, s->msg_callback_arg);
37 	*ok=1;
38--- openssl-1.0.1e.orig/ssl/s3_clnt.c	2013-03-05 18:49:33.233297282 +0000
39+++ openssl-1.0.1e/ssl/s3_clnt.c	2013-03-05 18:49:33.413299231 +0000
40@@ -477,13 +477,14 @@ int ssl3_connect(SSL *s)
41 				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
42 			if (ret <= 0) goto end;
43
44-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
45 			s->state=SSL3_ST_CW_FINISHED_A;
46-#else
47+#if !defined(OPENSSL_NO_TLSEXT)
48+			if (s->s3->tlsext_channel_id_valid)
49+				s->state=SSL3_ST_CW_CHANNEL_ID_A;
50+# if !defined(OPENSSL_NO_NEXTPROTONEG)
51 			if (s->s3->next_proto_neg_seen)
52 				s->state=SSL3_ST_CW_NEXT_PROTO_A;
53-			else
54-				s->state=SSL3_ST_CW_FINISHED_A;
55+# endif
56 #endif
57 			s->init_num=0;
58
59@@ -517,6 +518,18 @@ int ssl3_connect(SSL *s)
60 		case SSL3_ST_CW_NEXT_PROTO_B:
61 			ret=ssl3_send_next_proto(s);
62 			if (ret <= 0) goto end;
63+			if (s->s3->tlsext_channel_id_valid)
64+				s->state=SSL3_ST_CW_CHANNEL_ID_A;
65+			else
66+				s->state=SSL3_ST_CW_FINISHED_A;
67+			break;
68+#endif
69+
70+#if !defined(OPENSSL_NO_TLSEXT)
71+		case SSL3_ST_CW_CHANNEL_ID_A:
72+		case SSL3_ST_CW_CHANNEL_ID_B:
73+			ret=ssl3_send_channel_id(s);
74+			if (ret <= 0) goto end;
75 			s->state=SSL3_ST_CW_FINISHED_A;
76 			break;
77 #endif
78@@ -3362,7 +3375,8 @@ err:
79 	return(0);
80 	}
81
82-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
83+#if !defined(OPENSSL_NO_TLSEXT)
84+# if !defined(OPENSSL_NO_NEXTPROTONEG)
85 int ssl3_send_next_proto(SSL *s)
86 	{
87 	unsigned int len, padding_len;
88@@ -3386,7 +3400,116 @@ int ssl3_send_next_proto(SSL *s)
89
90 	return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
91 }
92-#endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
93+# endif  /* !OPENSSL_NO_NEXTPROTONEG */
94+
95+int ssl3_send_channel_id(SSL *s)
96+	{
97+	unsigned char *d;
98+	int ret = -1, public_key_len;
99+	EVP_MD_CTX md_ctx;
100+	size_t sig_len;
101+	ECDSA_SIG *sig = NULL;
102+	unsigned char *public_key = NULL, *derp, *der_sig = NULL;
103+
104+	if (s->state != SSL3_ST_CW_CHANNEL_ID_A)
105+		return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
106+
107+	d = (unsigned char *)s->init_buf->data;
108+	*(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS;
109+	l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d);
110+	s2n(TLSEXT_TYPE_channel_id, d);
111+	s2n(TLSEXT_CHANNEL_ID_SIZE, d);
112+
113+	EVP_MD_CTX_init(&md_ctx);
114+
115+	public_key_len = i2d_PublicKey(s->tlsext_channel_id_private, NULL);
116+	if (public_key_len <= 0)
117+		{
118+		SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY);
119+		goto err;
120+		}
121+	// i2d_PublicKey will produce an ANSI X9.62 public key which, for a
122+	// P-256 key, is 0x04 (meaning uncompressed) followed by the x and y
123+	// field elements as 32-byte, big-endian numbers.
124+	if (public_key_len != 65)
125+		{
126+		SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CHANNEL_ID_NOT_P256);
127+		goto err;
128+		}
129+	public_key = OPENSSL_malloc(public_key_len);
130+	if (!public_key)
131+		{
132+		SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE);
133+		goto err;
134+		}
135+
136+	derp = public_key;
137+	i2d_PublicKey(s->tlsext_channel_id_private, &derp);
138+
139+	if (EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL,
140+			       s->tlsext_channel_id_private) != 1)
141+		{
142+		SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNINIT_FAILED);
143+		goto err;
144+		}
145+
146+	if (!tls1_channel_id_hash(&md_ctx, s))
147+		goto err;
148+
149+	if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len))
150+		{
151+		SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
152+		goto err;
153+		}
154+
155+	der_sig = OPENSSL_malloc(sig_len);
156+	if (!der_sig)
157+		{
158+		SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,ERR_R_MALLOC_FAILURE);
159+		goto err;
160+		}
161+
162+	if (!EVP_DigestSignFinal(&md_ctx, der_sig, &sig_len))
163+		{
164+		SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_EVP_DIGESTSIGNFINAL_FAILED);
165+		goto err;
166+		}
167+
168+	derp = der_sig;
169+	sig = d2i_ECDSA_SIG(NULL, (const unsigned char**)&derp, sig_len);
170+	if (sig == NULL)
171+		{
172+		SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_D2I_ECDSA_SIG);
173+		goto err;
174+		}
175+
176+	// The first byte of public_key will be 0x4, denoting an uncompressed key.
177+	memcpy(d, public_key + 1, 64);
178+	d += 64;
179+	memset(d, 0, 2 * 32);
180+	BN_bn2bin(sig->r, d + 32 - BN_num_bytes(sig->r));
181+	d += 32;
182+	BN_bn2bin(sig->s, d + 32 - BN_num_bytes(sig->s));
183+	d += 32;
184+
185+	s->state = SSL3_ST_CW_CHANNEL_ID_B;
186+	s->init_num = 4 + 2 + 2 + TLSEXT_CHANNEL_ID_SIZE;
187+	s->init_off = 0;
188+
189+	ret = ssl3_do_write(s, SSL3_RT_HANDSHAKE);
190+
191+err:
192+	EVP_MD_CTX_cleanup(&md_ctx);
193+	if (public_key)
194+		OPENSSL_free(public_key);
195+	if (der_sig)
196+		OPENSSL_free(der_sig);
197+	if (sig)
198+		ECDSA_SIG_free(sig);
199+
200+	return ret;
201+	}
202+#endif  /* !OPENSSL_NO_TLSEXT */
203
204 /* Check to see if handshake is full or resumed. Usually this is just a
205  * case of checking to see if a cache hit has occurred. In the case of
206--- openssl-1.0.1e.orig/ssl/s3_lib.c	2013-03-05 18:49:33.223297173 +0000
207+++ openssl-1.0.1e/ssl/s3_lib.c	2013-03-05 18:49:33.413299231 +0000
208@@ -2951,6 +2951,11 @@ int ssl3_new(SSL *s)
209 #ifndef OPENSSL_NO_SRP
210 	SSL_SRP_CTX_init(s);
211 #endif
212+#if !defined(OPENSSL_NO_TLSEXT)
213+	s->tlsext_channel_id_enabled = s->ctx->tlsext_channel_id_enabled;
214+	if (s->ctx->tlsext_channel_id_private)
215+		s->tlsext_channel_id_private = EVP_PKEY_dup(s->ctx->tlsext_channel_id_private);
216+#endif
217 	s->method->ssl_clear(s);
218 	return(1);
219 err:
220@@ -3074,6 +3079,10 @@ void ssl3_clear(SSL *s)
221 		s->next_proto_negotiated_len = 0;
222 		}
223 #endif
224+
225+#if !defined(OPENSSL_NO_TLSEXT)
226+	s->s3->tlsext_channel_id_valid = 0;
227+#endif
228 	}
229
230 #ifndef OPENSSL_NO_SRP
231@@ -3348,6 +3357,35 @@ long ssl3_ctrl(SSL *s, int cmd, long lar
232 		ret = 1;
233 		break;
234 #endif
235+	case SSL_CTRL_CHANNEL_ID:
236+		if (!s->server)
237+			break;
238+		s->tlsext_channel_id_enabled = 1;
239+		ret = 1;
240+		break;
241+
242+	case SSL_CTRL_SET_CHANNEL_ID:
243+		if (s->server)
244+			break;
245+		s->tlsext_channel_id_enabled = 1;
246+		if (EVP_PKEY_bits(parg) != 256)
247+			{
248+			SSLerr(SSL_F_SSL3_CTRL,SSL_R_CHANNEL_ID_NOT_P256);
249+			break;
250+			}
251+		if (s->tlsext_channel_id_private)
252+			EVP_PKEY_free(s->tlsext_channel_id_private);
253+		s->tlsext_channel_id_private = (EVP_PKEY*) parg;
254+		ret = 1;
255+		break;
256+
257+	case SSL_CTRL_GET_CHANNEL_ID:
258+		if (!s->server)
259+			break;
260+		if (!s->s3->tlsext_channel_id_valid)
261+			break;
262+		memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64);
263+		return 64;
264
265 #endif /* !OPENSSL_NO_TLSEXT */
266 	default:
267@@ -3569,6 +3607,12 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd
268 			}
269 		return 1;
270 		}
271+	case SSL_CTRL_CHANNEL_ID:
272+		/* must be called on a server */
273+		if (ctx->method->ssl_accept == ssl_undefined_function)
274+			return 0;
275+		ctx->tlsext_channel_id_enabled=1;
276+		return 1;
277
278 #ifdef TLSEXT_TYPE_opaque_prf_input
279 	case SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG:
280@@ -3637,6 +3681,18 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd
281 			}
282 		break;
283
284+	case SSL_CTRL_SET_CHANNEL_ID:
285+		ctx->tlsext_channel_id_enabled = 1;
286+		if (EVP_PKEY_bits(parg) != 256)
287+			{
288+			SSLerr(SSL_F_SSL3_CTX_CTRL,SSL_R_CHANNEL_ID_NOT_P256);
289+			break;
290+			}
291+		if (ctx->tlsext_channel_id_private)
292+			EVP_PKEY_free(ctx->tlsext_channel_id_private);
293+		ctx->tlsext_channel_id_private = (EVP_PKEY*) parg;
294+		break;
295+
296 	default:
297 		return(0);
298 		}
299--- openssl-1.0.1e.orig/ssl/s3_srvr.c	2013-03-05 18:49:33.233297282 +0000
300+++ openssl-1.0.1e/ssl/s3_srvr.c	2013-03-05 18:49:33.413299231 +0000
301@@ -157,8 +157,11 @@
302 #include <openssl/buffer.h>
303 #include <openssl/rand.h>
304 #include <openssl/objects.h>
305+#include <openssl/ec.h>
306+#include <openssl/ecdsa.h>
307 #include <openssl/evp.h>
308 #include <openssl/hmac.h>
309+#include <openssl/sha.h>
310 #include <openssl/x509.h>
311 #ifndef OPENSSL_NO_DH
312 #include <openssl/dh.h>
313@@ -609,15 +612,8 @@ int ssl3_accept(SSL *s)
314 				 * the client uses its key from the certificate
315 				 * for key exchange.
316 				 */
317-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
318-				s->state=SSL3_ST_SR_FINISHED_A;
319-#else
320-				if (s->s3->next_proto_neg_seen)
321-					s->state=SSL3_ST_SR_NEXT_PROTO_A;
322-				else
323-					s->state=SSL3_ST_SR_FINISHED_A;
324-#endif
325 				s->init_num = 0;
326+				s->state=SSL3_ST_SR_POST_CLIENT_CERT;
327 				}
328 			else if (TLS1_get_version(s) >= TLS1_2_VERSION)
329 				{
330@@ -677,16 +673,28 @@ int ssl3_accept(SSL *s)
331 			ret=ssl3_get_cert_verify(s);
332 			if (ret <= 0) goto end;
333
334-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
335-			s->state=SSL3_ST_SR_FINISHED_A;
336-#else
337-			if (s->s3->next_proto_neg_seen)
338+			s->state=SSL3_ST_SR_POST_CLIENT_CERT;
339+			s->init_num=0;
340+			break;
341+
342+		case SSL3_ST_SR_POST_CLIENT_CERT: {
343+			char next_proto_neg = 0;
344+			char channel_id = 0;
345+#if !defined(OPENSSL_NO_TLSEXT)
346+# if !defined(OPENSSL_NO_NEXTPROTONEG)
347+			next_proto_neg = s->s3->next_proto_neg_seen;
348+# endif
349+			channel_id = s->s3->tlsext_channel_id_valid;
350+#endif
351+
352+			if (next_proto_neg)
353 				s->state=SSL3_ST_SR_NEXT_PROTO_A;
354+			else if (channel_id)
355+				s->state=SSL3_ST_SR_CHANNEL_ID_A;
356 			else
357 				s->state=SSL3_ST_SR_FINISHED_A;
358-#endif
359-			s->init_num=0;
360 			break;
361+		}
362
363 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
364 		case SSL3_ST_SR_NEXT_PROTO_A:
365@@ -694,6 +702,19 @@ int ssl3_accept(SSL *s)
366 			ret=ssl3_get_next_proto(s);
367 			if (ret <= 0) goto end;
368 			s->init_num = 0;
369+			if (s->s3->tlsext_channel_id_valid)
370+				s->state=SSL3_ST_SR_CHANNEL_ID_A;
371+			else
372+				s->state=SSL3_ST_SR_FINISHED_A;
373+			break;
374+#endif
375+
376+#if !defined(OPENSSL_NO_TLSEXT)
377+		case SSL3_ST_SR_CHANNEL_ID_A:
378+		case SSL3_ST_SR_CHANNEL_ID_B:
379+			ret=ssl3_get_channel_id(s);
380+			if (ret <= 0) goto end;
381+			s->init_num = 0;
382 			s->state=SSL3_ST_SR_FINISHED_A;
383 			break;
384 #endif
385@@ -765,16 +786,7 @@ int ssl3_accept(SSL *s)
386 			if (ret <= 0) goto end;
387 			s->state=SSL3_ST_SW_FLUSH;
388 			if (s->hit)
389-				{
390-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
391-				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
392-#else
393-				if (s->s3->next_proto_neg_seen)
394-					s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
395-				else
396-					s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
397-#endif
398-				}
399+				s->s3->tmp.next_state=SSL3_ST_SR_POST_CLIENT_CERT;
400 			else
401 				s->s3->tmp.next_state=SSL_ST_OK;
402 			s->init_num=0;
403@@ -3610,4 +3622,140 @@ int ssl3_get_next_proto(SSL *s)
404 	return 1;
405 	}
406 # endif
407+
408+/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
409+int ssl3_get_channel_id(SSL *s)
410+	{
411+	int ret = -1, ok;
412+	long n;
413+	const unsigned char *p;
414+	unsigned short extension_type, extension_len;
415+	EC_GROUP* p256 = NULL;
416+	EC_KEY* key = NULL;
417+	EC_POINT* point = NULL;
418+	ECDSA_SIG sig;
419+	BIGNUM x, y;
420+
421+	if (s->state == SSL3_ST_SR_CHANNEL_ID_A && s->init_num == 0)
422+		{
423+		/* The first time that we're called we take the current
424+		 * handshake hash and store it. */
425+		EVP_MD_CTX md_ctx;
426+		unsigned int len;
427+
428+		EVP_MD_CTX_init(&md_ctx);
429+		EVP_DigestInit_ex(&md_ctx, EVP_sha256(), NULL);
430+		if (!tls1_channel_id_hash(&md_ctx, s))
431+			return -1;
432+		len = sizeof(s->s3->tlsext_channel_id);
433+		EVP_DigestFinal(&md_ctx, s->s3->tlsext_channel_id, &len);
434+		EVP_MD_CTX_cleanup(&md_ctx);
435+		}
436+
437+	n = s->method->ssl_get_message(s,
438+		SSL3_ST_SR_CHANNEL_ID_A,
439+		SSL3_ST_SR_CHANNEL_ID_B,
440+		SSL3_MT_ENCRYPTED_EXTENSIONS,
441+		2 + 2 + TLSEXT_CHANNEL_ID_SIZE,
442+		&ok);
443+
444+	if (!ok)
445+		return((int)n);
446+
447+	ssl3_finish_mac(s, (unsigned char*)s->init_buf->data, s->init_num + 4);
448+
449+	/* s->state doesn't reflect whether ChangeCipherSpec has been received
450+	 * in this handshake, but s->s3->change_cipher_spec does (will be reset
451+	 * by ssl3_get_finished). */
452+	if (!s->s3->change_cipher_spec)
453+		{
454+		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS);
455+		return -1;
456+		}
457+
458+	if (n != 2 + 2 + TLSEXT_CHANNEL_ID_SIZE)
459+		{
460+		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE);
461+		return -1;
462+		}
463+
464+	p = (unsigned char *)s->init_msg;
465+
466+	/* The payload looks like:
467+	 *   uint16 extension_type
468+	 *   uint16 extension_len;
469+	 *   uint8 x[32];
470+	 *   uint8 y[32];
471+	 *   uint8 r[32];
472+	 *   uint8 s[32];
473+	 */
474+	n2s(p, extension_type);
475+	n2s(p, extension_len);
476+
477+	if (extension_type != TLSEXT_TYPE_channel_id ||
478+	    extension_len != TLSEXT_CHANNEL_ID_SIZE)
479+		{
480+		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_INVALID_MESSAGE);
481+		return -1;
482+		}
483+
484+	p256 = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
485+	if (!p256)
486+		{
487+		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_NO_P256_SUPPORT);
488+		return -1;
489+		}
490+
491+	BN_init(&x);
492+	BN_init(&y);
493+	sig.r = BN_new();
494+	sig.s = BN_new();
495+
496+	if (BN_bin2bn(p +  0, 32, &x) == NULL ||
497+	    BN_bin2bn(p + 32, 32, &y) == NULL ||
498+	    BN_bin2bn(p + 64, 32, sig.r) == NULL ||
499+	    BN_bin2bn(p + 96, 32, sig.s) == NULL)
500+		goto err;
501+
502+	point = EC_POINT_new(p256);
503+	if (!point ||
504+	    !EC_POINT_set_affine_coordinates_GFp(p256, point, &x, &y, NULL))
505+		goto err;
506+
507+	key = EC_KEY_new();
508+	if (!key ||
509+	    !EC_KEY_set_group(key, p256) ||
510+	    !EC_KEY_set_public_key(key, point))
511+		goto err;
512+
513+	/* We stored the handshake hash in |tlsext_channel_id| the first time
514+	 * that we were called. */
515+	switch (ECDSA_do_verify(s->s3->tlsext_channel_id, SHA256_DIGEST_LENGTH, &sig, key)) {
516+	case 1:
517+		break;
518+	case 0:
519+		SSLerr(SSL_F_SSL3_GET_CHANNEL_ID,SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
520+		s->s3->tlsext_channel_id_valid = 0;
521+		goto err;
522+	default:
523+		s->s3->tlsext_channel_id_valid = 0;
524+		goto err;
525+	}
526+
527+	memcpy(s->s3->tlsext_channel_id, p, 64);
528+	ret = 1;
529+
530+err:
531+	BN_free(&x);
532+	BN_free(&y);
533+	BN_free(sig.r);
534+	BN_free(sig.s);
535+	if (key)
536+		EC_KEY_free(key);
537+	if (point)
538+		EC_POINT_free(point);
539+	if (p256)
540+		EC_GROUP_free(p256);
541+	return ret;
542+	}
543 #endif
544--- openssl-1.0.1e.orig/ssl/ssl.h	2013-03-05 18:49:33.233297282 +0000
545+++ openssl-1.0.1e/ssl/ssl.h	2013-03-05 18:49:33.413299231 +0000
546@@ -981,6 +981,12 @@ struct ssl_ctx_st
547 # endif
548         /* SRTP profiles we are willing to do from RFC 5764 */
549         STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
550+
551+	/* If true, a client will advertise the Channel ID extension and a
552+	 * server will echo it. */
553+	char tlsext_channel_id_enabled;
554+	/* The client's Channel ID private key. */
555+	EVP_PKEY *tlsext_channel_id_private;
556 #endif
557 	};
558
559@@ -1022,6 +1028,10 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(
560 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
561 #define SSL_CTX_sess_cache_full(ctx) \
562 	SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
563+/* SSL_CTX_enable_tls_channel_id configures a TLS server to accept TLS client
564+ * IDs from clients. Returns 1 on success. */
565+#define SSL_CTX_enable_tls_channel_id(ctx) \
566+	SSL_CTX_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL)
567
568 void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess));
569 int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess);
570@@ -1348,6 +1358,13 @@ struct ssl_st
571 	                                 */
572 	unsigned int tlsext_hb_pending; /* Indicates if a HeartbeatRequest is in flight */
573 	unsigned int tlsext_hb_seq;     /* HeartbeatRequest sequence number */
574+
575+	/* Copied from the SSL_CTX. For a server, means that we'll accept
576+	 * Channel IDs from clients. For a client, means that we'll advertise
577+	 * support. */
578+	char tlsext_channel_id_enabled;
579+	/* The client's Channel ID private key. */
580+	EVP_PKEY *tlsext_channel_id_private;
581 #else
582 #define session_ctx ctx
583 #endif /* OPENSSL_NO_TLSEXT */
584@@ -1605,6 +1622,9 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
585 #define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING		86
586 #define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS	87
587 #endif
588+#define SSL_CTRL_CHANNEL_ID			88
589+#define SSL_CTRL_GET_CHANNEL_ID			89
590+#define SSL_CTRL_SET_CHANNEL_ID			90
591 #endif
592
593 #define DTLS_CTRL_GET_TIMEOUT		73
594@@ -1652,6 +1672,25 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
595 #define SSL_set_tmp_ecdh(ssl,ecdh) \
596 	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
597
598+/* SSL_enable_tls_channel_id configures a TLS server to accept TLS client
599+ * IDs from clients. Returns 1 on success. */
600+#define SSL_enable_tls_channel_id(ctx) \
601+	SSL_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL)
602+/* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
603+ * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on
604+ * success. */
605+#define SSL_set1_tls_channel_id(s, private_key) \
606+	SSL_ctrl(s,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key)
607+#define SSL_CTX_set1_tls_channel_id(ctx, private_key) \
608+	SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHANNEL_ID,0,(void*)private_key)
609+/* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server SSL*
610+ * and copies up to the first |channel_id_len| bytes into |channel_id|. The
611+ * Channel ID consists of the client's P-256 public key as an (x,y) pair where
612+ * each is a 32-byte, big-endian field element. Returns 0 if the client didn't
613+ * offer a Channel ID and the length of the complete Channel ID otherwise. */
614+#define SSL_get_tls_channel_id(ctx, channel_id, channel_id_len) \
615+	SSL_ctrl(ctx,SSL_CTRL_GET_CHANNEL_ID,channel_id_len,(void*)channel_id)
616+
617 #define SSL_CTX_add_extra_chain_cert(ctx,x509) \
618 	SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509)
619 #define SSL_CTX_get_extra_chain_certs(ctx,px509) \
620@@ -1686,6 +1725,7 @@ int	SSL_CIPHER_get_bits(const SSL_CIPHER
621 char *	SSL_CIPHER_get_version(const SSL_CIPHER *c);
622 const char *	SSL_CIPHER_get_name(const SSL_CIPHER *c);
623 unsigned long 	SSL_CIPHER_get_id(const SSL_CIPHER *c);
624+const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher);
625
626 int	SSL_get_fd(const SSL *s);
627 int	SSL_get_rfd(const SSL *s);
628@@ -2149,6 +2189,7 @@ void ERR_load_SSL_strings(void);
629 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST		 135
630 #define SSL_F_SSL3_GET_CERT_STATUS			 289
631 #define SSL_F_SSL3_GET_CERT_VERIFY			 136
632+#define SSL_F_SSL3_GET_CHANNEL_ID			 317
633 #define SSL_F_SSL3_GET_CLIENT_CERTIFICATE		 137
634 #define SSL_F_SSL3_GET_CLIENT_HELLO			 138
635 #define SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE		 139
636@@ -2168,6 +2209,7 @@ void ERR_load_SSL_strings(void);
637 #define SSL_F_SSL3_READ_BYTES				 148
638 #define SSL_F_SSL3_READ_N				 149
639 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST		 150
640+#define SSL_F_SSL3_SEND_CHANNEL_ID			 318
641 #define SSL_F_SSL3_SEND_CLIENT_CERTIFICATE		 151
642 #define SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE		 152
643 #define SSL_F_SSL3_SEND_CLIENT_VERIFY			 153
644@@ -2335,12 +2377,15 @@ void ERR_load_SSL_strings(void);
645 #define SSL_R_BIO_NOT_SET				 128
646 #define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG			 129
647 #define SSL_R_BN_LIB					 130
648+#define SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY		 376
649 #define SSL_R_CA_DN_LENGTH_MISMATCH			 131
650 #define SSL_R_CA_DN_TOO_LONG				 132
651 #define SSL_R_CCS_RECEIVED_EARLY			 133
652 #define SSL_R_CERTIFICATE_VERIFY_FAILED			 134
653 #define SSL_R_CERT_LENGTH_MISMATCH			 135
654 #define SSL_R_CHALLENGE_IS_DIFFERENT			 136
655+#define SSL_R_CHANNEL_ID_NOT_P256			 375
656+#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID		 371
657 #define SSL_R_CIPHER_CODE_WRONG_LENGTH			 137
658 #define SSL_R_CIPHER_OR_HASH_UNAVAILABLE		 138
659 #define SSL_R_CIPHER_TABLE_SRC_ERROR			 139
660@@ -2353,6 +2398,7 @@ void ERR_load_SSL_strings(void);
661 #define SSL_R_CONNECTION_ID_IS_DIFFERENT		 143
662 #define SSL_R_CONNECTION_TYPE_NOT_SET			 144
663 #define SSL_R_COOKIE_MISMATCH				 308
664+#define SSL_R_D2I_ECDSA_SIG				 379
665 #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED		 145
666 #define SSL_R_DATA_LENGTH_TOO_LONG			 146
667 #define SSL_R_DECRYPTION_FAILED				 147
668@@ -2370,9 +2416,12 @@ void ERR_load_SSL_strings(void);
669 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG			 150
670 #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY		 282
671 #define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST		 151
672+#define SSL_R_EVP_DIGESTSIGNFINAL_FAILED		 377
673+#define SSL_R_EVP_DIGESTSIGNINIT_FAILED			 378
674 #define SSL_R_EXCESSIVE_MESSAGE_SIZE			 152
675 #define SSL_R_EXTRA_DATA_IN_MESSAGE			 153
676 #define SSL_R_GOT_A_FIN_BEFORE_A_CCS			 154
677+#define SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS		 372
678 #define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS		 355
679 #define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION		 356
680 #define SSL_R_HTTPS_PROXY_REQUEST			 155
681@@ -2382,6 +2431,7 @@ void ERR_load_SSL_strings(void);
682 #define SSL_R_INVALID_CHALLENGE_LENGTH			 158
683 #define SSL_R_INVALID_COMMAND				 280
684 #define SSL_R_INVALID_COMPRESSION_ALGORITHM		 341
685+#define SSL_R_INVALID_MESSAGE				 374
686 #define SSL_R_INVALID_PURPOSE				 278
687 #define SSL_R_INVALID_SRP_USERNAME			 357
688 #define SSL_R_INVALID_STATUS_RESPONSE			 328
689@@ -2436,6 +2486,7 @@ void ERR_load_SSL_strings(void);
690 #define SSL_R_NO_COMPRESSION_SPECIFIED			 187
691 #define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER		 330
692 #define SSL_R_NO_METHOD_SPECIFIED			 188
693+#define SSL_R_NO_P256_SUPPORT				 373
694 #define SSL_R_NO_PRIVATEKEY				 189
695 #define SSL_R_NO_PRIVATE_KEY_ASSIGNED			 190
696 #define SSL_R_NO_PROTOCOLS_AVAILABLE			 191
697--- openssl-1.0.1e.orig/ssl/ssl3.h	2013-03-05 18:49:33.223297173 +0000
698+++ openssl-1.0.1e/ssl/ssl3.h	2013-03-05 18:49:33.413299231 +0000
699@@ -539,6 +539,17 @@ typedef struct ssl3_state_st
700 	/* Set if we saw the Next Protocol Negotiation extension from our peer. */
701 	int next_proto_neg_seen;
702 #endif
703+
704+	/* In a client, this means that the server supported Channel ID and that
705+	 * a Channel ID was sent. In a server it means that we echoed support
706+	 * for Channel IDs and that tlsext_channel_id will be valid after the
707+	 * handshake. */
708+	char tlsext_channel_id_valid;
709+	/* For a server:
710+	 *     If |tlsext_channel_id_valid| is true, then this contains the
711+	 *     verified Channel ID from the client: a P256 point, (x,y), where
712+	 *     each are big-endian values. */
713+	unsigned char tlsext_channel_id[64];
714 	} SSL3_STATE;
715
716 #endif
717@@ -583,6 +594,8 @@ typedef struct ssl3_state_st
718 #define SSL3_ST_CW_NEXT_PROTO_A		(0x200|SSL_ST_CONNECT)
719 #define SSL3_ST_CW_NEXT_PROTO_B		(0x201|SSL_ST_CONNECT)
720 #endif
721+#define SSL3_ST_CW_CHANNEL_ID_A		(0x210|SSL_ST_CONNECT)
722+#define SSL3_ST_CW_CHANNEL_ID_B		(0x211|SSL_ST_CONNECT)
723 #define SSL3_ST_CW_FINISHED_A		(0x1B0|SSL_ST_CONNECT)
724 #define SSL3_ST_CW_FINISHED_B		(0x1B1|SSL_ST_CONNECT)
725 /* read from server */
726@@ -632,10 +645,13 @@ typedef struct ssl3_state_st
727 #define SSL3_ST_SR_CERT_VRFY_B		(0x1A1|SSL_ST_ACCEPT)
728 #define SSL3_ST_SR_CHANGE_A		(0x1B0|SSL_ST_ACCEPT)
729 #define SSL3_ST_SR_CHANGE_B		(0x1B1|SSL_ST_ACCEPT)
730+#define SSL3_ST_SR_POST_CLIENT_CERT	(0x1BF|SSL_ST_ACCEPT)
731 #ifndef OPENSSL_NO_NEXTPROTONEG
732 #define SSL3_ST_SR_NEXT_PROTO_A		(0x210|SSL_ST_ACCEPT)
733 #define SSL3_ST_SR_NEXT_PROTO_B		(0x211|SSL_ST_ACCEPT)
734 #endif
735+#define SSL3_ST_SR_CHANNEL_ID_A		(0x220|SSL_ST_ACCEPT)
736+#define SSL3_ST_SR_CHANNEL_ID_B		(0x221|SSL_ST_ACCEPT)
737 #define SSL3_ST_SR_FINISHED_A		(0x1C0|SSL_ST_ACCEPT)
738 #define SSL3_ST_SR_FINISHED_B		(0x1C1|SSL_ST_ACCEPT)
739 /* write to client */
740@@ -663,6 +679,7 @@ typedef struct ssl3_state_st
741 #ifndef OPENSSL_NO_NEXTPROTONEG
742 #define SSL3_MT_NEXT_PROTO			67
743 #endif
744+#define SSL3_MT_ENCRYPTED_EXTENSIONS		203
745 #define DTLS1_MT_HELLO_VERIFY_REQUEST    3
746
747
748--- openssl-1.0.1e.orig/ssl/ssl_err.c	2013-03-05 18:49:33.243297392 +0000
749+++ openssl-1.0.1e/ssl/ssl_err.c	2013-03-05 18:49:33.413299231 +0000
750@@ -151,6 +151,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
751 {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),	"SSL3_GET_CERTIFICATE_REQUEST"},
752 {ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS),	"SSL3_GET_CERT_STATUS"},
753 {ERR_FUNC(SSL_F_SSL3_GET_CERT_VERIFY),	"SSL3_GET_CERT_VERIFY"},
754+{ERR_FUNC(SSL_F_SSL3_GET_CHANNEL_ID),	"SSL3_GET_CHANNEL_ID"},
755 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_CERTIFICATE),	"SSL3_GET_CLIENT_CERTIFICATE"},
756 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_HELLO),	"SSL3_GET_CLIENT_HELLO"},
757 {ERR_FUNC(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE),	"SSL3_GET_CLIENT_KEY_EXCHANGE"},
758@@ -170,6 +171,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
759 {ERR_FUNC(SSL_F_SSL3_READ_BYTES),	"SSL3_READ_BYTES"},
760 {ERR_FUNC(SSL_F_SSL3_READ_N),	"SSL3_READ_N"},
761 {ERR_FUNC(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST),	"SSL3_SEND_CERTIFICATE_REQUEST"},
762+{ERR_FUNC(SSL_F_SSL3_SEND_CHANNEL_ID),	"SSL3_SEND_CHANNEL_ID"},
763 {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE),	"SSL3_SEND_CLIENT_CERTIFICATE"},
764 {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE),	"SSL3_SEND_CLIENT_KEY_EXCHANGE"},
765 {ERR_FUNC(SSL_F_SSL3_SEND_CLIENT_VERIFY),	"SSL3_SEND_CLIENT_VERIFY"},
766@@ -339,12 +341,15 @@ static ERR_STRING_DATA SSL_str_reasons[]
767 {ERR_REASON(SSL_R_BIO_NOT_SET)           ,"bio not set"},
768 {ERR_REASON(SSL_R_BLOCK_CIPHER_PAD_IS_WRONG),"block cipher pad is wrong"},
769 {ERR_REASON(SSL_R_BN_LIB)                ,"bn lib"},
770+{ERR_REASON(SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY),"cannot serialize public key"},
771 {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) ,"ca dn length mismatch"},
772 {ERR_REASON(SSL_R_CA_DN_TOO_LONG)        ,"ca dn too long"},
773 {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY)    ,"ccs received early"},
774 {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED),"certificate verify failed"},
775 {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH)  ,"cert length mismatch"},
776 {ERR_REASON(SSL_R_CHALLENGE_IS_DIFFERENT),"challenge is different"},
777+{ERR_REASON(SSL_R_CHANNEL_ID_NOT_P256)   ,"channel id not p256"},
778+{ERR_REASON(SSL_R_CHANNEL_ID_SIGNATURE_INVALID),"Channel ID signature invalid"},
779 {ERR_REASON(SSL_R_CIPHER_CODE_WRONG_LENGTH),"cipher code wrong length"},
780 {ERR_REASON(SSL_R_CIPHER_OR_HASH_UNAVAILABLE),"cipher or hash unavailable"},
781 {ERR_REASON(SSL_R_CIPHER_TABLE_SRC_ERROR),"cipher table src error"},
782@@ -357,6 +362,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
783 {ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
784 {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
785 {ERR_REASON(SSL_R_COOKIE_MISMATCH)       ,"cookie mismatch"},
786+{ERR_REASON(SSL_R_D2I_ECDSA_SIG)         ,"d2i ecdsa sig"},
787 {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
788 {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG)  ,"data length too long"},
789 {ERR_REASON(SSL_R_DECRYPTION_FAILED)     ,"decryption failed"},
790@@ -374,9 +380,12 @@ static ERR_STRING_DATA SSL_str_reasons[]
791 {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG),"encrypted length too long"},
792 {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY),"error generating tmp rsa key"},
793 {ERR_REASON(SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST),"error in received cipher list"},
794+{ERR_REASON(SSL_R_EVP_DIGESTSIGNFINAL_FAILED),"evp digestsignfinal failed"},
795+{ERR_REASON(SSL_R_EVP_DIGESTSIGNINIT_FAILED),"evp digestsigninit failed"},
796 {ERR_REASON(SSL_R_EXCESSIVE_MESSAGE_SIZE),"excessive message size"},
797 {ERR_REASON(SSL_R_EXTRA_DATA_IN_MESSAGE) ,"extra data in message"},
798 {ERR_REASON(SSL_R_GOT_A_FIN_BEFORE_A_CCS),"got a fin before a ccs"},
799+{ERR_REASON(SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS),"got Channel ID before a ccs"},
800 {ERR_REASON(SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS),"got next proto before a ccs"},
801 {ERR_REASON(SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION),"got next proto without seeing extension"},
802 {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   ,"https proxy request"},
803@@ -386,6 +395,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
804 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
805 {ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
806 {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
807+{ERR_REASON(SSL_R_INVALID_MESSAGE)       ,"invalid message"},
808 {ERR_REASON(SSL_R_INVALID_PURPOSE)       ,"invalid purpose"},
809 {ERR_REASON(SSL_R_INVALID_SRP_USERNAME)  ,"invalid srp username"},
810 {ERR_REASON(SSL_R_INVALID_STATUS_RESPONSE),"invalid status response"},
811@@ -440,6 +450,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
812 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
813 {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),"Peer haven't sent GOST certificate, required for selected ciphersuite"},
814 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED)   ,"no method specified"},
815+{ERR_REASON(SSL_R_NO_P256_SUPPORT)       ,"no p256 support"},
816 {ERR_REASON(SSL_R_NO_PRIVATEKEY)         ,"no privatekey"},
817 {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
818 {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
819--- openssl-1.0.1e.orig/ssl/ssl_lib.c	2013-03-05 18:49:33.243297392 +0000
820+++ openssl-1.0.1e/ssl/ssl_lib.c	2013-03-05 18:49:33.413299231 +0000
821@@ -579,6 +579,8 @@ void SSL_free(SSL *s)
822 		sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
823 	if (s->tlsext_ocsp_resp)
824 		OPENSSL_free(s->tlsext_ocsp_resp);
825+	if (s->tlsext_channel_id_private)
826+		EVP_PKEY_free(s->tlsext_channel_id_private);
827 #endif
828
829 	if (s->client_CA != NULL)
830@@ -2005,6 +2007,11 @@ void SSL_CTX_free(SSL_CTX *a)
831 		ssl_buf_freelist_free(a->rbuf_freelist);
832 #endif
833
834+#ifndef OPENSSL_NO_TLSEXT
835+	if (a->tlsext_channel_id_private)
836+		EVP_PKEY_free(a->tlsext_channel_id_private);
837+#endif
838+
839 	OPENSSL_free(a);
840 	}
841
842--- openssl-1.0.1e.orig/ssl/ssl_locl.h	2013-03-05 18:49:33.243297392 +0000
843+++ openssl-1.0.1e/ssl/ssl_locl.h	2013-03-05 18:49:33.413299231 +0000
844@@ -378,6 +378,7 @@
845  * (currently this also goes into algorithm2) */
846 #define TLS1_STREAM_MAC 0x04
847
848+#define TLSEXT_CHANNEL_ID_SIZE 128
849
850
851 /*
852@@ -1004,6 +1005,7 @@ int ssl3_check_cert_and_algorithm(SSL *s
853 int ssl3_check_finished(SSL *s);
854 # ifndef OPENSSL_NO_NEXTPROTONEG
855 int ssl3_send_next_proto(SSL *s);
856+int ssl3_send_channel_id(SSL *s);
857 # endif
858 #endif
859
860@@ -1026,6 +1028,7 @@ int ssl3_get_cert_verify(SSL *s);
861 #ifndef OPENSSL_NO_NEXTPROTONEG
862 int ssl3_get_next_proto(SSL *s);
863 #endif
864+int ssl3_get_channel_id(SSL *s);
865
866 int dtls1_send_hello_request(SSL *s);
867 int dtls1_send_server_hello(SSL *s);
868@@ -1123,7 +1126,9 @@ int tls12_get_sigandhash(unsigned char *
869 int tls12_get_sigid(const EVP_PKEY *pk);
870 const EVP_MD *tls12_get_hash(unsigned char hash_alg);
871
872+int tls1_channel_id_hash(EVP_MD_CTX *ctx, SSL *s);
873 #endif
874+
875 EVP_MD_CTX* ssl_replace_hash(EVP_MD_CTX **hash,const EVP_MD *md) ;
876 void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
877 int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
878--- openssl-1.0.1e.orig/ssl/t1_lib.c	2013-03-05 18:49:33.173296633 +0000
879+++ openssl-1.0.1e/ssl/t1_lib.c	2013-03-05 18:49:33.413299231 +0000
880@@ -649,6 +649,16 @@ unsigned char *ssl_add_clienthello_tlsex
881 		}
882 #endif
883
884+	if (s->tlsext_channel_id_enabled)
885+		{
886+		/* The client advertises an emtpy extension to indicate its
887+		 * support for Channel ID. */
888+		if (limit - ret - 4 < 0)
889+			return NULL;
890+		s2n(TLSEXT_TYPE_channel_id,ret);
891+		s2n(0,ret);
892+		}
893+
894 #ifndef OPENSSL_NO_SRTP
895         if(SSL_get_srtp_profiles(s))
896                 {
897@@ -859,6 +869,16 @@ unsigned char *ssl_add_serverhello_tlsex
898 		}
899 #endif
900
901+	/* If the client advertised support for Channel ID, and we have it
902+	 * enabled, then we want to echo it back. */
903+	if (s->s3->tlsext_channel_id_valid)
904+		{
905+		if (limit - ret - 4 < 0)
906+			return NULL;
907+		s2n(TLSEXT_TYPE_channel_id,ret);
908+		s2n(0,ret);
909+		}
910+
911 	if ((extdatalen = ret-p-2)== 0)
912 		return p;
913
914@@ -1332,6 +1352,9 @@ int ssl_parse_clienthello_tlsext(SSL *s,
915 			}
916 #endif
917
918+		else if (type == TLSEXT_TYPE_channel_id && s->tlsext_channel_id_enabled)
919+			s->s3->tlsext_channel_id_valid = 1;
920+
921 		/* session ticket processed earlier */
922 #ifndef OPENSSL_NO_SRTP
923 		else if (type == TLSEXT_TYPE_use_srtp)
924@@ -1562,6 +1585,9 @@ int ssl_parse_serverhello_tlsext(SSL *s,
925 			s->s3->next_proto_neg_seen = 1;
926 			}
927 #endif
928+		else if (type == TLSEXT_TYPE_channel_id)
929+			s->s3->tlsext_channel_id_valid = 1;
930+
931 		else if (type == TLSEXT_TYPE_renegotiate)
932 			{
933 			if(!ssl_parse_serverhello_renegotiate_ext(s, data, size, al))
934@@ -2621,3 +2647,37 @@ tls1_heartbeat(SSL *s)
935 	return ret;
936 	}
937 #endif
938+
939+#if !defined(OPENSSL_NO_TLSEXT)
940+/* tls1_channel_id_hash calculates the signed data for a Channel ID on the given
941+ * SSL connection and writes it to |md|.
942+ */
943+int
944+tls1_channel_id_hash(EVP_MD_CTX *md, SSL *s)
945+	{
946+	EVP_MD_CTX ctx;
947+	unsigned char temp_digest[EVP_MAX_MD_SIZE];
948+	unsigned temp_digest_len;
949+	int i;
950+	static const char kClientIDMagic[] = "TLS Channel ID signature";
951+
952+	if (s->s3->handshake_buffer)
953+		if (!ssl3_digest_cached_records(s))
954+			return 0;
955+
956+	EVP_DigestUpdate(md, kClientIDMagic, sizeof(kClientIDMagic));
957+
958+	EVP_MD_CTX_init(&ctx);
959+	for (i = 0; i < SSL_MAX_DIGEST; i++)
960+		{
961+		if (s->s3->handshake_dgst[i] == NULL)
962+			continue;
963+		EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
964+		EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
965+		EVP_DigestUpdate(md, temp_digest, temp_digest_len);
966+		}
967+	EVP_MD_CTX_cleanup(&ctx);
968+
969+	return 1;
970+	}
971+#endif
972--- openssl-1.0.1e.orig/ssl/tls1.h	2013-03-05 18:49:33.173296633 +0000
973+++ openssl-1.0.1e/ssl/tls1.h	2013-03-05 18:49:33.413299231 +0000
974@@ -248,6 +248,9 @@ extern "C" {
975 #define TLSEXT_TYPE_next_proto_neg		13172
976 #endif
977
978+/* This is not an IANA defined extension number */
979+#define TLSEXT_TYPE_channel_id			30031
980+
981 /* NameType value from RFC 3546 */
982 #define TLSEXT_NAMETYPE_host_name 0
983 /* status request value from RFC 3546 */
984