Optionally, retain only SHA-256 of client cert.

Adds an option to retain only the SHA256 of a client certificate in
memory and in the serialized session state.
This commit is contained in:
Adam Langley 2014-06-20 12:00:00 -07:00
parent 95f22882a7
commit 75872534c2
3 changed files with 53 additions and 3 deletions

View File

@ -756,6 +756,14 @@ int ssl3_accept(SSL *s)
s->init_num=0; s->init_num=0;
/* If we aren't retaining peer certificates then we can
* discard it now. */
if (s->session->peer && s->ctx->retain_only_sha256_of_client_certs)
{
X509_free(s->session->peer);
s->session->peer = NULL;
}
if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */ if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
{ {
s->renegotiate=0; s->renegotiate=0;
@ -2811,6 +2819,7 @@ int ssl3_get_client_certificate(SSL *s)
const unsigned char *p,*q; const unsigned char *p,*q;
unsigned char *d; unsigned char *d;
STACK_OF(X509) *sk=NULL; STACK_OF(X509) *sk=NULL;
SHA256_CTX sha256;
n=s->method->ssl_get_message(s, n=s->method->ssl_get_message(s,
SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_A,
@ -2872,6 +2881,17 @@ int ssl3_get_client_certificate(SSL *s)
goto f_err; goto f_err;
} }
if (nc == 0 && s->ctx->retain_only_sha256_of_client_certs)
{
/* If this is the first certificate, and we don't want
* to keep peer certificates in memory, then we hash it
* right away. */
SHA256_Init(&sha256);
SHA256_Update(&sha256, p, l);
SHA256_Final(s->session->peer_sha256, &sha256);
s->session->peer_sha256_valid = 1;
}
q=p; q=p;
x=d2i_X509(NULL,&p,l); x=d2i_X509(NULL,&p,l);
if (x == NULL) if (x == NULL)

View File

@ -501,6 +501,7 @@ struct ssl_method_st
* Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only) * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only)
* Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method
* SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
* Peer SHA256 [13] EXPLICIT OCTET STRING, -- optional SHA256 hash of Peer certifiate
* } * }
* Look in ssl/ssl_asn1.c for more details * Look in ssl/ssl_asn1.c for more details
* I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-).
@ -576,6 +577,8 @@ struct ssl_session_st
size_t tlsext_ticklen; /* Session ticket length */ size_t tlsext_ticklen; /* Session ticket length */
long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
#endif #endif
char peer_sha256_valid; /* Non-zero if peer_sha256 is valid */
unsigned char peer_sha256[SHA256_DIGEST_LENGTH]; /* SHA256 of peer certificate */
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
/* Used by client: the proof for this session. /* Used by client: the proof for this session.
* We store it outside the sess_cert structure, since the proof * We store it outside the sess_cert structure, since the proof
@ -1034,6 +1037,10 @@ struct ssl_ctx_st
unsigned int freelist_max_len; unsigned int freelist_max_len;
struct ssl3_buf_freelist_st *wbuf_freelist; struct ssl3_buf_freelist_st *wbuf_freelist;
struct ssl3_buf_freelist_st *rbuf_freelist; struct ssl3_buf_freelist_st *rbuf_freelist;
/* retain_only_sha256_of_client_certs is true if we should compute the
* SHA256 hash of the peer's certifiate and then discard it to save
* memory and session space. Only effective on the server side. */
char retain_only_sha256_of_client_certs;
#endif #endif
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT

View File

@ -121,12 +121,13 @@ typedef struct ssl_session_asn1_st
ASN1_OCTET_STRING psk_identity_hint; ASN1_OCTET_STRING psk_identity_hint;
ASN1_OCTET_STRING psk_identity; ASN1_OCTET_STRING psk_identity;
#endif /* OPENSSL_NO_PSK */ #endif /* OPENSSL_NO_PSK */
ASN1_OCTET_STRING peer_sha256;
} SSL_SESSION_ASN1; } SSL_SESSION_ASN1;
int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
{ {
#define LSIZE2 (sizeof(long)*2) #define LSIZE2 (sizeof(long)*2)
int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0; int v1=0,v2=0,v3=0,v4=0,v5=0,v7=0,v8=0,v13=0;
unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2]; unsigned char buf[4],ibuf1[LSIZE2],ibuf2[LSIZE2];
unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2]; unsigned char ibuf3[LSIZE2],ibuf4[LSIZE2],ibuf5[LSIZE2];
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
@ -251,6 +252,13 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
a.psk_identity.type=V_ASN1_OCTET_STRING; a.psk_identity.type=V_ASN1_OCTET_STRING;
a.psk_identity.data=(unsigned char *)(in->psk_identity); a.psk_identity.data=(unsigned char *)(in->psk_identity);
} }
if (in->peer_sha256_valid)
{
a.peer_sha256.length = sizeof(in->peer_sha256);
a.peer_sha256.type = V_ASN1_OCTET_STRING;
a.peer_sha256.data = in->peer_sha256;
}
#endif /* OPENSSL_NO_PSK */ #endif /* OPENSSL_NO_PSK */
M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER); M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER);
@ -264,7 +272,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1); M_ASN1_I2D_len_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
if (in->timeout != 0L) if (in->timeout != 0L)
M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2); M_ASN1_I2D_len_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
if (in->peer != NULL) if (in->peer != NULL && in->peer_sha256_valid == 0)
M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3); M_ASN1_I2D_len_EXP_opt(in->peer,i2d_X509,3,v3);
M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4); M_ASN1_I2D_len_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,v4);
if (in->verify_result != X509_V_OK) if (in->verify_result != X509_V_OK)
@ -284,6 +292,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
if (in->psk_identity) if (in->psk_identity)
M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8); M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING,8,v8);
#endif /* OPENSSL_NO_PSK */ #endif /* OPENSSL_NO_PSK */
if (in->peer_sha256_valid)
M_ASN1_I2D_len_EXP_opt(&(a.peer_sha256),i2d_ASN1_OCTET_STRING,13,v13);
M_ASN1_I2D_seq_total(); M_ASN1_I2D_seq_total();
@ -298,7 +308,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1); M_ASN1_I2D_put_EXP_opt(&(a.time),i2d_ASN1_INTEGER,1,v1);
if (in->timeout != 0L) if (in->timeout != 0L)
M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2); M_ASN1_I2D_put_EXP_opt(&(a.timeout),i2d_ASN1_INTEGER,2,v2);
if (in->peer != NULL) if (in->peer != NULL && in->peer_sha256_valid == 0)
M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3); M_ASN1_I2D_put_EXP_opt(in->peer,i2d_X509,3,v3);
M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4, M_ASN1_I2D_put_EXP_opt(&a.session_id_context,i2d_ASN1_OCTET_STRING,4,
v4); v4);
@ -320,6 +330,8 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
if (in->tlsext_tick) if (in->tlsext_tick)
M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10); M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING,10,v10);
#endif /* OPENSSL_NO_TLSEXT */ #endif /* OPENSSL_NO_TLSEXT */
if (in->peer_sha256_valid)
M_ASN1_I2D_put_EXP_opt(&(a.peer_sha256),i2d_ASN1_OCTET_STRING,13,v13);
M_ASN1_I2D_finish(); M_ASN1_I2D_finish();
} }
@ -541,5 +553,16 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
ret->tlsext_tick=NULL; ret->tlsext_tick=NULL;
#endif /* OPENSSL_NO_TLSEXT */ #endif /* OPENSSL_NO_TLSEXT */
os.length=0;
os.data=NULL;
M_ASN1_D2I_get_EXP_opt(osp,d2i_ASN1_OCTET_STRING,13);
if (os.data && os.length == sizeof(ret->peer_sha256))
{
memcpy(ret->peer_sha256, os.data, sizeof(ret->peer_sha256));
ret->peer_sha256_valid = 1;
OPENSSL_free(os.data);
os.data = NULL;
}
M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION); M_ASN1_D2I_Finish(a,SSL_SESSION_free,SSL_F_D2I_SSL_SESSION);
} }