@@ -750,8 +750,9 @@ int tls_init_channel_binding(tls_t *tls,
750750{
751751 const char * label = NULL ;
752752 size_t labellen = 0 ;
753+ int ssl_version = SSL_version (tls -> ssl );
753754
754- switch (SSL_version ( tls -> ssl ) ) {
755+ switch (ssl_version ) {
755756 case SSL3_VERSION :
756757 * binding_prefix = "tls-unique" ;
757758 * binding_prefix_len = strlen ("tls-unique" );
@@ -774,7 +775,7 @@ int tls_init_channel_binding(tls_t *tls,
774775 break ;
775776#endif
776777 default :
777- strophe_error (tls -> ctx , "tls" , "Unsupported TLS Version: %s" ,
778+ strophe_error (tls -> ctx , "tls" , "Unsupported TLS/SSL Version: %s" ,
778779 SSL_get_version (tls -> ssl ));
779780 return -1 ;
780781 }
@@ -785,11 +786,28 @@ int tls_init_channel_binding(tls_t *tls,
785786 if (!tls -> channel_binding_data )
786787 return -1 ;
787788
788- if (SSL_export_keying_material (tls -> ssl , tls -> channel_binding_data ,
789- tls -> channel_binding_size , label , labellen ,
790- NULL , 0 , 0 ) != 1 ) {
791- strophe_error (tls -> ctx , "tls" , "Could not get channel binding data" );
792- return -1 ;
789+ if (ssl_version <= TLS1_2_VERSION ) {
790+ size_t len ;
791+ if (SSL_session_reused (tls -> ssl )) {
792+ len = SSL_get_peer_finished (tls -> ssl , tls -> channel_binding_data ,
793+ tls -> channel_binding_size );
794+ } else {
795+ len = SSL_get_finished (tls -> ssl , tls -> channel_binding_data ,
796+ tls -> channel_binding_size );
797+ }
798+ if (len != tls -> channel_binding_size ) {
799+ strophe_error (tls -> ctx , "tls" ,
800+ "Got channel binding data of wrong size %zu" , len );
801+ return -1 ;
802+ }
803+ } else {
804+ if (SSL_export_keying_material (tls -> ssl , tls -> channel_binding_data ,
805+ tls -> channel_binding_size , label ,
806+ labellen , NULL , 0 , 0 ) != 1 ) {
807+ strophe_error (tls -> ctx , "tls" ,
808+ "Could not get channel binding data" );
809+ return -1 ;
810+ }
793811 }
794812 return 0 ;
795813}
0 commit comments