| blob | e2b985470cf6912f6768559d45da8632cdb8bb9d |
1 diff --git a/ssl/SSLerrs.h b/ssl/SSLerrs.h
2 index 174037b..81da41c 100644
3 --- a/ssl/SSLerrs.h
4 +++ b/ssl/SSLerrs.h
5 @@ -422,3 +422,12 @@ ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130),
6 ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131),
7 "The server rejected the handshake because the client downgraded to a lower "
8 "TLS version than the server supports.")
9 +
10 +ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 132),
11 +"SSL received a malformed TLS Channel ID extension.")
12 +
13 +ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 133),
14 +"The application provided an invalid TLS Channel ID key.")
15 +
16 +ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 134),
17 +"The application could not get a TLS Channel ID.")
18 diff --git a/ssl/ssl.h b/ssl/ssl.h
19 index 593dd00..716537d 100644
20 --- a/ssl/ssl.h
21 +++ b/ssl/ssl.h
22 @@ -1025,6 +1025,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc * socket,
23 SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd,
24 PRBool *last_handshake_resumed);
26 +/* See SSL_SetClientChannelIDCallback for usage. If the callback returns
27 + * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in
28 + * the future to restart the handshake. On SECSuccess, the callback must have
29 + * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */
30 +typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)(
31 + void *arg,
32 + PRFileDesc *fd,
33 + SECKEYPublicKey **out_public_key,
34 + SECKEYPrivateKey **out_private_key);
35 +
36 +/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake
37 + * after a ChannelID callback returned SECWouldBlock.
38 + *
39 + * This function takes ownership of |channelIDPub| and |channelID|. */
40 +SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq(
41 + PRFileDesc *fd,
42 + SECKEYPublicKey *channelIDPub,
43 + SECKEYPrivateKey *channelID);
44 +
45 +/* SSL_SetClientChannelIDCallback sets a callback function that will be called
46 + * once the server's ServerHello has been processed. This is only applicable to
47 + * a client socket and setting this callback causes the TLS Channel ID
48 + * extension to be advertised. */
49 +SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback(
50 + PRFileDesc *fd,
51 + SSLClientChannelIDCallback callback,
52 + void *arg);
53 +
54 /*
55 ** How long should we wait before retransmitting the next flight of
56 ** the DTLS handshake? Returns SECFailure if not DTLS or not in a
57 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c
58 index 29e8f1c..c0e8e79 100644
59 --- a/ssl/ssl3con.c
60 +++ b/ssl/ssl3con.c
61 @@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateStatus( sslSocket *ss);
62 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
63 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
64 static SECStatus ssl3_SendNextProto( sslSocket *ss);
65 +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
66 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
67 static SECStatus ssl3_SendServerHello( sslSocket *ss);
68 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
69 @@ -6296,6 +6297,15 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
70 }
71 #endif /* NSS_PLATFORM_CLIENT_AUTH */
73 + if (ss->ssl3.channelID != NULL) {
74 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
75 + ss->ssl3.channelID = NULL;
76 + }
77 + if (ss->ssl3.channelIDPub != NULL) {
78 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
79 + ss->ssl3.channelIDPub = NULL;
80 + }
81 +
82 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
83 if (temp < 0) {
84 goto loser; /* alert has been sent */
85 @@ -6578,7 +6588,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
86 if (rv != SECSuccess) {
87 goto alert_loser; /* err code was set */
88 }
89 - return SECSuccess;
90 + goto winner;
91 } while (0);
93 if (sid_match)
94 @@ -6613,6 +6623,27 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
95 } else {
96 ss->ssl3.hs.ws = wait_cert_request;
97 }
98 +
99 +winner:
100 + /* If we will need a ChannelID key then we make the callback now. This
101 + * allows the handshake to be restarted cleanly if the callback returns
102 + * SECWouldBlock. */
103 + if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
104 + rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
105 + &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
106 + if (rv == SECWouldBlock) {
107 + ssl3_SetAlwaysBlock(ss);
108 + return rv;
109 + }
110 + if (rv != SECSuccess ||
111 + ss->ssl3.channelIDPub == NULL ||
112 + ss->ssl3.channelID == NULL) {
113 + PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
114 + desc = internal_error;
115 + goto alert_loser;
116 + }
117 + }
118 +
119 return SECSuccess;
121 alert_loser:
122 @@ -7565,7 +7596,14 @@ ssl3_SendClientSecondRound(sslSocket *ss)
123 if (rv != SECSuccess) {
124 goto loser; /* err code was set. */
125 }
126 + }
127 +
128 + rv = ssl3_SendEncryptedExtensions(ss);
129 + if (rv != SECSuccess) {
130 + goto loser; /* err code was set. */
131 + }
133 + if (!ss->firstHsDone) {
134 if (ss->opt.enableFalseStart) {
135 if (!ss->ssl3.hs.authCertificatePending) {
136 /* When we fix bug 589047, we will need to know whether we are
137 @@ -7602,6 +7640,33 @@ ssl3_SendClientSecondRound(sslSocket *ss)
139 ssl_ReleaseXmitBufLock(ss); /*******************************/
141 + if (!ss->ssl3.hs.isResuming &&
142 + ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
143 + /* If we are negotiating ChannelID on a full handshake then we record
144 + * the handshake hashes in |sid| at this point. They will be needed in
145 + * the event that we resume this session and use ChannelID on the
146 + * resumption handshake. */
147 + SSL3Hashes hashes;
148 + SECItem *originalHandshakeHash =
149 + &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
150 + PORT_Assert(ss->sec.ci.sid->cached == never_cached);
151 +
152 + ssl_GetSpecReadLock(ss);
153 + PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0);
154 + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
155 + ssl_ReleaseSpecReadLock(ss);
156 + if (rv != SECSuccess) {
157 + return rv;
158 + }
159 +
160 + PORT_Assert(originalHandshakeHash->len == 0);
161 + originalHandshakeHash->data = PORT_Alloc(hashes.len);
162 + if (!originalHandshakeHash->data)
163 + return SECFailure;
164 + originalHandshakeHash->len = hashes.len;
165 + memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len);
166 + }
167 +
168 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
169 ss->ssl3.hs.ws = wait_new_session_ticket;
170 else
171 @@ -10590,6 +10655,184 @@ ssl3_RecordKeyLog(sslSocket *ss)
172 }
174 /* called from ssl3_SendClientSecondRound
175 + * ssl3_HandleFinished
176 + */
177 +static SECStatus
178 +ssl3_SendEncryptedExtensions(sslSocket *ss)
179 +{
180 + static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
181 + static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption";
182 + /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
183 + * SEQUENCE
184 + * SEQUENCE
185 + * OID id-ecPublicKey
186 + * OID prime256v1
187 + * BIT STRING, length 66, 0 trailing bits: 0x04
188 + *
189 + * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
190 + * public key. Following that are the two field elements as 32-byte,
191 + * big-endian numbers, as required by the Channel ID. */
192 + static const unsigned char P256_SPKI_PREFIX[] = {
193 + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
194 + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
195 + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
196 + 0x42, 0x00, 0x04
197 + };
198 + /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
199 + * bytes of ECDSA signature. */
200 + static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
201 + static const int CHANNEL_ID_LENGTH = 128;
202 +
203 + SECStatus rv = SECFailure;
204 + SECItem *spki = NULL;
205 + SSL3Hashes hashes;
206 + const unsigned char *pub_bytes;
207 + unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) +
208 + sizeof(CHANNEL_ID_RESUMPTION_MAGIC) +
209 + sizeof(SSL3Hashes)*2];
210 + size_t signed_data_len;
211 + unsigned char digest[SHA256_LENGTH];
212 + SECItem digest_item;
213 + unsigned char signature[64];
214 + SECItem signature_item;
215 +
216 + PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
217 + PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
218 +
219 + if (ss->ssl3.channelID == NULL)
220 + return SECSuccess;
221 +
222 + PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn));
223 +
224 + if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey ||
225 + PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) {
226 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
227 + rv = SECFailure;
228 + goto loser;
229 + }
230 +
231 + ssl_GetSpecReadLock(ss);
232 + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
233 + ssl_ReleaseSpecReadLock(ss);
234 +
235 + if (rv != SECSuccess)
236 + goto loser;
237 +
238 + rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
239 + 2 + 2 + CHANNEL_ID_LENGTH);
240 + if (rv != SECSuccess)
241 + goto loser; /* error code set by AppendHandshakeHeader */
242 + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
243 + if (rv != SECSuccess)
244 + goto loser; /* error code set by AppendHandshake */
245 + rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
246 + if (rv != SECSuccess)
247 + goto loser; /* error code set by AppendHandshake */
248 +
249 + spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub);
250 +
251 + if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
252 + memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX)) != 0) {
253 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
254 + rv = SECFailure;
255 + goto loser;
256 + }
257 +
258 + pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
259 +
260 + signed_data_len = 0;
261 + memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC,
262 + sizeof(CHANNEL_ID_MAGIC));
263 + signed_data_len += sizeof(CHANNEL_ID_MAGIC);
264 + if (ss->ssl3.hs.isResuming) {
265 + SECItem *originalHandshakeHash =
266 + &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
267 + PORT_Assert(originalHandshakeHash->len > 0);
268 +
269 + memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC,
270 + sizeof(CHANNEL_ID_RESUMPTION_MAGIC));
271 + signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC);
272 + memcpy(signed_data + signed_data_len, originalHandshakeHash->data,
273 + originalHandshakeHash->len);
274 + signed_data_len += originalHandshakeHash->len;
275 + }
276 + memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len);
277 + signed_data_len += hashes.len;
278 +
279 + rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len);
280 + if (rv != SECSuccess)
281 + goto loser;
282 +
283 + digest_item.data = digest;
284 + digest_item.len = sizeof(digest);
285 +
286 + signature_item.data = signature;
287 + signature_item.len = sizeof(signature);
288 +
289 + rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
290 + if (rv != SECSuccess)
291 + goto loser;
292 +
293 + rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
294 + if (rv != SECSuccess)
295 + goto loser;
296 + rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
297 +
298 +loser:
299 + if (spki)
300 + SECITEM_FreeItem(spki, PR_TRUE);
301 + if (ss->ssl3.channelID) {
302 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
303 + ss->ssl3.channelID = NULL;
304 + }
305 + if (ss->ssl3.channelIDPub) {
306 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
307 + ss->ssl3.channelIDPub = NULL;
308 + }
309 +
310 + return rv;
311 +}
312 +
313 +/* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake
314 + * after a ChannelID callback returned SECWouldBlock. At this point we have
315 + * processed the server's ServerHello but not yet any further messages. We will
316 + * always get a message from the server after a ServerHello so either they are
317 + * waiting in the buffer or we'll get network I/O. */
318 +SECStatus
319 +ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss,
320 + SECKEYPublicKey *channelIDPub,
321 + SECKEYPrivateKey *channelID)
322 +{
323 + if (ss->handshake == 0) {
324 + SECKEY_DestroyPublicKey(channelIDPub);
325 + SECKEY_DestroyPrivateKey(channelID);
326 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
327 + return SECFailure;
328 + }
329 +
330 + if (channelIDPub == NULL ||
331 + channelID == NULL) {
332 + if (channelIDPub)
333 + SECKEY_DestroyPublicKey(channelIDPub);
334 + if (channelID)
335 + SECKEY_DestroyPrivateKey(channelID);
336 + PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
337 + return SECFailure;
338 + }
339 +
340 + if (ss->ssl3.channelID)
341 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
342 + if (ss->ssl3.channelIDPub)
343 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
344 +
345 + ss->handshake = ssl_GatherRecord1stHandshake;
346 + ss->ssl3.channelID = channelID;
347 + ss->ssl3.channelIDPub = channelIDPub;
348 +
349 + return SECSuccess;
350 +}
351 +
352 +/* called from ssl3_SendClientSecondRound
353 * ssl3_HandleClientHello
354 * ssl3_HandleFinished
355 */
356 @@ -10849,11 +11092,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
357 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
358 }
360 - if (!isServer && !ss->firstHsDone) {
361 - rv = ssl3_SendNextProto(ss);
362 - if (rv != SECSuccess) {
363 - goto xmit_loser; /* err code was set. */
364 + if (!isServer) {
365 + if (!ss->firstHsDone) {
366 + rv = ssl3_SendNextProto(ss);
367 + if (rv != SECSuccess) {
368 + goto xmit_loser; /* err code was set. */
369 + }
370 }
371 + rv = ssl3_SendEncryptedExtensions(ss);
372 + if (rv != SECSuccess)
373 + goto xmit_loser; /* err code was set. */
374 }
376 if (IS_DTLS(ss)) {
377 @@ -12333,6 +12581,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
378 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
379 #endif /* NSS_PLATFORM_CLIENT_AUTH */
381 + if (ss->ssl3.channelID)
382 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
383 + if (ss->ssl3.channelIDPub)
384 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
385 +
386 if (ss->ssl3.peerCertArena != NULL)
387 ssl3_CleanupPeerCerts(ss);
389 diff --git a/ssl/ssl3ext.c b/ssl/ssl3ext.c
390 index 0a2288a..4d17587 100644
391 --- a/ssl/ssl3ext.c
392 +++ b/ssl/ssl3ext.c
393 @@ -73,6 +73,10 @@ static SECStatus ssl3_ClientHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
394 SECItem *data);
395 static SECStatus ssl3_ServerHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
396 SECItem *data);
397 +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
398 + PRUint16 ex_type, SECItem *data);
399 +static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
400 + PRUint32 maxBytes);
401 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
402 PRBool append, PRUint32 maxBytes);
403 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
404 @@ -269,6 +273,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
405 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
406 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
407 { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn },
408 + { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
409 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
410 { -1, NULL }
411 };
412 @@ -296,6 +301,7 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
413 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
414 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
415 { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn },
416 + { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
417 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
418 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn },
419 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn },
420 @@ -930,6 +936,61 @@ ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
421 }
423 static SECStatus
424 +ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
425 + SECItem *data)
426 +{
427 + PORT_Assert(ss->getChannelID != NULL);
428 +
429 + if (data->len) {
430 + PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA);
431 + return SECFailure;
432 + }
433 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
434 + return SECSuccess;
435 +}
436 +
437 +static PRInt32
438 +ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append,
439 + PRUint32 maxBytes)
440 +{
441 + PRInt32 extension_length = 4;
442 +
443 + if (!ss->getChannelID)
444 + return 0;
445 +
446 + if (maxBytes < extension_length) {
447 + PORT_Assert(0);
448 + return 0;
449 + }
450 +
451 + if (ss->sec.ci.sid->cached != never_cached &&
452 + ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) {
453 + /* We can't do ChannelID on a connection if we're resuming and didn't
454 + * do ChannelID on the original connection: without ChannelID on the
455 + * original connection we didn't record the handshake hashes needed for
456 + * the signature. */
457 + return 0;
458 + }
459 +
460 + if (append) {
461 + SECStatus rv;
462 + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
463 + if (rv != SECSuccess)
464 + goto loser;
465 + rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
466 + if (rv != SECSuccess)
467 + goto loser;
468 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
469 + ssl_channel_id_xtn;
470 + }
471 +
472 + return extension_length;
473 +
474 +loser:
475 + return -1;
476 +}
477 +
478 +static SECStatus
479 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
480 SECItem *data)
481 {
482 diff --git a/ssl/ssl3prot.h b/ssl/ssl3prot.h
483 index 485d7dd..78fbcaa 100644
484 --- a/ssl/ssl3prot.h
485 +++ b/ssl/ssl3prot.h
486 @@ -136,7 +136,8 @@ typedef enum {
487 client_key_exchange = 16,
488 finished = 20,
489 certificate_status = 22,
490 - next_proto = 67
491 + next_proto = 67,
492 + encrypted_extensions = 203,
493 } SSL3HandshakeType;
495 typedef struct {
496 diff --git a/ssl/sslauth.c b/ssl/sslauth.c
497 index 7f9c43b..c2d9201 100644
498 --- a/ssl/sslauth.c
499 +++ b/ssl/sslauth.c
500 @@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
501 return SECSuccess;
502 }
504 +SECStatus
505 +SSL_SetClientChannelIDCallback(PRFileDesc *fd,
506 + SSLClientChannelIDCallback callback,
507 + void *arg) {
508 + sslSocket *ss = ssl_FindSocket(fd);
509 +
510 + if (!ss) {
511 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",
512 + SSL_GETPID(), fd));
513 + return SECFailure;
514 + }
515 +
516 + ss->getChannelID = callback;
517 + ss->getChannelIDArg = arg;
518 +
519 + return SECSuccess;
520 +}
521 +
522 #ifdef NSS_PLATFORM_CLIENT_AUTH
523 /* NEED LOCKS IN HERE. */
524 SECStatus
525 diff --git a/ssl/sslerr.h b/ssl/sslerr.h
526 index 12dbb1d..24bf893 100644
527 --- a/ssl/sslerr.h
528 +++ b/ssl/sslerr.h
529 @@ -198,6 +198,10 @@ SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL = (SSL_ERROR_BASE + 130),
531 SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT = (SSL_ERROR_BASE + 131),
533 +SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 132),
534 +SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 133),
535 +SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 134),
536 +
537 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
538 } SSLErrorCodes;
539 #endif /* NO_SECURITY_ERROR_ENUM */
540 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h
541 index 2cf0b3a..e11860e 100644
542 --- a/ssl/sslimpl.h
543 +++ b/ssl/sslimpl.h
544 @@ -711,6 +711,14 @@ struct sslSessionIDStr {
546 SECItem srvName;
548 + /* originalHandshakeHash contains the hash of the original, full
549 + * handshake prior to the server's final flow. This is either a
550 + * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for
551 + * TLS 1.2). This is recorded and used only when ChannelID is
552 + * negotiated as it's used to bind the ChannelID signature on the
553 + * resumption handshake to the original handshake. */
554 + SECItem originalHandshakeHash;
555 +
556 /* This lock is lazily initialized by CacheSID when a sid is first
557 * cached. Before then, there is no need to lock anything because
558 * the sid isn't being shared by anything.
559 @@ -986,6 +994,9 @@ struct ssl3StateStr {
560 CERTCertificateList *clientCertChain; /* used by client */
561 PRBool sendEmptyCert; /* used by client */
563 + SECKEYPrivateKey *channelID; /* used by client */
564 + SECKEYPublicKey *channelIDPub; /* used by client */
565 +
566 int policy;
567 /* This says what cipher suites we can do, and should
568 * be either SSL_ALLOWED or SSL_RESTRICTED
569 @@ -1264,6 +1275,8 @@ const unsigned char * preferredCipher;
570 void *pkcs11PinArg;
571 SSLNextProtoCallback nextProtoCallback;
572 void *nextProtoArg;
573 + SSLClientChannelIDCallback getChannelID;
574 + void *getChannelIDArg;
576 PRIntervalTime rTimeout; /* timeout for NSPR I/O */
577 PRIntervalTime wTimeout; /* timeout for NSPR I/O */
578 @@ -1610,6 +1623,11 @@ extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss,
579 SECKEYPrivateKey * key,
580 CERTCertificateList *certChain);
582 +extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq(
583 + sslSocket *ss,
584 + SECKEYPublicKey *channelIDPub,
585 + SECKEYPrivateKey *channelID);
586 +
587 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
589 /*
590 diff --git a/ssl/sslnonce.c b/ssl/sslnonce.c
591 index be11008..1326a8b 100644
592 --- a/ssl/sslnonce.c
593 +++ b/ssl/sslnonce.c
594 @@ -180,6 +180,9 @@ ssl_DestroySID(sslSessionID *sid)
595 if (sid->u.ssl3.srvName.data) {
596 SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
597 }
598 + if (sid->u.ssl3.originalHandshakeHash.data) {
599 + SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
600 + }
602 if (sid->u.ssl3.lock) {
603 PR_DestroyRWLock(sid->u.ssl3.lock);
604 diff --git a/ssl/sslsecur.c b/ssl/sslsecur.c
605 index d44336e..5c6751a 100644
606 --- a/ssl/sslsecur.c
607 +++ b/ssl/sslsecur.c
608 @@ -1582,6 +1582,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileDesc * fd,
609 return ret;
610 }
612 +SECStatus
613 +SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc * fd,
614 + SECKEYPublicKey * channelIDPub,
615 + SECKEYPrivateKey *channelID)
616 +{
617 + sslSocket * ss = ssl_FindSocket(fd);
618 + SECStatus ret;
619 +
620 + if (!ss) {
621 + SSL_DBG(("%d: SSL[%d]: bad socket in"
622 + " SSL_RestartHandshakeAfterChannelIDReq",
623 + SSL_GETPID(), fd));
624 + goto loser;
625 + }
626 +
627 +
628 + ssl_Get1stHandshakeLock(ss);
629 +
630 + if (ss->version < SSL_LIBRARY_VERSION_3_0) {
631 + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
632 + ssl_Release1stHandshakeLock(ss);
633 + goto loser;
634 + }
635 +
636 + ret = ssl3_RestartHandshakeAfterChannelIDReq(ss, channelIDPub,
637 + channelID);
638 + ssl_Release1stHandshakeLock(ss);
639 +
640 + return ret;
641 +
642 +loser:
643 + SECKEY_DestroyPublicKey(channelIDPub);
644 + SECKEY_DestroyPrivateKey(channelID);
645 + return SECFailure;
646 +}
647 +
648 /* DO NOT USE. This function was exported in ssl.def with the wrong signature;
649 * this implementation exists to maintain link-time compatibility.
650 */
651 diff --git a/ssl/sslsock.c b/ssl/sslsock.c
652 index 9431fe4..042f24f 100644
653 --- a/ssl/sslsock.c
654 +++ b/ssl/sslsock.c
655 @@ -288,6 +288,8 @@ ssl_DupSocket(sslSocket *os)
656 ss->canFalseStartCallback = os->canFalseStartCallback;
657 ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
658 ss->pkcs11PinArg = os->pkcs11PinArg;
659 + ss->getChannelID = os->getChannelID;
660 + ss->getChannelIDArg = os->getChannelIDArg;
662 /* Create security data */
663 rv = ssl_CopySecurityInfo(ss, os);
664 @@ -1733,6 +1735,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
665 ss->handshakeCallbackData = sm->handshakeCallbackData;
666 if (sm->pkcs11PinArg)
667 ss->pkcs11PinArg = sm->pkcs11PinArg;
668 + if (sm->getChannelID)
669 + ss->getChannelID = sm->getChannelID;
670 + if (sm->getChannelIDArg)
671 + ss->getChannelIDArg = sm->getChannelIDArg;
672 return fd;
673 loser:
674 return NULL;
675 @@ -3021,6 +3027,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
676 ss->badCertArg = NULL;
677 ss->pkcs11PinArg = NULL;
678 ss->ephemeralECDHKeyPair = NULL;
679 + ss->getChannelID = NULL;
680 + ss->getChannelIDArg = NULL;
682 ssl_ChooseOps(ss);
683 ssl2_InitSocketPolicy(ss);
684 diff --git a/ssl/sslt.h b/ssl/sslt.h
685 index 1d28feb..0900f28 100644
686 --- a/ssl/sslt.h
687 +++ b/ssl/sslt.h
688 @@ -191,10 +191,11 @@ typedef enum {
689 ssl_padding_xtn = 21,
690 ssl_session_ticket_xtn = 35,
691 ssl_next_proto_nego_xtn = 13172,
692 + ssl_channel_id_xtn = 30032,
693 ssl_renegotiation_info_xtn = 0xff01,
694 ssl_tls13_draft_version_xtn = 0xff02 /* experimental number */
695 } SSLExtensionType;
697 -#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */
698 +#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. */
700 #endif /* __sslt_h_ */