| diff --git a/lib/ssl/SSLerrs.h b/lib/ssl/SSLerrs.h |
| index 6028396..3d21ab8 100644 |
| --- a/lib/ssl/SSLerrs.h |
| +++ b/lib/ssl/SSLerrs.h |
| @@ -440,3 +440,12 @@ ER3(SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET, (SSL_ERROR_BASE + 136), |
| |
| ER3(SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET, (SSL_ERROR_BASE + 137), |
| "The peer tried to resume with an unexpected extended_master_secret extension") |
| + |
| +ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 138), |
| +"SSL received a malformed TLS Channel ID extension.") |
| + |
| +ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 139), |
| +"The application provided an invalid TLS Channel ID key.") |
| + |
| +ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 140), |
| +"The application could not get a TLS Channel ID.") |
| diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h |
| index 85ced8a..120c257 100644 |
| --- a/lib/ssl/ssl.h |
| +++ b/lib/ssl/ssl.h |
| @@ -1135,6 +1135,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, |
| SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd, |
| PRBool *last_handshake_resumed); |
| |
| +/* See SSL_SetClientChannelIDCallback for usage. If the callback returns |
| + * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in |
| + * the future to restart the handshake. On SECSuccess, the callback must have |
| + * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */ |
| +typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)( |
| + void *arg, |
| + PRFileDesc *fd, |
| + SECKEYPublicKey **out_public_key, |
| + SECKEYPrivateKey **out_private_key); |
| + |
| +/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake |
| + * after a ChannelID callback returned SECWouldBlock. |
| + * |
| + * This function takes ownership of |channelIDPub| and |channelID|. */ |
| +SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq( |
| + PRFileDesc *fd, |
| + SECKEYPublicKey *channelIDPub, |
| + SECKEYPrivateKey *channelID); |
| + |
| +/* SSL_SetClientChannelIDCallback sets a callback function that will be called |
| + * once the server's ServerHello has been processed. This is only applicable to |
| + * a client socket and setting this callback causes the TLS Channel ID |
| + * extension to be advertised. */ |
| +SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback( |
| + PRFileDesc *fd, |
| + SSLClientChannelIDCallback callback, |
| + void *arg); |
| + |
| /* |
| ** How long should we wait before retransmitting the next flight of |
| ** the DTLS handshake? Returns SECFailure if not DTLS or not in a |
| diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c |
| index 304e03b..2ae8ce9 100644 |
| --- a/lib/ssl/ssl3con.c |
| +++ b/lib/ssl/ssl3con.c |
| @@ -57,6 +57,7 @@ static SECStatus ssl3_SendCertificateStatus( sslSocket *ss); |
| static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); |
| static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
| static SECStatus ssl3_SendNextProto( sslSocket *ss); |
| +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); |
| static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
| static SECStatus ssl3_SendServerHello( sslSocket *ss); |
| static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
| @@ -6470,6 +6471,15 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| } |
| #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| |
| + if (ss->ssl3.channelID != NULL) { |
| + SECKEY_DestroyPrivateKey(ss->ssl3.channelID); |
| + ss->ssl3.channelID = NULL; |
| + } |
| + if (ss->ssl3.channelIDPub != NULL) { |
| + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); |
| + ss->ssl3.channelIDPub = NULL; |
| + } |
| + |
| temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
| if (temp < 0) { |
| goto loser; /* alert has been sent */ |
| @@ -6780,7 +6790,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| if (rv != SECSuccess) { |
| goto alert_loser; /* err code was set */ |
| } |
| - return SECSuccess; |
| + goto winner; |
| } while (0); |
| |
| if (sid_match) |
| @@ -6819,6 +6829,27 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| PORT_Assert(ss->ssl3.hs.kea_def->ephemeral); |
| ss->ssl3.hs.ws = wait_server_key; |
| } |
| + |
| +winner: |
| + /* If we will need a ChannelID key then we make the callback now. This |
| + * allows the handshake to be restarted cleanly if the callback returns |
| + * SECWouldBlock. */ |
| + if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { |
| + rv = ss->getChannelID(ss->getChannelIDArg, ss->fd, |
| + &ss->ssl3.channelIDPub, &ss->ssl3.channelID); |
| + if (rv == SECWouldBlock) { |
| + ssl3_SetAlwaysBlock(ss); |
| + return rv; |
| + } |
| + if (rv != SECSuccess || |
| + ss->ssl3.channelIDPub == NULL || |
| + ss->ssl3.channelID == NULL) { |
| + PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED); |
| + desc = internal_error; |
| + goto alert_loser; |
| + } |
| + } |
| + |
| return SECSuccess; |
| |
| alert_loser: |
| @@ -7774,7 +7805,14 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
| if (rv != SECSuccess) { |
| goto loser; /* err code was set. */ |
| } |
| + } |
| + |
| + rv = ssl3_SendEncryptedExtensions(ss); |
| + if (rv != SECSuccess) { |
| + goto loser; /* err code was set. */ |
| + } |
| |
| + if (!ss->firstHsDone) { |
| if (ss->opt.enableFalseStart) { |
| if (!ss->ssl3.hs.authCertificatePending) { |
| /* When we fix bug 589047, we will need to know whether we are |
| @@ -7811,6 +7849,33 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
| |
| ssl_ReleaseXmitBufLock(ss); /*******************************/ |
| |
| + if (!ss->ssl3.hs.isResuming && |
| + ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { |
| + /* If we are negotiating ChannelID on a full handshake then we record |
| + * the handshake hashes in |sid| at this point. They will be needed in |
| + * the event that we resume this session and use ChannelID on the |
| + * resumption handshake. */ |
| + SSL3Hashes hashes; |
| + SECItem *originalHandshakeHash = |
| + &ss->sec.ci.sid->u.ssl3.originalHandshakeHash; |
| + PORT_Assert(ss->sec.ci.sid->cached == never_cached); |
| + |
| + ssl_GetSpecReadLock(ss); |
| + PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0); |
| + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); |
| + ssl_ReleaseSpecReadLock(ss); |
| + if (rv != SECSuccess) { |
| + return rv; |
| + } |
| + |
| + PORT_Assert(originalHandshakeHash->len == 0); |
| + originalHandshakeHash->data = PORT_Alloc(hashes.len); |
| + if (!originalHandshakeHash->data) |
| + return SECFailure; |
| + originalHandshakeHash->len = hashes.len; |
| + memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len); |
| + } |
| + |
| if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) |
| ss->ssl3.hs.ws = wait_new_session_ticket; |
| else |
| @@ -11264,6 +11329,184 @@ ssl3_RecordKeyLog(sslSocket *ss) |
| } |
| |
| /* called from ssl3_SendClientSecondRound |
| + * ssl3_HandleFinished |
| + */ |
| +static SECStatus |
| +ssl3_SendEncryptedExtensions(sslSocket *ss) |
| +{ |
| + static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature"; |
| + static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption"; |
| + /* This is the ASN.1 prefix for a P-256 public key. Specifically it's: |
| + * SEQUENCE |
| + * SEQUENCE |
| + * OID id-ecPublicKey |
| + * OID prime256v1 |
| + * BIT STRING, length 66, 0 trailing bits: 0x04 |
| + * |
| + * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62 |
| + * public key. Following that are the two field elements as 32-byte, |
| + * big-endian numbers, as required by the Channel ID. */ |
| + static const unsigned char P256_SPKI_PREFIX[] = { |
| + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, |
| + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, |
| + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, |
| + 0x42, 0x00, 0x04 |
| + }; |
| + /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64 |
| + * bytes of ECDSA signature. */ |
| + static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64; |
| + static const int CHANNEL_ID_LENGTH = 128; |
| + |
| + SECStatus rv = SECFailure; |
| + SECItem *spki = NULL; |
| + SSL3Hashes hashes; |
| + const unsigned char *pub_bytes; |
| + unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + |
| + sizeof(CHANNEL_ID_RESUMPTION_MAGIC) + |
| + sizeof(SSL3Hashes)*2]; |
| + size_t signed_data_len; |
| + unsigned char digest[SHA256_LENGTH]; |
| + SECItem digest_item; |
| + unsigned char signature[64]; |
| + SECItem signature_item; |
| + |
| + PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| + PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| + |
| + if (ss->ssl3.channelID == NULL) |
| + return SECSuccess; |
| + |
| + PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)); |
| + |
| + if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey || |
| + PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) { |
| + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); |
| + rv = SECFailure; |
| + goto loser; |
| + } |
| + |
| + ssl_GetSpecReadLock(ss); |
| + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); |
| + ssl_ReleaseSpecReadLock(ss); |
| + |
| + if (rv != SECSuccess) |
| + goto loser; |
| + |
| + rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions, |
| + 2 + 2 + CHANNEL_ID_LENGTH); |
| + if (rv != SECSuccess) |
| + goto loser; /* error code set by AppendHandshakeHeader */ |
| + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); |
| + if (rv != SECSuccess) |
| + goto loser; /* error code set by AppendHandshake */ |
| + rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2); |
| + if (rv != SECSuccess) |
| + goto loser; /* error code set by AppendHandshake */ |
| + |
| + spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub); |
| + |
| + if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || |
| + memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX)) != 0) { |
| + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); |
| + rv = SECFailure; |
| + goto loser; |
| + } |
| + |
| + pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); |
| + |
| + signed_data_len = 0; |
| + memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC, |
| + sizeof(CHANNEL_ID_MAGIC)); |
| + signed_data_len += sizeof(CHANNEL_ID_MAGIC); |
| + if (ss->ssl3.hs.isResuming) { |
| + SECItem *originalHandshakeHash = |
| + &ss->sec.ci.sid->u.ssl3.originalHandshakeHash; |
| + PORT_Assert(originalHandshakeHash->len > 0); |
| + |
| + memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC, |
| + sizeof(CHANNEL_ID_RESUMPTION_MAGIC)); |
| + signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC); |
| + memcpy(signed_data + signed_data_len, originalHandshakeHash->data, |
| + originalHandshakeHash->len); |
| + signed_data_len += originalHandshakeHash->len; |
| + } |
| + memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len); |
| + signed_data_len += hashes.len; |
| + |
| + rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len); |
| + if (rv != SECSuccess) |
| + goto loser; |
| + |
| + digest_item.data = digest; |
| + digest_item.len = sizeof(digest); |
| + |
| + signature_item.data = signature; |
| + signature_item.len = sizeof(signature); |
| + |
| + rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item); |
| + if (rv != SECSuccess) |
| + goto loser; |
| + |
| + rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH); |
| + if (rv != SECSuccess) |
| + goto loser; |
| + rv = ssl3_AppendHandshake(ss, signature, sizeof(signature)); |
| + |
| +loser: |
| + if (spki) |
| + SECITEM_FreeItem(spki, PR_TRUE); |
| + if (ss->ssl3.channelID) { |
| + SECKEY_DestroyPrivateKey(ss->ssl3.channelID); |
| + ss->ssl3.channelID = NULL; |
| + } |
| + if (ss->ssl3.channelIDPub) { |
| + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); |
| + ss->ssl3.channelIDPub = NULL; |
| + } |
| + |
| + return rv; |
| +} |
| + |
| +/* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake |
| + * after a ChannelID callback returned SECWouldBlock. At this point we have |
| + * processed the server's ServerHello but not yet any further messages. We will |
| + * always get a message from the server after a ServerHello so either they are |
| + * waiting in the buffer or we'll get network I/O. */ |
| +SECStatus |
| +ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss, |
| + SECKEYPublicKey *channelIDPub, |
| + SECKEYPrivateKey *channelID) |
| +{ |
| + if (ss->handshake == 0) { |
| + SECKEY_DestroyPublicKey(channelIDPub); |
| + SECKEY_DestroyPrivateKey(channelID); |
| + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| + return SECFailure; |
| + } |
| + |
| + if (channelIDPub == NULL || |
| + channelID == NULL) { |
| + if (channelIDPub) |
| + SECKEY_DestroyPublicKey(channelIDPub); |
| + if (channelID) |
| + SECKEY_DestroyPrivateKey(channelID); |
| + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
| + return SECFailure; |
| + } |
| + |
| + if (ss->ssl3.channelID) |
| + SECKEY_DestroyPrivateKey(ss->ssl3.channelID); |
| + if (ss->ssl3.channelIDPub) |
| + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); |
| + |
| + ss->handshake = ssl_GatherRecord1stHandshake; |
| + ss->ssl3.channelID = channelID; |
| + ss->ssl3.channelIDPub = channelIDPub; |
| + |
| + return SECSuccess; |
| +} |
| + |
| +/* called from ssl3_SendClientSecondRound |
| * ssl3_HandleClientHello |
| * ssl3_HandleFinished |
| */ |
| @@ -11531,11 +11774,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
| flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
| } |
| |
| - if (!isServer && !ss->firstHsDone) { |
| - rv = ssl3_SendNextProto(ss); |
| - if (rv != SECSuccess) { |
| - goto xmit_loser; /* err code was set. */ |
| + if (!isServer) { |
| + if (!ss->firstHsDone) { |
| + rv = ssl3_SendNextProto(ss); |
| + if (rv != SECSuccess) { |
| + goto xmit_loser; /* err code was set. */ |
| + } |
| } |
| + rv = ssl3_SendEncryptedExtensions(ss); |
| + if (rv != SECSuccess) |
| + goto xmit_loser; /* err code was set. */ |
| } |
| |
| if (IS_DTLS(ss)) { |
| @@ -13095,6 +13343,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
| ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
| #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
| |
| + if (ss->ssl3.channelID) |
| + SECKEY_DestroyPrivateKey(ss->ssl3.channelID); |
| + if (ss->ssl3.channelIDPub) |
| + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); |
| + |
| if (ss->ssl3.peerCertArena != NULL) |
| ssl3_CleanupPeerCerts(ss); |
| |
| diff --git a/lib/ssl/ssl3ext.c b/lib/ssl/ssl3ext.c |
| index 5661a5c..78825cb 100644 |
| --- a/lib/ssl/ssl3ext.c |
| +++ b/lib/ssl/ssl3ext.c |
| @@ -73,6 +73,10 @@ static SECStatus ssl3_ClientHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, |
| SECItem *data); |
| static SECStatus ssl3_ServerHandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, |
| SECItem *data); |
| +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, |
| + PRUint16 ex_type, SECItem *data); |
| +static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, |
| + PRUint32 maxBytes); |
| static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss, |
| PRBool append, PRUint32 maxBytes); |
| static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, |
| @@ -276,6 +280,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { |
| { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
| { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, |
| { ssl_use_srtp_xtn, &ssl3_ClientHandleUseSRTPXtn }, |
| + { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, |
| { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
| { ssl_extended_master_secret_xtn, &ssl3_HandleExtendedMasterSecretXtn }, |
| { -1, NULL } |
| @@ -304,6 +309,7 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { |
| { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
| { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, |
| { ssl_use_srtp_xtn, &ssl3_ClientSendUseSRTPXtn }, |
| + { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
| { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
| { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, |
| { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, |
| @@ -945,6 +951,61 @@ ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
| } |
| |
| static SECStatus |
| +ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, |
| + SECItem *data) |
| +{ |
| + PORT_Assert(ss->getChannelID != NULL); |
| + |
| + if (data->len) { |
| + PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); |
| + return SECFailure; |
| + } |
| + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| + return SECSuccess; |
| +} |
| + |
| +static PRInt32 |
| +ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append, |
| + PRUint32 maxBytes) |
| +{ |
| + PRInt32 extension_length = 4; |
| + |
| + if (!ss->getChannelID) |
| + return 0; |
| + |
| + if (maxBytes < extension_length) { |
| + PORT_Assert(0); |
| + return 0; |
| + } |
| + |
| + if (ss->sec.ci.sid->cached != never_cached && |
| + ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) { |
| + /* We can't do ChannelID on a connection if we're resuming and didn't |
| + * do ChannelID on the original connection: without ChannelID on the |
| + * original connection we didn't record the handshake hashes needed for |
| + * the signature. */ |
| + return 0; |
| + } |
| + |
| + if (append) { |
| + SECStatus rv; |
| + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); |
| + if (rv != SECSuccess) |
| + goto loser; |
| + rv = ssl3_AppendHandshakeNumber(ss, 0, 2); |
| + if (rv != SECSuccess) |
| + goto loser; |
| + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
| + ssl_channel_id_xtn; |
| + } |
| + |
| + return extension_length; |
| + |
| +loser: |
| + return -1; |
| +} |
| + |
| +static SECStatus |
| ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, |
| SECItem *data) |
| { |
| diff --git a/lib/ssl/ssl3prot.h b/lib/ssl/ssl3prot.h |
| index a93bef1..848bdee 100644 |
| --- a/lib/ssl/ssl3prot.h |
| +++ b/lib/ssl/ssl3prot.h |
| @@ -136,7 +136,8 @@ typedef enum { |
| client_key_exchange = 16, |
| finished = 20, |
| certificate_status = 22, |
| - next_proto = 67 |
| + next_proto = 67, |
| + encrypted_extensions = 203, |
| } SSL3HandshakeType; |
| |
| typedef struct { |
| diff --git a/lib/ssl/sslauth.c b/lib/ssl/sslauth.c |
| index e6981f0..03b23b4 100644 |
| --- a/lib/ssl/sslauth.c |
| +++ b/lib/ssl/sslauth.c |
| @@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, |
| return SECSuccess; |
| } |
| |
| +SECStatus |
| +SSL_SetClientChannelIDCallback(PRFileDesc *fd, |
| + SSLClientChannelIDCallback callback, |
| + void *arg) { |
| + sslSocket *ss = ssl_FindSocket(fd); |
| + |
| + if (!ss) { |
| + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback", |
| + SSL_GETPID(), fd)); |
| + return SECFailure; |
| + } |
| + |
| + ss->getChannelID = callback; |
| + ss->getChannelIDArg = arg; |
| + |
| + return SECSuccess; |
| +} |
| + |
| #ifdef NSS_PLATFORM_CLIENT_AUTH |
| /* NEED LOCKS IN HERE. */ |
| SECStatus |
| diff --git a/lib/ssl/sslerr.h b/lib/ssl/sslerr.h |
| index 192a107..835b812 100644 |
| --- a/lib/ssl/sslerr.h |
| +++ b/lib/ssl/sslerr.h |
| @@ -208,6 +208,10 @@ SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 135), |
| SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET = (SSL_ERROR_BASE + 136), |
| SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET = (SSL_ERROR_BASE + 137), |
| |
| +SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 138), |
| +SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 139), |
| +SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 140), |
| + |
| SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ |
| } SSLErrorCodes; |
| #endif /* NO_SECURITY_ERROR_ENUM */ |
| diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h |
| index c089889..c286518 100644 |
| --- a/lib/ssl/sslimpl.h |
| +++ b/lib/ssl/sslimpl.h |
| @@ -722,6 +722,14 @@ struct sslSessionIDStr { |
| |
| SECItem srvName; |
| |
| + /* originalHandshakeHash contains the hash of the original, full |
| + * handshake prior to the server's final flow. This is either a |
| + * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for |
| + * TLS 1.2). This is recorded and used only when ChannelID is |
| + * negotiated as it's used to bind the ChannelID signature on the |
| + * resumption handshake to the original handshake. */ |
| + SECItem originalHandshakeHash; |
| + |
| /* This lock is lazily initialized by CacheSID when a sid is first |
| * cached. Before then, there is no need to lock anything because |
| * the sid isn't being shared by anything. |
| @@ -999,6 +1007,9 @@ struct ssl3StateStr { |
| CERTCertificateList *clientCertChain; /* used by client */ |
| PRBool sendEmptyCert; /* used by client */ |
| |
| + SECKEYPrivateKey *channelID; /* used by client */ |
| + SECKEYPublicKey *channelIDPub; /* used by client */ |
| + |
| int policy; |
| /* This says what cipher suites we can do, and should |
| * be either SSL_ALLOWED or SSL_RESTRICTED |
| @@ -1294,6 +1305,8 @@ const unsigned char * preferredCipher; |
| void *pkcs11PinArg; |
| SSLNextProtoCallback nextProtoCallback; |
| void *nextProtoArg; |
| + SSLClientChannelIDCallback getChannelID; |
| + void *getChannelIDArg; |
| |
| PRIntervalTime rTimeout; /* timeout for NSPR I/O */ |
| PRIntervalTime wTimeout; /* timeout for NSPR I/O */ |
| @@ -1640,6 +1653,11 @@ extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, |
| SECKEYPrivateKey * key, |
| CERTCertificateList *certChain); |
| |
| +extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq( |
| + sslSocket *ss, |
| + SECKEYPublicKey *channelIDPub, |
| + SECKEYPrivateKey *channelID); |
| + |
| extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error); |
| |
| /* |
| diff --git a/lib/ssl/sslnonce.c b/lib/ssl/sslnonce.c |
| index be11008..1326a8b 100644 |
| --- a/lib/ssl/sslnonce.c |
| +++ b/lib/ssl/sslnonce.c |
| @@ -180,6 +180,9 @@ ssl_DestroySID(sslSessionID *sid) |
| if (sid->u.ssl3.srvName.data) { |
| SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); |
| } |
| + if (sid->u.ssl3.originalHandshakeHash.data) { |
| + SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); |
| + } |
| |
| if (sid->u.ssl3.lock) { |
| PR_DestroyRWLock(sid->u.ssl3.lock); |
| diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c |
| index f77d6fa..cca55bb 100644 |
| --- a/lib/ssl/sslsecur.c |
| +++ b/lib/ssl/sslsecur.c |
| @@ -1598,6 +1598,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileDesc * fd, |
| return ret; |
| } |
| |
| +SECStatus |
| +SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc * fd, |
| + SECKEYPublicKey * channelIDPub, |
| + SECKEYPrivateKey *channelID) |
| +{ |
| + sslSocket * ss = ssl_FindSocket(fd); |
| + SECStatus ret; |
| + |
| + if (!ss) { |
| + SSL_DBG(("%d: SSL[%d]: bad socket in" |
| + " SSL_RestartHandshakeAfterChannelIDReq", |
| + SSL_GETPID(), fd)); |
| + goto loser; |
| + } |
| + |
| + |
| + ssl_Get1stHandshakeLock(ss); |
| + |
| + if (ss->version < SSL_LIBRARY_VERSION_3_0) { |
| + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); |
| + ssl_Release1stHandshakeLock(ss); |
| + goto loser; |
| + } |
| + |
| + ret = ssl3_RestartHandshakeAfterChannelIDReq(ss, channelIDPub, |
| + channelID); |
| + ssl_Release1stHandshakeLock(ss); |
| + |
| + return ret; |
| + |
| +loser: |
| + SECKEY_DestroyPublicKey(channelIDPub); |
| + SECKEY_DestroyPrivateKey(channelID); |
| + return SECFailure; |
| +} |
| + |
| /* DO NOT USE. This function was exported in ssl.def with the wrong signature; |
| * this implementation exists to maintain link-time compatibility. |
| */ |
| diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c |
| index 11e66f2..efba686 100644 |
| --- a/lib/ssl/sslsock.c |
| +++ b/lib/ssl/sslsock.c |
| @@ -313,6 +313,8 @@ ssl_DupSocket(sslSocket *os) |
| ss->canFalseStartCallback = os->canFalseStartCallback; |
| ss->canFalseStartCallbackData = os->canFalseStartCallbackData; |
| ss->pkcs11PinArg = os->pkcs11PinArg; |
| + ss->getChannelID = os->getChannelID; |
| + ss->getChannelIDArg = os->getChannelIDArg; |
| |
| /* Create security data */ |
| rv = ssl_CopySecurityInfo(ss, os); |
| @@ -1987,6 +1989,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
| ss->handshakeCallbackData = sm->handshakeCallbackData; |
| if (sm->pkcs11PinArg) |
| ss->pkcs11PinArg = sm->pkcs11PinArg; |
| + if (sm->getChannelID) |
| + ss->getChannelID = sm->getChannelID; |
| + if (sm->getChannelIDArg) |
| + ss->getChannelIDArg = sm->getChannelIDArg; |
| return fd; |
| loser: |
| return NULL; |
| @@ -3279,6 +3285,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
| ss->badCertArg = NULL; |
| ss->pkcs11PinArg = NULL; |
| ss->ephemeralECDHKeyPair = NULL; |
| + ss->getChannelID = NULL; |
| + ss->getChannelIDArg = NULL; |
| |
| ssl_ChooseOps(ss); |
| ssl2_InitSocketPolicy(ss); |
| diff --git a/lib/ssl/sslt.h b/lib/ssl/sslt.h |
| index cd742bb..b6616e2 100644 |
| --- a/lib/ssl/sslt.h |
| +++ b/lib/ssl/sslt.h |
| @@ -238,11 +238,12 @@ typedef enum { |
| ssl_extended_master_secret_xtn = 23, |
| ssl_session_ticket_xtn = 35, |
| ssl_next_proto_nego_xtn = 13172, |
| + ssl_channel_id_xtn = 30032, |
| ssl_renegotiation_info_xtn = 0xff01, |
| ssl_tls13_draft_version_xtn = 0xff02 /* experimental number */ |
| } SSLExtensionType; |
| |
| -#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. */ |
| +#define SSL_MAX_EXTENSIONS 13 /* doesn't include ssl_padding_xtn. */ |
| |
| typedef enum { |
| ssl_dhe_group_none = 0, |