Index: net/third_party/nss/patches/channelid.patch |
=================================================================== |
--- net/third_party/nss/patches/channelid.patch (revision 242942) |
+++ net/third_party/nss/patches/channelid.patch (working copy) |
@@ -1,6 +1,6 @@ |
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
---- a/nss/lib/ssl/ssl3con.c 2013-07-31 12:45:11.497944276 -0700 |
-+++ b/nss/lib/ssl/ssl3con.c 2013-07-31 12:51:32.663550380 -0700 |
+--- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:36:09.938766379 -0800 |
++++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:37:50.360408300 -0800 |
@@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateSta |
static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); |
static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
@@ -9,7 +9,7 @@ |
static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
static SECStatus ssl3_SendServerHello( sslSocket *ss); |
static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
-@@ -5891,6 +5892,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
+@@ -6198,6 +6199,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
} |
#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
@@ -25,7 +25,7 @@ |
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
if (temp < 0) { |
goto loser; /* alert has been sent */ |
-@@ -6170,7 +6180,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
+@@ -6480,7 +6490,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
if (rv != SECSuccess) { |
goto alert_loser; /* err code was set */ |
} |
@@ -34,7 +34,7 @@ |
} while (0); |
if (sid_match) |
-@@ -6196,6 +6206,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
+@@ -6506,6 +6516,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
ss->ssl3.hs.isResuming = PR_FALSE; |
ss->ssl3.hs.ws = wait_server_cert; |
@@ -62,28 +62,66 @@ |
return SECSuccess; |
alert_loser: |
-@@ -6993,6 +7024,10 @@ ssl3_SendClientSecondRound(sslSocket *ss |
+@@ -7467,7 +7498,14 @@ ssl3_SendClientSecondRound(sslSocket *ss |
+ if (rv != SECSuccess) { |
goto loser; /* err code was set. */ |
} |
- } |
++ } |
+ |
+ rv = ssl3_SendEncryptedExtensions(ss); |
+ if (rv != SECSuccess) { |
+ goto loser; /* err code was set. */ |
+ } |
++ |
++ if (!ss->firstHsDone) { |
+ if (ss->opt.enableFalseStart) { |
+ if (!ss->ssl3.hs.authCertificatePending) { |
+ /* When we fix bug 589047, we will need to know whether we are |
+@@ -7504,6 +7542,33 @@ ssl3_SendClientSecondRound(sslSocket *ss |
- rv = ssl3_SendFinished(ss, 0); |
- if (rv != SECSuccess) { |
-@@ -9947,6 +9982,165 @@ ssl3_RecordKeyLog(sslSocket *ss) |
- return; |
+ ssl_ReleaseXmitBufLock(ss); /*******************************/ |
+ |
++ if (!ss->ssl3.hs.isResuming && |
++ ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { |
++ /* If we are negotiating ChannelID on a full handshake then we record |
++ * the handshake hashes in |sid| at this point. They will be needed in |
++ * the event that we resume this session and use ChannelID on the |
++ * resumption handshake. */ |
++ SSL3Hashes hashes; |
++ SECItem *originalHandshakeHash = |
++ &ss->sec.ci.sid->u.ssl3.originalHandshakeHash; |
++ PORT_Assert(ss->sec.ci.sid->cached == never_cached); |
++ |
++ ssl_GetSpecReadLock(ss); |
++ PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0); |
++ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); |
++ ssl_ReleaseSpecReadLock(ss); |
++ if (rv != SECSuccess) { |
++ return rv; |
++ } |
++ |
++ PORT_Assert(originalHandshakeHash->len == 0); |
++ originalHandshakeHash->data = PORT_Alloc(hashes.len); |
++ if (!originalHandshakeHash->data) |
++ return SECFailure; |
++ originalHandshakeHash->len = hashes.len; |
++ memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len); |
++ } |
++ |
+ if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) |
+ ss->ssl3.hs.ws = wait_new_session_ticket; |
+ else |
+@@ -10469,6 +10534,184 @@ ssl3_RecordKeyLog(sslSocket *ss) |
} |
-+/* called from ssl3_SendClientSecondRound |
+ /* called from ssl3_SendClientSecondRound |
+ * ssl3_HandleFinished |
+ */ |
+static SECStatus |
+ssl3_SendEncryptedExtensions(sslSocket *ss) |
+{ |
+ static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature"; |
++ static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption"; |
+ /* This is the ASN.1 prefix for a P-256 public key. Specifically it's: |
+ * SEQUENCE |
+ * SEQUENCE |
@@ -109,7 +147,10 @@ |
+ SECItem *spki = NULL; |
+ SSL3Hashes hashes; |
+ const unsigned char *pub_bytes; |
-+ unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)]; |
++ unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + |
++ sizeof(CHANNEL_ID_RESUMPTION_MAGIC) + |
++ sizeof(SSL3Hashes)*2]; |
++ size_t signed_data_len; |
+ unsigned char digest[SHA256_LENGTH]; |
+ SECItem digest_item; |
+ unsigned char signature[64]; |
@@ -159,11 +200,26 @@ |
+ |
+ pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); |
+ |
-+ memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC)); |
-+ memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len); |
++ signed_data_len = 0; |
++ memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC, |
++ sizeof(CHANNEL_ID_MAGIC)); |
++ signed_data_len += sizeof(CHANNEL_ID_MAGIC); |
++ if (ss->ssl3.hs.isResuming) { |
++ SECItem *originalHandshakeHash = |
++ &ss->sec.ci.sid->u.ssl3.originalHandshakeHash; |
++ PORT_Assert(originalHandshakeHash->len > 0); |
+ |
-+ rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, |
-+ sizeof(CHANNEL_ID_MAGIC) + hashes.len); |
++ memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC, |
++ sizeof(CHANNEL_ID_RESUMPTION_MAGIC)); |
++ signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC); |
++ memcpy(signed_data + signed_data_len, originalHandshakeHash->data, |
++ originalHandshakeHash->len); |
++ signed_data_len += originalHandshakeHash->len; |
++ } |
++ memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len); |
++ signed_data_len += hashes.len; |
++ |
++ rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len); |
+ if (rv != SECSuccess) |
+ goto loser; |
+ |
@@ -236,10 +292,11 @@ |
+ return SECSuccess; |
+} |
+ |
- /* called from ssl3_HandleServerHelloDone |
++/* called from ssl3_SendClientSecondRound |
* ssl3_HandleClientHello |
* ssl3_HandleFinished |
-@@ -10202,11 +10396,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O |
+ */ |
+@@ -10728,11 +10971,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O |
flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
} |
@@ -260,7 +317,7 @@ |
} |
if (IS_DTLS(ss)) { |
-@@ -11635,6 +11834,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
+@@ -12212,6 +12460,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
@@ -273,8 +330,8 @@ |
ssl3_CleanupPeerCerts(ss); |
diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
---- a/nss/lib/ssl/ssl3ext.c 2013-07-31 12:40:14.493586151 -0700 |
-+++ b/nss/lib/ssl/ssl3ext.c 2013-07-31 12:45:50.338515793 -0700 |
+--- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:31:09.783859095 -0800 |
++++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:36:25.379018825 -0800 |
@@ -60,6 +60,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSo |
PRUint32 maxBytes); |
static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, |
@@ -302,7 +359,7 @@ |
{ ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
{ ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } |
/* any extra entries will appear as { 0, NULL } */ |
-@@ -660,6 +666,52 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocke |
+@@ -669,6 +675,61 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocke |
} |
return extension_length; |
@@ -339,6 +396,15 @@ |
+ return 0; |
+ } |
+ |
++ if (ss->sec.ci.sid->cached != never_cached && |
++ ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) { |
++ /* We can't do ChannelID on a connection if we're resuming and didn't |
++ * do ChannelID on the original connection: without ChannelID on the |
++ * original connection we didn't record the handshake hashes needed for |
++ * the signature. */ |
++ return 0; |
++ } |
++ |
+ if (append) { |
+ SECStatus rv; |
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); |
@@ -356,8 +422,8 @@ |
loser: |
return -1; |
diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h |
---- a/nss/lib/ssl/ssl3prot.h 2013-07-31 12:07:10.974699609 -0700 |
-+++ b/nss/lib/ssl/ssl3prot.h 2013-07-31 12:45:50.338515793 -0700 |
+--- a/nss/lib/ssl/ssl3prot.h 2014-01-03 19:28:03.550814608 -0800 |
++++ b/nss/lib/ssl/ssl3prot.h 2014-01-03 19:36:25.379018825 -0800 |
@@ -129,7 +129,8 @@ typedef enum { |
client_key_exchange = 16, |
finished = 20, |
@@ -369,9 +435,9 @@ |
typedef struct { |
diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c |
---- a/nss/lib/ssl/sslauth.c 2013-07-31 12:40:14.503586299 -0700 |
-+++ b/nss/lib/ssl/sslauth.c 2013-07-31 12:45:50.338515793 -0700 |
-@@ -219,6 +219,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, |
+--- a/nss/lib/ssl/sslauth.c 2014-01-03 19:31:09.783859095 -0800 |
++++ b/nss/lib/ssl/sslauth.c 2014-01-03 19:36:25.379018825 -0800 |
+@@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, |
return SECSuccess; |
} |
@@ -397,8 +463,8 @@ |
/* NEED LOCKS IN HERE. */ |
SECStatus |
diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h |
---- a/nss/lib/ssl/sslerr.h 2013-07-31 12:07:10.974699609 -0700 |
-+++ b/nss/lib/ssl/sslerr.h 2013-07-31 12:45:50.338515793 -0700 |
+--- a/nss/lib/ssl/sslerr.h 2014-01-03 19:28:03.550814608 -0800 |
++++ b/nss/lib/ssl/sslerr.h 2014-01-03 19:36:25.379018825 -0800 |
@@ -193,6 +193,10 @@ SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = ( |
SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127), |
SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128), |
@@ -411,8 +477,8 @@ |
} SSLErrorCodes; |
#endif /* NO_SECURITY_ERROR_ENUM */ |
diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h |
---- a/nss/lib/ssl/SSLerrs.h 2013-07-31 12:07:10.964699464 -0700 |
-+++ b/nss/lib/ssl/SSLerrs.h 2013-07-31 12:45:50.338515793 -0700 |
+--- a/nss/lib/ssl/SSLerrs.h 2014-01-03 19:28:03.540814444 -0800 |
++++ b/nss/lib/ssl/SSLerrs.h 2014-01-03 19:36:25.379018825 -0800 |
@@ -412,3 +412,12 @@ ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR |
ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128), |
@@ -427,9 +493,9 @@ |
+ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131), |
+"The application could not get a TLS Channel ID.") |
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
---- a/nss/lib/ssl/ssl.h 2013-07-31 12:45:11.497944276 -0700 |
-+++ b/nss/lib/ssl/ssl.h 2013-07-31 12:45:50.338515793 -0700 |
-@@ -958,6 +958,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti |
+--- a/nss/lib/ssl/ssl.h 2014-01-03 19:36:09.938766379 -0800 |
++++ b/nss/lib/ssl/ssl.h 2014-01-03 19:36:25.379018825 -0800 |
+@@ -985,6 +985,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti |
SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd, |
PRBool *last_handshake_resumed); |
@@ -465,9 +531,24 @@ |
** How long should we wait before retransmitting the next flight of |
** the DTLS handshake? Returns SECFailure if not DTLS or not in a |
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
---- a/nss/lib/ssl/sslimpl.h 2013-07-31 12:45:11.497944276 -0700 |
-+++ b/nss/lib/ssl/sslimpl.h 2013-07-31 12:45:50.338515793 -0700 |
-@@ -921,6 +921,9 @@ struct ssl3StateStr { |
+--- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:36:09.938766379 -0800 |
++++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:36:25.379018825 -0800 |
+@@ -700,6 +700,14 @@ struct sslSessionIDStr { |
+ |
+ SECItem srvName; |
+ |
++ /* originalHandshakeHash contains the hash of the original, full |
++ * handshake prior to the server's final flow. This is either a |
++ * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for |
++ * TLS 1.2). This is recorded and used only when ChannelID is |
++ * negotiated as it's used to bind the ChannelID signature on the |
++ * resumption handshake to the original handshake. */ |
++ SECItem originalHandshakeHash; |
++ |
+ /* This lock is lazily initialized by CacheSID when a sid is first |
+ * cached. Before then, there is no need to lock anything because |
+ * the sid isn't being shared by anything. |
+@@ -969,6 +977,9 @@ struct ssl3StateStr { |
CERTCertificateList *clientCertChain; /* used by client */ |
PRBool sendEmptyCert; /* used by client */ |
@@ -477,7 +558,7 @@ |
int policy; |
/* This says what cipher suites we can do, and should |
* be either SSL_ALLOWED or SSL_RESTRICTED |
-@@ -1192,6 +1195,8 @@ const unsigned char * preferredCipher; |
+@@ -1246,6 +1257,8 @@ const unsigned char * preferredCipher; |
void *pkcs11PinArg; |
SSLNextProtoCallback nextProtoCallback; |
void *nextProtoArg; |
@@ -486,7 +567,7 @@ |
PRIntervalTime rTimeout; /* timeout for NSPR I/O */ |
PRIntervalTime wTimeout; /* timeout for NSPR I/O */ |
-@@ -1524,6 +1529,11 @@ extern SECStatus ssl3_RestartHandshakeAf |
+@@ -1590,6 +1603,11 @@ extern SECStatus ssl3_RestartHandshakeAf |
SECKEYPrivateKey * key, |
CERTCertificateList *certChain); |
@@ -498,10 +579,23 @@ |
extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error); |
/* |
+diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c |
+--- a/nss/lib/ssl/sslnonce.c 2014-01-03 19:30:40.073373382 -0800 |
++++ b/nss/lib/ssl/sslnonce.c 2014-01-03 19:36:25.379018825 -0800 |
+@@ -182,6 +182,9 @@ ssl_DestroySID(sslSessionID *sid) |
+ if (sid->u.ssl3.srvName.data) { |
+ SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); |
+ } |
++ if (sid->u.ssl3.originalHandshakeHash.data) { |
++ SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); |
++ } |
+ |
+ if (sid->u.ssl3.lock) { |
+ PR_DestroyRWLock(sid->u.ssl3.lock); |
diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c |
---- a/nss/lib/ssl/sslsecur.c 2013-07-31 12:45:11.497944276 -0700 |
-+++ b/nss/lib/ssl/sslsecur.c 2013-07-31 12:45:50.338515793 -0700 |
-@@ -1502,6 +1502,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD |
+--- a/nss/lib/ssl/sslsecur.c 2014-01-03 19:36:09.938766379 -0800 |
++++ b/nss/lib/ssl/sslsecur.c 2014-01-03 19:36:25.379018825 -0800 |
+@@ -1584,6 +1584,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD |
return ret; |
} |
@@ -545,18 +639,18 @@ |
* this implementation exists to maintain link-time compatibility. |
*/ |
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
---- a/nss/lib/ssl/sslsock.c 2013-07-31 12:44:32.017363288 -0700 |
-+++ b/nss/lib/ssl/sslsock.c 2013-07-31 12:45:50.348515937 -0700 |
-@@ -354,6 +354,8 @@ ssl_DupSocket(sslSocket *os) |
- ss->handshakeCallback = os->handshakeCallback; |
- ss->handshakeCallbackData = os->handshakeCallbackData; |
+--- a/nss/lib/ssl/sslsock.c 2014-01-03 19:32:06.914793097 -0800 |
++++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:36:25.379018825 -0800 |
+@@ -274,6 +274,8 @@ ssl_DupSocket(sslSocket *os) |
+ ss->canFalseStartCallback = os->canFalseStartCallback; |
+ ss->canFalseStartCallbackData = os->canFalseStartCallbackData; |
ss->pkcs11PinArg = os->pkcs11PinArg; |
+ ss->getChannelID = os->getChannelID; |
+ ss->getChannelIDArg = os->getChannelIDArg; |
/* Create security data */ |
rv = ssl_CopySecurityInfo(ss, os); |
-@@ -1754,6 +1756,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile |
+@@ -1669,6 +1671,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile |
ss->handshakeCallbackData = sm->handshakeCallbackData; |
if (sm->pkcs11PinArg) |
ss->pkcs11PinArg = sm->pkcs11PinArg; |
@@ -567,7 +661,7 @@ |
return fd; |
loser: |
return NULL; |
-@@ -3027,6 +3033,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto |
+@@ -2946,6 +2952,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto |
ss->badCertArg = NULL; |
ss->pkcs11PinArg = NULL; |
ss->ephemeralECDHKeyPair = NULL; |
@@ -577,13 +671,13 @@ |
ssl_ChooseOps(ss); |
ssl2_InitSocketPolicy(ss); |
diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h |
---- a/nss/lib/ssl/sslt.h 2013-07-31 12:07:10.974699609 -0700 |
-+++ b/nss/lib/ssl/sslt.h 2013-07-31 12:45:50.348515937 -0700 |
-@@ -184,9 +184,10 @@ typedef enum { |
+--- a/nss/lib/ssl/sslt.h 2014-01-03 19:28:03.560814773 -0800 |
++++ b/nss/lib/ssl/sslt.h 2014-01-03 19:36:25.379018825 -0800 |
+@@ -189,9 +189,10 @@ typedef enum { |
ssl_use_srtp_xtn = 14, |
ssl_session_ticket_xtn = 35, |
ssl_next_proto_nego_xtn = 13172, |
-+ ssl_channel_id_xtn = 30031, |
++ ssl_channel_id_xtn = 30032, |
ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
} SSLExtensionType; |