New tls channel id version for OpenSSL

openssl/ssl/s3_clnt.c

Index: openssl/ssl/s3_clnt.c
diff --git a/openssl/ssl/s3_clnt.c b/openssl/ssl/s3_clnt.c
index d1b3224b1b27876f0135c03f90d794f5ad39e312..94fd9c8542897adb11bb1495c5ef3de82e1cece3 100644
--- a/openssl/ssl/s3_clnt.c
+++ b/openssl/ssl/s3_clnt.c
@@ -583,6 +583,18 @@ int ssl3_connect(SSL *s)
 #endif
 						s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
 					}
+					if (s->s3->tlsext_channel_id_valid)

[wtc, 2014/04/30 14:11:50]

Adam: This seems to mean that if the original full handshake doesn't involve
ChannelID, then future handshakes that resume this sesssion won't be able to use
ChannelID. Is this correct?

[agl, 2014/05/02 17:58:54]

Yes.

+					{
+					/* This is a non-resumption handshake. If it
+					 * involves ChannelID, then record the
+					 * handshake hashes at this point in the
+					 * session so that any resumption of this
+					 * session with ChannelID can sign those
+					 * hashes. */
+					ret = tls1_record_handshake_hashes_for_channel_id(s);

[haavardm, 2014/04/28 20:26:15]

Before I knew about the server patch, I calculated the original hash using

s->session->original_handshake_hash = 
 SSL_get_finished(s, s->session->original_handshake_hash,							
                  sizeof(s->session->original_handshake_hash));

To me this seems a bit simpler as we don't need all the changes in
openssl/ssl/t1_lib.c The finish message is calculated in ssl3_send_finished(),
so the result should be the same?

[wtc, 2014/04/30 14:11:50]

If SSL_get_finished returns the contents of the Finished message, then it is not
the handshake hash:

      struct {
          opaque verify_data[verify_data_length];
      } Finished;

      verify_data
         PRF(master_secret, finished_label, Hash(handshake_messages))
            [0..verify_data_length-1];

What ChannelID uses is just Hash(handshake_messages).

+					if (ret <= 0)
+						goto end;
+					}
 				}
 			s->init_num=0;
 			break;