Support new ChannelID extension.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 7576 matching lines @@
         }
     }
 
     rv = ssl3_SendFinished(ss, 0);
     if (rv != SECSuccess) {
         goto loser;     /* err code was set. */
     }
 
     ssl_ReleaseXmitBufLock(ss);         /*******************************/
 
+    if (!ss->ssl3.hs.isResuming &&
+        ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
+        /* If we are negotiating ChannelID on a full handshake then we record
+         * the handshake hashes in |sid| at this point. They will be needed in
+         * the event that we resume this session and use ChannelID on the
+         * resumption handshake. */
+        SSL3Hashes hashes;
+        SECItem *originalHandshakeHash =
+            &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
+        PORT_Assert(ss->sec.ci.sid->cached == never_cached);
+
+        ssl_GetSpecReadLock(ss);
+        PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0);
+        rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
+        ssl_ReleaseSpecReadLock(ss);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+
+        PORT_Assert(originalHandshakeHash->len == 0);
+        originalHandshakeHash->data = PORT_Alloc(hashes.len);
+        if (!originalHandshakeHash->data)
+            return SECFailure;
+        originalHandshakeHash->len = hashes.len;
+        memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len);
+    }
+
     if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
         ss->ssl3.hs.ws = wait_new_session_ticket;
     else
         ss->ssl3.hs.ws = wait_change_cipher;
 
     if (ss->handshakeCallback &&
         (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) {
         /* Call the handshake callback here for backwards compatibility with
          * applications that were using false start before
          * canFalseStartCallback was added. Note that we do this after calling
@@ skipping 2976 matching lines @@
     return;
 }
 
 /* called from ssl3_SendClientSecondRound
  *           ssl3_HandleFinished
  */
 static SECStatus
 ssl3_SendEncryptedExtensions(sslSocket *ss)
 {
     static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
+    static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption";
     /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
      * SEQUENCE
      *   SEQUENCE
      *     OID id-ecPublicKey
      *     OID prime256v1
      *   BIT STRING, length 66, 0 trailing bits: 0x04
      *
      * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
      * public key. Following that are the two field elements as 32-byte,
      * big-endian numbers, as required by the Channel ID. */
     static const unsigned char P256_SPKI_PREFIX[] = {
         0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
         0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
         0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
         0x42, 0x00, 0x04
     };
     /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
      * bytes of ECDSA signature. */
     static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
     static const int CHANNEL_ID_LENGTH = 128;
 
     SECStatus rv = SECFailure;
     SECItem *spki = NULL;
     SSL3Hashes hashes;
     const unsigned char *pub_bytes;
-    unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
+    unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) +
+                              sizeof(CHANNEL_ID_RESUMPTION_MAGIC) +
+                              sizeof(SSL3Hashes)*2];
+    size_t signed_data_len;
     unsigned char digest[SHA256_LENGTH];
     SECItem digest_item;
     unsigned char signature[64];
     SECItem signature_item;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     if (ss->ssl3.channelID == NULL)
         return SECSuccess;
@@ skipping 29 matching lines @@
 
     if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
         memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) {
         PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
         rv = SECFailure;
         goto loser;
     }
 
     pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
 
-    memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
-    memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len);
+    signed_data_len = 0;
+    memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC,
+           sizeof(CHANNEL_ID_MAGIC));
+    signed_data_len += sizeof(CHANNEL_ID_MAGIC);
+    if (ss->ssl3.hs.isResuming) {
+        SECItem *originalHandshakeHash =
+            &ss->sec.ci.sid->u.ssl3.originalHandshakeHash;
+        PORT_Assert(originalHandshakeHash->len > 0);
 
-    rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data,
-                      sizeof(CHANNEL_ID_MAGIC) + hashes.len);
+        memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC,
+               sizeof(CHANNEL_ID_RESUMPTION_MAGIC));
+        signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC);
+        memcpy(signed_data + signed_data_len, originalHandshakeHash->data,
+               originalHandshakeHash->len);
+        signed_data_len += originalHandshakeHash->len;
+    }
+    memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len);
+    signed_data_len += hashes.len;
+
+    rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len);
     if (rv != SECSuccess)
         goto loser;
 
     digest_item.data = digest;
     digest_item.len = sizeof(digest);
 
     signature_item.data = signature;
     signature_item.len = sizeof(signature);
 
     rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
@@ skipping 1907 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */