Support new ChannelID extension.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 7552 matching lines @@
                             SSL_GETPID(), ss->fd));
             }
         }
     }
 
     rv = ssl3_SendFinished(ss, 0);
     if (rv != SECSuccess) {
         goto loser;     /* err code was set. */
     }
 
+    if (!ss->ssl3.hs.isResuming &&
+        ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
+        /* If we are negotiating ChannelID on a full handshake then we record
+         * the handshake hashes in |sid| at this point. They will be needed in
+         * the event that we resume this session and use ChannelID on the
+         * resumption handshake. */
+        SSL3Hashes hashes;
+        SECItem *lastHandshakeHash = &ss->sec.ci.sid->u.ssl3.lastHandshakeHash;
+

[wtc, 2013/11/14 00:50:56]

Can you assert ss->sec.ci.sid->cached == never_cached?

[agl, 2013/11/14 18:50:42]

Done.

+        ssl_GetSpecReadLock(ss);
+        /* the cwSpec and zero arguments are only used for SSLv3, but we know

[wtc, 2013/11/14 00:50:56]

The cwSpec argument is also used by ssl3_ComputeHandshakeHashes to get the
protocol version (spec->version) and to verify we have the master secret
available, even though the master secret is only used for SSLv3. So this comment
is a little inaccurate.

Are you trying to explain why it doesn't matter whether we're using
ss->ssl3.cwSpec or ss->ssl3.crSpec? At this point, we haven't received the
server's ChangeCipherSpec, so ss->ssl3.crSpec is still using the null cipher.

[agl, 2013/11/14 18:50:42]

This comment is clearly confusing. I've deleted it.

+         * that this connection is not SSLv3 because we negotiated ChannelID. */
+        PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0);
+        ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);

[wtc, 2013/11/14 00:50:56]

Check the return value?

[agl, 2013/11/14 18:50:42]

Done.

+        ssl_ReleaseSpecReadLock(ss);
+
+        PORT_Assert(lastHandshakeHash->len == 0);
+        lastHandshakeHash->data = PORT_Alloc(hashes.len);
+        if (!lastHandshakeHash->data)
+            goto loser;

[wtc, 2013/11/14 00:50:56]

This should be simply "return SECFailure" if you move the
ssl_ReleaseXmitBufLock(ss) call up, as I suggest below.

[agl, 2013/11/14 18:50:42]

Done.

+        lastHandshakeHash->len = hashes.len;
+        memcpy(lastHandshakeHash->data, hashes.u.raw, hashes.len);
+    }
+
     ssl_ReleaseXmitBufLock(ss);         /*******************************/

[wtc, 2013/11/14 00:50:56]

We should call ssl_ReleaseXmitBufLock(ss) before recording the full handshake
hash.

[agl, 2013/11/14 18:50:42]

Done.

 
     if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
         ss->ssl3.hs.ws = wait_new_session_ticket;
     else
         ss->ssl3.hs.ws = wait_change_cipher;
 
     if (ss->handshakeCallback &&
         (ss->ssl3.hs.canFalseStart && !ss->canFalseStartCallback)) {
         /* Call the handshake callback here for backwards compatibility with
          * applications that were using false start before
@@ skipping 2977 matching lines @@
     return;
 }
 
 /* called from ssl3_SendClientSecondRound
  *           ssl3_HandleFinished
  */
 static SECStatus
 ssl3_SendEncryptedExtensions(sslSocket *ss)
 {
     static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
+    static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption";
     /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
      * SEQUENCE
      *   SEQUENCE
      *     OID id-ecPublicKey
      *     OID prime256v1
      *   BIT STRING, length 66, 0 trailing bits: 0x04
      *
      * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
      * public key. Following that are the two field elements as 32-byte,
      * big-endian numbers, as required by the Channel ID. */
     static const unsigned char P256_SPKI_PREFIX[] = {
         0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
         0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
         0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
         0x42, 0x00, 0x04
     };
     /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
      * bytes of ECDSA signature. */
     static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
     static const int CHANNEL_ID_LENGTH = 128;
 
     SECStatus rv = SECFailure;
     SECItem *spki = NULL;
     SSL3Hashes hashes;
     const unsigned char *pub_bytes;
-    unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
+    unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) +
+                              sizeof(CHANNEL_ID_RESUMPTION_MAGIC) +
+                              sizeof(SSL3Hashes)*2];
+    size_t j;

[wtc, 2013/11/14 00:50:56]

Nit: this variable should be named signed_data_len if that's not too long.

[agl, 2013/11/14 18:50:42]

Done.

     unsigned char digest[SHA256_LENGTH];
     SECItem digest_item;
     unsigned char signature[64];
     SECItem signature_item;
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     if (ss->ssl3.channelID == NULL)
         return SECSuccess;
@@ skipping 29 matching lines @@
 
     if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
         memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) {
         PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
         rv = SECFailure;
         goto loser;
     }
 
     pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
 
-    memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
-    memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len);
+    j = 0;
+    memcpy(signed_data + j, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
+    j += sizeof(CHANNEL_ID_MAGIC);
+    if (ss->ssl3.hs.isResuming) {
+        SECItem *lastHandshakeHash = &ss->sec.ci.sid->u.ssl3.lastHandshakeHash;
+        PORT_Assert(lastHandshakeHash->len > 0);
 
-    rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data,
-                      sizeof(CHANNEL_ID_MAGIC) + hashes.len);
+        memcpy(signed_data + j, CHANNEL_ID_RESUMPTION_MAGIC,
+               sizeof(CHANNEL_ID_RESUMPTION_MAGIC));
+        j += sizeof(CHANNEL_ID_RESUMPTION_MAGIC);
+        memcpy(signed_data + j, lastHandshakeHash->data,
+               lastHandshakeHash->len);
+        j += lastHandshakeHash->len;
+    }
+    memcpy(signed_data + j, hashes.u.raw, hashes.len);
+    j += hashes.len;
+
+    rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, j);
     if (rv != SECSuccess)
         goto loser;
 
     digest_item.data = digest;
     digest_item.len = sizeof(digest);
 
     signature_item.data = signature;
     signature_item.len = sizeof(signature);
 
     rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
@@ skipping 1907 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */