Support new ChannelID extension.

net/third_party/nss/ssl/ssl3con.c

Index: net/third_party/nss/ssl/ssl3con.c
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 8b8b758c0b47c50fb1b55a51658bf84ee3493a9b..1c55bc4488c3413267c9d0e484b1aa19b3146ec2 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -7570,6 +7570,30 @@ ssl3_SendClientSecondRound(sslSocket *ss)
 	goto loser;	/* err code was set. */
     }
 
+    if (!ss->ssl3.hs.isResuming &&
+        ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
+        /* If we are negotiating ChannelID on a full handshake then we record
+         * the handshake hashes in |sid| at this point. They will be needed in
+         * the event that we resume this session and use ChannelID on the
+         * resumption handshake. */
+        SSL3Hashes hashes;
+        SECItem *lastHandshakeHash = &ss->sec.ci.sid->u.ssl3.lastHandshakeHash;
+

[wtc, 2013/11/14 00:50:56]

Can you assert ss->sec.ci.sid->cached == never_cached?

[agl, 2013/11/14 18:50:42]

Done.

+        ssl_GetSpecReadLock(ss);
+        /* the cwSpec and zero arguments are only used for SSLv3, but we know

[wtc, 2013/11/14 00:50:56]

The cwSpec argument is also used by ssl3_ComputeHandshakeHashes to get the
protocol version (spec->version) and to verify we have the master secret
available, even though the master secret is only used for SSLv3. So this comment
is a little inaccurate.

Are you trying to explain why it doesn't matter whether we're using
ss->ssl3.cwSpec or ss->ssl3.crSpec? At this point, we haven't received the
server's ChangeCipherSpec, so ss->ssl3.crSpec is still using the null cipher.

[agl, 2013/11/14 18:50:42]

This comment is clearly confusing. I've deleted it.

+         * that this connection is not SSLv3 because we negotiated ChannelID. */
+        PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0);
+        ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);

[wtc, 2013/11/14 00:50:56]

Check the return value?

[agl, 2013/11/14 18:50:42]

Done.

+        ssl_ReleaseSpecReadLock(ss);
+
+        PORT_Assert(lastHandshakeHash->len == 0);
+        lastHandshakeHash->data = PORT_Alloc(hashes.len);
+        if (!lastHandshakeHash->data)
+            goto loser;

[wtc, 2013/11/14 00:50:56]

This should be simply "return SECFailure" if you move the
ssl_ReleaseXmitBufLock(ss) call up, as I suggest below.

[agl, 2013/11/14 18:50:42]

Done.

+        lastHandshakeHash->len = hashes.len;
+        memcpy(lastHandshakeHash->data, hashes.u.raw, hashes.len);
+    }
+
     ssl_ReleaseXmitBufLock(ss);		/*******************************/

[wtc, 2013/11/14 00:50:56]

We should call ssl_ReleaseXmitBufLock(ss) before recording the full handshake
hash.

[agl, 2013/11/14 18:50:42]

Done.

 
     if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
@@ -10568,6 +10592,7 @@ static SECStatus
 ssl3_SendEncryptedExtensions(sslSocket *ss)
 {
     static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
+    static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption";
     /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
      * SEQUENCE
      *   SEQUENCE
@@ -10593,7 +10618,10 @@ ssl3_SendEncryptedExtensions(sslSocket *ss)
     SECItem *spki = NULL;
     SSL3Hashes hashes;
     const unsigned char *pub_bytes;
-    unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
+    unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) +
+                              sizeof(CHANNEL_ID_RESUMPTION_MAGIC) +
+                              sizeof(SSL3Hashes)*2];
+    size_t j;

[wtc, 2013/11/14 00:50:56]

Nit: this variable should be named signed_data_len if that's not too long.

[agl, 2013/11/14 18:50:42]

Done.

     unsigned char digest[SHA256_LENGTH];
     SECItem digest_item;
     unsigned char signature[64];
@@ -10643,11 +10671,24 @@ ssl3_SendEncryptedExtensions(sslSocket *ss)
 
     pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
 
-    memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
-    memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), hashes.u.raw, hashes.len);
+    j = 0;
+    memcpy(signed_data + j, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
+    j += sizeof(CHANNEL_ID_MAGIC);
+    if (ss->ssl3.hs.isResuming) {
+        SECItem *lastHandshakeHash = &ss->sec.ci.sid->u.ssl3.lastHandshakeHash;
+        PORT_Assert(lastHandshakeHash->len > 0);
 
-    rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data,
-		      sizeof(CHANNEL_ID_MAGIC) + hashes.len);
+        memcpy(signed_data + j, CHANNEL_ID_RESUMPTION_MAGIC,
+               sizeof(CHANNEL_ID_RESUMPTION_MAGIC));
+        j += sizeof(CHANNEL_ID_RESUMPTION_MAGIC);
+        memcpy(signed_data + j, lastHandshakeHash->data,
+               lastHandshakeHash->len);
+        j += lastHandshakeHash->len;
+    }
+    memcpy(signed_data + j, hashes.u.raw, hashes.len);
+    j += hashes.len;
+
+    rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, j);
     if (rv != SECSuccess)
 	goto loser;