Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(333)

Side by Side Diff: net/third_party/nss/patches/channelid.patch

Issue 10424013: Support TLS Channel IDs in NSS (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
(Empty)
1 diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
2 index 1368e2f..5cdbff5 100644
3 --- a/net/third_party/nss/ssl/ssl.h
4 +++ b/net/third_party/nss/ssl/ssl.h
5 @@ -945,6 +945,13 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFil eDesc * socket,
6 SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd,
7 PRBool *last_handshake_resumed );
8
9 +/* SSL_SetChannelD sets a P-256, ECC private key to use as the TLS Channel ID.
10 + * This is only applicable to client sockets and is only effective when the
11 + * server supports TLS Channel ID. Note that this function takes ownership of
12 + * |id| and |pub|. */
13 +SSL_IMPORT SECStatus SSL_SetChannelD(PRFileDesc *fd, SECKEYPrivateKey *id,
14 + SECKEYPublicKey *pub);
15 +
16 /*
17 ** How long should we wait before retransmitting the next flight of
18 ** the DTLS handshake? Returns SECFailure if not DTLS or not in a
19 diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con .c
20 index db9fad3..508e708 100644
21 --- a/net/third_party/nss/ssl/ssl3con.c
22 +++ b/net/third_party/nss/ssl/ssl3con.c
23 @@ -86,6 +86,7 @@ static SECStatus ssl3_SendCertificate( sslSocket *ss);
24 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
25 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
26 static SECStatus ssl3_SendNextProto( sslSocket *ss);
27 +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
28 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
29 static SECStatus ssl3_SendServerHello( sslSocket *ss);
30 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
31 @@ -6238,6 +6239,10 @@ ssl3_SendClientSecondRound(sslSocket *ss)
32 if (rv != SECSuccess) {
33 goto loser; /* err code was set. */
34 }
35 + rv = ssl3_SendEncryptedExtensions(ss);
36 + if (rv != SECSuccess) {
37 + goto loser; /* err code was set. */
38 + }
39 }
40
41 rv = ssl3_SendFinished(ss, 0);
42 @@ -8856,6 +8861,111 @@ ssl3_SendNextProto(sslSocket *ss)
43 }
44
45 /* called from ssl3_HandleServerHelloDone
46 + */
47 +static SECStatus
48 +ssl3_SendEncryptedExtensions(sslSocket *ss)
49 +{
50 + SECStatus rv = SECFailure;
51 + SECItem *spki = NULL;
52 + SSL3Hashes hashes;
53 + const unsigned char *pub_bytes;
54 + static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
55 + unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
56 + unsigned char digest[SHA256_LENGTH];
57 + SECItem digest_item;
58 + unsigned char signature[64];
59 + SECItem signature_item;
60 +
61 + if (!ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn))
62 + return SECSuccess;
63 +
64 + PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
65 + PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
66 + PORT_Assert(ss->ssl3.channelID);
67 +
68 + /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 6 4
69 + * bytes of ECDSA signature. */
70 + static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
71 + static const int CHANNEL_ID_LENGTH = 128;
72 +
73 + if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey ||
74 + PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) {
75 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
76 + return SECFailure;
77 + }
78 +
79 + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, PR_TRUE);
80 + if (rv != SECSuccess)
81 + goto loser;
82 +
83 + rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
84 + 2 + 2 + CHANNEL_ID_LENGTH);
85 + if (rv != SECSuccess)
86 + return rv; /* error code set by AppendHandshakeHeader */
87 + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
88 + if (rv != SECSuccess)
89 + return rv; /* error code set by AppendHandshake */
90 + rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
91 + if (rv != SECSuccess)
92 + return rv; /* error code set by AppendHandshake */
93 +
94 + spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub);
95 +
96 + /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
97 + * SEQUENCE
98 + * SEQUENCE
99 + * OID id-ecPublicKey
100 + * OID prime256v1
101 + * BIT STRING, length 66, 0 trailing bits: 0x04
102 + *
103 + * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
104 + * public key. Following that are the two field elements as 32-byte,
105 + * big-endian numbers, as required by the Channel ID. */
106 + static const unsigned char P256_SPKI_PREFIX[] = {
107 + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
108 + 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
109 + 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
110 + 0x42, 0x00, 0x04
111 + };
112 +
113 + if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
114 + memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) {
115 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
116 + return SECFailure;
117 + }
118 +
119 + pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
120 +
121 + memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
122 + memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), &hashes, sizeof(hashes));
123 +
124 + rv = SHA256_HashBuf(digest, signed_data, sizeof(signed_data));
125 + if (rv != SECSuccess)
126 + goto loser;
127 +
128 + digest_item.data = (void*) &digest;
129 + digest_item.len = sizeof(digest);
130 +
131 + signature_item.data = (void*) &signature;
132 + signature_item.len = sizeof(signature);
133 +
134 + rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
135 + if (rv != SECSuccess)
136 + goto loser;
137 +
138 + rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
139 + rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
140 +
141 + rv = SECSuccess;
142 +
143 +loser:
144 + if (spki)
145 + SECITEM_FreeItem(spki, PR_TRUE);
146 +
147 + return rv;
148 +}
149 +
150 +/* called from ssl3_HandleServerHelloDone
151 * ssl3_HandleClientHello
152 * ssl3_HandleFinished
153 */
154 @@ -9110,6 +9220,10 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint3 2 length,
155 if (rv != SECSuccess) {
156 goto xmit_loser; /* err code was set. */
157 }
158 + rv = ssl3_SendEncryptedExtensions(ss);
159 + if (rv != SECSuccess) {
160 + goto xmit_loser; /* err code was set. */
161 + }
162 }
163
164 if (IS_DTLS(ss)) {
165 @@ -10415,6 +10529,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
166 ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
167 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
168
169 + if (ss->ssl3.channelID)
170 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
171 + if (ss->ssl3.channelIDPub)
172 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
173 +
174 /* Destroy the DTLS data */
175 if (IS_DTLS(ss)) {
176 if (ss->ssl3.hs.lastMessageFlight) {
177 diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext .c
178 index b9fd6e7..3343b5b 100644
179 --- a/net/third_party/nss/ssl/ssl3ext.c
180 +++ b/net/third_party/nss/ssl/ssl3ext.c
181 @@ -80,10 +80,14 @@ static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket * ss,
182 PRUint16 ex_type, SECItem *data);
183 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
184 PRUint16 ex_type, SECItem *data);
185 +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
186 + PRUint16 ex_type, SECItem *data);
187 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
188 PRUint16 ex_type, SECItem *data);
189 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
190 PRUint32 maxBytes);
191 +static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
192 + PRUint32 maxBytes);
193
194 /*
195 * Write bytes. Using this function means the SECItem structure
196 @@ -253,6 +257,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTL S[] = {
197 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
198 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
199 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
200 + { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
201 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
202 { -1, NULL }
203 };
204 @@ -278,6 +283,7 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTEN SIONS] = {
205 #endif
206 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
207 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
208 + { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
209 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
210 /* any extra entries will appear as { 0, NULL } */
211 };
212 @@ -635,6 +641,21 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 e x_type,
213 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
214 }
215
216 +static SECStatus
217 +ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
218 + SECItem *data)
219 +{
220 + if (!ss->ssl3.channelID)
221 + return 0;
222 +
223 + if (data->len) {
224 + PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA);
225 + return SECFailure;
226 + }
227 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
228 + return SECSuccess;
229 +}
230 +
231 static PRInt32
232 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
233 PRUint32 maxBytes)
234 @@ -668,6 +689,35 @@ loser:
235 return -1;
236 }
237
238 +static PRInt32
239 +ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append,
240 + PRUint32 maxBytes)
241 +{
242 + PRInt32 extension_length = 4;
243 +
244 + if (!ss->ssl3.channelID)
245 + return 0;
246 +
247 + if (append && maxBytes >= extension_length) {
248 + SECStatus rv;
249 + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
250 + if (rv != SECSuccess)
251 + goto loser;
252 + rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
253 + if (rv != SECSuccess)
254 + goto loser;
255 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
256 + ssl_channel_id_xtn;
257 + } else if (maxBytes < extension_length) {
258 + return 0;
259 + }
260 +
261 + return extension_length;
262 +
263 +loser:
264 + return -1;
265 +}
266 +
267 SECStatus
268 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
269 SECItem *data)
270 diff --git a/net/third_party/nss/ssl/ssl3prot.h b/net/third_party/nss/ssl/ssl3pr ot.h
271 index 550c341..11f9624 100644
272 --- a/net/third_party/nss/ssl/ssl3prot.h
273 +++ b/net/third_party/nss/ssl/ssl3prot.h
274 @@ -163,7 +163,8 @@ typedef enum {
275 client_key_exchange = 16,
276 finished = 20,
277 certificate_status = 22,
278 - next_proto = 67
279 + next_proto = 67,
280 + encrypted_extensions= 203
281 } SSL3HandshakeType;
282
283 typedef struct {
284 diff --git a/net/third_party/nss/ssl/sslerr.h b/net/third_party/nss/ssl/sslerr.h
285 index 9d3bebc..e8be95b 100644
286 --- a/net/third_party/nss/ssl/sslerr.h
287 +++ b/net/third_party/nss/ssl/sslerr.h
288 @@ -218,6 +218,9 @@ SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 121),
289 SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 122),
290 SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 123),
291
292 +SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 124),
293 +SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 125),
294 +
295 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
296 } SSLErrorCodes;
297 #endif /* NO_SECURITY_ERROR_ENUM */
298 diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl .h
299 index 8ab865a..86337b0 100644
300 --- a/net/third_party/nss/ssl/sslimpl.h
301 +++ b/net/third_party/nss/ssl/sslimpl.h
302 @@ -949,6 +949,8 @@ struct ssl3StateStr {
303 */
304 SECItem nextProto;
305 SSLNextProtoState nextProtoState;
306 + SECKEYPrivateKey * channelID; /* ECC private key. Used by client. */
307 + SECKEYPublicKey * channelIDPub; /* ECC public key. Used by client. */
308
309 PRUint16 mtu; /* Our estimate of the MTU */
310 };
311 diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock .c
312 index ebc245a..06f66b0 100644
313 --- a/net/third_party/nss/ssl/sslsock.c
314 +++ b/net/third_party/nss/ssl/sslsock.c
315 @@ -1878,6 +1878,33 @@ SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *hands hake_resumed) {
316 return SECSuccess;
317 }
318
319 +SECStatus
320 +SSL_SetChannelID(PRFileDesc *fd, SECKEYPrivateKey *id,
321 + SECKEYPublicKey *pub) {
322 + sslSocket *ss = ssl_FindSocket(fd);
323 +
324 + if (!ss) {
325 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetChannelID",
326 + SSL_GETPID(), fd));
327 + return SECFailure;
328 + }
329 +
330 + if (SECKEY_GetPrivateKeyType(id) != ecKey) {
331 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
332 + return SECFailure;
333 + }
334 +
335 + if (ss->ssl3.channelID)
336 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
337 + if (ss->ssl3.channelIDPub)
338 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
339 +
340 + ss->ssl3.channelID = id;
341 + ss->ssl3.channelIDPub = pub;
342 +
343 + return SECSuccess;
344 +}
345 +
346 const SECItem *
347 SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd)
348 {
349 diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
350 index 0636570..978b1cb 100644
351 --- a/net/third_party/nss/ssl/sslt.h
352 +++ b/net/third_party/nss/ssl/sslt.h
353 @@ -215,9 +215,10 @@ typedef enum {
354 #endif
355 ssl_session_ticket_xtn = 35,
356 ssl_next_proto_nego_xtn = 13172,
357 + ssl_channel_id_xtn = 30031,
358 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
359 } SSLExtensionType;
360
361 -#define SSL_MAX_EXTENSIONS 7
362 +#define SSL_MAX_EXTENSIONS 8
363
364 #endif /* __sslt_h_ */
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698