Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(288)

Unified Diff: net/third_party/nss/patches/channelid.patch

Issue 10424013: Support TLS Channel IDs in NSS (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: net/third_party/nss/patches/channelid.patch
diff --git a/net/third_party/nss/patches/channelid.patch b/net/third_party/nss/patches/channelid.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4912f898f9601d0abb40db5497a71ac9a4a53913
--- /dev/null
+++ b/net/third_party/nss/patches/channelid.patch
@@ -0,0 +1,364 @@
+diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
+index 1368e2f..5cdbff5 100644
+--- a/net/third_party/nss/ssl/ssl.h
++++ b/net/third_party/nss/ssl/ssl.h
+@@ -945,6 +945,13 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc * socket,
+ SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd,
+ PRBool *last_handshake_resumed);
+
++/* SSL_SetChannelD sets a P-256, ECC private key to use as the TLS Channel ID.
++ * This is only applicable to client sockets and is only effective when the
++ * server supports TLS Channel ID. Note that this function takes ownership of
++ * |id| and |pub|. */
++SSL_IMPORT SECStatus SSL_SetChannelD(PRFileDesc *fd, SECKEYPrivateKey *id,
++ SECKEYPublicKey *pub);
++
+ /*
+ ** How long should we wait before retransmitting the next flight of
+ ** the DTLS handshake? Returns SECFailure if not DTLS or not in a
+diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
+index db9fad3..508e708 100644
+--- a/net/third_party/nss/ssl/ssl3con.c
++++ b/net/third_party/nss/ssl/ssl3con.c
+@@ -86,6 +86,7 @@ static SECStatus ssl3_SendCertificate( sslSocket *ss);
+ static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
+ static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
+ static SECStatus ssl3_SendNextProto( sslSocket *ss);
++static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
+ static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
+ static SECStatus ssl3_SendServerHello( sslSocket *ss);
+ static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
+@@ -6238,6 +6239,10 @@ ssl3_SendClientSecondRound(sslSocket *ss)
+ if (rv != SECSuccess) {
+ goto loser; /* err code was set. */
+ }
++ rv = ssl3_SendEncryptedExtensions(ss);
++ if (rv != SECSuccess) {
++ goto loser; /* err code was set. */
++ }
+ }
+
+ rv = ssl3_SendFinished(ss, 0);
+@@ -8856,6 +8861,111 @@ ssl3_SendNextProto(sslSocket *ss)
+ }
+
+ /* called from ssl3_HandleServerHelloDone
++ */
++static SECStatus
++ssl3_SendEncryptedExtensions(sslSocket *ss)
++{
++ SECStatus rv = SECFailure;
++ SECItem *spki = NULL;
++ SSL3Hashes hashes;
++ const unsigned char *pub_bytes;
++ static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
++ unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
++ unsigned char digest[SHA256_LENGTH];
++ SECItem digest_item;
++ unsigned char signature[64];
++ SECItem signature_item;
++
++ if (!ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn))
++ return SECSuccess;
++
++ PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
++ PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
++ PORT_Assert(ss->ssl3.channelID);
++
++ /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64
++ * bytes of ECDSA signature. */
++ static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64;
++ static const int CHANNEL_ID_LENGTH = 128;
++
++ if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey ||
++ PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) {
++ PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
++ return SECFailure;
++ }
++
++ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, PR_TRUE);
++ if (rv != SECSuccess)
++ goto loser;
++
++ rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
++ 2 + 2 + CHANNEL_ID_LENGTH);
++ if (rv != SECSuccess)
++ return rv; /* error code set by AppendHandshakeHeader */
++ rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
++ if (rv != SECSuccess)
++ return rv; /* error code set by AppendHandshake */
++ rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
++ if (rv != SECSuccess)
++ return rv; /* error code set by AppendHandshake */
++
++ spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub);
++
++ /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
++ * SEQUENCE
++ * SEQUENCE
++ * OID id-ecPublicKey
++ * OID prime256v1
++ * BIT STRING, length 66, 0 trailing bits: 0x04
++ *
++ * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62
++ * public key. Following that are the two field elements as 32-byte,
++ * big-endian numbers, as required by the Channel ID. */
++ static const unsigned char P256_SPKI_PREFIX[] = {
++ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
++ 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a,
++ 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
++ 0x42, 0x00, 0x04
++ };
++
++ if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
++ memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) {
++ PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
++ return SECFailure;
++ }
++
++ pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
++
++ memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
++ memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), &hashes, sizeof(hashes));
++
++ rv = SHA256_HashBuf(digest, signed_data, sizeof(signed_data));
++ if (rv != SECSuccess)
++ goto loser;
++
++ digest_item.data = (void*) &digest;
++ digest_item.len = sizeof(digest);
++
++ signature_item.data = (void*) &signature;
++ signature_item.len = sizeof(signature);
++
++ rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
++ if (rv != SECSuccess)
++ goto loser;
++
++ rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
++ rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
++
++ rv = SECSuccess;
++
++loser:
++ if (spki)
++ SECITEM_FreeItem(spki, PR_TRUE);
++
++ return rv;
++}
++
++/* called from ssl3_HandleServerHelloDone
+ * ssl3_HandleClientHello
+ * ssl3_HandleFinished
+ */
+@@ -9110,6 +9220,10 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
+ if (rv != SECSuccess) {
+ goto xmit_loser; /* err code was set. */
+ }
++ rv = ssl3_SendEncryptedExtensions(ss);
++ if (rv != SECSuccess) {
++ goto xmit_loser; /* err code was set. */
++ }
+ }
+
+ if (IS_DTLS(ss)) {
+@@ -10415,6 +10529,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+ ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
+ ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
+
++ if (ss->ssl3.channelID)
++ SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
++ if (ss->ssl3.channelIDPub)
++ SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
++
+ /* Destroy the DTLS data */
+ if (IS_DTLS(ss)) {
+ if (ss->ssl3.hs.lastMessageFlight) {
+diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
+index b9fd6e7..3343b5b 100644
+--- a/net/third_party/nss/ssl/ssl3ext.c
++++ b/net/third_party/nss/ssl/ssl3ext.c
+@@ -80,10 +80,14 @@ static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
+ PRUint16 ex_type, SECItem *data);
+ static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
+ PRUint16 ex_type, SECItem *data);
++static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
++ PRUint16 ex_type, SECItem *data);
+ static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
+ PRUint16 ex_type, SECItem *data);
+ static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
+ PRUint32 maxBytes);
++static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
++ PRUint32 maxBytes);
+
+ /*
+ * Write bytes. Using this function means the SECItem structure
+@@ -253,6 +257,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
+ { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
+ { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
+ { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
++ { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
+ { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
+ { -1, NULL }
+ };
+@@ -278,6 +283,7 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
+ #endif
+ { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
+ { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
++ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
+ /* any extra entries will appear as { 0, NULL } */
+ };
+@@ -635,6 +641,21 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
+ return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
+ }
+
++static SECStatus
++ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
++ SECItem *data)
++{
++ if (!ss->ssl3.channelID)
++ return 0;
++
++ if (data->len) {
++ PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA);
++ return SECFailure;
++ }
++ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
++ return SECSuccess;
++}
++
+ static PRInt32
+ ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
+ PRUint32 maxBytes)
+@@ -668,6 +689,35 @@ loser:
+ return -1;
+ }
+
++static PRInt32
++ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append,
++ PRUint32 maxBytes)
++{
++ PRInt32 extension_length = 4;
++
++ if (!ss->ssl3.channelID)
++ return 0;
++
++ if (append && maxBytes >= extension_length) {
++ SECStatus rv;
++ rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
++ if (rv != SECSuccess)
++ goto loser;
++ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
++ if (rv != SECSuccess)
++ goto loser;
++ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
++ ssl_channel_id_xtn;
++ } else if (maxBytes < extension_length) {
++ return 0;
++ }
++
++ return extension_length;
++
++loser:
++ return -1;
++}
++
+ SECStatus
+ ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
+ SECItem *data)
+diff --git a/net/third_party/nss/ssl/ssl3prot.h b/net/third_party/nss/ssl/ssl3prot.h
+index 550c341..11f9624 100644
+--- a/net/third_party/nss/ssl/ssl3prot.h
++++ b/net/third_party/nss/ssl/ssl3prot.h
+@@ -163,7 +163,8 @@ typedef enum {
+ client_key_exchange = 16,
+ finished = 20,
+ certificate_status = 22,
+- next_proto = 67
++ next_proto = 67,
++ encrypted_extensions= 203
+ } SSL3HandshakeType;
+
+ typedef struct {
+diff --git a/net/third_party/nss/ssl/sslerr.h b/net/third_party/nss/ssl/sslerr.h
+index 9d3bebc..e8be95b 100644
+--- a/net/third_party/nss/ssl/sslerr.h
++++ b/net/third_party/nss/ssl/sslerr.h
+@@ -218,6 +218,9 @@ SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 121),
+ SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 122),
+ SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 123),
+
++SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 124),
++SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 125),
++
+ SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
+ } SSLErrorCodes;
+ #endif /* NO_SECURITY_ERROR_ENUM */
+diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
+index 8ab865a..86337b0 100644
+--- a/net/third_party/nss/ssl/sslimpl.h
++++ b/net/third_party/nss/ssl/sslimpl.h
+@@ -949,6 +949,8 @@ struct ssl3StateStr {
+ */
+ SECItem nextProto;
+ SSLNextProtoState nextProtoState;
++ SECKEYPrivateKey * channelID; /* ECC private key. Used by client. */
++ SECKEYPublicKey * channelIDPub; /* ECC public key. Used by client. */
+
+ PRUint16 mtu; /* Our estimate of the MTU */
+ };
+diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
+index ebc245a..06f66b0 100644
+--- a/net/third_party/nss/ssl/sslsock.c
++++ b/net/third_party/nss/ssl/sslsock.c
+@@ -1878,6 +1878,33 @@ SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
+ return SECSuccess;
+ }
+
++SECStatus
++SSL_SetChannelID(PRFileDesc *fd, SECKEYPrivateKey *id,
++ SECKEYPublicKey *pub) {
++ sslSocket *ss = ssl_FindSocket(fd);
++
++ if (!ss) {
++ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetChannelID",
++ SSL_GETPID(), fd));
++ return SECFailure;
++ }
++
++ if (SECKEY_GetPrivateKeyType(id) != ecKey) {
++ PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
++ return SECFailure;
++ }
++
++ if (ss->ssl3.channelID)
++ SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
++ if (ss->ssl3.channelIDPub)
++ SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
++
++ ss->ssl3.channelID = id;
++ ss->ssl3.channelIDPub = pub;
++
++ return SECSuccess;
++}
++
+ const SECItem *
+ SSL_GetRequestedClientCertificateTypes(PRFileDesc *fd)
+ {
+diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
+index 0636570..978b1cb 100644
+--- a/net/third_party/nss/ssl/sslt.h
++++ b/net/third_party/nss/ssl/sslt.h
+@@ -215,9 +215,10 @@ typedef enum {
+ #endif
+ ssl_session_ticket_xtn = 35,
+ ssl_next_proto_nego_xtn = 13172,
++ ssl_channel_id_xtn = 30031,
+ ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
+ } SSLExtensionType;
+
+-#define SSL_MAX_EXTENSIONS 7
++#define SSL_MAX_EXTENSIONS 8
+
+ #endif /* __sslt_h_ */

Powered by Google App Engine
This is Rietveld 408576698