1diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c 2--- a/nss/lib/ssl/ssl3con.c 2014-01-18 10:39:50.799150460 -0800 3+++ b/nss/lib/ssl/ssl3con.c 2014-01-18 10:40:15.489552270 -0800 4@@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateSta 5 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); 6 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); 7 static SECStatus ssl3_SendNextProto( sslSocket *ss); 8+static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); 9 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); 10 static SECStatus ssl3_SendServerHello( sslSocket *ss); 11 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); 12@@ -6221,6 +6222,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS 13 } 14 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 15 16+ if (ss->ssl3.channelID != NULL) { 17+ SECKEY_DestroyPrivateKey(ss->ssl3.channelID); 18+ ss->ssl3.channelID = NULL; 19+ } 20+ if (ss->ssl3.channelIDPub != NULL) { 21+ SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); 22+ ss->ssl3.channelIDPub = NULL; 23+ } 24+ 25 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); 26 if (temp < 0) { 27 goto loser; /* alert has been sent */ 28@@ -6503,7 +6513,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS 29 if (rv != SECSuccess) { 30 goto alert_loser; /* err code was set */ 31 } 32- return SECSuccess; 33+ goto winner; 34 } while (0); 35 36 if (sid_match) 37@@ -6529,6 +6539,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS 38 39 ss->ssl3.hs.isResuming = PR_FALSE; 40 ss->ssl3.hs.ws = wait_server_cert; 41+ 42+winner: 43+ /* If we will need a ChannelID key then we make the callback now. This 44+ * allows the handshake to be restarted cleanly if the callback returns 45+ * SECWouldBlock. */ 46+ if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { 47+ rv = ss->getChannelID(ss->getChannelIDArg, ss->fd, 48+ &ss->ssl3.channelIDPub, &ss->ssl3.channelID); 49+ if (rv == SECWouldBlock) { 50+ ssl3_SetAlwaysBlock(ss); 51+ return rv; 52+ } 53+ if (rv != SECSuccess || 54+ ss->ssl3.channelIDPub == NULL || 55+ ss->ssl3.channelID == NULL) { 56+ PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED); 57+ desc = internal_error; 58+ goto alert_loser; 59+ } 60+ } 61+ 62 return SECSuccess; 63 64 alert_loser: 65@@ -7490,7 +7521,14 @@ ssl3_SendClientSecondRound(sslSocket *ss 66 if (rv != SECSuccess) { 67 goto loser; /* err code was set. */ 68 } 69+ } 70 71+ rv = ssl3_SendEncryptedExtensions(ss); 72+ if (rv != SECSuccess) { 73+ goto loser; /* err code was set. */ 74+ } 75+ 76+ if (!ss->firstHsDone) { 77 if (ss->opt.enableFalseStart) { 78 if (!ss->ssl3.hs.authCertificatePending) { 79 /* When we fix bug 589047, we will need to know whether we are 80@@ -7527,6 +7565,33 @@ ssl3_SendClientSecondRound(sslSocket *ss 81 82 ssl_ReleaseXmitBufLock(ss); /*******************************/ 83 84+ if (!ss->ssl3.hs.isResuming && 85+ ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { 86+ /* If we are negotiating ChannelID on a full handshake then we record 87+ * the handshake hashes in |sid| at this point. They will be needed in 88+ * the event that we resume this session and use ChannelID on the 89+ * resumption handshake. */ 90+ SSL3Hashes hashes; 91+ SECItem *originalHandshakeHash = 92+ &ss->sec.ci.sid->u.ssl3.originalHandshakeHash; 93+ PORT_Assert(ss->sec.ci.sid->cached == never_cached); 94+ 95+ ssl_GetSpecReadLock(ss); 96+ PORT_Assert(ss->version > SSL_LIBRARY_VERSION_3_0); 97+ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); 98+ ssl_ReleaseSpecReadLock(ss); 99+ if (rv != SECSuccess) { 100+ return rv; 101+ } 102+ 103+ PORT_Assert(originalHandshakeHash->len == 0); 104+ originalHandshakeHash->data = PORT_Alloc(hashes.len); 105+ if (!originalHandshakeHash->data) 106+ return SECFailure; 107+ originalHandshakeHash->len = hashes.len; 108+ memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len); 109+ } 110+ 111 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) 112 ss->ssl3.hs.ws = wait_new_session_ticket; 113 else 114@@ -10494,6 +10559,184 @@ ssl3_RecordKeyLog(sslSocket *ss) 115 } 116 117 /* called from ssl3_SendClientSecondRound 118+ * ssl3_HandleFinished 119+ */ 120+static SECStatus 121+ssl3_SendEncryptedExtensions(sslSocket *ss) 122+{ 123+ static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature"; 124+ static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption"; 125+ /* This is the ASN.1 prefix for a P-256 public key. Specifically it's: 126+ * SEQUENCE 127+ * SEQUENCE 128+ * OID id-ecPublicKey 129+ * OID prime256v1 130+ * BIT STRING, length 66, 0 trailing bits: 0x04 131+ * 132+ * The 0x04 in the BIT STRING is the prefix for an uncompressed, X9.62 133+ * public key. Following that are the two field elements as 32-byte, 134+ * big-endian numbers, as required by the Channel ID. */ 135+ static const unsigned char P256_SPKI_PREFIX[] = { 136+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 137+ 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 138+ 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 139+ 0x42, 0x00, 0x04 140+ }; 141+ /* ChannelIDs are always 128 bytes long: 64 bytes of P-256 public key and 64 142+ * bytes of ECDSA signature. */ 143+ static const int CHANNEL_ID_PUBLIC_KEY_LENGTH = 64; 144+ static const int CHANNEL_ID_LENGTH = 128; 145+ 146+ SECStatus rv = SECFailure; 147+ SECItem *spki = NULL; 148+ SSL3Hashes hashes; 149+ const unsigned char *pub_bytes; 150+ unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + 151+ sizeof(CHANNEL_ID_RESUMPTION_MAGIC) + 152+ sizeof(SSL3Hashes)*2]; 153+ size_t signed_data_len; 154+ unsigned char digest[SHA256_LENGTH]; 155+ SECItem digest_item; 156+ unsigned char signature[64]; 157+ SECItem signature_item; 158+ 159+ PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 160+ PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 161+ 162+ if (ss->ssl3.channelID == NULL) 163+ return SECSuccess; 164+ 165+ PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)); 166+ 167+ if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey || 168+ PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) { 169+ PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); 170+ rv = SECFailure; 171+ goto loser; 172+ } 173+ 174+ ssl_GetSpecReadLock(ss); 175+ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); 176+ ssl_ReleaseSpecReadLock(ss); 177+ 178+ if (rv != SECSuccess) 179+ goto loser; 180+ 181+ rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions, 182+ 2 + 2 + CHANNEL_ID_LENGTH); 183+ if (rv != SECSuccess) 184+ goto loser; /* error code set by AppendHandshakeHeader */ 185+ rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); 186+ if (rv != SECSuccess) 187+ goto loser; /* error code set by AppendHandshake */ 188+ rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2); 189+ if (rv != SECSuccess) 190+ goto loser; /* error code set by AppendHandshake */ 191+ 192+ spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub); 193+ 194+ if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || 195+ memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX)) != 0) { 196+ PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); 197+ rv = SECFailure; 198+ goto loser; 199+ } 200+ 201+ pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); 202+ 203+ signed_data_len = 0; 204+ memcpy(signed_data + signed_data_len, CHANNEL_ID_MAGIC, 205+ sizeof(CHANNEL_ID_MAGIC)); 206+ signed_data_len += sizeof(CHANNEL_ID_MAGIC); 207+ if (ss->ssl3.hs.isResuming) { 208+ SECItem *originalHandshakeHash = 209+ &ss->sec.ci.sid->u.ssl3.originalHandshakeHash; 210+ PORT_Assert(originalHandshakeHash->len > 0); 211+ 212+ memcpy(signed_data + signed_data_len, CHANNEL_ID_RESUMPTION_MAGIC, 213+ sizeof(CHANNEL_ID_RESUMPTION_MAGIC)); 214+ signed_data_len += sizeof(CHANNEL_ID_RESUMPTION_MAGIC); 215+ memcpy(signed_data + signed_data_len, originalHandshakeHash->data, 216+ originalHandshakeHash->len); 217+ signed_data_len += originalHandshakeHash->len; 218+ } 219+ memcpy(signed_data + signed_data_len, hashes.u.raw, hashes.len); 220+ signed_data_len += hashes.len; 221+ 222+ rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, signed_data_len); 223+ if (rv != SECSuccess) 224+ goto loser; 225+ 226+ digest_item.data = digest; 227+ digest_item.len = sizeof(digest); 228+ 229+ signature_item.data = signature; 230+ signature_item.len = sizeof(signature); 231+ 232+ rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item); 233+ if (rv != SECSuccess) 234+ goto loser; 235+ 236+ rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH); 237+ if (rv != SECSuccess) 238+ goto loser; 239+ rv = ssl3_AppendHandshake(ss, signature, sizeof(signature)); 240+ 241+loser: 242+ if (spki) 243+ SECITEM_FreeItem(spki, PR_TRUE); 244+ if (ss->ssl3.channelID) { 245+ SECKEY_DestroyPrivateKey(ss->ssl3.channelID); 246+ ss->ssl3.channelID = NULL; 247+ } 248+ if (ss->ssl3.channelIDPub) { 249+ SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); 250+ ss->ssl3.channelIDPub = NULL; 251+ } 252+ 253+ return rv; 254+} 255+ 256+/* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake 257+ * after a ChannelID callback returned SECWouldBlock. At this point we have 258+ * processed the server's ServerHello but not yet any further messages. We will 259+ * always get a message from the server after a ServerHello so either they are 260+ * waiting in the buffer or we'll get network I/O. */ 261+SECStatus 262+ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss, 263+ SECKEYPublicKey *channelIDPub, 264+ SECKEYPrivateKey *channelID) 265+{ 266+ if (ss->handshake == 0) { 267+ SECKEY_DestroyPublicKey(channelIDPub); 268+ SECKEY_DestroyPrivateKey(channelID); 269+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 270+ return SECFailure; 271+ } 272+ 273+ if (channelIDPub == NULL || 274+ channelID == NULL) { 275+ if (channelIDPub) 276+ SECKEY_DestroyPublicKey(channelIDPub); 277+ if (channelID) 278+ SECKEY_DestroyPrivateKey(channelID); 279+ PORT_SetError(PR_INVALID_ARGUMENT_ERROR); 280+ return SECFailure; 281+ } 282+ 283+ if (ss->ssl3.channelID) 284+ SECKEY_DestroyPrivateKey(ss->ssl3.channelID); 285+ if (ss->ssl3.channelIDPub) 286+ SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); 287+ 288+ ss->handshake = ssl_GatherRecord1stHandshake; 289+ ss->ssl3.channelID = channelID; 290+ ss->ssl3.channelIDPub = channelIDPub; 291+ 292+ return SECSuccess; 293+} 294+ 295+/* called from ssl3_SendClientSecondRound 296 * ssl3_HandleClientHello 297 * ssl3_HandleFinished 298 */ 299@@ -10753,11 +10996,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O 300 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; 301 } 302 303- if (!isServer && !ss->firstHsDone) { 304- rv = ssl3_SendNextProto(ss); 305- if (rv != SECSuccess) { 306- goto xmit_loser; /* err code was set. */ 307+ if (!isServer) { 308+ if (!ss->firstHsDone) { 309+ rv = ssl3_SendNextProto(ss); 310+ if (rv != SECSuccess) { 311+ goto xmit_loser; /* err code was set. */ 312+ } 313 } 314+ rv = ssl3_SendEncryptedExtensions(ss); 315+ if (rv != SECSuccess) 316+ goto xmit_loser; /* err code was set. */ 317 } 318 319 if (IS_DTLS(ss)) { 320@@ -12237,6 +12485,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) 321 ssl_FreePlatformKey(ss->ssl3.platformClientKey); 322 #endif /* NSS_PLATFORM_CLIENT_AUTH */ 323 324+ if (ss->ssl3.channelID) 325+ SECKEY_DestroyPrivateKey(ss->ssl3.channelID); 326+ if (ss->ssl3.channelIDPub) 327+ SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); 328+ 329 if (ss->ssl3.peerCertArena != NULL) 330 ssl3_CleanupPeerCerts(ss); 331 332diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c 333--- a/nss/lib/ssl/ssl3ext.c 2014-01-18 10:39:50.749149654 -0800 334+++ b/nss/lib/ssl/ssl3ext.c 2014-01-18 10:43:52.543083984 -0800 335@@ -64,6 +64,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSo 336 PRUint32 maxBytes); 337 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, 338 SECItem *data); 339+static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, 340+ PRUint16 ex_type, SECItem *data); 341+static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, 342+ PRUint32 maxBytes); 343 static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss, 344 PRBool append, PRUint32 maxBytes); 345 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, 346@@ -253,6 +257,7 @@ static const ssl3HelloExtensionHandler s 347 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, 348 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, 349 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, 350+ { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, 351 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 352 { -1, NULL } 353 }; 354@@ -280,6 +285,7 @@ ssl3HelloExtensionSender clientHelloSend 355 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, 356 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, 357 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, 358+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, 359 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, 360 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } 361 /* any extra entries will appear as { 0, NULL } */ 362@@ -795,6 +801,61 @@ loser: 363 return -1; 364 } 365 366+static SECStatus 367+ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, 368+ SECItem *data) 369+{ 370+ PORT_Assert(ss->getChannelID != NULL); 371+ 372+ if (data->len) { 373+ PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); 374+ return SECFailure; 375+ } 376+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 377+ return SECSuccess; 378+} 379+ 380+static PRInt32 381+ssl3_ClientSendChannelIDXtn(sslSocket * ss, PRBool append, 382+ PRUint32 maxBytes) 383+{ 384+ PRInt32 extension_length = 4; 385+ 386+ if (!ss->getChannelID) 387+ return 0; 388+ 389+ if (maxBytes < extension_length) { 390+ PORT_Assert(0); 391+ return 0; 392+ } 393+ 394+ if (ss->sec.ci.sid->cached != never_cached && 395+ ss->sec.ci.sid->u.ssl3.originalHandshakeHash.len == 0) { 396+ /* We can't do ChannelID on a connection if we're resuming and didn't 397+ * do ChannelID on the original connection: without ChannelID on the 398+ * original connection we didn't record the handshake hashes needed for 399+ * the signature. */ 400+ return 0; 401+ } 402+ 403+ if (append) { 404+ SECStatus rv; 405+ rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); 406+ if (rv != SECSuccess) 407+ goto loser; 408+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2); 409+ if (rv != SECSuccess) 410+ goto loser; 411+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 412+ ssl_channel_id_xtn; 413+ } 414+ 415+ return extension_length; 416+ 417+loser: 418+ return -1; 419+} 420+ 421 static SECStatus 422 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, 423 SECItem *data) 424diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h 425--- a/nss/lib/ssl/ssl3prot.h 2014-01-18 10:39:34.278881614 -0800 426+++ b/nss/lib/ssl/ssl3prot.h 2014-01-18 10:40:15.499552430 -0800 427@@ -129,7 +129,8 @@ typedef enum { 428 client_key_exchange = 16, 429 finished = 20, 430 certificate_status = 22, 431- next_proto = 67 432+ next_proto = 67, 433+ encrypted_extensions= 203 434 } SSL3HandshakeType; 435 436 typedef struct { 437diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c 438--- a/nss/lib/ssl/sslauth.c 2014-01-18 10:39:50.749149654 -0800 439+++ b/nss/lib/ssl/sslauth.c 2014-01-18 10:40:15.499552430 -0800 440@@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, 441 return SECSuccess; 442 } 443 444+SECStatus 445+SSL_SetClientChannelIDCallback(PRFileDesc *fd, 446+ SSLClientChannelIDCallback callback, 447+ void *arg) { 448+ sslSocket *ss = ssl_FindSocket(fd); 449+ 450+ if (!ss) { 451+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback", 452+ SSL_GETPID(), fd)); 453+ return SECFailure; 454+ } 455+ 456+ ss->getChannelID = callback; 457+ ss->getChannelIDArg = arg; 458+ 459+ return SECSuccess; 460+} 461+ 462 #ifdef NSS_PLATFORM_CLIENT_AUTH 463 /* NEED LOCKS IN HERE. */ 464 SECStatus 465diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h 466--- a/nss/lib/ssl/sslerr.h 2014-01-18 10:39:34.288881780 -0800 467+++ b/nss/lib/ssl/sslerr.h 2014-01-18 10:40:15.499552430 -0800 468@@ -193,6 +193,10 @@ SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = ( 469 SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127), 470 SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128), 471 472+SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129), 473+SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130), 474+SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131), 475+ 476 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ 477 } SSLErrorCodes; 478 #endif /* NO_SECURITY_ERROR_ENUM */ 479diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h 480--- a/nss/lib/ssl/SSLerrs.h 2014-01-18 10:39:34.238880964 -0800 481+++ b/nss/lib/ssl/SSLerrs.h 2014-01-18 10:40:15.499552430 -0800 482@@ -412,3 +412,12 @@ ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR 483 484 ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128), 485 "Incorrect signature algorithm specified in a digitally-signed element.") 486+ 487+ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 129), 488+"SSL received a malformed TLS Channel ID extension.") 489+ 490+ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 130), 491+"The application provided an invalid TLS Channel ID key.") 492+ 493+ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131), 494+"The application could not get a TLS Channel ID.") 495diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h 496--- a/nss/lib/ssl/ssl.h 2014-01-18 10:39:50.799150460 -0800 497+++ b/nss/lib/ssl/ssl.h 2014-01-18 10:40:15.499552430 -0800 498@@ -1015,6 +1015,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti 499 SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd, 500 PRBool *last_handshake_resumed); 501 502+/* See SSL_SetClientChannelIDCallback for usage. If the callback returns 503+ * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in 504+ * the future to restart the handshake. On SECSuccess, the callback must have 505+ * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */ 506+typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)( 507+ void *arg, 508+ PRFileDesc *fd, 509+ SECKEYPublicKey **out_public_key, 510+ SECKEYPrivateKey **out_private_key); 511+ 512+/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake 513+ * after a ChannelID callback returned SECWouldBlock. 514+ * 515+ * This function takes ownership of |channelIDPub| and |channelID|. */ 516+SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq( 517+ PRFileDesc *fd, 518+ SECKEYPublicKey *channelIDPub, 519+ SECKEYPrivateKey *channelID); 520+ 521+/* SSL_SetClientChannelIDCallback sets a callback function that will be called 522+ * once the server's ServerHello has been processed. This is only applicable to 523+ * a client socket and setting this callback causes the TLS Channel ID 524+ * extension to be advertised. */ 525+SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback( 526+ PRFileDesc *fd, 527+ SSLClientChannelIDCallback callback, 528+ void *arg); 529+ 530 /* 531 ** How long should we wait before retransmitting the next flight of 532 ** the DTLS handshake? Returns SECFailure if not DTLS or not in a 533diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h 534--- a/nss/lib/ssl/sslimpl.h 2014-01-18 10:39:50.799150460 -0800 535+++ b/nss/lib/ssl/sslimpl.h 2014-01-18 10:40:15.499552430 -0800 536@@ -709,6 +709,14 @@ struct sslSessionIDStr { 537 538 SECItem srvName; 539 540+ /* originalHandshakeHash contains the hash of the original, full 541+ * handshake prior to the server's final flow. This is either a 542+ * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for 543+ * TLS 1.2). This is recorded and used only when ChannelID is 544+ * negotiated as it's used to bind the ChannelID signature on the 545+ * resumption handshake to the original handshake. */ 546+ SECItem originalHandshakeHash; 547+ 548 /* This lock is lazily initialized by CacheSID when a sid is first 549 * cached. Before then, there is no need to lock anything because 550 * the sid isn't being shared by anything. 551@@ -978,6 +986,9 @@ struct ssl3StateStr { 552 CERTCertificateList *clientCertChain; /* used by client */ 553 PRBool sendEmptyCert; /* used by client */ 554 555+ SECKEYPrivateKey *channelID; /* used by client */ 556+ SECKEYPublicKey *channelIDPub; /* used by client */ 557+ 558 int policy; 559 /* This says what cipher suites we can do, and should 560 * be either SSL_ALLOWED or SSL_RESTRICTED 561@@ -1255,6 +1266,8 @@ const unsigned char * preferredCipher; 562 void *pkcs11PinArg; 563 SSLNextProtoCallback nextProtoCallback; 564 void *nextProtoArg; 565+ SSLClientChannelIDCallback getChannelID; 566+ void *getChannelIDArg; 567 568 PRIntervalTime rTimeout; /* timeout for NSPR I/O */ 569 PRIntervalTime wTimeout; /* timeout for NSPR I/O */ 570@@ -1599,6 +1612,11 @@ extern SECStatus ssl3_RestartHandshakeAf 571 SECKEYPrivateKey * key, 572 CERTCertificateList *certChain); 573 574+extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq( 575+ sslSocket *ss, 576+ SECKEYPublicKey *channelIDPub, 577+ SECKEYPrivateKey *channelID); 578+ 579 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error); 580 581 /* 582diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c 583--- a/nss/lib/ssl/sslnonce.c 2014-01-18 10:39:50.739149486 -0800 584+++ b/nss/lib/ssl/sslnonce.c 2014-01-18 10:40:15.499552430 -0800 585@@ -180,6 +180,9 @@ ssl_DestroySID(sslSessionID *sid) 586 if (sid->u.ssl3.srvName.data) { 587 SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); 588 } 589+ if (sid->u.ssl3.originalHandshakeHash.data) { 590+ SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); 591+ } 592 593 if (sid->u.ssl3.lock) { 594 PR_DestroyRWLock(sid->u.ssl3.lock); 595diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c 596--- a/nss/lib/ssl/sslsecur.c 2014-01-18 10:39:50.799150460 -0800 597+++ b/nss/lib/ssl/sslsecur.c 2014-01-18 10:40:15.499552430 -0800 598@@ -1584,6 +1584,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD 599 return ret; 600 } 601 602+SECStatus 603+SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc * fd, 604+ SECKEYPublicKey * channelIDPub, 605+ SECKEYPrivateKey *channelID) 606+{ 607+ sslSocket * ss = ssl_FindSocket(fd); 608+ SECStatus ret; 609+ 610+ if (!ss) { 611+ SSL_DBG(("%d: SSL[%d]: bad socket in" 612+ " SSL_RestartHandshakeAfterChannelIDReq", 613+ SSL_GETPID(), fd)); 614+ goto loser; 615+ } 616+ 617+ 618+ ssl_Get1stHandshakeLock(ss); 619+ 620+ if (ss->version < SSL_LIBRARY_VERSION_3_0) { 621+ PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); 622+ ssl_Release1stHandshakeLock(ss); 623+ goto loser; 624+ } 625+ 626+ ret = ssl3_RestartHandshakeAfterChannelIDReq(ss, channelIDPub, 627+ channelID); 628+ ssl_Release1stHandshakeLock(ss); 629+ 630+ return ret; 631+ 632+loser: 633+ SECKEY_DestroyPublicKey(channelIDPub); 634+ SECKEY_DestroyPrivateKey(channelID); 635+ return SECFailure; 636+} 637+ 638 /* DO NOT USE. This function was exported in ssl.def with the wrong signature; 639 * this implementation exists to maintain link-time compatibility. 640 */ 641diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c 642--- a/nss/lib/ssl/sslsock.c 2014-01-18 10:39:50.769149984 -0800 643+++ b/nss/lib/ssl/sslsock.c 2014-01-18 10:40:15.499552430 -0800 644@@ -276,6 +276,8 @@ ssl_DupSocket(sslSocket *os) 645 ss->canFalseStartCallback = os->canFalseStartCallback; 646 ss->canFalseStartCallbackData = os->canFalseStartCallbackData; 647 ss->pkcs11PinArg = os->pkcs11PinArg; 648+ ss->getChannelID = os->getChannelID; 649+ ss->getChannelIDArg = os->getChannelIDArg; 650 651 /* Create security data */ 652 rv = ssl_CopySecurityInfo(ss, os); 653@@ -1691,6 +1693,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile 654 ss->handshakeCallbackData = sm->handshakeCallbackData; 655 if (sm->pkcs11PinArg) 656 ss->pkcs11PinArg = sm->pkcs11PinArg; 657+ if (sm->getChannelID) 658+ ss->getChannelID = sm->getChannelID; 659+ if (sm->getChannelIDArg) 660+ ss->getChannelIDArg = sm->getChannelIDArg; 661 return fd; 662 loser: 663 return NULL; 664@@ -2968,6 +2974,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto 665 ss->badCertArg = NULL; 666 ss->pkcs11PinArg = NULL; 667 ss->ephemeralECDHKeyPair = NULL; 668+ ss->getChannelID = NULL; 669+ ss->getChannelIDArg = NULL; 670 671 ssl_ChooseOps(ss); 672 ssl2_InitSocketPolicy(ss); 673diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h 674--- a/nss/lib/ssl/sslt.h 2014-01-18 10:39:34.328882426 -0800 675+++ b/nss/lib/ssl/sslt.h 2014-01-18 10:40:15.499552430 -0800 676@@ -190,10 +190,11 @@ typedef enum { 677 ssl_app_layer_protocol_xtn = 16, 678 ssl_session_ticket_xtn = 35, 679 ssl_next_proto_nego_xtn = 13172, 680+ ssl_channel_id_xtn = 30032, 681 ssl_padding_xtn = 35655, 682 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ 683 } SSLExtensionType; 684 685-#define SSL_MAX_EXTENSIONS 10 /* doesn't include ssl_padding_xtn. */ 686+#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */ 687 688 #endif /* __sslt_h_ */ 689