OLD | NEW |
| (Empty) |
1 diff -pu -r a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ss
l.h | |
2 --- a/src/net/third_party/nss/ssl/ssl.h 2012-03-19 13:49:12.517522610 -0700 | |
3 +++ b/src/net/third_party/nss/ssl/ssl.h 2012-03-19 13:49:29.507749795 -0700 | |
4 @@ -186,6 +186,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi | |
5 #define SSL_CBC_RANDOM_IV 23 | |
6 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ | |
7 #define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */ | |
8 +#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */ | |
9 | |
10 #ifdef SSL_DEPRECATED_FUNCTION | |
11 /* Old deprecated function names */ | |
12 diff -pu -r a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ss
l/sslimpl.h | |
13 --- a/src/net/third_party/nss/ssl/sslimpl.h 2012-03-19 13:49:12.557523144 -0
700 | |
14 +++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-03-19 13:49:29.507749795 -0
700 | |
15 @@ -350,6 +350,7 @@ typedef struct sslOptionsStr { | |
16 unsigned int cbcRandomIV : 1; /* 24 */ | |
17 unsigned int enableOCSPStapling : 1; /* 25 */ | |
18 unsigned int enableOBCerts : 1; /* 26 */ | |
19 + unsigned int encryptClientCerts : 1; /* 27 */ | |
20 } sslOptions; | |
21 | |
22 typedef enum { sslHandshakingUndetermined = 0, | |
23 diff -pu -r a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ss
l/ssl3con.c | |
24 --- a/src/net/third_party/nss/ssl/ssl3con.c 2012-03-19 13:49:12.527522744 -0
700 | |
25 +++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-03-19 13:49:29.507749795 -0
700 | |
26 @@ -2882,7 +2882,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket * | |
27 | |
28 ss->ssl3.prSpec = ss->ssl3.crSpec; | |
29 ss->ssl3.crSpec = prSpec; | |
30 - ss->ssl3.hs.ws = wait_finished; | |
31 + | |
32 + if (ss->sec.isServer && | |
33 + ss->opt.requestCertificate && | |
34 + ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | |
35 + ss->ssl3.hs.ws = wait_client_cert; | |
36 + } else { | |
37 + ss->ssl3.hs.ws = wait_finished; | |
38 + } | |
39 | |
40 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending", | |
41 SSL_GETPID(), ss->fd )); | |
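Review bot: The new test `ss->sec.isServer && ss->opt.requestCertificate && ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)` checks the option and the extension, not whether a CertificateRequest was actually sent in this handshake. If the extension can be negotiated on a resumed session (not determinable from this hunk), the server would move to `wait_client_cert` and reject the client's Finished, since an abbreviated handshake carries no Certificate. Consider adding `!ss->ssl3.hs.isResuming` to the condition, or keying it on a per-handshake flag set when the request is sent. The body of ssl3_HandleChangeCipherSpecs starts and ends outside the hunk.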
42 @@ -4898,10 +4905,11 @@ loser: | |
43 static SECStatus | |
44 ssl3_SendCertificateVerify(sslSocket *ss) | |
45 { | |
46 - SECStatus rv = SECFailure; | |
47 - PRBool isTLS; | |
48 - SECItem buf = {siBuffer, NULL, 0}; | |
49 - SSL3Hashes hashes; | |
50 + SECStatus rv = SECFailure; | |
51 + PRBool isTLS; | |
52 + SECItem buf = {siBuffer, NULL, 0}; | |
53 + SSL3Hashes hashes; | |
54 + ssl3CipherSpec *spec; | |
55 | |
56 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | |
57 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | |
58 @@ -4910,13 +4918,17 @@ ssl3_SendCertificateVerify(sslSocket *ss | |
59 SSL_GETPID(), ss->fd)); | |
60 | |
61 ssl_GetSpecReadLock(ss); | |
62 - rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); | |
63 + spec = ss->ssl3.pwSpec; | |
64 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | |
65 + spec = ss->ssl3.cwSpec; | |
66 + } | |
67 + rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0); | |
68 ssl_ReleaseSpecReadLock(ss); | |
69 if (rv != SECSuccess) { | |
70 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ | |
71 } | |
72 | |
73 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | |
74 + isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); | |
75 if (ss->ssl3.platformClientKey) { | |
76 #ifdef NSS_PLATFORM_CLIENT_AUTH | |
77 rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, | |
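Review bot: Nothing at `spec = ss->ssl3.cwSpec;` says why the current write spec replaces the pending one, and picking the wrong spec here changes what the client's signature covers. The reason appears to be the new send order in ssl3_SendClientSecondRound, which queues ssl3_SendChangeCipherSpecs before ssl3_SendCertificateVerify when the extension is negotiated. I would add `/* ChangeCipherSpec has already been sent, so the pending spec is now the current one. */` above the `if`, and a matching comment on the `rSpec = ss->ssl3.crSpec;` branch in ssl3_HandleHandshakeMessage. The function continues outside the hunk.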
78 @@ -5924,6 +5936,10 @@ ssl3_SendClientSecondRound(sslSocket *ss | |
79 { | |
80 SECStatus rv; | |
81 PRBool sendClientCert; | |
82 + PRBool sendEmptyCert; | |
83 + int n = 0, i; | |
84 + typedef SECStatus (*SendFunction)(sslSocket*); | |
85 + SendFunction send_funcs[5]; | |
86 | |
87 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | |
88 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | |
89 @@ -5970,35 +5986,40 @@ ssl3_SendClientSecondRound(sslSocket *ss | |
90 | |
91 ssl_GetXmitBufLock(ss); /*******************************/ | |
92 | |
93 - if (ss->ssl3.sendEmptyCert) { | |
94 - ss->ssl3.sendEmptyCert = PR_FALSE; | |
95 - rv = ssl3_SendEmptyCertificate(ss); | |
96 - /* Don't send verify */ | |
97 - if (rv != SECSuccess) { | |
98 - goto loser; /* error code is set. */ | |
99 - } | |
100 - } else if (sendClientCert) { | |
101 - rv = ssl3_SendCertificate(ss); | |
102 - if (rv != SECSuccess) { | |
103 - goto loser; /* error code is set. */ | |
104 - } | |
105 - } | |
106 + sendEmptyCert = ss->ssl3.sendEmptyCert; | |
107 + ss->ssl3.sendEmptyCert = PR_FALSE; | |
108 | |
109 - rv = ssl3_SendClientKeyExchange(ss); | |
110 - if (rv != SECSuccess) { | |
111 - goto loser; /* err is set. */ | |
112 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | |
113 + send_funcs[n++] = ssl3_SendClientKeyExchange; | |
114 + send_funcs[n++] = ssl3_SendChangeCipherSpecs; | |
115 + if (sendEmptyCert) { | |
116 + send_funcs[n++] = ssl3_SendEmptyCertificate; | |
117 + } | |
118 + if (sendClientCert) { | |
119 + send_funcs[n++] = ssl3_SendCertificate; | |
120 + send_funcs[n++] = ssl3_SendCertificateVerify; | |
121 + } | |
122 + } else { | |
123 + if (sendEmptyCert) { | |
124 + send_funcs[n++] = ssl3_SendEmptyCertificate; | |
125 + } | |
126 + if (sendClientCert) { | |
127 + send_funcs[n++] = ssl3_SendCertificate; | |
128 + } | |
129 + send_funcs[n++] = ssl3_SendClientKeyExchange; | |
130 + if (sendClientCert) { | |
131 + send_funcs[n++] = ssl3_SendCertificateVerify; | |
132 + } | |
133 + send_funcs[n++] = ssl3_SendChangeCipherSpecs; | |
134 } | |
135 | |
136 - if (sendClientCert) { | |
137 - rv = ssl3_SendCertificateVerify(ss); | |
138 - if (rv != SECSuccess) { | |
139 - goto loser; /* err is set. */ | |
140 - } | |
141 - } | |
142 + PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0])); | |
143 | |
144 - rv = ssl3_SendChangeCipherSpecs(ss); | |
145 - if (rv != SECSuccess) { | |
146 - goto loser; /* err code was set. */ | |
147 + for (i = 0; i < n; i++) { | |
148 + rv = send_funcs[i](ss); | |
149 + if (rv != SECSuccess) { | |
150 + goto loser; /* err code was set. */ | |
151 + } | |
152 } | |
153 | |
154 /* XXX: If the server's certificate hasn't been authenticated by this | |
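Review bot: The old `if (ss->ssl3.sendEmptyCert) … else if (sendClientCert)` chain is replaced by two independent tests in both branches, so if both flags were ever true the client would queue an empty Certificate and a real one. In that case `n` reaches 5, exactly the size of `send_funcs`, leaving no margin if another step is added. Whether the flags are mutually exclusive is decided outside the hunk, so I would keep the exclusivity explicit with `} else if (sendClientCert) {` in both branches. `PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0]))` runs only after the stores and compares a signed `int` with a `size_t`, so it documents the bound rather than enforcing it.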
155 @@ -6213,8 +6234,13 @@ ssl3_SendServerHelloSequence(sslSocket * | |
156 return rv; /* err code is set. */ | |
157 } | |
158 | |
159 - ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert | |
160 - : wait_client_key; | |
161 + if (ss->opt.requestCertificate && | |
162 + !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | |
163 + ss->ssl3.hs.ws = wait_client_cert; | |
164 + } else { | |
165 + ss->ssl3.hs.ws = wait_client_key; | |
166 + } | |
167 + | |
168 return SECSuccess; | |
169 } | |
170 | |
171 @@ -7458,7 +7484,11 @@ ssl3_HandleCertificateVerify(sslSocket * | |
172 desc = isTLS ? decode_error : illegal_parameter; | |
173 goto alert_loser; /* malformed */ | |
174 } | |
175 - ss->ssl3.hs.ws = wait_change_cipher; | |
176 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | |
177 + ss->ssl3.hs.ws = wait_finished; | |
178 + } else { | |
179 + ss->ssl3.hs.ws = wait_change_cipher; | |
180 + } | |
181 return SECSuccess; | |
182 | |
183 alert_loser: | |
184 @@ -8358,7 +8388,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS | |
185 } | |
186 } else { | |
187 server_no_cert: | |
188 - ss->ssl3.hs.ws = wait_client_key; | |
189 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | |
190 + ss->ssl3.hs.ws = wait_cert_verify; | |
191 + } else { | |
192 + ss->ssl3.hs.ws = wait_client_key; | |
193 + } | |
194 } | |
195 | |
196 PORT_Assert(rv == SECSuccess); | |
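Review bot: On the `server_no_cert` path the new code moves to `wait_cert_verify` whenever the extension is negotiated, but a client that sent no certificate has nothing to sign and would presumably send Finished next. Unless the Finished handler (outside this hunk) accepts `wait_cert_verify`, the no-certificate handshake fails. If it does accept that state, a client that did present a certificate could skip CertificateVerify and so skip proof of possession. Choosing the state from the presence of a peer certificate, e.g. `ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_finished;`, would avoid both cases. The enclosing branch and function are only partly visible here.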
197 @@ -8968,6 +9002,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s | |
198 if (type == finished) { | |
199 sender = ss->sec.isServer ? sender_client : sender_server; | |
200 rSpec = ss->ssl3.crSpec; | |
201 + } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | |
202 + rSpec = ss->ssl3.crSpec; | |
203 } | |
204 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); | |
205 } | |
206 diff -pu -r a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ss
l/ssl3ext.c | |
207 --- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-03-19 12:50:32.610015524 -0
700 | |
208 +++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-03-19 13:49:29.507749795 -0
700 | |
209 @@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr | |
210 PRUint16 ex_type, SECItem *data); | |
211 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, | |
212 PRUint32 maxBytes); | |
213 +static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, | |
214 + PRUint16 ex_type, SECItem *data); | |
215 +static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, | |
216 + PRUint16 ex_type, SECItem *data); | |
217 +static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss, | |
218 + PRBool append, PRUint32 maxBytes); | |
219 | |
220 /* | |
221 * Write bytes. Using this function means the SECItem structure | |
222 @@ -240,6 +246,7 @@ static const ssl3HelloExtensionHandler c | |
223 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, | |
224 #endif | |
225 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, | |
226 + { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn }, | |
227 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | |
228 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, | |
229 { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn }, | |
230 @@ -252,6 +259,7 @@ static const ssl3HelloExtensionHandler s | |
231 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, | |
232 /* TODO: add a handler for ssl_ec_point_formats_xtn */ | |
233 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, | |
234 + { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn }, | |
235 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | |
236 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | |
237 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | |
238 @@ -279,6 +287,7 @@ ssl3HelloExtensionSender clientHelloSend | |
239 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, | |
240 #endif | |
241 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | |
242 + { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn }, | |
243 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | |
244 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | |
245 { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn } | |
246 @@ -1082,6 +1091,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc | |
247 return SECSuccess; | |
248 } | |
249 | |
250 +static SECStatus | |
251 +ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, | |
252 + SECItem *data) | |
253 +{ | |
254 + if (data->len != 0) | |
255 + return SECFailure; | |
256 + | |
257 + /* Keep track of negotiated extensions. */ | |
258 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
259 + return SECSuccess; | |
260 +} | |
261 + | |
262 SECStatus | |
263 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, | |
264 SECItem *data) | |
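Review bot: ssl3_ClientHandleEncryptedClientCertsXtn records the extension as negotiated without checking `ss->opt.encryptClientCerts`, although the server handler and ssl3_SendEncryptedClientCertsXtn both gate on that option. Because the rest of the patch reorders the client's flight on `ssl3_ExtensionNegotiated`, this is safe only if the caller already rejects ServerHello extensions the client did not advertise, which is not visible in this hunk. An explicit `if (!ss->opt.encryptClientCerts) return SECFailure;` before the store would make the handler safe on its own. The single-statement `if (data->len != 0)` would also read better with braces.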
265 @@ -1495,6 +1516,24 @@ loser: | |
266 return rv; | |
267 } | |
268 | |
269 +static SECStatus | |
270 +ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, | |
271 + SECItem *data) | |
272 +{ | |
273 + SECStatus rv = SECSuccess; | |
274 + | |
275 + if (data->len != 0) | |
276 + return SECFailure; | |
277 + | |
278 + if (ss->opt.encryptClientCerts) { | |
279 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
280 + rv = ssl3_RegisterServerHelloExtensionSender( | |
281 + ss, ex_type, ssl3_SendEncryptedClientCertsXtn); | |
282 + } | |
283 + | |
284 + return rv; | |
285 +} | |
286 + | |
287 /* | |
288 * Read bytes. Using this function means the SECItem structure | |
289 * cannot be freed. The caller is expected to call this function | |
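Review bot: In ssl3_ServerHandleEncryptedClientCertsXtn the extension is appended to `ss->xtnData.negotiated` before `ssl3_RegisterServerHelloExtensionSender` is called, so a failed registration leaves it marked negotiated although no reply extension will be sent. Several state transitions in ssl3con.c now depend on `ssl3_ExtensionNegotiated`, so I would register first and record only on success: `if (rv == SECSuccess) ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;`. The store is also unchecked and relies on `SSL_MAX_EXTENSIONS` being raised to 9 in sslt.h, which deserves a short comment next to the array write.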
290 @@ -1694,6 +1733,33 @@ ssl3_SendRenegotiationInfoXtn( | |
291 return needed; | |
292 } | |
293 | |
294 +static PRInt32 | |
295 +ssl3_SendEncryptedClientCertsXtn( | |
296 + sslSocket * ss, | |
297 + PRBool append, | |
298 + PRUint32 maxBytes) | |
299 +{ | |
300 + PRInt32 needed; | |
301 + | |
302 + if (!ss->opt.encryptClientCerts) | |
303 + return 0; | |
304 + | |
305 + needed = 4; /* two bytes of type and two of length. */ | |
306 + if (append && maxBytes >= needed) { | |
307 + SECStatus rv; | |
308 + rv = ssl3_AppendHandshakeNumber(ss, ssl_encrypted_client_certs, 2); | |
309 + if (rv != SECSuccess) | |
310 + return -1; | |
311 + rv = ssl3_AppendHandshakeNumber(ss, 0 /* length */, 2); | |
312 + if (rv != SECSuccess) | |
313 + return -1; | |
314 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | |
315 + ssl_encrypted_client_certs; | |
316 + } | |
317 + | |
318 + return needed; | |
319 +} | |
320 + | |
321 /* This function runs in both the client and server. */ | |
322 static SECStatus | |
323 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | |
324 diff -pu -r a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ss
l/sslsock.c | |
325 --- a/src/net/third_party/nss/ssl/sslsock.c 2012-03-19 12:59:07.586991902 -0
700 | |
326 +++ b/src/net/third_party/nss/ssl/sslsock.c 2012-03-19 13:49:29.517749929 -0
700 | |
327 @@ -188,6 +188,7 @@ static sslOptions ssl_defaults = { | |
328 PR_TRUE, /* cbcRandomIV */ | |
329 PR_FALSE, /* enableOCSPStapling */ | |
330 PR_FALSE, /* enableOBCerts */ | |
331 + PR_FALSE, /* encryptClientCerts */ | |
332 }; | |
333 | |
334 /* | |
335 @@ -826,6 +827,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh | |
336 ss->opt.enableOBCerts = on; | |
337 break; | |
338 | |
339 + case SSL_ENCRYPT_CLIENT_CERTS: | |
340 + ss->opt.encryptClientCerts = on; | |
341 + break; | |
342 + | |
343 default: | |
344 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
345 rv = SECFailure; | |
346 @@ -897,6 +902,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh | |
347 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | |
348 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | |
349 case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break; | |
350 + case SSL_ENCRYPT_CLIENT_CERTS: | |
351 + on = ss->opt.encryptClientCerts; break; | |
352 | |
353 default: | |
354 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
355 @@ -959,6 +966,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo | |
356 on = ssl_defaults.enableOCSPStapling; | |
357 break; | |
358 case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break; | |
359 + case SSL_ENCRYPT_CLIENT_CERTS: | |
360 + on = ssl_defaults.encryptClientCerts; break; | |
361 | |
362 default: | |
363 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
364 @@ -1126,6 +1135,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo | |
365 ssl_defaults.enableOBCerts = on; | |
366 break; | |
367 | |
368 + case SSL_ENCRYPT_CLIENT_CERTS: | |
369 + ssl_defaults.encryptClientCerts = on; | |
370 + break; | |
371 + | |
372 default: | |
373 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
374 return SECFailure; | |
375 diff -pu -r a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/s
slt.h | |
376 --- a/src/net/third_party/nss/ssl/sslt.h 2012-03-19 12:50:32.610015524 -0
700 | |
377 +++ b/src/net/third_party/nss/ssl/sslt.h 2012-03-19 13:49:29.517749929 -0
700 | |
378 @@ -214,10 +214,11 @@ typedef enum { | |
379 #endif | |
380 ssl_session_ticket_xtn = 35, | |
381 ssl_next_proto_nego_xtn = 13172, | |
382 + ssl_encrypted_client_certs = 13180, /* not IANA assigned. */ | |
383 ssl_renegotiation_info_xtn = 0xff01, /* experimental number */ | |
384 ssl_ob_cert_xtn = 13175 /* experimental number */ | |
385 } SSLExtensionType; | |
386 | |
387 -#define SSL_MAX_EXTENSIONS 8 | |
388 +#define SSL_MAX_EXTENSIONS 9 | |
389 | |
390 #endif /* __sslt_h_ */ | |