1 diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h | |
2 --- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 14:41:25.755295547 -0800 | |
3 +++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 16:45:47.368569394 -0800 | |
4 @@ -168,6 +168,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi | |
5 */ | |
6 #define SSL_CBC_RANDOM_IV 23 | |
7 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ | |
8 +#define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */ | |
9 | |
10 #ifdef SSL_DEPRECATED_FUNCTION | |
11 /* Old deprecated function names */ | |
12 diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/s
sl3ext.c | |
13 --- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 20:34:50.114663722 -0
800 | |
14 +++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-29 17:05:21.684414824 -0
800 | |
15 @@ -242,6 +242,7 @@ static const ssl3HelloExtensionHandler c | |
16 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, | |
17 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | |
18 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, | |
19 + { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn }, | |
20 { -1, NULL } | |
21 }; | |
22 | |
23 @@ -254,6 +255,7 @@ static const ssl3HelloExtensionHandler s | |
24 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | |
25 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | |
26 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | |
27 + { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn }, | |
28 { -1, NULL } | |
29 }; | |
30 | |
31 @@ -278,7 +280,8 @@ ssl3HelloExtensionSender clientHelloSend | |
32 #endif | |
33 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | |
34 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | |
35 - { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } | |
36 + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | |
37 + { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn } | |
38 /* any extra entries will appear as { 0, NULL } */ | |
39 }; | |
40 | |
41 @@ -1723,3 +1726,80 @@ ssl3_HandleRenegotiationInfoXtn(sslSocke | |
42 return rv; | |
43 } | |
44 | |
45 +/* This sender is used by both the client and server. */ | |
46 +PRInt32 | |
47 +ssl3_SendOBCertXtn(sslSocket * ss, PRBool append, | |
48 + PRUint32 maxBytes) | |
49 +{ | |
50 + SECStatus rv; | |
51 + PRUint32 extension_length; | |
52 + | |
53 + if (!ss) | |
54 + return 0; | |
55 + | |
56 + if (!ss->opt.enableOBCerts) | |
57 + return 0; | |
58 + | |
59 + /* extension length = extension_type (2-bytes) + | |
60 + * length(extension_data) (2-bytes) + | |
61 + */ | |
62 + | |
63 + extension_length = 4; | |
64 + | |
65 + if (append && maxBytes >= extension_length) { | |
66 + /* extension_type */ | |
67 + rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2); | |
68 + if (rv != SECSuccess) return -1; | |
69 + /* length of extension_data */ | |
70 + rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
71 + if (rv != SECSuccess) return -1; | |
72 + | |
73 + if (!ss->sec.isServer) { | |
74 + TLSExtensionData *xtnData = &ss->xtnData; | |
75 + xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn; | |
76 + } | |
77 + } | |
78 + | |
79 + return extension_length; | |
80 +} | |
81 + | |
82 +SECStatus | |
83 +ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type, | |
84 + SECItem *data) | |
85 +{ | |
86 + SECStatus rv; | |
87 + | |
88 + /* Ignore the OBCert extension if it is disabled. */ | |
89 + if (!ss->opt.enableOBCerts) | |
90 + return SECSuccess; | |
91 + | |
92 + /* The echoed extension must be empty. */ | |
93 + if (data->len != 0) | |
94 + return SECFailure; | |
95 + | |
96 + /* Keep track of negotiated extensions. */ | |
97 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
98 + | |
99 + rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | |
100 + ssl3_SendOBCertXtn); | |
101 + | |
102 + return SECSuccess; | |
103 +} | |
104 + | |
105 +SECStatus | |
106 +ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type, | |
107 + SECItem *data) | |
108 +{ | |
109 + /* If we didn't request this extension, then the server may not echo it. */ | |
110 + if (!ss->opt.enableOBCerts) | |
111 + return SECFailure; | |
112 + | |
113 + /* The echoed extension must be empty. */ | |
114 + if (data->len != 0) | |
115 + return SECFailure; | |
116 + | |
117 + /* Keep track of negotiated extensions. */ | |
118 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
119 + | |
120 + return SECSuccess; | |
121 +} | |
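Review bot: In ssl3_ServerHandleOBCertXtn the result of ssl3_RegisterServerHelloExtensionSender is stored in `rv` and then discarded, so a failed registration is reported as SECSuccess after the extension has already been recorded in `negotiated[]`, and the server would then silently not echo the extension the client is waiting for. Replace the tail with `rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, ssl3_SendOBCertXtn);` followed by `return rv;`, or check `rv` before updating `negotiated[]`. In ssl3_ClientHandleOBCertXtn the only acceptance gate is `ss->opt.enableOBCerts`; when ssl3_SendOBCertXtn skipped advertising because `maxBytes` was below 4, an echoed extension would still be accepted and counted as negotiated unless the extension dispatcher already verifies that the client advertised it, which is worth confirming against the caller. The length comment in ssl3_SendOBCertXtn also ends in a dangling `+`; suggest `/* extension length = extension_type (2 bytes) + length(extension_data) (2 bytes) */`.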
122 diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/s
slimpl.h | |
123 --- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 20:34:50.114663722 -0
800 | |
124 +++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 16:57:21.097919853 -0
800 | |
125 @@ -349,6 +349,7 @@ typedef struct sslOptionsStr { | |
126 unsigned int enableFalseStart : 1; /* 23 */ | |
127 unsigned int cbcRandomIV : 1; /* 24 */ | |
128 unsigned int enableOCSPStapling : 1; /* 25 */ | |
129 + unsigned int enableOBCerts : 1; /* 26 */ | |
130 } sslOptions; | |
131 | |
132 typedef enum { sslHandshakingUndetermined = 0, | |
133 @@ -1563,8 +1564,12 @@ extern SECStatus ssl3_ClientHandleSessio | |
134 PRUint16 ex_type, SECItem *data); | |
135 extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, | |
136 PRUint16 ex_type, SECItem *data); | |
137 +extern SECStatus ssl3_ClientHandleOBCertXtn(sslSocket *ss, | |
138 + PRUint16 ex_type, SECItem *data); | |
139 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, | |
140 PRUint16 ex_type, SECItem *data); | |
141 +extern SECStatus ssl3_ServerHandleOBCertXtn(sslSocket *ss, | |
142 + PRUint16 ex_type, SECItem *data); | |
143 | |
144 /* ClientHello and ServerHello extension senders. | |
145 * Note that not all extension senders are exposed here; only those that | |
146 @@ -1580,6 +1585,8 @@ extern PRInt32 ssl3_ClientSendStatusRequ | |
147 */ | |
148 extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append, | |
149 PRUint32 maxBytes); | |
150 +extern PRInt32 ssl3_SendOBCertXtn(sslSocket *ss, PRBool append, | |
151 + PRUint32 maxBytes); | |
152 | |
153 /* Assigns new cert, cert chain and keys to ss->serverCerts | |
154 * struct. If certChain is NULL, tries to find one. Aborts if | |
155 diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/s
slsock.c | |
156 --- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 14:41:25.755295547 -0
800 | |
157 +++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 17:03:16.272715683 -0
800 | |
158 @@ -187,6 +187,7 @@ static sslOptions ssl_defaults = { | |
159 PR_FALSE, /* enableFalseStart */ | |
160 PR_TRUE, /* cbcRandomIV */ | |
161 PR_FALSE, /* enableOCSPStapling */ | |
162 + PR_FALSE, /* enableOBCerts */ | |
163 }; | |
164 | |
165 sslSessionIDLookupFunc ssl_sid_lookup; | |
166 @@ -750,6 +751,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh | |
167 ss->opt.enableOCSPStapling = on; | |
168 break; | |
169 | |
170 + case SSL_ENABLE_OB_CERTS: | |
171 + ss->opt.enableOBCerts = on; | |
172 + break; | |
173 + | |
174 default: | |
175 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
176 rv = SECFailure; | |
177 @@ -816,6 +821,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh | |
178 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | |
179 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | |
180 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | |
181 + case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break; | |
182 | |
183 default: | |
184 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
185 @@ -873,6 +879,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBo | |
186 case SSL_ENABLE_OCSP_STAPLING: | |
187 on = ssl_defaults.enableOCSPStapling; | |
188 break; | |
189 + case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break; | |
190 | |
191 default: | |
192 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
193 @@ -1036,6 +1043,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo | |
194 ssl_defaults.enableOCSPStapling = on; | |
195 break; | |
196 | |
197 + case SSL_ENABLE_OB_CERTS: | |
198 + ssl_defaults.enableOBCerts = on; | |
199 + break; | |
200 + | |
201 default: | |
202 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
203 return SECFailure; | |
204 diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt
.h | |
205 --- a/src/net/third_party/nss/ssl/sslt.h 2012-02-28 19:26:04.057351342 -0
800 | |
206 +++ b/src/net/third_party/nss/ssl/sslt.h 2012-02-29 17:05:03.744171015 -0
800 | |
207 @@ -205,9 +205,10 @@ typedef enum { | |
208 #endif | |
209 ssl_session_ticket_xtn = 35, | |
210 ssl_next_proto_nego_xtn = 13172, | |
211 - ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ | |
212 + ssl_renegotiation_info_xtn = 0xff01, /* experimental number */ | |
213 + ssl_ob_cert_xtn = 13175 /* experimental number */ | |
214 } SSLExtensionType; | |
215 | |
216 -#define SSL_MAX_EXTENSIONS 7 | |
217 +#define SSL_MAX_EXTENSIONS 8 | |
218 | |
219 #endif /* __sslt_h_ */ | |