
Side by Side Diff: net/third_party/nss/patches/origin_bound_certs.patch

Issue 10387222: nss: revert encrypted and origin bound certificates support. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 7 months ago
(Empty)
1 diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
2 --- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 14:41:25.755295547 -0800
3 +++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 16:45:47.368569394 -0800
4 @@ -168,6 +168,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
5 */
6 #define SSL_CBC_RANDOM_IV 23
7 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
8 +#define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */
9
10 #ifdef SSL_DEPRECATED_FUNCTION
11 /* Old deprecated function names */
12 diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/s sl3ext.c
13 --- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 20:34:50.114663722 -0 800
14 +++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-29 17:05:21.684414824 -0 800
15 @@ -242,6 +242,7 @@ static const ssl3HelloExtensionHandler c
16 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
17 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
18 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
19 + { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn },
20 { -1, NULL }
21 };
22
23 @@ -254,6 +255,7 @@ static const ssl3HelloExtensionHandler s
24 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
25 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
26 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
27 + { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn },
28 { -1, NULL }
29 };
30
31 @@ -278,7 +280,8 @@ ssl3HelloExtensionSender clientHelloSend
32 #endif
33 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
34 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
35 - { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
36 + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
37 + { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn }
38 /* any extra entries will appear as { 0, NULL } */
39 };
40
41 @@ -1723,3 +1726,80 @@ ssl3_HandleRenegotiationInfoXtn(sslSocke
42 return rv;
43 }
44
45 +/* This sender is used by both the client and server. */
46 +PRInt32
47 +ssl3_SendOBCertXtn(sslSocket * ss, PRBool append,
48 + PRUint32 maxBytes)
49 +{
50 + SECStatus rv;
51 + PRUint32 extension_length;
52 +
53 + if (!ss)
54 + return 0;
55 +
56 + if (!ss->opt.enableOBCerts)
57 + return 0;
58 +
59 + /* extension length = extension_type (2-bytes) +
60 + * length(extension_data) (2-bytes) +
61 + */
62 +
63 + extension_length = 4;
64 +
65 + if (append && maxBytes >= extension_length) {
66 + /* extension_type */
67 + rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2);
68 + if (rv != SECSuccess) return -1;
69 + /* length of extension_data */
70 + rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
71 + if (rv != SECSuccess) return -1;
72 +
73 + if (!ss->sec.isServer) {
74 + TLSExtensionData *xtnData = &ss->xtnData;
75 + xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn;
76 + }
77 + }
78 +
79 + return extension_length;
80 +}
81 +
82 +SECStatus
83 +ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
84 + SECItem *data)
85 +{
86 + SECStatus rv;
87 +
88 + /* Ignore the OBCert extension if it is disabled. */
89 + if (!ss->opt.enableOBCerts)
90 + return SECSuccess;
91 +
92 + /* The echoed extension must be empty. */
93 + if (data->len != 0)
94 + return SECFailure;
95 +
96 + /* Keep track of negotiated extensions. */
97 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
98 +
99 + rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
100 + ssl3_SendOBCertXtn);
101 +
102 + return SECSuccess;
103 +}
104 +
105 +SECStatus
106 +ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
107 + SECItem *data)
108 +{
109 + /* If we didn't request this extension, then the server may not echo it. */
110 + if (!ss->opt.enableOBCerts)
111 + return SECFailure;
112 +
113 + /* The echoed extension must be empty. */
114 + if (data->len != 0)
115 + return SECFailure;
116 +
117 + /* Keep track of negotiated extensions. */
118 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
119 +
120 + return SECSuccess;
121 +}
122 diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/s slimpl.h
123 --- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 20:34:50.114663722 -0 800
124 +++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 16:57:21.097919853 -0 800
125 @@ -349,6 +349,7 @@ typedef struct sslOptionsStr {
126 unsigned int enableFalseStart : 1; /* 23 */
127 unsigned int cbcRandomIV : 1; /* 24 */
128 unsigned int enableOCSPStapling : 1; /* 25 */
129 + unsigned int enableOBCerts : 1; /* 26 */
130 } sslOptions;
131
132 typedef enum { sslHandshakingUndetermined = 0,
133 @@ -1563,8 +1564,12 @@ extern SECStatus ssl3_ClientHandleSessio
134 PRUint16 ex_type, SECItem *data);
135 extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
136 PRUint16 ex_type, SECItem *data);
137 +extern SECStatus ssl3_ClientHandleOBCertXtn(sslSocket *ss,
138 + PRUint16 ex_type, SECItem *data);
139 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
140 PRUint16 ex_type, SECItem *data);
141 +extern SECStatus ssl3_ServerHandleOBCertXtn(sslSocket *ss,
142 + PRUint16 ex_type, SECItem *data);
143
144 /* ClientHello and ServerHello extension senders.
145 * Note that not all extension senders are exposed here; only those that
146 @@ -1580,6 +1585,8 @@ extern PRInt32 ssl3_ClientSendStatusRequ
147 */
148 extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
149 PRUint32 maxBytes);
150 +extern PRInt32 ssl3_SendOBCertXtn(sslSocket *ss, PRBool append,
151 + PRUint32 maxBytes);
152
153 /* Assigns new cert, cert chain and keys to ss->serverCerts
154 * struct. If certChain is NULL, tries to find one. Aborts if
155 diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/s slsock.c
156 --- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 14:41:25.755295547 -0 800
157 +++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 17:03:16.272715683 -0 800
158 @@ -187,6 +187,7 @@ static sslOptions ssl_defaults = {
159 PR_FALSE, /* enableFalseStart */
160 PR_TRUE, /* cbcRandomIV */
161 PR_FALSE, /* enableOCSPStapling */
162 + PR_FALSE, /* enableOBCerts */
163 };
164
165 sslSessionIDLookupFunc ssl_sid_lookup;
166 @@ -750,6 +751,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
167 ss->opt.enableOCSPStapling = on;
168 break;
169
170 + case SSL_ENABLE_OB_CERTS:
171 + ss->opt.enableOBCerts = on;
172 + break;
173 +
174 default:
175 PORT_SetError(SEC_ERROR_INVALID_ARGS);
176 rv = SECFailure;
177 @@ -816,6 +821,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
178 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
179 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
180 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
181 + case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break;
182
183 default:
184 PORT_SetError(SEC_ERROR_INVALID_ARGS);
185 @@ -873,6 +879,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
186 case SSL_ENABLE_OCSP_STAPLING:
187 on = ssl_defaults.enableOCSPStapling;
188 break;
189 + case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break;
190
191 default:
192 PORT_SetError(SEC_ERROR_INVALID_ARGS);
193 @@ -1036,6 +1043,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
194 ssl_defaults.enableOCSPStapling = on;
195 break;
196
197 + case SSL_ENABLE_OB_CERTS:
198 + ssl_defaults.enableOBCerts = on;
199 + break;
200 +
201 default:
202 PORT_SetError(SEC_ERROR_INVALID_ARGS);
203 return SECFailure;
204 diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt .h
205 --- a/src/net/third_party/nss/ssl/sslt.h 2012-02-28 19:26:04.057351342 -0 800
206 +++ b/src/net/third_party/nss/ssl/sslt.h 2012-02-29 17:05:03.744171015 -0 800
207 @@ -205,9 +205,10 @@ typedef enum {
208 #endif
209 ssl_session_ticket_xtn = 35,
210 ssl_next_proto_nego_xtn = 13172,
211 - ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
212 + ssl_renegotiation_info_xtn = 0xff01, /* experimental number */
213 + ssl_ob_cert_xtn = 13175 /* experimental number */
214 } SSLExtensionType;
215
216 -#define SSL_MAX_EXTENSIONS 7
217 +#define SSL_MAX_EXTENSIONS 8
218
219 #endif /* __sslt_h_ */
