| 1 diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h | |
| 2 --- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 14:41:25.755295547 -0800 | |
| 3 +++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 16:45:47.368569394 -0800 | |
| 4 @@ -168,6 +168,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi | |
| 5 */ | |
| 6 #define SSL_CBC_RANDOM_IV 23 | |
| 7 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ | |
| 8 +#define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */ | |
| 9 | |
| 10 #ifdef SSL_DEPRECATED_FUNCTION | |
| 11 /* Old deprecated function names */ | |
| 12 diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/s
sl3ext.c | |
| 13 --- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 20:34:50.114663722 -0
800 | |
| 14 +++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-29 17:05:21.684414824 -0
800 | |
| 15 @@ -242,6 +242,7 @@ static const ssl3HelloExtensionHandler c | |
| 16 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, | |
| 17 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | |
| 18 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, | |
| 19 + { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn }, | |
| 20 { -1, NULL } | |
| 21 }; | |
| 22 | |
| 23 @@ -254,6 +255,7 @@ static const ssl3HelloExtensionHandler s | |
| 24 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | |
| 25 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | |
| 26 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | |
| 27 + { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn }, | |
| 28 { -1, NULL } | |
| 29 }; | |
| 30 | |
| 31 @@ -278,7 +280,8 @@ ssl3HelloExtensionSender clientHelloSend | |
| 32 #endif | |
| 33 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | |
| 34 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | |
| 35 - { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } | |
| 36 + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | |
| 37 + { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn } | |
| 38 /* any extra entries will appear as { 0, NULL } */ | |
| 39 }; | |
| 40 | |
| 41 @@ -1723,3 +1726,80 @@ ssl3_HandleRenegotiationInfoXtn(sslSocke | |
| 42 return rv; | |
| 43 } | |
| 44 | |
| 45 +/* This sender is used by both the client and server. */ | |
| 46 +PRInt32 | |
| 47 +ssl3_SendOBCertXtn(sslSocket * ss, PRBool append, | |
| 48 + PRUint32 maxBytes) | |
| 49 +{ | |
| 50 + SECStatus rv; | |
| 51 + PRUint32 extension_length; | |
| 52 + | |
| 53 + if (!ss) | |
| 54 + return 0; | |
| 55 + | |
| 56 + if (!ss->opt.enableOBCerts) | |
| 57 + return 0; | |
| 58 + | |
| 59 + /* extension length = extension_type (2-bytes) + | |
| 60 + * length(extension_data) (2-bytes) + | |
| 61 + */ | |
| 62 + | |
| 63 + extension_length = 4; | |
| 64 + | |
| 65 + if (append && maxBytes >= extension_length) { | |
| 66 + /* extension_type */ | |
| 67 + rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2); | |
| 68 + if (rv != SECSuccess) return -1; | |
| 69 + /* length of extension_data */ | |
| 70 + rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); | |
| 71 + if (rv != SECSuccess) return -1; | |
| 72 + | |
| 73 + if (!ss->sec.isServer) { | |
| 74 + TLSExtensionData *xtnData = &ss->xtnData; | |
| 75 + xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn; | |
| 76 + } | |
| 77 + } | |
| 78 + | |
| 79 + return extension_length; | |
| 80 +} | |
| 81 + | |
| 82 +SECStatus | |
| 83 +ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type, | |
| 84 + SECItem *data) | |
| 85 +{ | |
| 86 + SECStatus rv; | |
| 87 + | |
| 88 + /* Ignore the OBCert extension if it is disabled. */ | |
| 89 + if (!ss->opt.enableOBCerts) | |
| 90 + return SECSuccess; | |
| 91 + | |
| 92 + /* The echoed extension must be empty. */ | |
| 93 + if (data->len != 0) | |
| 94 + return SECFailure; | |
| 95 + | |
| 96 + /* Keep track of negotiated extensions. */ | |
| 97 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
| 98 + | |
| 99 + rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, | |
| 100 + ssl3_SendOBCertXtn); | |
| 101 + | |
| 102 + return SECSuccess; | |
| 103 +} | |
| 104 + | |
| 105 +SECStatus | |
| 106 +ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type, | |
| 107 + SECItem *data) | |
| 108 +{ | |
| 109 + /* If we didn't request this extension, then the server may not echo it. */ | |
| 110 + if (!ss->opt.enableOBCerts) | |
| 111 + return SECFailure; | |
| 112 + | |
| 113 + /* The echoed extension must be empty. */ | |
| 114 + if (data->len != 0) | |
| 115 + return SECFailure; | |
| 116 + | |
| 117 + /* Keep track of negotiated extensions. */ | |
| 118 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | |
| 119 + | |
| 120 + return SECSuccess; | |
| 121 +} | |
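Review bot: In ssl3_ServerHandleOBCertXtn the status of ssl3_RegisterServerHelloExtensionSender is stored in rv and then dropped, so a failed registration is reported to the caller as SECSuccess after the extension has already been recorded in negotiated[], and the server never echoes it; if I recall correctly the other server handlers in this table propagate that status, so the tail should be `rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, ssl3_SendOBCertXtn);` followed by `return rv;`. In ssl3_SendOBCertXtn the `append && maxBytes >= extension_length` branch has no else case, so when append is set but maxBytes is below 4 nothing is written yet the function still returns extension_length, over-reporting the bytes appended to the caller's length accounting; the other senders in this file, as far as I remember, cover that with an `else if (maxBytes < extension_length)` arm that asserts and returns 0, and the same shape belongs here. The length comment above `extension_length = 4` also ends in a dangling `+` and should close with `= 4 bytes (extension_data is empty)` so the constant is explained.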
| 122 diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/s
slimpl.h | |
| 123 --- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 20:34:50.114663722 -0
800 | |
| 124 +++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 16:57:21.097919853 -0
800 | |
| 125 @@ -349,6 +349,7 @@ typedef struct sslOptionsStr { | |
| 126 unsigned int enableFalseStart : 1; /* 23 */ | |
| 127 unsigned int cbcRandomIV : 1; /* 24 */ | |
| 128 unsigned int enableOCSPStapling : 1; /* 25 */ | |
| 129 + unsigned int enableOBCerts : 1; /* 26 */ | |
| 130 } sslOptions; | |
| 131 | |
| 132 typedef enum { sslHandshakingUndetermined = 0, | |
| 133 @@ -1563,8 +1564,12 @@ extern SECStatus ssl3_ClientHandleSessio | |
| 134 PRUint16 ex_type, SECItem *data); | |
| 135 extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, | |
| 136 PRUint16 ex_type, SECItem *data); | |
| 137 +extern SECStatus ssl3_ClientHandleOBCertXtn(sslSocket *ss, | |
| 138 + PRUint16 ex_type, SECItem *data); | |
| 139 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, | |
| 140 PRUint16 ex_type, SECItem *data); | |
| 141 +extern SECStatus ssl3_ServerHandleOBCertXtn(sslSocket *ss, | |
| 142 + PRUint16 ex_type, SECItem *data); | |
| 143 | |
| 144 /* ClientHello and ServerHello extension senders. | |
| 145 * Note that not all extension senders are exposed here; only those that | |
| 146 @@ -1580,6 +1585,8 @@ extern PRInt32 ssl3_ClientSendStatusRequ | |
| 147 */ | |
| 148 extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append, | |
| 149 PRUint32 maxBytes); | |
| 150 +extern PRInt32 ssl3_SendOBCertXtn(sslSocket *ss, PRBool append, | |
| 151 + PRUint32 maxBytes); | |
| 152 | |
| 153 /* Assigns new cert, cert chain and keys to ss->serverCerts | |
| 154 * struct. If certChain is NULL, tries to find one. Aborts if | |
| 155 diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/s
slsock.c | |
| 156 --- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 14:41:25.755295547 -0
800 | |
| 157 +++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 17:03:16.272715683 -0
800 | |
| 158 @@ -187,6 +187,7 @@ static sslOptions ssl_defaults = { | |
| 159 PR_FALSE, /* enableFalseStart */ | |
| 160 PR_TRUE, /* cbcRandomIV */ | |
| 161 PR_FALSE, /* enableOCSPStapling */ | |
| 162 + PR_FALSE, /* enableOBCerts */ | |
| 163 }; | |
| 164 | |
| 165 sslSessionIDLookupFunc ssl_sid_lookup; | |
| 166 @@ -750,6 +751,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh | |
| 167 ss->opt.enableOCSPStapling = on; | |
| 168 break; | |
| 169 | |
| 170 + case SSL_ENABLE_OB_CERTS: | |
| 171 + ss->opt.enableOBCerts = on; | |
| 172 + break; | |
| 173 + | |
| 174 default: | |
| 175 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
| 176 rv = SECFailure; | |
| 177 @@ -816,6 +821,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh | |
| 178 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | |
| 179 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | |
| 180 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | |
| 181 + case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break; | |
| 182 | |
| 183 default: | |
| 184 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
| 185 @@ -873,6 +879,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBo | |
| 186 case SSL_ENABLE_OCSP_STAPLING: | |
| 187 on = ssl_defaults.enableOCSPStapling; | |
| 188 break; | |
| 189 + case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break; | |
| 190 | |
| 191 default: | |
| 192 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
| 193 @@ -1036,6 +1043,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo | |
| 194 ssl_defaults.enableOCSPStapling = on; | |
| 195 break; | |
| 196 | |
| 197 + case SSL_ENABLE_OB_CERTS: | |
| 198 + ssl_defaults.enableOBCerts = on; | |
| 199 + break; | |
| 200 + | |
| 201 default: | |
| 202 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
| 203 return SECFailure; | |
| 204 diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt
.h | |
| 205 --- a/src/net/third_party/nss/ssl/sslt.h 2012-02-28 19:26:04.057351342 -0
800 | |
| 206 +++ b/src/net/third_party/nss/ssl/sslt.h 2012-02-29 17:05:03.744171015 -0
800 | |
| 207 @@ -205,9 +205,10 @@ typedef enum { | |
| 208 #endif | |
| 209 ssl_session_ticket_xtn = 35, | |
| 210 ssl_next_proto_nego_xtn = 13172, | |
| 211 - ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ | |
| 212 + ssl_renegotiation_info_xtn = 0xff01, /* experimental number */ | |
| 213 + ssl_ob_cert_xtn = 13175 /* experimental number */ | |
| 214 } SSLExtensionType; | |
| 215 | |
| 216 -#define SSL_MAX_EXTENSIONS 7 | |
| 217 +#define SSL_MAX_EXTENSIONS 8 | |
| 218 | |
| 219 #endif /* __sslt_h_ */ | |
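Review bot: The change of SSL_MAX_EXTENSIONS from 7 to 8 carries no explanation of why it moved; since it presumably sizes the per-socket advertised/negotiated arrays that the new handlers index with numAdvertised++ and numNegotiated++, the next person adding an SSLExtensionType value needs to know to bump it. A comment on the define such as `/* Must be >= the number of extension types a hello can carry; bump when adding to SSLExtensionType. */` would make that bound explicit.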