Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(110)

Side by Side Diff: net/third_party/nss/patches/channelid.patch

Issue 10540014: nss: support SECWouldBlock from ChannelID callback. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: ... Created 8 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | net/third_party/nss/ssl/ssl.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 diff --git a/net/third_party/nss/ssl/SSLerrs.h b/net/third_party/nss/ssl/SSLerrs .h 1 diff --git a/net/third_party/nss/ssl/SSLerrs.h b/net/third_party/nss/ssl/SSLerrs .h
2 index e3f9a1c..2d92514 100644 2 index e3f9a1c..2d92514 100644
3 --- a/net/third_party/nss/ssl/SSLerrs.h 3 --- a/net/third_party/nss/ssl/SSLerrs.h
4 +++ b/net/third_party/nss/ssl/SSLerrs.h 4 +++ b/net/third_party/nss/ssl/SSLerrs.h
5 @@ -429,3 +429,12 @@ ER3(SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST, (SSL_ERROR _BASE + 122), 5 @@ -429,3 +429,12 @@ ER3(SSL_ERROR_RX_MALFORMED_HELLO_VERIFY_REQUEST, (SSL_ERROR _BASE + 122),
6 6
7 ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST, (SSL_ERROR_BASE + 123), 7 ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST, (SSL_ERROR_BASE + 123),
8 "SSL received an unexpected Hello Verify Request handshake message.") 8 "SSL received an unexpected Hello Verify Request handshake message.")
9 + 9 +
10 +ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 124), 10 +ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 124),
11 +"SSL received a malformed TLS Channel ID extension.") 11 +"SSL received a malformed TLS Channel ID extension.")
12 + 12 +
13 +ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 125), 13 +ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 125),
14 +"The application provided an invalid TLS Channel ID key.") 14 +"The application provided an invalid TLS Channel ID key.")
15 + 15 +
16 +ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 126), 16 +ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 126),
17 +"The application could not get a TLS Channel ID.") 17 +"The application could not get a TLS Channel ID.")
18 diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h 18 diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
19 index 1368e2f..3d8fdcb 100644 19 index 1368e2f..9b3a199 100644
20 --- a/net/third_party/nss/ssl/ssl.h 20 --- a/net/third_party/nss/ssl/ssl.h
21 +++ b/net/third_party/nss/ssl/ssl.h 21 +++ b/net/third_party/nss/ssl/ssl.h
22 @@ -945,6 +945,25 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFil eDesc * socket, 22 @@ -945,6 +945,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFil eDesc * socket,
23 SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd, 23 SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd,
24 PRBool *last_handshake_resumed ); 24 PRBool *last_handshake_resumed );
25 25
26 +/* See SSL_SetClientChannelIDCallback for usage. The callback must return 26 +/* See SSL_SetClientChannelIDCallback for usage. If the callback returns
27 + * SECFailure or SECSuccess (not SECWouldBlock). On SECSuccess, the callback 27 + * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in
28 + * must have written a P-256, EC key pair to |*out_public_key| and 28 + * the future to restart the handshake. On SECSuccess, the callback must have
29 + * |*out_private_key|. */ 29 + * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */
30 +typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)( 30 +typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)(
31 + void *arg, 31 + void *arg,
32 + PRFileDesc *fd, 32 + PRFileDesc *fd,
33 + SECKEYPublicKey **out_public_key, 33 + SECKEYPublicKey **out_public_key,
34 + SECKEYPrivateKey **out_private_key); 34 + SECKEYPrivateKey **out_private_key);
35 + 35 +
36 +/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake
37 + * after a ChannelID callback returned SECWouldBlock.
38 + *
39 + * This function takes ownership of |channelIDPub| and |channelID|. */
40 +SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq(
41 + PRFileDesc *fd,
42 + SECKEYPublicKey *channelIDPub,
43 + SECKEYPrivateKey *channelID);
44 +
36 +/* SSL_SetClientChannelIDCallback sets a callback function that will be called 45 +/* SSL_SetClientChannelIDCallback sets a callback function that will be called
37 + * just before a Channel ID is sent. This is only applicable to a client socket 46 + * once the server's ServerHello has been processed. This is only applicable to
38 + * and setting this callback causes the TLS Channel ID extension to be 47 + * a client socket and setting this callback causes the TLS Channel ID
39 + * advertised. */ 48 + * extension to be advertised. */
40 +SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback( 49 +SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback(
41 + PRFileDesc *fd, 50 + PRFileDesc *fd,
42 + SSLClientChannelIDCallback callback, 51 + SSLClientChannelIDCallback callback,
43 + void *arg); 52 + void *arg);
44 + 53 +
45 /* 54 /*
46 ** How long should we wait before retransmitting the next flight of 55 ** How long should we wait before retransmitting the next flight of
47 ** the DTLS handshake? Returns SECFailure if not DTLS or not in a 56 ** the DTLS handshake? Returns SECFailure if not DTLS or not in a
48 diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con .c 57 diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con .c
49 index db9fad3..f714a98 100644 58 index db9fad3..6780a84 100644
50 --- a/net/third_party/nss/ssl/ssl3con.c 59 --- a/net/third_party/nss/ssl/ssl3con.c
51 +++ b/net/third_party/nss/ssl/ssl3con.c 60 +++ b/net/third_party/nss/ssl/ssl3con.c
52 @@ -86,6 +86,7 @@ static SECStatus ssl3_SendCertificate( sslSocket *ss); 61 @@ -86,6 +86,7 @@ static SECStatus ssl3_SendCertificate( sslSocket *ss);
53 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); 62 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
54 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); 63 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
55 static SECStatus ssl3_SendNextProto( sslSocket *ss); 64 static SECStatus ssl3_SendNextProto( sslSocket *ss);
56 +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); 65 +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
57 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); 66 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
58 static SECStatus ssl3_SendServerHello( sslSocket *ss); 67 static SECStatus ssl3_SendServerHello( sslSocket *ss);
59 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); 68 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
60 @@ -6239,6 +6240,10 @@ ssl3_SendClientSecondRound(sslSocket *ss) 69 @@ -5200,6 +5201,15 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi nt32 length)
70 }
71 #endif /* NSS_PLATFORM_CLIENT_AUTH */
72
73 + if (ss->ssl3.channelID != NULL) {
74 +» SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
75 +» ss->ssl3.channelID = NULL;
76 + }
77 + if (ss->ssl3.channelIDPub != NULL) {
78 +» SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
79 +» ss->ssl3.channelIDPub = NULL;
80 + }
81 +
82 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
83 if (temp < 0) {
84 » goto loser; » /* alert has been sent */
85 @@ -5452,13 +5462,12 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRU int32 length)
86 » ssl3_CopyPeerCertsFromSID(ss, sid);
87 » }
88
89 -
90 » /* NULL value for PMS signifies re-use of the old MS */
91 » rv = ssl3_InitPendingCipherSpec(ss, NULL);
92 » if (rv != SECSuccess) {
93 » goto alert_loser;» /* err code was set */
94 » }
95 -» return SECSuccess;
96 +» goto winner;
97 } while (0);
98
99 if (sid_match)
100 @@ -5483,6 +5492,26 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi nt32 length)
101
102 ss->ssl3.hs.isResuming = PR_FALSE;
103 ss->ssl3.hs.ws = wait_server_cert;
104 +
105 +winner:
106 + /* If we will need a ChannelID key then we make the callback now. This
107 + * allows the handshake to be restarted cleanly if the callback returns
108 + * SECWouldBlock. */
109 + if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
110 +» rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
111 +» » » &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
112 +» if (rv == SECWouldBlock) {
113 +» ssl3_SetAlwaysBlock(ss);
114 +» return rv;
115 +» }
116 +» if (rv != SECSuccess ||
117 +» ss->ssl3.channelIDPub == NULL ||
118 +» ss->ssl3.channelID == NULL) {
119 +» PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
120 +» goto loser;
121 +» }
122 + }
123 +
124 return SECSuccess;
125
126 alert_loser:
127 @@ -6239,6 +6268,10 @@ ssl3_SendClientSecondRound(sslSocket *ss)
61 goto loser; /* err code was set. */ 128 goto loser; /* err code was set. */
62 } 129 }
63 } 130 }
64 + rv = ssl3_SendEncryptedExtensions(ss); 131 + rv = ssl3_SendEncryptedExtensions(ss);
65 + if (rv != SECSuccess) { 132 + if (rv != SECSuccess) {
66 + goto loser; /* err code was set. */ 133 + goto loser; /* err code was set. */
67 + } 134 + }
68 135
69 rv = ssl3_SendFinished(ss, 0); 136 rv = ssl3_SendFinished(ss, 0);
70 if (rv != SECSuccess) { 137 if (rv != SECSuccess) {
71 @@ -8855,6 +8860,130 @@ ssl3_SendNextProto(sslSocket *ss) 138 @@ -8855,6 +8888,164 @@ ssl3_SendNextProto(sslSocket *ss)
72 return rv; 139 return rv;
73 } 140 }
74 141
75 +/* called from ssl3_SendClientSecondRound 142 +/* called from ssl3_SendClientSecondRound
76 + * ssl3_HandleFinished 143 + * ssl3_HandleFinished
77 + */ 144 + */
78 +static SECStatus 145 +static SECStatus
79 +ssl3_SendEncryptedExtensions(sslSocket *ss) 146 +ssl3_SendEncryptedExtensions(sslSocket *ss)
80 +{ 147 +{
81 + static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature"; 148 + static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
(...skipping 20 matching lines...) Expand all
102 + 169 +
103 + SECStatus rv = SECFailure; 170 + SECStatus rv = SECFailure;
104 + SECItem *spki = NULL; 171 + SECItem *spki = NULL;
105 + SSL3Hashes hashes; 172 + SSL3Hashes hashes;
106 + const unsigned char *pub_bytes; 173 + const unsigned char *pub_bytes;
107 + unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)]; 174 + unsigned char signed_data[sizeof(CHANNEL_ID_MAGIC) + sizeof(SSL3Hashes)];
108 + unsigned char digest[SHA256_LENGTH]; 175 + unsigned char digest[SHA256_LENGTH];
109 + SECItem digest_item; 176 + SECItem digest_item;
110 + unsigned char signature[64]; 177 + unsigned char signature[64];
111 + SECItem signature_item; 178 + SECItem signature_item;
112 + SECKEYPrivateKey *channelID = NULL;
113 + SECKEYPublicKey *channelIDPub = NULL;
114 + 179 +
115 + PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 180 + PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
116 + PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 181 + PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
117 + 182 +
118 + if (ss->getChannelID == NULL || 183 + if (ss->ssl3.channelID == NULL)
119 +» !ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
120 + return SECSuccess; 184 + return SECSuccess;
121 + }
122 + 185 +
123 + rv = ss->getChannelID(ss->getChannelIDArg, ss->fd, 186 + PORT_Assert(ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn));
124 +» » » &channelIDPub, &channelID);
125 + if (rv != SECSuccess) {
126 +» PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
127 +» goto loser;
128 + }
129 + 187 +
130 + if (SECKEY_GetPrivateKeyType(channelID) != ecKey || 188 + if (SECKEY_GetPrivateKeyType(ss->ssl3.channelID) != ecKey ||
131 +» PK11_SignatureLen(channelID) != sizeof(signature)) { 189 +» PK11_SignatureLen(ss->ssl3.channelID) != sizeof(signature)) {
132 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); 190 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
133 + rv = SECFailure; 191 + rv = SECFailure;
134 + goto loser; 192 + goto loser;
135 + } 193 + }
136 + 194 +
137 + ssl_GetSpecReadLock(ss); 195 + ssl_GetSpecReadLock(ss);
138 + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0); 196 + rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.cwSpec, &hashes, 0);
139 + ssl_ReleaseSpecReadLock(ss); 197 + ssl_ReleaseSpecReadLock(ss);
140 + 198 +
141 + if (rv != SECSuccess) 199 + if (rv != SECSuccess)
142 + goto loser; 200 + goto loser;
143 + 201 +
144 + rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions, 202 + rv = ssl3_AppendHandshakeHeader(ss, encrypted_extensions,
145 + 2 + 2 + CHANNEL_ID_LENGTH); 203 + 2 + 2 + CHANNEL_ID_LENGTH);
146 + if (rv != SECSuccess) 204 + if (rv != SECSuccess)
147 + goto loser; /* error code set by AppendHandshakeHeader */ 205 + goto loser; /* error code set by AppendHandshakeHeader */
148 + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2); 206 + rv = ssl3_AppendHandshakeNumber(ss, ssl_channel_id_xtn, 2);
149 + if (rv != SECSuccess) 207 + if (rv != SECSuccess)
150 + goto loser; /* error code set by AppendHandshake */ 208 + goto loser; /* error code set by AppendHandshake */
151 + rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2); 209 + rv = ssl3_AppendHandshakeNumber(ss, CHANNEL_ID_LENGTH, 2);
152 + if (rv != SECSuccess) 210 + if (rv != SECSuccess)
153 + goto loser; /* error code set by AppendHandshake */ 211 + goto loser; /* error code set by AppendHandshake */
154 + 212 +
155 + spki = SECKEY_EncodeDERSubjectPublicKeyInfo(channelIDPub); 213 + spki = SECKEY_EncodeDERSubjectPublicKeyInfo(ss->ssl3.channelIDPub);
156 + 214 +
157 + if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH || 215 + if (spki->len != sizeof(P256_SPKI_PREFIX) + CHANNEL_ID_PUBLIC_KEY_LENGTH ||
158 + memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) { 216 + memcmp(spki->data, P256_SPKI_PREFIX, sizeof(P256_SPKI_PREFIX) != 0)) {
159 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY); 217 + PORT_SetError(SSL_ERROR_INVALID_CHANNEL_ID_KEY);
160 + rv = SECFailure; 218 + rv = SECFailure;
161 + goto loser; 219 + goto loser;
162 + } 220 + }
163 + 221 +
164 + pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX); 222 + pub_bytes = spki->data + sizeof(P256_SPKI_PREFIX);
165 + 223 +
166 + memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC)); 224 + memcpy(signed_data, CHANNEL_ID_MAGIC, sizeof(CHANNEL_ID_MAGIC));
167 + memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), &hashes, sizeof(hashes)); 225 + memcpy(signed_data + sizeof(CHANNEL_ID_MAGIC), &hashes, sizeof(hashes));
168 + 226 +
169 + rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, sizeof(signed_data)) ; 227 + rv = PK11_HashBuf(SEC_OID_SHA256, digest, signed_data, sizeof(signed_data)) ;
170 + if (rv != SECSuccess) 228 + if (rv != SECSuccess)
171 + goto loser; 229 + goto loser;
172 + 230 +
173 + digest_item.data = digest; 231 + digest_item.data = digest;
174 + digest_item.len = sizeof(digest); 232 + digest_item.len = sizeof(digest);
175 + 233 +
176 + signature_item.data = signature; 234 + signature_item.data = signature;
177 + signature_item.len = sizeof(signature); 235 + signature_item.len = sizeof(signature);
178 + 236 +
179 + rv = PK11_Sign(channelID, &signature_item, &digest_item); 237 + rv = PK11_Sign(ss->ssl3.channelID, &signature_item, &digest_item);
180 + if (rv != SECSuccess) 238 + if (rv != SECSuccess)
181 + goto loser; 239 + goto loser;
182 + 240 +
183 + rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH); 241 + rv = ssl3_AppendHandshake(ss, pub_bytes, CHANNEL_ID_PUBLIC_KEY_LENGTH);
184 + if (rv != SECSuccess) 242 + if (rv != SECSuccess)
185 + goto loser; 243 + goto loser;
186 + rv = ssl3_AppendHandshake(ss, signature, sizeof(signature)); 244 + rv = ssl3_AppendHandshake(ss, signature, sizeof(signature));
187 + 245 +
188 +loser: 246 +loser:
189 + if (spki) 247 + if (spki)
190 + SECITEM_FreeItem(spki, PR_TRUE); 248 + SECITEM_FreeItem(spki, PR_TRUE);
191 + if (channelID) 249 + if (ss->ssl3.channelID) {
192 +» SECKEY_DestroyPrivateKey(channelID); 250 +» SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
193 + if (channelIDPub) 251 +» ss->ssl3.channelID = NULL;
194 +» SECKEY_DestroyPublicKey(channelIDPub); 252 + }
253 + if (ss->ssl3.channelIDPub) {
254 +» SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
255 +» ss->ssl3.channelIDPub = NULL;
256 + }
195 + 257 +
196 + return rv; 258 + return rv;
197 +} 259 +}
198 + 260 +
261 +/* ssl3_RestartHandshakeAfterChannelIDReq is called to restart a handshake
262 + * after a ChannelID callback returned SECWouldBlock. At this point we have
263 + * processed the server's ServerHello but not yet any further messages. We will
264 + * always get a message from the server after a ServerHello so either they are
265 + * waiting in the buffer or we'll get network I/O. */
266 +SECStatus
267 +ssl3_RestartHandshakeAfterChannelIDReq(sslSocket *ss,
268 + SECKEYPublicKey *channelIDPub,
269 + SECKEYPrivateKey *channelID)
270 +{
271 + if (ss->handshake == 0) {
272 + SECKEY_DestroyPublicKey(channelIDPub);
273 + SECKEY_DestroyPrivateKey(channelID);
274 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
275 + return SECFailure;
276 + }
277 +
278 + if (channelIDPub == NULL ||
279 + channelID == NULL) {
280 + if (channelIDPub)
281 + SECKEY_DestroyPublicKey(channelIDPub);
282 + if (channelID)
283 + SECKEY_DestroyPrivateKey(channelID);
284 + PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
285 + return SECFailure;
286 + }
287 +
288 + if (ss->ssl3.channelID)
289 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
290 + if (ss->ssl3.channelIDPub)
291 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
292 +
293 + ss->handshake = ssl_GatherRecord1stHandshake;
294 + ss->ssl3.channelID = channelID;
295 + ss->ssl3.channelIDPub = channelIDPub;
296 +
297 + return SECSuccess;
298 +}
299 +
199 /* called from ssl3_HandleServerHelloDone 300 /* called from ssl3_HandleServerHelloDone
200 * ssl3_HandleClientHello 301 * ssl3_HandleClientHello
201 * ssl3_HandleFinished 302 * ssl3_HandleFinished
202 @@ -9105,11 +9234,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint 32 length, 303 @@ -9105,11 +9296,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint 32 length,
203 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; 304 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
204 } 305 }
205 306
206 - if (!isServer && !ss->firstHsDone) { 307 - if (!isServer && !ss->firstHsDone) {
207 - rv = ssl3_SendNextProto(ss); 308 - rv = ssl3_SendNextProto(ss);
208 - if (rv != SECSuccess) { 309 - if (rv != SECSuccess) {
209 - goto xmit_loser; /* err code was set. */ 310 - goto xmit_loser; /* err code was set. */
210 + if (!isServer) { 311 + if (!isServer) {
211 + if (!ss->firstHsDone) { 312 + if (!ss->firstHsDone) {
212 + rv = ssl3_SendNextProto(ss); 313 + rv = ssl3_SendNextProto(ss);
213 + if (rv != SECSuccess) { 314 + if (rv != SECSuccess) {
214 + goto xmit_loser; /* err code was set. */ 315 + goto xmit_loser; /* err code was set. */
215 + } 316 + }
216 } 317 }
217 + rv = ssl3_SendEncryptedExtensions(ss); 318 + rv = ssl3_SendEncryptedExtensions(ss);
218 + if (rv != SECSuccess) 319 + if (rv != SECSuccess)
219 + goto xmit_loser; /* err code was set. */ 320 + goto xmit_loser; /* err code was set. */
220 } 321 }
221 322
222 if (IS_DTLS(ss)) { 323 if (IS_DTLS(ss)) {
324 @@ -10376,6 +10572,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
325 ssl_FreePlatformKey(ss->ssl3.platformClientKey);
326 #endif /* NSS_PLATFORM_CLIENT_AUTH */
327
328 + if (ss->ssl3.channelID)
329 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
330 + if (ss->ssl3.channelIDPub)
331 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
332 +
333 if (ss->ssl3.peerCertArena != NULL)
334 ssl3_CleanupPeerCerts(ss);
335
223 diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext .c 336 diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext .c
224 index b9fd6e7..029487e 100644 337 index b9fd6e7..029487e 100644
225 --- a/net/third_party/nss/ssl/ssl3ext.c 338 --- a/net/third_party/nss/ssl/ssl3ext.c
226 +++ b/net/third_party/nss/ssl/ssl3ext.c 339 +++ b/net/third_party/nss/ssl/ssl3ext.c
227 @@ -80,10 +80,14 @@ static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket * ss, 340 @@ -80,10 +80,14 @@ static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket * ss,
228 PRUint16 ex_type, SECItem *data); 341 PRUint16 ex_type, SECItem *data);
229 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, 342 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
230 PRUint16 ex_type, SECItem *data); 343 PRUint16 ex_type, SECItem *data);
231 +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, 344 +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
232 + PRUint16 ex_type, SECItem *data); 345 + PRUint16 ex_type, SECItem *data);
(...skipping 127 matching lines...) Expand 10 before | Expand all | Expand 10 after
360 SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 123), 473 SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST = (SSL_ERROR_BASE + 123),
361 474
362 +SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 124), 475 +SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 124),
363 +SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 125), 476 +SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 125),
364 +SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 126), 477 +SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 126),
365 + 478 +
366 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ 479 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
367 } SSLErrorCodes; 480 } SSLErrorCodes;
368 #endif /* NO_SECURITY_ERROR_ENUM */ 481 #endif /* NO_SECURITY_ERROR_ENUM */
369 diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl .h 482 diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl .h
370 index 8ab865a..7cd2298 100644 483 index 8ab865a..d7335ae 100644
371 --- a/net/third_party/nss/ssl/sslimpl.h 484 --- a/net/third_party/nss/ssl/sslimpl.h
372 +++ b/net/third_party/nss/ssl/sslimpl.h 485 +++ b/net/third_party/nss/ssl/sslimpl.h
373 @@ -1198,6 +1198,8 @@ const unsigned char * preferredCipher; 486 @@ -930,6 +930,9 @@ struct ssl3StateStr {
487 CERTCertificateList *clientCertChain; /* used by client */
488 PRBool sendEmptyCert; /* used by client */
489
490 + SECKEYPrivateKey *channelID; /* used by client */
491 + SECKEYPublicKey *channelIDPub; /* used by client */
492 +
493 int policy;
494 » » » /* This says what cipher suites we can do, and should
495 » » » * be either SSL_ALLOWED or SSL_RESTRICTED
496 @@ -1198,6 +1201,8 @@ const unsigned char * preferredCipher;
374 void *pkcs11PinArg; 497 void *pkcs11PinArg;
375 SSLNextProtoCallback nextProtoCallback; 498 SSLNextProtoCallback nextProtoCallback;
376 void *nextProtoArg; 499 void *nextProtoArg;
377 + SSLClientChannelIDCallback getChannelID; 500 + SSLClientChannelIDCallback getChannelID;
378 + void *getChannelIDArg; 501 + void *getChannelIDArg;
379 502
380 PRIntervalTime rTimeout; /* timeout for NSPR I/O */ 503 PRIntervalTime rTimeout; /* timeout for NSPR I/O */
381 PRIntervalTime wTimeout; /* timeout for NSPR I/O */ 504 PRIntervalTime wTimeout; /* timeout for NSPR I/O */
505 @@ -1529,6 +1534,11 @@ extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSoc ket * ss,
506 SECKEYPrivateKey * key,
507 CERTCertificateList *certChain);
508
509 +extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq(
510 + sslSocket *ss,
511 + SECKEYPublicKey *channelIDPub,
512 + SECKEYPrivateKey *channelID);
513 +
514 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error) ;
515
516 /*
517 diff --git a/net/third_party/nss/ssl/sslsecur.c b/net/third_party/nss/ssl/sslsec ur.c
518 index e4804d0..526d654 100644
519 --- a/net/third_party/nss/ssl/sslsecur.c
520 +++ b/net/third_party/nss/ssl/sslsecur.c
521 @@ -1535,6 +1535,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileDesc * fd,
522 return ret;
523 }
524
525 +SECStatus
526 +SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc * fd,
527 + SECKEYPublicKey * channelIDPub,
528 + SECKEYPrivateKey *channelID)
529 +{
530 + sslSocket * ss = ssl_FindSocket(fd);
531 + SECStatus ret;
532 +
533 + if (!ss) {
534 + SSL_DBG(("%d: SSL[%d]: bad socket in"
535 + " SSL_RestartHandshakeAfterChannelIDReq",
536 + SSL_GETPID(), fd));
537 + goto loser;
538 + }
539 +
540 +
541 + ssl_Get1stHandshakeLock(ss);
542 +
543 + if (ss->version < SSL_LIBRARY_VERSION_3_0) {
544 + PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
545 + ssl_Release1stHandshakeLock(ss);
546 + goto loser;
547 + }
548 +
549 + ret = ssl3_RestartHandshakeAfterChannelIDReq(ss, channelIDPub,
550 + channelID);
551 + ssl_Release1stHandshakeLock(ss);
552 +
553 + return ret;
554 +
555 +loser:
556 + SECKEY_DestroyPublicKey(channelIDPub);
557 + SECKEY_DestroyPrivateKey(channelID);
558 + return SECFailure;
559 +}
560 +
561 /* DO NOT USE. This function was exported in ssl.def with the wrong signature;
562 * this implementation exists to maintain link-time compatibility.
563 */
382 diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock .c 564 diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock .c
383 index ebc245a..9498828 100644 565 index ebc245a..9498828 100644
384 --- a/net/third_party/nss/ssl/sslsock.c 566 --- a/net/third_party/nss/ssl/sslsock.c
385 +++ b/net/third_party/nss/ssl/sslsock.c 567 +++ b/net/third_party/nss/ssl/sslsock.c
386 @@ -374,6 +374,8 @@ ssl_DupSocket(sslSocket *os) 568 @@ -374,6 +374,8 @@ ssl_DupSocket(sslSocket *os)
387 ss->handshakeCallback = os->handshakeCallback; 569 ss->handshakeCallback = os->handshakeCallback;
388 ss->handshakeCallbackData = os->handshakeCallbackData; 570 ss->handshakeCallbackData = os->handshakeCallbackData;
389 ss->pkcs11PinArg = os->pkcs11PinArg; 571 ss->pkcs11PinArg = os->pkcs11PinArg;
390 + ss->getChannelID = os->getChannelID; 572 + ss->getChannelID = os->getChannelID;
391 + ss->getChannelIDArg = os->getChannelIDArg; 573 + ss->getChannelIDArg = os->getChannelIDArg;
(...skipping 29 matching lines...) Expand all
421 ssl_session_ticket_xtn = 35, 603 ssl_session_ticket_xtn = 35,
422 ssl_next_proto_nego_xtn = 13172, 604 ssl_next_proto_nego_xtn = 13172,
423 + ssl_channel_id_xtn = 30031, 605 + ssl_channel_id_xtn = 30031,
424 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ 606 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
425 } SSLExtensionType; 607 } SSLExtensionType;
426 608
427 -#define SSL_MAX_EXTENSIONS 7 609 -#define SSL_MAX_EXTENSIONS 7
428 +#define SSL_MAX_EXTENSIONS 8 610 +#define SSL_MAX_EXTENSIONS 8
429 611
430 #endif /* __sslt_h_ */ 612 #endif /* __sslt_h_ */
OLDNEW
« no previous file with comments | « no previous file | net/third_party/nss/ssl/ssl.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698