| Index: net/third_party/nss/patches/ocspstapling.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/ocspstapling.patch (revision 196870)
|
| +++ net/third_party/nss/patches/ocspstapling.patch (working copy)
|
| @@ -1,487 +0,0 @@
|
| -diff -pu -r a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
|
| ---- a/net/third_party/nss/ssl/ssl3con.c 2012-11-09 15:21:56.747322689 -0800
|
| -+++ b/net/third_party/nss/ssl/ssl3con.c 2012-11-09 15:28:27.933078020 -0800
|
| -@@ -8365,6 +8365,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce
|
| - }
|
| -
|
| - /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
|
| -+ * ssl3 CertificateStatus message.
|
| -+ * Caller must hold Handshake and RecvBuf locks.
|
| -+ * This is always called before ssl3_HandleCertificate, even if the Certificate
|
| -+ * message is sent first.
|
| -+ */
|
| -+static SECStatus
|
| -+ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| -+{
|
| -+ PRInt32 status, len;
|
| -+ int errCode;
|
| -+ SSL3AlertDescription desc;
|
| -+
|
| -+ if (!ss->ssl3.hs.may_get_cert_status ||
|
| -+ ss->ssl3.hs.ws != wait_server_cert ||
|
| -+ !ss->ssl3.hs.pending_cert_msg.data ||
|
| -+ ss->ssl3.hs.cert_status.data) {
|
| -+ errCode = SSL_ERROR_RX_UNEXPECTED_CERT_STATUS;
|
| -+ desc = unexpected_message;
|
| -+ goto alert_loser;
|
| -+ }
|
| -+
|
| -+ /* Consume the CertificateStatusType enum */
|
| -+ status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
|
| -+ if (status != 1 /* ocsp */) {
|
| -+ goto format_loser;
|
| -+ }
|
| -+
|
| -+ len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
|
| -+ if (len != length) {
|
| -+ goto format_loser;
|
| -+ }
|
| -+
|
| -+ if (SECITEM_AllocItem(NULL, &ss->ssl3.hs.cert_status, length) == NULL) {
|
| -+ return SECFailure;
|
| -+ }
|
| -+ ss->ssl3.hs.cert_status.type = siBuffer;
|
| -+ PORT_Memcpy(ss->ssl3.hs.cert_status.data, b, length);
|
| -+
|
| -+ return SECSuccess;
|
| -+
|
| -+format_loser:
|
| -+ errCode = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT;
|
| -+ desc = bad_certificate_status_response;
|
| -+
|
| -+alert_loser:
|
| -+ (void)SSL3_SendAlert(ss, alert_fatal, desc);
|
| -+ (void)ssl_MapLowLevelError(errCode);
|
| -+ return SECFailure;
|
| -+}
|
| -+
|
| -+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
|
| - * ssl3 Certificate message.
|
| - * Caller must hold Handshake and RecvBuf locks.
|
| - */
|
| -@@ -9248,6 +9299,26 @@ ssl3_FinishHandshake(sslSocket * ss)
|
| - return SECSuccess;
|
| - }
|
| -
|
| -+/* This function handles any pending Certificate messages. Certificate messages
|
| -+ * can be pending if we expect a possible CertificateStatus message to follow.
|
| -+ *
|
| -+ * This function must be called immediately after handling the
|
| -+ * CertificateStatus message, and before handling any ServerKeyExchange or
|
| -+ * CertificateRequest messages.
|
| -+ */
|
| -+static SECStatus
|
| -+ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss)
|
| -+{
|
| -+ SECStatus rv = SECSuccess;
|
| -+
|
| -+ if (ss->ssl3.hs.pending_cert_msg.data) {
|
| -+ rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data,
|
| -+ ss->ssl3.hs.pending_cert_msg.len);
|
| -+ SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
|
| -+ }
|
| -+ return rv;
|
| -+}
|
| -+
|
| - /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
|
| - * hanshake message.
|
| - * Caller must hold Handshake and RecvBuf locks.
|
| -@@ -9376,14 +9447,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s
|
| - rv = dtls_HandleHelloVerifyRequest(ss, b, length);
|
| - break;
|
| - case certificate:
|
| -+ if (ss->ssl3.hs.may_get_cert_status) {
|
| -+ /* If we might get a CertificateStatus then we want to postpone the
|
| -+ * processing of the Certificate message until after we have
|
| -+ * processed the CertificateStatus */
|
| -+ if (ss->ssl3.hs.pending_cert_msg.data ||
|
| -+ ss->ssl3.hs.ws != wait_server_cert) {
|
| -+ (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
|
| -+ (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE);
|
| -+ return SECFailure;
|
| -+ }
|
| -+ if (SECITEM_AllocItem(NULL, &ss->ssl3.hs.pending_cert_msg,
|
| -+ length) == NULL) {
|
| -+ return SECFailure;
|
| -+ }
|
| -+ ss->ssl3.hs.pending_cert_msg.type = siBuffer;
|
| -+ PORT_Memcpy(ss->ssl3.hs.pending_cert_msg.data, b, length);
|
| -+ break;
|
| -+ }
|
| - rv = ssl3_HandleCertificate(ss, b, length);
|
| - break;
|
| -+ case certificate_status:
|
| -+ rv = ssl3_HandleCertificateStatus(ss, b, length);
|
| -+ if (rv != SECSuccess)
|
| -+ break;
|
| -+ PORT_Assert(ss->ssl3.hs.pending_cert_msg.data);
|
| -+ rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
|
| -+ break;
|
| - case server_key_exchange:
|
| - if (ss->sec.isServer) {
|
| - (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
|
| - PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
|
| - return SECFailure;
|
| - }
|
| -+ rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
|
| -+ if (rv != SECSuccess)
|
| -+ break;
|
| - rv = ssl3_HandleServerKeyExchange(ss, b, length);
|
| - break;
|
| - case certificate_request:
|
| -@@ -9392,6 +9491,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
|
| - PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
|
| - return SECFailure;
|
| - }
|
| -+ rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
|
| -+ if (rv != SECSuccess)
|
| -+ break;
|
| - rv = ssl3_HandleCertificateRequest(ss, b, length);
|
| - break;
|
| - case server_hello_done:
|
| -@@ -9405,6 +9507,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
|
| - PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
|
| - return SECFailure;
|
| - }
|
| -+ rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
|
| -+ if (rv != SECSuccess)
|
| -+ break;
|
| - rv = ssl3_HandleServerHelloDone(ss);
|
| - break;
|
| - case certificate_verify:
|
| -@@ -10369,6 +10474,12 @@ ssl3_DestroySSL3Info(sslSocket *ss)
|
| - ss->ssl3.hs.messages.len = 0;
|
| - ss->ssl3.hs.messages.space = 0;
|
| - }
|
| -+ if (ss->ssl3.hs.pending_cert_msg.data) {
|
| -+ SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
|
| -+ }
|
| -+ if (ss->ssl3.hs.cert_status.data) {
|
| -+ SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
|
| -+ }
|
| -
|
| - /* free the SSL3Buffer (msg_body) */
|
| - PORT_Free(ss->ssl3.hs.msg_body.buf);
|
| -diff -pu -r a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
|
| ---- a/net/third_party/nss/ssl/ssl3ext.c 2012-09-20 17:28:05.000000000 -0700
|
| -+++ b/net/third_party/nss/ssl/ssl3ext.c 2012-11-09 15:32:11.606363256 -0800
|
| -@@ -234,6 +234,7 @@ static const ssl3HelloExtensionHandler s
|
| - { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
|
| - { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
|
| - { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
|
| -+ { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
|
| - { -1, NULL }
|
| - };
|
| -
|
| -@@ -258,7 +259,8 @@ ssl3HelloExtensionSender clientHelloSend
|
| - #endif
|
| - { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
|
| - { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
|
| -- { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }
|
| -+ { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
|
| -+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
|
| - /* any extra entries will appear as { 0, NULL } */
|
| - };
|
| -
|
| -@@ -640,6 +642,80 @@ loser:
|
| - return -1;
|
| - }
|
| -
|
| -+SECStatus
|
| -+ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
|
| -+ SECItem *data)
|
| -+{
|
| -+ /* If we didn't request this extension, then the server may not echo it. */
|
| -+ if (!ss->opt.enableOCSPStapling)
|
| -+ return SECFailure;
|
| -+
|
| -+ /* The echoed extension must be empty. */
|
| -+ if (data->len != 0)
|
| -+ return SECFailure;
|
| -+
|
| -+ ss->ssl3.hs.may_get_cert_status = PR_TRUE;
|
| -+
|
| -+ /* Keep track of negotiated extensions. */
|
| -+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
|
| -+
|
| -+ return SECSuccess;
|
| -+}
|
| -+
|
| -+/* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
|
| -+ * client side. See RFC 4366 section 3.6. */
|
| -+PRInt32
|
| -+ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
|
| -+ PRUint32 maxBytes)
|
| -+{
|
| -+ PRInt32 extension_length;
|
| -+
|
| -+ if (!ss->opt.enableOCSPStapling)
|
| -+ return 0;
|
| -+
|
| -+ /* extension_type (2-bytes) +
|
| -+ * length(extension_data) (2-bytes) +
|
| -+ * status_type (1) +
|
| -+ * responder_id_list length (2) +
|
| -+ * request_extensions length (2)
|
| -+ */
|
| -+ extension_length = 9;
|
| -+
|
| -+ if (append && maxBytes >= extension_length) {
|
| -+ SECStatus rv;
|
| -+ TLSExtensionData *xtnData;
|
| -+
|
| -+ /* extension_type */
|
| -+ rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
|
| -+ if (rv != SECSuccess)
|
| -+ return -1;
|
| -+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
|
| -+ if (rv != SECSuccess)
|
| -+ return -1;
|
| -+ rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1);
|
| -+ if (rv != SECSuccess)
|
| -+ return -1;
|
| -+ /* A zero length responder_id_list means that the responders are
|
| -+ * implicitly known to the server. */
|
| -+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
|
| -+ if (rv != SECSuccess)
|
| -+ return -1;
|
| -+ /* A zero length request_extensions means that there are no extensions.
|
| -+ * Specifically, we don't set the id-pkix-ocsp-nonce extension. This
|
| -+ * means that the server can replay a cached OCSP response to us. */
|
| -+ rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
|
| -+ if (rv != SECSuccess)
|
| -+ return -1;
|
| -+
|
| -+ xtnData = &ss->xtnData;
|
| -+ xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn;
|
| -+ } else if (maxBytes < extension_length) {
|
| -+ PORT_Assert(0);
|
| -+ return 0;
|
| -+ }
|
| -+ return extension_length;
|
| -+}
|
| -+
|
| - /*
|
| - * NewSessionTicket
|
| - * Called from ssl3_HandleFinished
|
| -diff -pu -r a/net/third_party/nss/ssl/ssl3prot.h b/net/third_party/nss/ssl/ssl3prot.h
|
| ---- a/net/third_party/nss/ssl/ssl3prot.h 2012-04-25 07:50:12.000000000 -0700
|
| -+++ b/net/third_party/nss/ssl/ssl3prot.h 2012-11-09 15:28:27.933078020 -0800
|
| -@@ -129,6 +129,7 @@ typedef enum {
|
| - certificate_verify = 15,
|
| - client_key_exchange = 16,
|
| - finished = 20,
|
| -+ certificate_status = 22,
|
| - next_proto = 67
|
| - } SSL3HandshakeType;
|
| -
|
| -diff -pu -r a/net/third_party/nss/ssl/sslerr.h b/net/third_party/nss/ssl/sslerr.h
|
| ---- a/net/third_party/nss/ssl/sslerr.h 2012-07-12 17:51:57.000000000 -0700
|
| -+++ b/net/third_party/nss/ssl/sslerr.h 2012-11-09 15:30:36.804971319 -0800
|
| -@@ -188,6 +188,8 @@ SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQ
|
| -
|
| - SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION = (SSL_ERROR_BASE + 124),
|
| -
|
| -+SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 125),
|
| -+
|
| - SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
|
| - } SSLErrorCodes;
|
| - #endif /* NO_SECURITY_ERROR_ENUM */
|
| -diff -pu -r a/net/third_party/nss/ssl/SSLerrs.h b/net/third_party/nss/ssl/SSLerrs.h
|
| ---- a/net/third_party/nss/ssl/SSLerrs.h 2012-07-12 17:51:57.000000000 -0700
|
| -+++ b/net/third_party/nss/ssl/SSLerrs.h 2012-11-09 15:30:19.924723400 -0800
|
| -@@ -400,3 +400,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY
|
| -
|
| - ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, (SSL_ERROR_BASE + 124),
|
| - "SSL feature not supported for the protocol version.")
|
| -+
|
| -+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, (SSL_ERROR_BASE + 125),
|
| -+"SSL received an unexpected Certificate Status handshake message.")
|
| -diff -pu -r a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
|
| ---- a/net/third_party/nss/ssl/ssl.h 2012-11-09 15:27:15.952019947 -0800
|
| -+++ b/net/third_party/nss/ssl/ssl.h 2012-11-09 15:28:27.933078020 -0800
|
| -@@ -158,6 +158,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
|
| - * accept fragmented alerts).
|
| - */
|
| - #define SSL_CBC_RANDOM_IV 23
|
| -+#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
|
| -
|
| - #ifdef SSL_DEPRECATED_FUNCTION
|
| - /* Old deprecated function names */
|
| -@@ -409,6 +410,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate
|
| - PRFileDesc *fd, CERTCertificate **certs,
|
| - unsigned int *numCerts, unsigned int maxNumCerts);
|
| -
|
| -+/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by
|
| -+ * the TLS server. The resulting data is copied to |out_data|. On entry, |*len|
|
| -+ * must contain the size of |out_data|. On exit, |*len| will contain the size
|
| -+ * of the OCSP stapled response. If the stapled response is too large to fit in
|
| -+ * |out_data| then it will be truncated. If no OCSP response was given by the
|
| -+ * server then it has zero length.
|
| -+ *
|
| -+ * You must set the SSL_ENABLE_OCSP_STAPLING option in order for OCSP responses
|
| -+ * to be provided by a server.
|
| -+ *
|
| -+ * You can call this function during the certificate verification callback or
|
| -+ * any time afterwards.
|
| -+ */
|
| -+SSL_IMPORT SECStatus SSL_GetStapledOCSPResponse(PRFileDesc *fd,
|
| -+ unsigned char *out_data,
|
| -+ unsigned int *len);
|
| -+
|
| - /*
|
| - ** Authenticate certificate hook. Called when a certificate comes in
|
| - ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
|
| -diff -pu -r a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
|
| ---- a/net/third_party/nss/ssl/sslimpl.h 2012-11-09 15:21:56.747322689 -0800
|
| -+++ b/net/third_party/nss/ssl/sslimpl.h 2012-11-09 15:28:27.943078167 -0800
|
| -@@ -316,6 +316,7 @@ typedef struct sslOptionsStr {
|
| - unsigned int requireSafeNegotiation : 1; /* 22 */
|
| - unsigned int enableFalseStart : 1; /* 23 */
|
| - unsigned int cbcRandomIV : 1; /* 24 */
|
| -+ unsigned int enableOCSPStapling : 1; /* 25 */
|
| - } sslOptions;
|
| -
|
| - typedef enum { sslHandshakingUndetermined = 0,
|
| -@@ -795,6 +796,14 @@ const ssl3CipherSuiteDef *suite_def;
|
| - PRBool isResuming; /* are we resuming a session */
|
| - PRBool usedStepDownKey; /* we did a server key exchange. */
|
| - PRBool sendingSCSV; /* instead of empty RI */
|
| -+ PRBool may_get_cert_status; /* the server echoed a
|
| -+ * status_request extension so
|
| -+ * may send a CertificateStatus
|
| -+ * handshake message. */
|
| -+ SECItem pending_cert_msg; /* a Certificate message which we
|
| -+ * save temporarily if we may get
|
| -+ * a CertificateStatus message */
|
| -+ SECItem cert_status; /* an OCSP response */
|
| - sslBuffer msgState; /* current state for handshake messages*/
|
| - /* protected by recvBufLock */
|
| - sslBuffer messages; /* Accumulated handshake messages */
|
| -@@ -1625,6 +1634,8 @@ extern SECStatus ssl3_HandleSupportedPoi
|
| - PRUint16 ex_type, SECItem *data);
|
| - extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
|
| - PRUint16 ex_type, SECItem *data);
|
| -+extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
|
| -+ PRUint16 ex_type, SECItem *data);
|
| - extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
|
| - PRUint16 ex_type, SECItem *data);
|
| -
|
| -@@ -1634,6 +1645,8 @@ extern SECStatus ssl3_ServerHandleSessio
|
| - */
|
| - extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
|
| - PRUint32 maxBytes);
|
| -+extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append,
|
| -+ PRUint32 maxBytes);
|
| -
|
| - /* ClientHello and ServerHello extension senders.
|
| - * The code is in ssl3ext.c.
|
| -diff -pu -r a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
|
| ---- a/net/third_party/nss/ssl/sslsock.c 2012-11-09 15:17:00.432983977 -0800
|
| -+++ b/net/third_party/nss/ssl/sslsock.c 2012-11-09 15:28:27.943078167 -0800
|
| -@@ -153,7 +153,8 @@ static sslOptions ssl_defaults = {
|
| - 2, /* enableRenegotiation (default: requires extension) */
|
| - PR_FALSE, /* requireSafeNegotiation */
|
| - PR_FALSE, /* enableFalseStart */
|
| -- PR_TRUE /* cbcRandomIV */
|
| -+ PR_TRUE, /* cbcRandomIV */
|
| -+ PR_FALSE, /* enableOCSPStapling */
|
| - };
|
| -
|
| - /*
|
| -@@ -827,6 +828,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
| - ss->opt.cbcRandomIV = on;
|
| - break;
|
| -
|
| -+ case SSL_ENABLE_OCSP_STAPLING:
|
| -+ ss->opt.enableOCSPStapling = on;
|
| -+ break;
|
| -+
|
| - default:
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - rv = SECFailure;
|
| -@@ -896,6 +901,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
|
| - on = ss->opt.requireSafeNegotiation; break;
|
| - case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
|
| - case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
|
| -+ case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
|
| -
|
| - default:
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| -@@ -954,6 +960,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
|
| - break;
|
| - case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break;
|
| - case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break;
|
| -+ case SSL_ENABLE_OCSP_STAPLING:
|
| -+ on = ssl_defaults.enableOCSPStapling;
|
| -+ break;
|
| -
|
| - default:
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| -@@ -1117,6 +1126,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
|
| - ssl_defaults.cbcRandomIV = on;
|
| - break;
|
| -
|
| -+ case SSL_ENABLE_OCSP_STAPLING:
|
| -+ ssl_defaults.enableOCSPStapling = on;
|
| -+ break;
|
| -+
|
| - default:
|
| - PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| - return SECFailure;
|
| -@@ -1859,6 +1872,36 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons
|
| - return SECSuccess;
|
| - }
|
| -
|
| -+SECStatus
|
| -+SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data,
|
| -+ unsigned int *len) {
|
| -+ sslSocket *ss = ssl_FindSocket(fd);
|
| -+
|
| -+ if (!ss) {
|
| -+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse",
|
| -+ SSL_GETPID(), fd));
|
| -+ return SECFailure;
|
| -+ }
|
| -+
|
| -+ ssl_Get1stHandshakeLock(ss);
|
| -+ ssl_GetSSL3HandshakeLock(ss);
|
| -+
|
| -+ if (ss->ssl3.hs.cert_status.data) {
|
| -+ unsigned int todo = ss->ssl3.hs.cert_status.len;
|
| -+ if (todo > *len)
|
| -+ todo = *len;
|
| -+ *len = ss->ssl3.hs.cert_status.len;
|
| -+ PORT_Memcpy(out_data, ss->ssl3.hs.cert_status.data, todo);
|
| -+ } else {
|
| -+ *len = 0;
|
| -+ }
|
| -+
|
| -+ ssl_ReleaseSSL3HandshakeLock(ss);
|
| -+ ssl_Release1stHandshakeLock(ss);
|
| -+
|
| -+ return SECSuccess;
|
| -+}
|
| -+
|
| - /************************************************************************/
|
| - /* The following functions are the TOP LEVEL SSL functions.
|
| - ** They all get called through the NSPRIOMethods table below.
|
| -diff -pu -r a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
|
| ---- a/net/third_party/nss/ssl/sslt.h 2012-06-06 19:06:19.000000000 -0700
|
| -+++ b/net/third_party/nss/ssl/sslt.h 2012-11-09 15:29:10.333701086 -0800
|
| -@@ -175,6 +175,7 @@ typedef enum {
|
| - /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */
|
| - typedef enum {
|
| - ssl_server_name_xtn = 0,
|
| -+ ssl_cert_status_xtn = 5,
|
| - #ifdef NSS_ENABLE_ECC
|
| - ssl_elliptic_curves_xtn = 10,
|
| - ssl_ec_point_formats_xtn = 11,
|
| -@@ -185,6 +186,6 @@ typedef enum {
|
| - ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
|
| - } SSLExtensionType;
|
| -
|
| --#define SSL_MAX_EXTENSIONS 7
|
| -+#define SSL_MAX_EXTENSIONS 8
|
| -
|
| - #endif /* __sslt_h_ */
|
|
|
Chromium Code Reviews
Issue 14522022:
Update NSS libSSL to NSS_3_15_BETA2. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/