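diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index 8e9ba24..077874e 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -204,6 +204,11 @@ SSL_IMPORT SECStatus SSL_SetNextProtoCallback(PRFileDesc *fd,
 * protocol in server-preference order. If no matching protocol is found it
 * selects the first supported protocol.
 *
+ * Using this function also allows the client to transparently support ALPN.
+ * The same set of protocols will be advertised via ALPN and, if the server
+ * uses ALPN to select a protocol, SSL_GetNextProto will return
+ * SSL_NEXT_PROTO_SELECTED as the state.
+ *
 * The supported protocols are specified in |data| in wire-format (8-bit
 * length-prefixed). For example: "\010http/1.1\006spdy/2". */
 SSL_IMPORT SECStatus SSL_SetNextProtoNego(PRFileDesc *fd,
@@ -213,7 +218,8 @@ SSL_IMPORT SECStatus SSL_SetNextProtoNego(PRFileDesc *fd,
 typedef enum SSLNextProtoState {
 SSL_NEXT_PROTO_NO_SUPPORT = 0, /* No peer support */
 SSL_NEXT_PROTO_NEGOTIATED = 1, /* Mutual agreement */
- SSL_NEXT_PROTO_NO_OVERLAP = 2 /* No protocol overlap found */
+ SSL_NEXT_PROTO_NO_OVERLAP = 2, /* No protocol overlap found */
+ SSL_NEXT_PROTO_SELECTED = 3, /* Server selected proto (ALPN) */
 } SSLNextProtoState;
 
 /* SSL_GetNextProto can be used in the HandshakeCallback or any time after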
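Review bot: The new enumerator `SSL_NEXT_PROTO_SELECTED = 3,` leaves a trailing comma at the end of SSLNextProtoState, which the existing list deliberately avoided (`SSL_NEXT_PROTO_NO_OVERLAP = 2` had none before this change). A trailing enumerator comma is a C99 addition, and this is a public header that strict C89 builds and `-pedantic` compilers will warn or error on. Drop it: `SSL_NEXT_PROTO_SELECTED = 3   /* Server selected proto (ALPN) */`.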
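diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 00c83db..4916dfc 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -9907,8 +9907,10 @@ ssl3_SendNextProto(sslSocket *ss)
 int padding_len;
 static const unsigned char padding[32] = {0};
 
- if (ss->ssl3.nextProto.len == 0)
+ if (ss->ssl3.nextProto.len == 0 ||
+ ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
 return SECSuccess;
+ }
 
 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));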
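Review bot: The new early return in ssl3_SendNextProto is not explained: when nextProtoState is SSL_NEXT_PROTO_SELECTED, nextProto.len is non-zero (the ALPN handler copies a name of at least one byte into it), so the length test alone would send an NPN NextProtocol message for a protocol the server already chose in its ServerHello extension. A one-line comment on the condition would make the skip read as intentional rather than defensive: `/* A protocol selected via ALPN (SSL_NEXT_PROTO_SELECTED) was carried in the ServerHello; the NextProtocol message belongs to NPN only. */`. ssl3_SendNextProto begins before this hunk.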
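diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index c0ce548..a059ccb 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -53,8 +53,12 @@ static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
 PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
 PRUint16 ex_type, SECItem *data);
+static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss,
+ PRUint16 ex_type, SECItem *data);
 static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
 PRUint16 ex_type, SECItem *data);
+static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
+ PRUint32 maxBytes);
 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
 PRUint32 maxBytes);
 static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
@@ -247,14 +251,15 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
 /* These two tables are used by the client, to handle server hello
 * extensions. */
 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
- { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
+ { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
 /* TODO: add a handler for ssl_ec_point_formats_xtn */
- { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
- { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
- { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
- { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
+ { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
+ { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
+ { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
+ { ssl_application_layer_protocol, &ssl3_ClientHandleAppProtoXtn },
+ { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
+ { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
+ { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
 { -1, NULL }
 };
 
@@ -271,17 +276,18 @@ static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
 */
 static const
 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
- { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
- { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
+ { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
+ { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
 #ifdef NSS_ENABLE_ECC
- { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
- { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
+ { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
+ { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
 #endif
- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
- { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
- { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
+ { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
+ { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
+ { ssl_application_layer_protocol, &ssl3_ClientSendAppProtoXtn },
+ { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
 /* any extra entries will appear as { 0, NULL } */
 };
@@ -606,6 +612,11 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
 
 PORT_Assert(!ss->firstHsDone);
 
+ if (ssl3_ExtensionNegotiated(ss, ssl_application_layer_protocol)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
 rv = ssl3_ValidateNextProtoNego(data->data, data->len);
 if (rv != SECSuccess)
 return rv;
@@ -639,6 +650,44 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
 return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
 }
 
+static SECStatus
+ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
+{
+ const unsigned char* d = data->data;
+ PRUint16 name_list_len;
+ SECItem protocol_name;
+
+ if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ /* The extension data from the server has the following format:
+ * uint16 name_list_len;
+ * uint8 len;
+ * uint8 protocol_name[len]; */
+ if (data->len < 4 || data->len > 2 + 1 + 255) {
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ name_list_len = ((PRUint16) d[0]) << 8 |
+ ((PRUint16) d[1]);
+ if (name_list_len != data->len - 2 ||
+ d[2] != data->len - 3) {
+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
+ return SECFailure;
+ }
+
+ protocol_name.data = data->data + 3;
+ protocol_name.len = data->len - 3;
+
+ SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
+ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED;
+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+ return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name);
+}
+
 static PRInt32
 ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
 PRUint32 maxBytes)
@@ -672,6 +721,44 @@ loser:
 return -1;
 }
 
+static PRInt32
+ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
+{
+ PRInt32 extension_length;
+
+ /* Renegotiations do not send this extension. */
+ if (!ss->opt.nextProtoNego.data || ss->firstHsDone) {
+ return 0;
+ }
+
+ extension_length = 2 /* extension type */ + 2 /* extension length */ +
+ 2 /* protocol name list length */ +
+ ss->opt.nextProtoNego.len;
+
+ if (append && maxBytes >= extension_length) {
+ SECStatus rv;
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_application_layer_protocol, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ rv = ssl3_AppendHandshakeVariable(ss, ss->opt.nextProtoNego.data,
+ ss->opt.nextProtoNego.len, 2);
+ if (rv != SECSuccess)
+ goto loser;
+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
+ ssl_application_layer_protocol;
+ } else if (maxBytes < extension_length) {
+ return 0;
+ }
+
+ return extension_length;
+
+loser:
+ return -1;
+}
+
 static SECStatus
 ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
 SECItem *data)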
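diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
index 109640c..96ec04e 100644
--- a/net/third_party/nss/ssl/sslt.h
+++ b/net/third_party/nss/ssl/sslt.h
@@ -196,12 +196,13 @@ typedef enum {
 #endif
 ssl_signature_algorithms_xtn = 13,
 ssl_use_srtp_xtn = 14,
+ ssl_application_layer_protocol = 16,
 ssl_session_ticket_xtn = 35,
 ssl_next_proto_nego_xtn = 13172,
 ssl_channel_id_xtn = 30031,
 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
 } SSLExtensionType;
 
-#define SSL_MAX_EXTENSIONS 10
+#define SSL_MAX_EXTENSIONS 11
 
 #endif /* __sslt_h_ */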
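Review bot: `ssl_application_layer_protocol = 16` is the only SSLExtensionType enumerator without the `_xtn` suffix that every other member of the enum carries, so a reader scanning the handler and sender tables in ssl3ext.c, or grepping for `_xtn`, will not recognise it as an extension type. Suggest `ssl_app_layer_protocol_xtn = 16,` here with the matching rename in the ssl3ext.c tables, prototypes and the two new functions. The SSL_MAX_EXTENSIONS bump to 11 does match the eleven entries clientHelloSendersTLS now has when NSS_ENABLE_ECC is defined, so that part of the change looks right.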