
Side by Side Diff: net/third_party/nss/ssl/ssl3ext.c

Issue 7327029: Add client-side support for the origin bound certificate TLS extension. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years, 5 months ago
1 /* 1 /*
2 * SSL3 Protocol 2 * SSL3 Protocol
3 * 3 *
4 * ***** BEGIN LICENSE BLOCK ***** 4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1 5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 * 6 *
7 * The contents of this file are subject to the Mozilla Public License Version 7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with 8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at 9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/ 10 * http://www.mozilla.org/MPL/
(...skipping 230 matching lines...) Expand 10 before | Expand all | Expand 10 after
241 241
242 /* These two tables are used by the client, to handle server hello 242 /* These two tables are used by the client, to handle server hello
243 * extensions. */ 243 * extensions. */
244 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { 244 static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
245 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, 245 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
246 /* TODO: add a handler for ssl_ec_point_formats_xtn */ 246 /* TODO: add a handler for ssl_ec_point_formats_xtn */
247 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, 247 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
248 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 248 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
249 { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, 249 { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
250 { ssl_cached_info_xtn, &ssl3_ClientHandleCachedInfoXtn }, 250 { ssl_cached_info_xtn, &ssl3_ClientHandleCachedInfoXtn },
251 { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn },
wtc 2011/07/13 01:17:15 Nit: list this after ssl_cert_status_xtn for consi
251 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 252 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
252 { -1, NULL } 253 { -1, NULL }
253 }; 254 };
254 255
255 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { 256 static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
256 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 257 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
258 { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn },
wtc 2011/07/13 01:17:15 BUG: remove this. In SSL 3.0 the only extension w
257 { -1, NULL } 259 { -1, NULL }
258 }; 260 };
259 261
260 /* Tables of functions to format TLS hello extensions, one function per 262 /* Tables of functions to format TLS hello extensions, one function per
261 * extension. 263 * extension.
262 * These static tables are for the formatting of client hello extensions. 264 * These static tables are for the formatting of client hello extensions.
263 * The server's table of hello senders is dynamic, in the socket struct, 265 * The server's table of hello senders is dynamic, in the socket struct,
264 * and sender functions are registered there. 266 * and sender functions are registered there.
265 */ 267 */
266 static const 268 static const
267 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { 269 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
268 { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, 270 { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
269 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, 271 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
270 #ifdef NSS_ENABLE_ECC 272 #ifdef NSS_ENABLE_ECC
271 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, 273 { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
272 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, 274 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
273 #endif 275 #endif
274 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, 276 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
275 { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn }, 277 { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn },
276 { ssl_cached_info_xtn, &ssl3_ClientSendCachedInfoXtn }, 278 { ssl_cached_info_xtn, &ssl3_ClientSendCachedInfoXtn },
277 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } 279 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
280 { ssl_ob_cert_xtn, &ssl3_ClientSendOBCertXtn }
278 /* any extra entries will appear as { 0, NULL } */ 281 /* any extra entries will appear as { 0, NULL } */
279 }; 282 };
280 283
281 static const 284 static const
282 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = { 285 ssl3HelloExtensionSender clientHelloSendersSSL3[SSL_MAX_EXTENSIONS] = {
283 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn } 286 { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }
284 /* any extra entries will appear as { 0, NULL } */ 287 /* any extra entries will appear as { 0, NULL } */
285 }; 288 };
286 289
287 static PRBool 290 static PRBool
(...skipping 1572 matching lines...) Expand 10 before | Expand all | Expand 10 after
1860 ss->peerRequestedProtection = 1; 1863 ss->peerRequestedProtection = 1;
1861 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 1864 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1862 if (ss->sec.isServer) { 1865 if (ss->sec.isServer) {
1863 /* prepare to send back the appropriate response */ 1866 /* prepare to send back the appropriate response */
1864 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type, 1867 rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
1865 ssl3_SendRenegotiationInfoXtn); 1868 ssl3_SendRenegotiationInfoXtn);
1866 } 1869 }
1867 return rv; 1870 return rv;
1868 } 1871 }
1869 1872
1873 PRInt32
1874 ssl3_ClientSendOBCertXtn(sslSocket * ss, PRBool append,
1875 PRUint32 maxBytes)
wtc 2011/07/13 01:17:15 Align the arguments properly. Make the same chang
1876 {
1877 SECStatus rv;
1878 TLSExtensionData *xtnData = &ss->xtnData;
1879
1880 if (!ss)
wtc 2011/07/13 01:17:15 Indentation seems wrong.
1881 return 0;
1882
1883 /* extension length = extension_type (2-bytes) +
1884 * length(extension_data) (2-bytes) +
1885 */
1886
1887 PRUint32 extension_length = 4;
1888
1889 if (append && maxBytes >= extension_length) {
1890 /* extension_type */
1891 rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2);
1892 if (rv != SECSuccess) return -1;
1893 /* length of extension_data */
1894 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
1895 if (rv != SECSuccess) return -1;
1896
1897 xtnData = &ss->xtnData;
1898 xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn;
1899 }
1900
1901 return extension_length;
1902 }
1903
1904 SECStatus
1905 ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
1906 SECItem *data)
1907 {
1908 SECStatus rv;
1909
1910 /* TODO(rkn): Is enableOBCerts true only when we actually want an OBCert? */
wtc 2011/07/13 01:17:15 Good question. I believe that the condition "we a
1911 /* Ignore the OBCert extension if it is disabled. */
1912 if (!ss->opt.enableOBCerts)
1913 return SECSuccess;
1914
1915 /* The echoed extension must be empty. */
1916 if (data->len != 0)
1917 return SECFailure;
1918
1919 /* Keep track of negotiated extensions. */
1920 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1921
1922 return SECSuccess;
1923 }
1924
1925 PRInt32
1926 ssl3_ServerSendOBCertXtn(sslSocket * ss, PRBool append,
1927 PRUint32 maxBytes)
1928 {
1929 SECStatus rv;
1930 if (!ss)
1931 return 0;
1932
1933 /* extension length = extension_type (2-bytes) +
1934 * length(extension_data) (2-bytes) +
1935 */
1936
1937 PRUint32 extension_length = 4;
1938
1939 if (append && maxBytes >= extension_length) {
1940 /* extension_type */
1941 rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2);
1942 if (rv != SECSuccess) return -1;
1943 /* length of extension_data */
1944 rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
1945 if (rv != SECSuccess) return -1;
1946 }
1947
1948 return extension_length;
1949 }
1950
1951 SECStatus
1952 ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
1953 SECItem *data)
1954 {
1955 /* If we didn't request this extension, then the server may not echo it. */
1956 if (!ss->opt.enableOBCerts)
1957 return SECFailure;
1958
1959 /* The echoed extension must be empty. */
1960 if (data->len != 0)
1961 return SECFailure;
1962
1963 ss->ssl3.hs.may_get_cert_status = PR_TRUE;
wtc 2011/07/13 01:17:15 I think this line should be deleted. (It must hav
1964
1965 /* Keep track of negotiated extensions. */
1966 ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
1967
1968 return SECSuccess;
1969 }
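Review bot: In both ssl3_ClientSendOBCertXtn and ssl3_ServerSendOBCertXtn the declaration `PRUint32 extension_length = 4;` comes after the `if (!ss) return 0;` statement, a mixed declaration/statement that the C89 toolchains this tree is still built with (MSVC in particular) reject; move it to the top of the block next to `rv`. In ssl3_ClientSendOBCertXtn the initializer `TLSExtensionData *xtnData = &ss->xtnData;` is also evaluated before the NULL guard on `ss` and is then overwritten by the later `xtnData = &ss->xtnData;`, so the first should be a bare declaration and the second can stay as the only assignment. In ssl3_ServerHandleOBCertXtn `rv` is declared but never used, which will warn. Separately, ssl3_ClientHandleOBCertXtn gates on `ss->opt.enableOBCerts` rather than on whether this handshake's ClientHello actually carried the extension; if the generic ServerHello extension loop (outside this view) does not already reject extensions that were not advertised, the `xtnData.advertised[]` entry written by the sender is the stronger check to use here.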