Chromium Code Reviews| Index: net/third_party/nss/ssl/ssl3ext.c |
| =================================================================== |
| --- net/third_party/nss/ssl/ssl3ext.c (revision 91902) |
| +++ net/third_party/nss/ssl/ssl3ext.c (working copy) |
| @@ -248,12 +248,14 @@ |
| { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
| { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
| { ssl_cached_info_xtn, &ssl3_ClientHandleCachedInfoXtn }, |
| + { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn }, |
|
wtc
2011/07/13 01:17:15
Nit: list this after ssl_cert_status_xtn for consi
|
| { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
| { -1, NULL } |
| }; |
| static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = { |
| { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
| + { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn }, |
|
wtc
2011/07/13 01:17:15
BUG: remove this. In SSL 3.0 the only extension w
|
| { -1, NULL } |
| }; |
| @@ -274,7 +276,8 @@ |
| { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
| { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
| { ssl_cached_info_xtn, &ssl3_ClientSendCachedInfoXtn }, |
| - { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } |
| + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
| + { ssl_ob_cert_xtn, &ssl3_ClientSendOBCertXtn } |
| /* any extra entries will appear as { 0, NULL } */ |
| }; |
| @@ -1867,3 +1870,100 @@ |
| return rv; |
| } |
| +PRInt32 |
| +ssl3_ClientSendOBCertXtn(sslSocket * ss, PRBool append, |
| + PRUint32 maxBytes) |
|
wtc
2011/07/13 01:17:15
Align the arguments properly.
Make the same chang
|
| +{ |
| + SECStatus rv; |
| + TLSExtensionData *xtnData = &ss->xtnData; |
| + |
| + if (!ss) |
|
wtc
2011/07/13 01:17:15
Indentation seems wrong.
|
| + return 0; |
| + |
| + /* extension length = extension_type (2-bytes) + |
| + * length(extension_data) (2-bytes) + |
| + */ |
| + |
| + PRUint32 extension_length = 4; |
| + |
| + if (append && maxBytes >= extension_length) { |
| + /* extension_type */ |
| + rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2); |
| + if (rv != SECSuccess) return -1; |
| + /* length of extension_data */ |
| + rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
| + if (rv != SECSuccess) return -1; |
| + |
| + xtnData = &ss->xtnData; |
| + xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn; |
| + } |
| + |
| + return extension_length; |
| +} |
| + |
| +SECStatus |
| +ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type, |
| + SECItem *data) |
| +{ |
| + SECStatus rv; |
| + |
| + /* TODO(rkn): Is enableOBCerts true only when we actually want an OBCert? */ |
|
wtc
2011/07/13 01:17:15
Good question. I believe that the condition "we a
|
| + /* Ignore the OBCert extension if it is disabled. */ |
| + if (!ss->opt.enableOBCerts) |
| + return SECSuccess; |
| + |
| + /* The echoed extension must be empty. */ |
| + if (data->len != 0) |
| + return SECFailure; |
| + |
| + /* Keep track of negotiated extensions. */ |
| + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| + |
| + return SECSuccess; |
| +} |
| + |
| +PRInt32 |
| +ssl3_ServerSendOBCertXtn(sslSocket * ss, PRBool append, |
| + PRUint32 maxBytes) |
| +{ |
| + SECStatus rv; |
| + if (!ss) |
| + return 0; |
| + |
| + /* extension length = extension_type (2-bytes) + |
| + * length(extension_data) (2-bytes) + |
| + */ |
| + |
| + PRUint32 extension_length = 4; |
| + |
| + if (append && maxBytes >= extension_length) { |
| + /* extension_type */ |
| + rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2); |
| + if (rv != SECSuccess) return -1; |
| + /* length of extension_data */ |
| + rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
| + if (rv != SECSuccess) return -1; |
| + } |
| + |
| + return extension_length; |
| +} |
| + |
| +SECStatus |
| +ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type, |
| + SECItem *data) |
| +{ |
| + /* If we didn't request this extension, then the server may not echo it. */ |
| + if (!ss->opt.enableOBCerts) |
| + return SECFailure; |
| + |
| + /* The echoed extension must be empty. */ |
| + if (data->len != 0) |
| + return SECFailure; |
| + |
| + ss->ssl3.hs.may_get_cert_status = PR_TRUE; |
|
wtc
2011/07/13 01:17:15
I think this line should be deleted. (It must hav
|
| + |
| + /* Keep track of negotiated extensions. */ |
| + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| + |
| + return SECSuccess; |
| +} |
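Review bot: In ssl3_ClientSendOBCertXtn the initializer `TLSExtensionData *xtnData = &ss->xtnData;` is evaluated before the `if (!ss)` guard, so the null check protects nothing, and the pointer is then recomputed inside the append branch at `xtnData = &ss->xtnData;`. Move the declaration below the guard and drop the reassignment, i.e. `if (!ss) return 0;` followed by `TLSExtensionData *xtnData = &ss->xtnData;`, so the function matches ssl3_ServerSendOBCertXtn, which already checks first. ssl3_ServerHandleOBCertXtn declares `SECStatus rv;` and never uses it, which will draw an unused-variable warning. That handler also never registers ssl3_ServerSendOBCertXtn as the ServerHello sender for ssl_ob_cert_xtn (ssl3_RegisterServerHelloExtensionSender is, as far as I recall, how the existing handlers in this file arrange the echo), so unless that wiring lands in a hunk outside this page the server never answers and ssl3_ClientHandleOBCertXtn's negotiated bookkeeping is unreachable.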