| Index: net/third_party/nss/patches/nextproto.patch
|
| diff --git a/net/third_party/nss/patches/nextproto.patch b/net/third_party/nss/patches/nextproto.patch
|
| index a01f2404b15b992ae578bcd462e360ef5de5797a..289c2256bab36ff9763ac06c8e0a7c361e94eeca 100644
|
| --- a/net/third_party/nss/patches/nextproto.patch
|
| +++ b/net/third_party/nss/patches/nextproto.patch
|
| @@ -1,77 +1,68 @@
|
| -From 6b594dc531e7a1d1d5bca2f0f78e7bc0ac3ff937 Mon Sep 17 00:00:00 2001
|
| +From 85ecb73392e484ebd783e9414a968a1f5668d87b Mon Sep 17 00:00:00 2001
|
| From: Adam Langley <agl@chromium.org>
|
| Date: Mon, 3 Oct 2011 12:19:28 -0400
|
| Subject: [PATCH] nextproto.patch
|
|
|
| ---
|
| - mozilla/security/nss/cmd/tstclnt/tstclnt.c | 6 ++
|
| - mozilla/security/nss/lib/ssl/ssl.def | 7 ++
|
| - mozilla/security/nss/lib/ssl/ssl.h | 12 +++
|
| - mozilla/security/nss/lib/ssl/ssl3con.c | 54 ++++++++++++
|
| - mozilla/security/nss/lib/ssl/ssl3ext.c | 122 +++++++++++++++++++++++++++-
|
| - mozilla/security/nss/lib/ssl/ssl3prot.h | 3 +-
|
| - mozilla/security/nss/lib/ssl/sslimpl.h | 24 ++++++
|
| - mozilla/security/nss/lib/ssl/sslsock.c | 74 +++++++++++++++++
|
| - mozilla/security/nss/lib/ssl/sslt.h | 3 +-
|
| - 9 files changed, 302 insertions(+), 3 deletions(-)
|
| + mozilla/security/nss/lib/ssl/ssl.def | 6 ++
|
| + mozilla/security/nss/lib/ssl/ssl.h | 22 +++++++
|
| + mozilla/security/nss/lib/ssl/ssl3con.c | 54 +++++++++++++++++
|
| + mozilla/security/nss/lib/ssl/ssl3ext.c | 98 ++++++++++++++++++++++++++++++-
|
| + mozilla/security/nss/lib/ssl/ssl3prot.h | 3 +-
|
| + mozilla/security/nss/lib/ssl/sslimpl.h | 16 +++++
|
| + mozilla/security/nss/lib/ssl/sslsock.c | 18 ++++++
|
| + mozilla/security/nss/lib/ssl/sslt.h | 3 +-
|
| + 8 files changed, 217 insertions(+), 3 deletions(-)
|
|
|
| -diff --git a/mozilla/security/nss/cmd/tstclnt/tstclnt.c b/mozilla/security/nss/cmd/tstclnt/tstclnt.c
|
| -index 55684e6..d209a33 100644
|
| ---- a/mozilla/security/nss/cmd/tstclnt/tstclnt.c
|
| -+++ b/mozilla/security/nss/cmd/tstclnt/tstclnt.c
|
| -@@ -868,6 +868,12 @@ int main(int argc, char **argv)
|
| - return 1;
|
| - }
|
| -
|
| -+ rv = SSL_SetNextProtoNego(s, "\004flip\004http1.1", 10);
|
| -+ if (rv != SECSuccess) {
|
| -+ SECU_PrintError(progName, "error enabling next protocol negotiation");
|
| -+ return 1;
|
| -+ }
|
| -+
|
| - /* enable false start. */
|
| - rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
|
| - if (rv != SECSuccess) {
|
| diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def
|
| -index d3f455c..a1f4b51 100644
|
| +index d3f455c..5256ae2 100644
|
| --- a/mozilla/security/nss/lib/ssl/ssl.def
|
| +++ b/mozilla/security/nss/lib/ssl/ssl.def
|
| -@@ -152,3 +152,10 @@ SSL_SNISocketConfigHook;
|
| +@@ -152,3 +152,9 @@ SSL_SNISocketConfigHook;
|
| ;+ local:
|
| ;+*;
|
| ;+};
|
| +;+NSS_CHROMIUM {
|
| +;+ global:
|
| -+SSL_GetNextProto;
|
| -+SSL_SetNextProtoNego;
|
| ++SSL_SetNextProtoCallback;
|
| +;+ local:
|
| +;+*;
|
| +;+};
|
| diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
|
| -index 4a9e89d..ffa973c 100644
|
| +index 4a9e89d..5fbb676 100644
|
| --- a/mozilla/security/nss/lib/ssl/ssl.h
|
| +++ b/mozilla/security/nss/lib/ssl/ssl.h
|
| -@@ -153,6 +153,18 @@ SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
|
| +@@ -153,6 +153,28 @@ SSL_IMPORT SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on);
|
| SSL_IMPORT SECStatus SSL_OptionGetDefault(PRInt32 option, PRBool *on);
|
| SSL_IMPORT SECStatus SSL_CertDBHandleSet(PRFileDesc *fd, CERTCertDBHandle *dbHandle);
|
|
|
| -+SSL_IMPORT SECStatus SSL_SetNextProtoNego(PRFileDesc *fd,
|
| -+ const unsigned char *data,
|
| -+ unsigned short length);
|
| -+SSL_IMPORT SECStatus SSL_GetNextProto(PRFileDesc *fd,
|
| -+ int *state,
|
| -+ unsigned char *buf,
|
| -+ unsigned *length,
|
| -+ unsigned buf_len);
|
| -+#define SSL_NEXT_PROTO_NO_SUPPORT 0 /* No peer support */
|
| -+#define SSL_NEXT_PROTO_NEGOTIATED 1 /* Mutual agreement */
|
| -+#define SSL_NEXT_PROTO_NO_OVERLAP 2 /* No protocol overlap found */
|
| ++#define SSL_NEXT_PROTO_NEGOTIATION_SUPPORTED 1
|
| ++
|
| ++/* SSLNextProtoCallback is called, during the handshake, when the server has
|
| ++ * sent a Next Protocol Negotiation extension. |protos| and |protosLen| define
|
| ++ * a buffer which contains the server's advertisement. This data is guaranteed
|
| ++ * to be well formed per the NPN spec. |protoOut| is a buffer of length 255
|
| ++ * (the maximum allowed by the protocol) which, on successful return, must
|
| ++ * contain the protocol to be announced to the server. */
|
| ++typedef SECStatus (PR_CALLBACK *SSLNextProtoCallback)(
|
| ++ void *arg,
|
| ++ PRFileDesc *fd,
|
| ++ const unsigned char* protos,
|
| ++ unsigned short protosLen,
|
| ++ unsigned char* protoOut,
|
| ++ unsigned char* protoOutLen);
|
| ++
|
| ++/* SSL_SetNextProtoCallback sets a callback function to handle Next Protocol
|
| ++ * Negotiation. It causes a client to advertise NPN. */
|
| ++SSL_IMPORT SECStatus SSL_SetNextProtoCallback(PRFileDesc *fd,
|
| ++ SSLNextProtoCallback callback,
|
| ++ void *arg);
|
| +
|
| /*
|
| ** Control ciphers that SSL uses. If on is non-zero then the named cipher
|
| ** is enabled, otherwise it is disabled.
|
| diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
|
| -index 8048913..e0cb4e9 100644
|
| +index 8048913..8f860a9 100644
|
| --- a/mozilla/security/nss/lib/ssl/ssl3con.c
|
| +++ b/mozilla/security/nss/lib/ssl/ssl3con.c
|
| @@ -81,6 +81,7 @@ static SECStatus ssl3_InitState( sslSocket *ss);
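Review bot: The SSLNextProtoCallback comment added to ssl.h does not say that the callback must write `*protoOutLen` before returning SECSuccess, nor what it should do when none of the advertised protocols is acceptable; the client handler in ssl3ext.c copies protoOut/protoOutLen without validating them, so both belong in the contract. Suggest appending to that comment: `|protoOutLen| must be set to the length of the selected protocol (1..255) whenever SECSuccess is returned; if no advertised protocol is acceptable the callback should still select the client's own preferred protocol (the NPN draft's no-overlap rule) or return SECFailure to abort the handshake.` The bare `#define SSL_NEXT_PROTO_NEGOTIATION_SUPPORTED 1` also needs a one-line comment stating its purpose — presumably a compile-time feature test for callers — since nothing else in the patch references it. The SSL_SetNextProtoCallback comment could add that passing a NULL callback stops the client from advertising NPN, which is what the sender's `!ss->nextProtoCallback` check in ssl3ext.c implements.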
|
| @@ -107,7 +98,7 @@ index 8048913..e0cb4e9 100644
|
| + int padding_len;
|
| + static const unsigned char padding[32] = {0};
|
| +
|
| -+ if (ss->ssl3.nextProtoState == SSL_NEXT_PROTO_NO_SUPPORT)
|
| ++ if (ss->ssl3.nextProto.len == 0)
|
| + return SECSuccess;
|
| +
|
| + PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
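Review bot: The early return on `ss->ssl3.nextProto.len == 0` now carries the meaning the removed nextProtoState field used to carry, but nothing at the site says so. Suggest a comment above it: `/* nextProto.len stays 0 unless the client's NPN callback selected a protocol; with no selection there is no NextProtocol message to send. */`. Because of this convention a callback that reports a zero-length selection becomes indistinguishable from "no NPN", so the handler in ssl3ext.c should reject a zero result_len rather than store it. The enclosing function starts and ends outside this hunk.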
|
| @@ -164,7 +155,7 @@ index 8048913..e0cb4e9 100644
|
|
|
| /* End of ssl3con.c */
|
| diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c
|
| -index becbfe9..fbd5a91 100644
|
| +index becbfe9..e5311e6 100644
|
| --- a/mozilla/security/nss/lib/ssl/ssl3ext.c
|
| +++ b/mozilla/security/nss/lib/ssl/ssl3ext.c
|
| @@ -235,6 +235,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
|
| @@ -193,7 +184,7 @@ index becbfe9..fbd5a91 100644
|
| /* any extra entries will appear as { 0, NULL } */
|
| };
|
|
|
| -@@ -534,6 +537,123 @@ ssl3_SendSessionTicketXtn(
|
| +@@ -534,6 +537,99 @@ ssl3_SendSessionTicketXtn(
|
| return -1;
|
| }
|
|
|
| @@ -206,12 +197,11 @@ index becbfe9..fbd5a91 100644
|
| + return SECFailure;
|
| + }
|
| +
|
| -+ ss->ssl3.hs.nextProtoNego = PR_TRUE;
|
| + return SECSuccess;
|
| +}
|
| +
|
| +/* ssl3_ValidateNextProtoNego checks that the given block of data is valid: none
|
| -+ * of the length may be 0 and the sum of the lengths must equal the length of
|
| ++ * of the lengths may be 0 and the sum of the lengths must equal the length of
|
| + * the block. */
|
| +SECStatus
|
| +ssl3_ValidateNextProtoNego(const unsigned char* data, unsigned short length)
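Review bot: Dropping `ss->ssl3.hs.nextProtoNego = PR_TRUE;` leaves the server-side handler whose tail is visible at the top of this hunk with no effect beyond validation; if the server's ServerHello extension sender elsewhere in the patch still keys on that flag (not visible here), the server will no longer send the extension. If making the server side validate-only is intended — the sslimpl.h hunk removes the field — say so in the handler's header comment, e.g. `/* Server side: currently only validates the client's advertisement; the server never selects a protocol. */`; otherwise the flag needs a replacement. The handler's start lies outside the hunk.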
|
| @@ -233,50 +223,27 @@ index becbfe9..fbd5a91 100644
|
| +
|
| +SECStatus
|
| +ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
|
| -+ SECItem *data)
|
| ++ SECItem *data)
|
| +{
|
| -+ unsigned int i, j;
|
| + SECStatus rv;
|
| -+ unsigned char *result;
|
| -+
|
| -+ if (data->len == 0) {
|
| -+ /* The server supports the extension, but doesn't have any
|
| -+ * protocols configured. In this case we request our favoured
|
| -+ * protocol. */
|
| -+ goto pick_first;
|
| -+ }
|
| ++ unsigned char result[255];
|
| ++ unsigned char result_len;
|
| +
|
| + rv = ssl3_ValidateNextProtoNego(data->data, data->len);
|
| + if (rv != SECSuccess)
|
| + return rv;
|
| +
|
| -+ /* For each protocol in server preference order, see if we support it. */
|
| -+ for (i = 0; i < data->len; ) {
|
| -+ for (j = 0; j < ss->opt.nextProtoNego.len; ) {
|
| -+ if (data->data[i] == ss->opt.nextProtoNego.data[j] &&
|
| -+ memcmp(&data->data[i+1], &ss->opt.nextProtoNego.data[j+1],
|
| -+ data->data[i]) == 0) {
|
| -+ /* We found a match */
|
| -+ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NEGOTIATED;
|
| -+ result = &data->data[i];
|
| -+ goto found;
|
| -+ }
|
| -+ j += (unsigned int)ss->opt.nextProtoNego.data[j] + 1;
|
| -+ }
|
| -+
|
| -+ i += (unsigned int)data->data[i] + 1;
|
| -+ }
|
| -+
|
| -+ pick_first:
|
| -+ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_NO_OVERLAP;
|
| -+ result = ss->opt.nextProtoNego.data;
|
| ++ rv = ss->nextProtoCallback(ss->nextProtoArg, ss->fd,
|
| ++ data->data, data->len,
|
| ++ result, &result_len);
|
| ++ if (rv != SECSuccess)
|
| ++ return rv;
|
| +
|
| -+ found:
|
| + if (ss->ssl3.nextProto.data)
|
| + PORT_Free(ss->ssl3.nextProto.data);
|
| -+ ss->ssl3.nextProto.data = PORT_Alloc(result[0]);
|
| -+ PORT_Memcpy(ss->ssl3.nextProto.data, result + 1, result[0]);
|
| -+ ss->ssl3.nextProto.len = result[0];
|
| ++ ss->ssl3.nextProto.data = PORT_Alloc(result_len);
|
| ++ PORT_Memcpy(ss->ssl3.nextProto.data, result, result_len);
|
| ++ ss->ssl3.nextProto.len = result_len;
|
| + return SECSuccess;
|
| +}
|
| +
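Review bot: `result_len` is declared uninitialized and is used unvalidated after the callback returns: a callback that returns SECSuccess without writing `*protoOutLen` makes `PORT_Alloc(result_len)` and the following `PORT_Memcpy` operate on an indeterminate value, and `PORT_Alloc` itself is not checked for NULL before the copy, so an allocation failure dereferences NULL. A zero-length result is also accepted, which the ssl3con.c code then treats as "nothing to send" even though the extension was negotiated. Initialize `result_len = 0`, reject a zero result, and check the allocation; the rewritten tail is below. This assumes the extension dispatcher only invokes this handler for an extension the client advertised (so `ss->nextProtoCallback` is non-NULL here) — if that is not guaranteed, a NULL guard is needed as well.
```c
    SECStatus rv;
    unsigned char result[255];
    unsigned char result_len = 0;   /* callback must set this; 0 means nothing selected */

    /* … unchanged: ssl3_ValidateNextProtoNego call and the callback invocation … */

    /* A zero-length selection would later be mistaken for "NPN not negotiated"
     * by the NextProtocol sender, desynchronising the handshake. */
    if (result_len == 0)
        return SECFailure;

    if (ss->ssl3.nextProto.data)
        PORT_Free(ss->ssl3.nextProto.data);
    ss->ssl3.nextProto.data = PORT_Alloc(result_len);
    if (!ss->ssl3.nextProto.data) {
        ss->ssl3.nextProto.len = 0;
        return SECFailure;
    }
    PORT_Memcpy(ss->ssl3.nextProto.data, result, result_len);
    ss->ssl3.nextProto.len = result_len;
    return SECSuccess;
```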
|
| @@ -288,7 +255,7 @@ index becbfe9..fbd5a91 100644
|
| + PRInt32 extension_length;
|
| +
|
| + /* Renegotiations do not send this extension. */
|
| -+ if (ss->opt.nextProtoNego.len == 0 || ss->firstHsDone) {
|
| ++ if (!ss->nextProtoCallback || ss->firstHsDone) {
|
| + return 0;
|
| + }
|
| +
|
| @@ -332,47 +299,32 @@ index 4702fcc..f3c950e 100644
|
|
|
| typedef struct {
|
| diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
|
| -index 9af471d..d1c1181 100644
|
| +index 9af471d..cc39a0d 100644
|
| --- a/mozilla/security/nss/lib/ssl/sslimpl.h
|
| +++ b/mozilla/security/nss/lib/ssl/sslimpl.h
|
| -@@ -313,6 +313,11 @@ typedef struct {
|
| - #endif /* NSS_ENABLE_ECC */
|
| -
|
| - typedef struct sslOptionsStr {
|
| -+ /* For clients, this is a validated list of protocols in preference order
|
| -+ * and wire format. For servers, this is the list of support protocols,
|
| -+ * also in wire format. */
|
| -+ SECItem nextProtoNego;
|
| -+
|
| - unsigned int useSecurity : 1; /* 1 */
|
| - unsigned int useSocks : 1; /* 2 */
|
| - unsigned int requestCertificate : 1; /* 3 */
|
| -@@ -786,6 +791,7 @@ const ssl3CipherSuiteDef *suite_def;
|
| - #ifdef NSS_ENABLE_ECC
|
| - PRUint32 negotiatedECCurves; /* bit mask */
|
| - #endif /* NSS_ENABLE_ECC */
|
| -+ PRBool nextProtoNego;/* Our peer has sent this extension */
|
| - } SSL3HandshakeState;
|
| -
|
| -
|
| -@@ -827,6 +833,16 @@ struct ssl3StateStr {
|
| +@@ -827,6 +827,12 @@ struct ssl3StateStr {
|
| PRBool initialized;
|
| SSL3HandshakeState hs;
|
| ssl3CipherSpec specs[2]; /* one is current, one is pending. */
|
| +
|
| + /* In a client: if the server supports Next Protocol Negotiation, then
|
| + * this is the protocol that was requested.
|
| -+ * In a server: this is the protocol that the client requested via Next
|
| -+ * Protocol Negotiation.
|
| + *
|
| -+ * In either case, if the data pointer is non-NULL, then it is malloced
|
| -+ * data. */
|
| ++ * If the data pointer is non-NULL, then it is malloced data. */
|
| + SECItem nextProto;
|
| -+ int nextProtoState; /* See SSL_NEXT_PROTO_* defines */
|
| };
|
|
|
| typedef struct {
|
| -@@ -1494,8 +1510,12 @@ extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
|
| +@@ -1058,6 +1064,8 @@ const unsigned char * preferredCipher;
|
| + SSLHandshakeCallback handshakeCallback;
|
| + void *handshakeCallbackData;
|
| + void *pkcs11PinArg;
|
| ++ SSLNextProtoCallback nextProtoCallback;
|
| ++ void *nextProtoArg;
|
| +
|
| + PRIntervalTime rTimeout; /* timeout for NSPR I/O */
|
| + PRIntervalTime wTimeout; /* timeout for NSPR I/O */
|
| +@@ -1494,8 +1502,12 @@ extern SECStatus ssl3_HandleSupportedPointFormatsXtn(sslSocket * ss,
|
| PRUint16 ex_type, SECItem *data);
|
| extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
|
| PRUint16 ex_type, SECItem *data);
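Review bot: The rewritten comment on `nextProto` should document the zero-length convention, since ssl3con.c now uses `nextProto.len == 0` as "no protocol selected" in place of the removed nextProtoState field: e.g. add ` * len is 0 when no protocol was selected (the server sent no NPN extension or the callback chose none).` The new `nextProtoCallback`/`nextProtoArg` members carry no comment at all; suggest `/* NPN selection callback and its opaque argument; the argument is stored as-is and must outlive the socket. */` — the lifetime part is inferred from the setter in sslsock.c storing the pointer without copying, so confirm it matches the intended contract.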
|
| @@ -385,7 +337,7 @@ index 9af471d..d1c1181 100644
|
|
|
| /* ClientHello and ServerHello extension senders.
|
| * Note that not all extension senders are exposed here; only those that
|
| -@@ -1526,6 +1546,10 @@ extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
|
| +@@ -1526,6 +1538,10 @@ extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
|
| extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
|
| PRBool append, PRUint32 maxBytes);
|
| #endif
|
| @@ -397,38 +349,17 @@ index 9af471d..d1c1181 100644
|
| /* call the registered extension handlers. */
|
| extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss,
|
| diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
|
| -index bc770a1..4c8fbfd 100644
|
| +index bc770a1..0d92ff7 100644
|
| --- a/mozilla/security/nss/lib/ssl/sslsock.c
|
| +++ b/mozilla/security/nss/lib/ssl/sslsock.c
|
| -@@ -163,6 +163,7 @@ static const sslSocketOps ssl_secure_ops = { /* SSL. */
|
| - ** default settings for socket enables
|
| - */
|
| - static sslOptions ssl_defaults = {
|
| -+ { siBuffer, NULL, 0 }, /* nextProtoNego */
|
| - PR_TRUE, /* useSecurity */
|
| - PR_FALSE, /* useSocks */
|
| - PR_FALSE, /* requestCertificate */
|
| -@@ -438,6 +439,10 @@ ssl_DestroySocketContents(sslSocket *ss)
|
| - ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair);
|
| - ss->ephemeralECDHKeyPair = NULL;
|
| - }
|
| -+ if (ss->opt.nextProtoNego.data) {
|
| -+ PORT_Free(ss->opt.nextProtoNego.data);
|
| -+ ss->opt.nextProtoNego.data = NULL;
|
| -+ }
|
| - PORT_Assert(!ss->xtnData.sniNameArr);
|
| - if (ss->xtnData.sniNameArr) {
|
| - PORT_Free(ss->xtnData.sniNameArr);
|
| -@@ -1266,6 +1271,75 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
|
| +@@ -1266,6 +1266,24 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd)
|
| return fd;
|
| }
|
|
|
| -+/* SSL_SetNextProtoNego sets the list of supported protocols for the given
|
| -+ * socket. The list is a series of 8-bit, length prefixed strings. */
|
| +SECStatus
|
| -+SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data,
|
| -+ unsigned short length)
|
| -+{
|
| ++SSL_SetNextProtoCallback(PRFileDesc *fd,
|
| ++ SSLNextProtoCallback callback,
|
| ++ void *arg) {
|
| + sslSocket *ss = ssl_FindSocket(fd);
|
| +
|
| + if (!ss) {
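Review bot: `void *arg) {` puts the opening brace on the parameter line, whereas the other definitions in this file (the removed SSL_SetNextProtoNego and the `PRFileDesc *` function below) put it on its own line; change the line to `void *arg)` with `{` on the next line. Separately, the previous design kept its state in ss->opt, while nextProtoCallback/nextProtoArg now live directly in sslSocket; if, as I would expect, socket duplication for model-based SSL_ImportFD copies the options struct wholesale but individual sslSocket members one by one (not visible in this diff), a callback registered on a model fd will be silently lost on sockets imported from it — worth verifying in ssl_DupSocket. SSL_SetNextProtoCallback's body continues in the next hunk.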
|
| @@ -437,59 +368,10 @@ index bc770a1..4c8fbfd 100644
|
| + return SECFailure;
|
| + }
|
| +
|
| -+ if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess)
|
| -+ return SECFailure;
|
| -+
|
| + ssl_GetSSL3HandshakeLock(ss);
|
| -+ if (ss->opt.nextProtoNego.data)
|
| -+ PORT_Free(ss->opt.nextProtoNego.data);
|
| -+ ss->opt.nextProtoNego.data = PORT_Alloc(length);
|
| -+ if (!ss->opt.nextProtoNego.data) {
|
| -+ ssl_ReleaseSSL3HandshakeLock(ss);
|
| -+ return SECFailure;
|
| -+ }
|
| -+ memcpy(ss->opt.nextProtoNego.data, data, length);
|
| -+ ss->opt.nextProtoNego.len = length;
|
| -+ ss->opt.nextProtoNego.type = siBuffer;
|
| ++ ss->nextProtoCallback = callback;
|
| ++ ss->nextProtoArg = arg;
|
| + ssl_ReleaseSSL3HandshakeLock(ss);
|
| -+
|
| -+ return SECSuccess;
|
| -+}
|
| -+
|
| -+/* SSL_GetNextProto reads the resulting Next Protocol Negotiation result for
|
| -+ * the given socket. It's only valid to call this once the handshake has
|
| -+ * completed.
|
| -+ *
|
| -+ * state is set to one of the SSL_NEXT_PROTO_* constants. The negotiated
|
| -+ * protocol, if any, is written into buf, which must be at least buf_len
|
| -+ * bytes long. If the negotiated protocol is longer than this, it is truncated.
|
| -+ * The number of bytes copied is written into length.
|
| -+ */
|
| -+SECStatus
|
| -+SSL_GetNextProto(PRFileDesc *fd, int *state, unsigned char *buf,
|
| -+ unsigned int *length, unsigned int buf_len)
|
| -+{
|
| -+ sslSocket *ss = ssl_FindSocket(fd);
|
| -+
|
| -+ if (!ss) {
|
| -+ SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetNextProto", SSL_GETPID(),
|
| -+ fd));
|
| -+ return SECFailure;
|
| -+ }
|
| -+
|
| -+ *state = ss->ssl3.nextProtoState;
|
| -+
|
| -+ if (ss->ssl3.nextProtoState != SSL_NEXT_PROTO_NO_SUPPORT &&
|
| -+ ss->ssl3.nextProto.data) {
|
| -+ *length = ss->ssl3.nextProto.len;
|
| -+ if (*length > buf_len)
|
| -+ *length = buf_len;
|
| -+ PORT_Memcpy(buf, ss->ssl3.nextProto.data, *length);
|
| -+ } else {
|
| -+ *length = 0;
|
| -+ }
|
| -+
|
| -+ return SECSuccess;
|
| +}
|
| +
|
| PRFileDesc *
|
|
|