1 From 3759b424e3347153e8c9011d9f462f9a351120bb Mon Sep 17 00:00:00 2001 | 1 From f434973f6175ed8f1b8af3d7631dff7c0af801dd Mon Sep 17 00:00:00 2001 |
2 From: Adam Langley <agl@chromium.org> | 2 From: Adam Langley <agl@chromium.org> |
3 Date: Mon, 3 Oct 2011 12:19:28 -0400 | 3 Date: Mon, 3 Oct 2011 12:19:28 -0400 |
4 Subject: [PATCH 01/15] nextproto.patch | 4 Subject: [PATCH 01/15] nextproto.patch |
5 | 5 |
6 --- | 6 --- |
7 mozilla/security/nss/lib/ssl/ssl.def | 8 ++ | 7 mozilla/security/nss/lib/ssl/ssl.def | 8 ++ |
8 mozilla/security/nss/lib/ssl/ssl.h | 51 ++++++++++++ | 8 mozilla/security/nss/lib/ssl/ssl.h | 51 ++++++++++++ |
9 mozilla/security/nss/lib/ssl/ssl3con.c | 54 +++++++++++++ | 9 mozilla/security/nss/lib/ssl/ssl3con.c | 56 +++++++++++++ |
10 mozilla/security/nss/lib/ssl/ssl3ext.c | 104 ++++++++++++++++++++++++- | 10 mozilla/security/nss/lib/ssl/ssl3ext.c | 104 ++++++++++++++++++++++++- |
11 mozilla/security/nss/lib/ssl/ssl3prot.h | 3 +- | 11 mozilla/security/nss/lib/ssl/ssl3prot.h | 3 +- |
12 mozilla/security/nss/lib/ssl/sslerr.h | 2 + | 12 mozilla/security/nss/lib/ssl/sslerr.h | 2 + |
13 mozilla/security/nss/lib/ssl/sslimpl.h | 21 +++++ | 13 mozilla/security/nss/lib/ssl/sslimpl.h | 21 +++++ |
14 mozilla/security/nss/lib/ssl/sslsock.c | 131 +++++++++++++++++++++++++++++++ | 14 mozilla/security/nss/lib/ssl/sslsock.c | 134 +++++++++++++++++++++++++++++++ |
15 mozilla/security/nss/lib/ssl/sslt.h | 3 +- | 15 mozilla/security/nss/lib/ssl/sslt.h | 3 +- |
16 9 files changed, 374 insertions(+), 3 deletions(-) | 16 9 files changed, 379 insertions(+), 3 deletions(-) |
17 | 17 |
18 diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl
/ssl.def | 18 diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl
/ssl.def |
19 index d3f455c..6ea48c0 100644 | 19 index d3f455c..6ea48c0 100644 |
20 --- a/mozilla/security/nss/lib/ssl/ssl.def | 20 --- a/mozilla/security/nss/lib/ssl/ssl.def |
21 +++ b/mozilla/security/nss/lib/ssl/ssl.def | 21 +++ b/mozilla/security/nss/lib/ssl/ssl.def |
22 @@ -152,3 +152,11 @@ SSL_SNISocketConfigHook; | 22 @@ -152,3 +152,11 @@ SSL_SNISocketConfigHook; |
23 ;+ local: | 23 ;+ local: |
24 ;+*; | 24 ;+*; |
25 ;+}; | 25 ;+}; |
26 +;+NSS_CHROMIUM { | 26 +;+NSS_CHROMIUM { |
87 + | 87 + |
88 +/* TODO(wtc): it may be a good idea to define these as an enum type. */ | 88 +/* TODO(wtc): it may be a good idea to define these as an enum type. */ |
89 +#define SSL_NEXT_PROTO_NO_SUPPORT 0 /* No peer support */ | 89 +#define SSL_NEXT_PROTO_NO_SUPPORT 0 /* No peer support */ |
90 +#define SSL_NEXT_PROTO_NEGOTIATED 1 /* Mutual agreement */ | 90 +#define SSL_NEXT_PROTO_NEGOTIATED 1 /* Mutual agreement */ |
91 +#define SSL_NEXT_PROTO_NO_OVERLAP 2 /* No protocol overlap found */ | 91 +#define SSL_NEXT_PROTO_NO_OVERLAP 2 /* No protocol overlap found */ |
92 + | 92 + |
93 /* | 93 /* |
94 ** Control ciphers that SSL uses. If on is non-zero then the named cipher | 94 ** Control ciphers that SSL uses. If on is non-zero then the named cipher |
95 ** is enabled, otherwise it is disabled. | 95 ** is enabled, otherwise it is disabled. |
96 diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/s
sl/ssl3con.c | 96 diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/s
sl/ssl3con.c |
97 index 8048913..8f860a9 100644 | 97 index 8048913..288822b 100644 |
98 --- a/mozilla/security/nss/lib/ssl/ssl3con.c | 98 --- a/mozilla/security/nss/lib/ssl/ssl3con.c |
99 +++ b/mozilla/security/nss/lib/ssl/ssl3con.c | 99 +++ b/mozilla/security/nss/lib/ssl/ssl3con.c |
100 @@ -81,6 +81,7 @@ static SECStatus ssl3_InitState( sslSocket *ss); | 100 @@ -81,6 +81,7 @@ static SECStatus ssl3_InitState( sslSocket *ss); |
101 static SECStatus ssl3_SendCertificate( sslSocket *ss); | 101 static SECStatus ssl3_SendCertificate( sslSocket *ss); |
102 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); | 102 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); |
103 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); | 103 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
104 +static SECStatus ssl3_SendNextProto( sslSocket *ss); | 104 +static SECStatus ssl3_SendNextProto( sslSocket *ss); |
105 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 105 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
106 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 106 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
107 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 107 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
108 @@ -5742,6 +5743,12 @@ ssl3_HandleServerHelloDone(sslSocket *ss) | 108 @@ -5742,6 +5743,14 @@ ssl3_HandleServerHelloDone(sslSocket *ss) |
109 if (rv != SECSuccess) { | 109 if (rv != SECSuccess) { |
110 goto loser; /* err code was set. */ | 110 goto loser; /* err code was set. */ |
111 } | 111 } |
112 + | 112 + |
113 + rv = ssl3_SendNextProto(ss); | 113 + if (!ss->firstHsDone) { |
114 + if (rv != SECSuccess) { | 114 +» rv = ssl3_SendNextProto(ss); |
115 +» goto loser;» /* err code was set. */ | 115 +» if (rv != SECSuccess) { |
| 116 +» goto loser;»/* err code was set. */ |
| 117 +» } |
116 + } | 118 + } |
117 + | 119 + |
118 rv = ssl3_SendFinished(ss, 0); | 120 rv = ssl3_SendFinished(ss, 0); |
119 if (rv != SECSuccess) { | 121 if (rv != SECSuccess) { |
120 goto loser; /* err code was set. */ | 122 goto loser; /* err code was set. */ |
121 @@ -8169,6 +8176,40 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 123 @@ -8169,6 +8178,40 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
122 } | 124 } |
123 | 125 |
124 /* called from ssl3_HandleServerHelloDone | 126 /* called from ssl3_HandleServerHelloDone |
125 + */ | 127 + */ |
126 +static SECStatus | 128 +static SECStatus |
127 +ssl3_SendNextProto(sslSocket *ss) | 129 +ssl3_SendNextProto(sslSocket *ss) |
128 +{ | 130 +{ |
129 + SECStatus rv; | 131 + SECStatus rv; |
130 + int padding_len; | 132 + int padding_len; |
131 + static const unsigned char padding[32] = {0}; | 133 + static const unsigned char padding[32] = {0}; |
152 + if (rv != SECSuccess) { | 154 + if (rv != SECSuccess) { |
153 + return rv; /* error code set by AppendHandshake */ | 155 + return rv; /* error code set by AppendHandshake */ |
154 + } | 156 + } |
155 + return rv; | 157 + return rv; |
156 +} | 158 +} |
157 + | 159 + |
158 +/* called from ssl3_HandleServerHelloDone | 160 +/* called from ssl3_HandleServerHelloDone |
159 * ssl3_HandleClientHello | 161 * ssl3_HandleClientHello |
160 * ssl3_HandleFinished | 162 * ssl3_HandleFinished |
161 */ | 163 */ |
162 @@ -8421,6 +8462,14 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint3
2 length, | 164 @@ -8421,6 +8464,14 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint3
2 length, |
163 if (doStepUp || ss->writerThread == PR_GetCurrentThread()) { | 165 if (doStepUp || ss->writerThread == PR_GetCurrentThread()) { |
164 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; | 166 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
165 } | 167 } |
166 + | 168 + |
167 +» if (!isServer) { | 169 +» if (!isServer && !ss->firstHsDone) { |
168 + rv = ssl3_SendNextProto(ss); | 170 + rv = ssl3_SendNextProto(ss); |
169 + if (rv != SECSuccess) { | 171 + if (rv != SECSuccess) { |
170 + goto xmit_loser; /* err code was set. */ | 172 + goto xmit_loser; /* err code was set. */ |
171 + } | 173 + } |
172 + } | 174 + } |
173 + | 175 + |
174 rv = ssl3_SendFinished(ss, flags); | 176 rv = ssl3_SendFinished(ss, flags); |
175 if (rv != SECSuccess) { | 177 if (rv != SECSuccess) { |
176 goto xmit_loser; /* err is set. */ | 178 goto xmit_loser; /* err is set. */ |
177 @@ -9488,6 +9537,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 179 @@ -9488,6 +9539,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
178 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 180 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
179 | 181 |
180 ss->ssl3.initialized = PR_FALSE; | 182 ss->ssl3.initialized = PR_FALSE; |
181 + | 183 + |
182 + if (ss->ssl3.nextProto.data) { | 184 + if (ss->ssl3.nextProto.data) { |
183 + PORT_Free(ss->ssl3.nextProto.data); | 185 + PORT_Free(ss->ssl3.nextProto.data); |
184 + ss->ssl3.nextProto.data = NULL; | 186 + ss->ssl3.nextProto.data = NULL; |
185 + } | 187 + } |
186 } | 188 } |
187 | 189 |
405 PRBool append, PRUint32 maxBytes); | 407 PRBool append, PRUint32 maxBytes); |
406 #endif | 408 #endif |
407 +extern PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, | 409 +extern PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, |
408 + PRUint32 maxBytes); | 410 + PRUint32 maxBytes); |
409 +extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data, | 411 +extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data, |
410 + unsigned short length); | 412 + unsigned short length); |
411 | 413 |
412 /* call the registered extension handlers. */ | 414 /* call the registered extension handlers. */ |
413 extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, | 415 extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, |
414 diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/s
sl/sslsock.c | 416 diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/s
sl/sslsock.c |
415 index bc770a1..769ea0a 100644 | 417 index bc770a1..829103b 100644 |
416 --- a/mozilla/security/nss/lib/ssl/sslsock.c | 418 --- a/mozilla/security/nss/lib/ssl/sslsock.c |
417 +++ b/mozilla/security/nss/lib/ssl/sslsock.c | 419 +++ b/mozilla/security/nss/lib/ssl/sslsock.c |
418 @@ -163,6 +163,7 @@ static const sslSocketOps ssl_secure_ops = { /* SSL.
*/ | 420 @@ -163,6 +163,7 @@ static const sslSocketOps ssl_secure_ops = { /* SSL.
*/ |
419 ** default settings for socket enables | 421 ** default settings for socket enables |
420 */ | 422 */ |
421 static sslOptions ssl_defaults = { | 423 static sslOptions ssl_defaults = { |
422 + { siBuffer, NULL, 0 }, /* nextProtoNego */ | 424 + { siBuffer, NULL, 0 }, /* nextProtoNego */ |
423 PR_TRUE, /* useSecurity */ | 425 PR_TRUE, /* useSecurity */ |
424 PR_FALSE, /* useSocks */ | 426 PR_FALSE, /* useSocks */ |
425 PR_FALSE, /* requestCertificate */ | 427 PR_FALSE, /* requestCertificate */ |
426 @@ -438,6 +439,10 @@ ssl_DestroySocketContents(sslSocket *ss) | 428 @@ -438,6 +439,10 @@ ssl_DestroySocketContents(sslSocket *ss) |
427 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); | 429 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); |
428 ss->ephemeralECDHKeyPair = NULL; | 430 ss->ephemeralECDHKeyPair = NULL; |
429 } | 431 } |
430 + if (ss->opt.nextProtoNego.data) { | 432 + if (ss->opt.nextProtoNego.data) { |
431 + PORT_Free(ss->opt.nextProtoNego.data); | 433 + PORT_Free(ss->opt.nextProtoNego.data); |
432 + ss->opt.nextProtoNego.data = NULL; | 434 + ss->opt.nextProtoNego.data = NULL; |
433 + } | 435 + } |
434 PORT_Assert(!ss->xtnData.sniNameArr); | 436 PORT_Assert(!ss->xtnData.sniNameArr); |
435 if (ss->xtnData.sniNameArr) { | 437 if (ss->xtnData.sniNameArr) { |
436 PORT_Free(ss->xtnData.sniNameArr); | 438 PORT_Free(ss->xtnData.sniNameArr); |
437 @@ -1266,6 +1271,132 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) | 439 @@ -1266,6 +1271,135 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) |
438 return fd; | 440 return fd; |
439 } | 441 } |
440 | 442 |
441 +SECStatus | 443 +SECStatus |
442 +SSL_SetNextProtoCallback(PRFileDesc *fd, | 444 +SSL_SetNextProtoCallback(PRFileDesc *fd, |
443 + SSLNextProtoCallback callback, | 445 + SSLNextProtoCallback callback, |
444 + void *arg) { | 446 + void *arg) { |
445 + sslSocket *ss = ssl_FindSocket(fd); | 447 + sslSocket *ss = ssl_FindSocket(fd); |
446 + | 448 + |
447 + if (!ss) { | 449 + if (!ss) { |
448 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", SSL_GETPID()
, | 450 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", SSL_GETPID()
, |
449 + fd)); | 451 + fd)); |
| 452 + PORT_SetError(SEC_ERROR_INVALID_ARGS); |
450 + return SECFailure; | 453 + return SECFailure; |
451 + } | 454 + } |
452 + | 455 + |
453 + ssl_GetSSL3HandshakeLock(ss); | 456 + ssl_GetSSL3HandshakeLock(ss); |
454 + ss->nextProtoCallback = callback; | 457 + ss->nextProtoCallback = callback; |
455 + ss->nextProtoArg = arg; | 458 + ss->nextProtoArg = arg; |
456 + ssl_ReleaseSSL3HandshakeLock(ss); | 459 + ssl_ReleaseSSL3HandshakeLock(ss); |
| 460 + return SECSuccess; |
457 +} | 461 +} |
458 + | 462 + |
459 +/* NextProtoStandardCallback is set as an NPN callback for the case when the | 463 +/* NextProtoStandardCallback is set as an NPN callback for the case when the |
460 + * user of the sockets wants the standard selection algorithm. */ | 464 + * user of the sockets wants the standard selection algorithm. */ |
461 +static SECStatus | 465 +static SECStatus |
462 +NextProtoStandardCallback(void *arg, | 466 +NextProtoStandardCallback(void *arg, |
463 + PRFileDesc *fd, | 467 + PRFileDesc *fd, |
464 + const unsigned char *protos, | 468 + const unsigned char *protos, |
465 + unsigned int protos_len, | 469 + unsigned int protos_len, |
466 + unsigned char *protoOut, | 470 + unsigned char *protoOut, |
508 +SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, | 512 +SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, |
509 + unsigned int length) | 513 + unsigned int length) |
510 +{ | 514 +{ |
511 + SECStatus rv; | 515 + SECStatus rv; |
512 + | 516 + |
513 + sslSocket *ss = ssl_FindSocket(fd); | 517 + sslSocket *ss = ssl_FindSocket(fd); |
514 + | 518 + |
515 + if (!ss) { | 519 + if (!ss) { |
516 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", | 520 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", |
517 + SSL_GETPID(), fd)); | 521 + SSL_GETPID(), fd)); |
| 522 + PORT_SetError(SEC_ERROR_INVALID_ARGS); |
518 + return SECFailure; | 523 + return SECFailure; |
519 + } | 524 + } |
520 + | 525 + |
521 + if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess) | 526 + if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess) |
522 + return SECFailure; | 527 + return SECFailure; |
523 + | 528 + |
524 + ssl_GetSSL3HandshakeLock(ss); | 529 + ssl_GetSSL3HandshakeLock(ss); |
525 + if (ss->opt.nextProtoNego.data) | 530 + if (ss->opt.nextProtoNego.data) |
526 + PORT_Free(ss->opt.nextProtoNego.data); | 531 + PORT_Free(ss->opt.nextProtoNego.data); |
527 + ss->opt.nextProtoNego.data = PORT_Alloc(length); | 532 + ss->opt.nextProtoNego.data = PORT_Alloc(length); |
576 #endif | 581 #endif |
577 ssl_session_ticket_xtn = 35, | 582 ssl_session_ticket_xtn = 35, |
578 + ssl_next_proto_neg_xtn = 13172, | 583 + ssl_next_proto_neg_xtn = 13172, |
579 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ | 584 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
580 } SSLExtensionType; | 585 } SSLExtensionType; |
581 | 586 |
582 -#define SSL_MAX_EXTENSIONS 5 | 587 -#define SSL_MAX_EXTENSIONS 5 |
583 +#define SSL_MAX_EXTENSIONS 6 | 588 +#define SSL_MAX_EXTENSIONS 6 |
584 | 589 |
585 #endif /* __sslt_h_ */ | 590 #endif /* __sslt_h_ */ |
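Review bot: In SSL_SetNextProtoNego the caller's `unsigned int length` is handed to ssl3_ValidateNextProtoNego, whose prototype in sslimpl.h takes `unsigned short length`, so a value above 65535 is validated on its truncated low 16 bits while the following `PORT_Alloc(length)` (and presumably the copy after it, which lies outside the visible lines) uses the full value. A range check ahead of validation removes the mismatch, `if (length > 0xFFFF) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`, or the prototype can be widened so both sides see the same length. The data is the application's own protocol list rather than peer input, so this is a local consistency defect rather than a remote one, but validating one length and allocating for another is worth closing. Separately, the SSL_DBG message in SSL_SetNextProtoCallback still reads "bad socket in SSL_SetNextProtoNego" and should name SSL_SetNextProtoCallback. The body of SSL_SetNextProtoNego continues past the visible lines.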