| 1 From 3759b424e3347153e8c9011d9f462f9a351120bb Mon Sep 17 00:00:00 2001 | 1 From 0c2f72b38711abdd4ada08ae8d7e96dce79a672b Mon Sep 17 00:00:00 2001 |
| 2 From: Adam Langley <agl@chromium.org> | 2 From: Adam Langley <agl@chromium.org> |
| 3 Date: Mon, 3 Oct 2011 12:19:28 -0400 | 3 Date: Mon, 3 Oct 2011 12:19:28 -0400 |
| 4 Subject: [PATCH 01/15] nextproto.patch | 4 Subject: [PATCH 01/15] nextproto.patch |
| 5 | 5 |
| 6 --- | 6 --- |
| 7 mozilla/security/nss/lib/ssl/ssl.def | 8 ++ | 7 mozilla/security/nss/lib/ssl/ssl.def | 8 ++ |
| 8 mozilla/security/nss/lib/ssl/ssl.h | 51 ++++++++++++ | 8 mozilla/security/nss/lib/ssl/ssl.h | 51 ++++++++++++ |
| 9 mozilla/security/nss/lib/ssl/ssl3con.c | 54 +++++++++++++ | 9 mozilla/security/nss/lib/ssl/ssl3con.c | 58 +++++++++++++ |
| 10 mozilla/security/nss/lib/ssl/ssl3ext.c | 104 ++++++++++++++++++++++++- | 10 mozilla/security/nss/lib/ssl/ssl3ext.c | 104 ++++++++++++++++++++++++- |
| 11 mozilla/security/nss/lib/ssl/ssl3prot.h | 3 +- | 11 mozilla/security/nss/lib/ssl/ssl3prot.h | 3 +- |
| 12 mozilla/security/nss/lib/ssl/sslerr.h | 2 + | 12 mozilla/security/nss/lib/ssl/sslerr.h | 2 + |
| 13 mozilla/security/nss/lib/ssl/sslimpl.h | 21 +++++ | 13 mozilla/security/nss/lib/ssl/sslimpl.h | 21 +++++ |
| 14 mozilla/security/nss/lib/ssl/sslsock.c | 131 +++++++++++++++++++++++++++++++ | 14 mozilla/security/nss/lib/ssl/sslsock.c | 134 +++++++++++++++++++++++++++++++ |
| 15 mozilla/security/nss/lib/ssl/sslt.h | 3 +- | 15 mozilla/security/nss/lib/ssl/sslt.h | 3 +- |
| 16 9 files changed, 374 insertions(+), 3 deletions(-) | 16 9 files changed, 381 insertions(+), 3 deletions(-) |
| 17 | 17 |
| 18 diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl
/ssl.def | 18 diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl
/ssl.def |
| 19 index d3f455c..6ea48c0 100644 | 19 index d3f455c..6ea48c0 100644 |
| 20 --- a/mozilla/security/nss/lib/ssl/ssl.def | 20 --- a/mozilla/security/nss/lib/ssl/ssl.def |
| 21 +++ b/mozilla/security/nss/lib/ssl/ssl.def | 21 +++ b/mozilla/security/nss/lib/ssl/ssl.def |
| 22 @@ -152,3 +152,11 @@ SSL_SNISocketConfigHook; | 22 @@ -152,3 +152,11 @@ SSL_SNISocketConfigHook; |
| 23 ;+ local: | 23 ;+ local: |
| 24 ;+*; | 24 ;+*; |
| 25 ;+}; | 25 ;+}; |
| 26 +;+NSS_CHROMIUM { | 26 +;+NSS_CHROMIUM { |
| 87 + | 87 + |
| 88 +/* TODO(wtc): it may be a good idea to define these as an enum type. */ | 88 +/* TODO(wtc): it may be a good idea to define these as an enum type. */ |
| 89 +#define SSL_NEXT_PROTO_NO_SUPPORT 0 /* No peer support */ | 89 +#define SSL_NEXT_PROTO_NO_SUPPORT 0 /* No peer support */ |
| 90 +#define SSL_NEXT_PROTO_NEGOTIATED 1 /* Mutual agreement */ | 90 +#define SSL_NEXT_PROTO_NEGOTIATED 1 /* Mutual agreement */ |
| 91 +#define SSL_NEXT_PROTO_NO_OVERLAP 2 /* No protocol overlap found */ | 91 +#define SSL_NEXT_PROTO_NO_OVERLAP 2 /* No protocol overlap found */ |
| 92 + | 92 + |
| 93 /* | 93 /* |
| 94 ** Control ciphers that SSL uses. If on is non-zero then the named cipher | 94 ** Control ciphers that SSL uses. If on is non-zero then the named cipher |
| 95 ** is enabled, otherwise it is disabled. | 95 ** is enabled, otherwise it is disabled. |
| 96 diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/s
sl/ssl3con.c | 96 diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/s
sl/ssl3con.c |
| 97 index 8048913..8f860a9 100644 | 97 index 8048913..d2d4f91 100644 |
| 98 --- a/mozilla/security/nss/lib/ssl/ssl3con.c | 98 --- a/mozilla/security/nss/lib/ssl/ssl3con.c |
| 99 +++ b/mozilla/security/nss/lib/ssl/ssl3con.c | 99 +++ b/mozilla/security/nss/lib/ssl/ssl3con.c |
| 100 @@ -81,6 +81,7 @@ static SECStatus ssl3_InitState( sslSocket *ss); | 100 @@ -81,6 +81,7 @@ static SECStatus ssl3_InitState( sslSocket *ss); |
| 101 static SECStatus ssl3_SendCertificate( sslSocket *ss); | 101 static SECStatus ssl3_SendCertificate( sslSocket *ss); |
| 102 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); | 102 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); |
| 103 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); | 103 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
| 104 +static SECStatus ssl3_SendNextProto( sslSocket *ss); | 104 +static SECStatus ssl3_SendNextProto( sslSocket *ss); |
| 105 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 105 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
| 106 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 106 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
| 107 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 107 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
| 108 @@ -5742,6 +5743,12 @@ ssl3_HandleServerHelloDone(sslSocket *ss) | 108 @@ -5742,6 +5743,16 @@ ssl3_HandleServerHelloDone(sslSocket *ss) |
| 109 if (rv != SECSuccess) { | 109 if (rv != SECSuccess) { |
| 110 goto loser; /* err code was set. */ | 110 goto loser; /* err code was set. */ |
| 111 } | 111 } |
| 112 + | 112 + |
| 113 + rv = ssl3_SendNextProto(ss); | 113 + /* We don't send NPN in a renegotiation as it's explicitly disallowed by |
| 114 + if (rv != SECSuccess) { | 114 + * the spec. */ |
| 115 +» goto loser;» /* err code was set. */ | 115 + if (!ss->firstHsDone) { |
| 116 +» rv = ssl3_SendNextProto(ss); |
| 117 +» if (rv != SECSuccess) { |
| 118 +» goto loser;»/* err code was set. */ |
| 119 +» } |
| 116 + } | 120 + } |
| 117 + | 121 + |
| 118 rv = ssl3_SendFinished(ss, 0); | 122 rv = ssl3_SendFinished(ss, 0); |
| 119 if (rv != SECSuccess) { | 123 if (rv != SECSuccess) { |
| 120 goto loser; /* err code was set. */ | 124 goto loser; /* err code was set. */ |
| 121 @@ -8169,6 +8176,40 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, | 125 @@ -8169,6 +8180,40 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec, |
| 122 } | 126 } |
| 123 | 127 |
| 124 /* called from ssl3_HandleServerHelloDone | 128 /* called from ssl3_HandleServerHelloDone |
| 125 + */ | 129 + */ |
| 126 +static SECStatus | 130 +static SECStatus |
| 127 +ssl3_SendNextProto(sslSocket *ss) | 131 +ssl3_SendNextProto(sslSocket *ss) |
| 128 +{ | 132 +{ |
| 129 + SECStatus rv; | 133 + SECStatus rv; |
| 130 + int padding_len; | 134 + int padding_len; |
| 131 + static const unsigned char padding[32] = {0}; | 135 + static const unsigned char padding[32] = {0}; |
| 152 + if (rv != SECSuccess) { | 156 + if (rv != SECSuccess) { |
| 153 + return rv; /* error code set by AppendHandshake */ | 157 + return rv; /* error code set by AppendHandshake */ |
| 154 + } | 158 + } |
| 155 + return rv; | 159 + return rv; |
| 156 +} | 160 +} |
| 157 + | 161 + |
| 158 +/* called from ssl3_HandleServerHelloDone | 162 +/* called from ssl3_HandleServerHelloDone |
| 159 * ssl3_HandleClientHello | 163 * ssl3_HandleClientHello |
| 160 * ssl3_HandleFinished | 164 * ssl3_HandleFinished |
| 161 */ | 165 */ |
| 162 @@ -8421,6 +8462,14 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint3
2 length, | 166 @@ -8421,6 +8466,14 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint3
2 length, |
| 163 if (doStepUp || ss->writerThread == PR_GetCurrentThread()) { | 167 if (doStepUp || ss->writerThread == PR_GetCurrentThread()) { |
| 164 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; | 168 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
| 165 } | 169 } |
| 166 + | 170 + |
| 167 +» if (!isServer) { | 171 +» if (!isServer && !ss->firstHsDone) { |
| 168 + rv = ssl3_SendNextProto(ss); | 172 + rv = ssl3_SendNextProto(ss); |
| 169 + if (rv != SECSuccess) { | 173 + if (rv != SECSuccess) { |
| 170 + goto xmit_loser; /* err code was set. */ | 174 + goto xmit_loser; /* err code was set. */ |
| 171 + } | 175 + } |
| 172 + } | 176 + } |
| 173 + | 177 + |
| 174 rv = ssl3_SendFinished(ss, flags); | 178 rv = ssl3_SendFinished(ss, flags); |
| 175 if (rv != SECSuccess) { | 179 if (rv != SECSuccess) { |
| 176 goto xmit_loser; /* err is set. */ | 180 goto xmit_loser; /* err is set. */ |
| 177 @@ -9488,6 +9537,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 181 @@ -9488,6 +9541,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
| 178 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); | 182 ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/); |
| 179 | 183 |
| 180 ss->ssl3.initialized = PR_FALSE; | 184 ss->ssl3.initialized = PR_FALSE; |
| 181 + | 185 + |
| 182 + if (ss->ssl3.nextProto.data) { | 186 + if (ss->ssl3.nextProto.data) { |
| 183 + PORT_Free(ss->ssl3.nextProto.data); | 187 + PORT_Free(ss->ssl3.nextProto.data); |
| 184 + ss->ssl3.nextProto.data = NULL; | 188 + ss->ssl3.nextProto.data = NULL; |
| 185 + } | 189 + } |
| 186 } | 190 } |
| 187 | 191 |
| 405 PRBool append, PRUint32 maxBytes); | 409 PRBool append, PRUint32 maxBytes); |
| 406 #endif | 410 #endif |
| 407 +extern PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, | 411 +extern PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, |
| 408 + PRUint32 maxBytes); | 412 + PRUint32 maxBytes); |
| 409 +extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data, | 413 +extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data, |
| 410 + unsigned short length); | 414 + unsigned short length); |
| 411 | 415 |
| 412 /* call the registered extension handlers. */ | 416 /* call the registered extension handlers. */ |
| 413 extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, | 417 extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, |
| 414 diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/s
sl/sslsock.c | 418 diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/s
sl/sslsock.c |
| 415 index bc770a1..769ea0a 100644 | 419 index bc770a1..829103b 100644 |
| 416 --- a/mozilla/security/nss/lib/ssl/sslsock.c | 420 --- a/mozilla/security/nss/lib/ssl/sslsock.c |
| 417 +++ b/mozilla/security/nss/lib/ssl/sslsock.c | 421 +++ b/mozilla/security/nss/lib/ssl/sslsock.c |
| 418 @@ -163,6 +163,7 @@ static const sslSocketOps ssl_secure_ops = { /* SSL.
*/ | 422 @@ -163,6 +163,7 @@ static const sslSocketOps ssl_secure_ops = { /* SSL.
*/ |
| 419 ** default settings for socket enables | 423 ** default settings for socket enables |
| 420 */ | 424 */ |
| 421 static sslOptions ssl_defaults = { | 425 static sslOptions ssl_defaults = { |
| 422 + { siBuffer, NULL, 0 }, /* nextProtoNego */ | 426 + { siBuffer, NULL, 0 }, /* nextProtoNego */ |
| 423 PR_TRUE, /* useSecurity */ | 427 PR_TRUE, /* useSecurity */ |
| 424 PR_FALSE, /* useSocks */ | 428 PR_FALSE, /* useSocks */ |
| 425 PR_FALSE, /* requestCertificate */ | 429 PR_FALSE, /* requestCertificate */ |
| 426 @@ -438,6 +439,10 @@ ssl_DestroySocketContents(sslSocket *ss) | 430 @@ -438,6 +439,10 @@ ssl_DestroySocketContents(sslSocket *ss) |
| 427 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); | 431 ssl3_FreeKeyPair(ss->ephemeralECDHKeyPair); |
| 428 ss->ephemeralECDHKeyPair = NULL; | 432 ss->ephemeralECDHKeyPair = NULL; |
| 429 } | 433 } |
| 430 + if (ss->opt.nextProtoNego.data) { | 434 + if (ss->opt.nextProtoNego.data) { |
| 431 + PORT_Free(ss->opt.nextProtoNego.data); | 435 + PORT_Free(ss->opt.nextProtoNego.data); |
| 432 + ss->opt.nextProtoNego.data = NULL; | 436 + ss->opt.nextProtoNego.data = NULL; |
| 433 + } | 437 + } |
| 434 PORT_Assert(!ss->xtnData.sniNameArr); | 438 PORT_Assert(!ss->xtnData.sniNameArr); |
| 435 if (ss->xtnData.sniNameArr) { | 439 if (ss->xtnData.sniNameArr) { |
| 436 PORT_Free(ss->xtnData.sniNameArr); | 440 PORT_Free(ss->xtnData.sniNameArr); |
| 437 @@ -1266,6 +1271,132 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) | 441 @@ -1266,6 +1271,135 @@ SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd) |
| 438 return fd; | 442 return fd; |
| 439 } | 443 } |
| 440 | 444 |
| 441 +SECStatus | 445 +SECStatus |
| 442 +SSL_SetNextProtoCallback(PRFileDesc *fd, | 446 +SSL_SetNextProtoCallback(PRFileDesc *fd, |
| 443 + SSLNextProtoCallback callback, | 447 + SSLNextProtoCallback callback, |
| 444 + void *arg) { | 448 + void *arg) { |
| 445 + sslSocket *ss = ssl_FindSocket(fd); | 449 + sslSocket *ss = ssl_FindSocket(fd); |
| 446 + | 450 + |
| 447 + if (!ss) { | 451 + if (!ss) { |
| 448 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", SSL_GETPID()
, | 452 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", SSL_GETPID()
, |
| 449 + fd)); | 453 + fd)); |
| 454 + PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 450 + return SECFailure; | 455 + return SECFailure; |
| 451 + } | 456 + } |
| 452 + | 457 + |
| 453 + ssl_GetSSL3HandshakeLock(ss); | 458 + ssl_GetSSL3HandshakeLock(ss); |
| 454 + ss->nextProtoCallback = callback; | 459 + ss->nextProtoCallback = callback; |
| 455 + ss->nextProtoArg = arg; | 460 + ss->nextProtoArg = arg; |
| 456 + ssl_ReleaseSSL3HandshakeLock(ss); | 461 + ssl_ReleaseSSL3HandshakeLock(ss); |
| 462 + return SECSuccess; |
| 457 +} | 463 +} |
| 458 + | 464 + |
| 459 +/* NextProtoStandardCallback is set as an NPN callback for the case when the | 465 +/* NextProtoStandardCallback is set as an NPN callback for the case when the |
| 460 + * user of the sockets wants the standard selection algorithm. */ | 466 + * user of the sockets wants the standard selection algorithm. */ |
| 461 +static SECStatus | 467 +static SECStatus |
| 462 +NextProtoStandardCallback(void *arg, | 468 +NextProtoStandardCallback(void *arg, |
| 463 + PRFileDesc *fd, | 469 + PRFileDesc *fd, |
| 464 + const unsigned char *protos, | 470 + const unsigned char *protos, |
| 465 + unsigned int protos_len, | 471 + unsigned int protos_len, |
| 466 + unsigned char *protoOut, | 472 + unsigned char *protoOut, |
| 508 +SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, | 514 +SSL_SetNextProtoNego(PRFileDesc *fd, const unsigned char *data, |
| 509 + unsigned int length) | 515 + unsigned int length) |
| 510 +{ | 516 +{ |
| 511 + SECStatus rv; | 517 + SECStatus rv; |
| 512 + | 518 + |
| 513 + sslSocket *ss = ssl_FindSocket(fd); | 519 + sslSocket *ss = ssl_FindSocket(fd); |
| 514 + | 520 + |
| 515 + if (!ss) { | 521 + if (!ss) { |
| 516 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", | 522 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoNego", |
| 517 + SSL_GETPID(), fd)); | 523 + SSL_GETPID(), fd)); |
| 524 + PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 518 + return SECFailure; | 525 + return SECFailure; |
| 519 + } | 526 + } |
| 520 + | 527 + |
| 521 + if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess) | 528 + if (ssl3_ValidateNextProtoNego(data, length) != SECSuccess) |
| 522 + return SECFailure; | 529 + return SECFailure; |
| 523 + | 530 + |
| 524 + ssl_GetSSL3HandshakeLock(ss); | 531 + ssl_GetSSL3HandshakeLock(ss); |
| 525 + if (ss->opt.nextProtoNego.data) | 532 + if (ss->opt.nextProtoNego.data) |
| 526 + PORT_Free(ss->opt.nextProtoNego.data); | 533 + PORT_Free(ss->opt.nextProtoNego.data); |
| 527 + ss->opt.nextProtoNego.data = PORT_Alloc(length); | 534 + ss->opt.nextProtoNego.data = PORT_Alloc(length); |
| 576 #endif | 583 #endif |
| 577 ssl_session_ticket_xtn = 35, | 584 ssl_session_ticket_xtn = 35, |
| 578 + ssl_next_proto_neg_xtn = 13172, | 585 + ssl_next_proto_neg_xtn = 13172, |
| 579 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ | 586 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
| 580 } SSLExtensionType; | 587 } SSLExtensionType; |
| 581 | 588 |
| 582 -#define SSL_MAX_EXTENSIONS 5 | 589 -#define SSL_MAX_EXTENSIONS 5 |
| 583 +#define SSL_MAX_EXTENSIONS 6 | 590 +#define SSL_MAX_EXTENSIONS 6 |
| 584 | 591 |
| 585 #endif /* __sslt_h_ */ | 592 #endif /* __sslt_h_ */ |
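Review bot: The debug message in SSL_SetNextProtoCallback (sslsock.c, new lines 452–453) names the wrong function — it says `"bad socket in SSL_SetNextProtoNego"`, the same string SSL_SetNextProtoNego itself uses at new lines 522–523, so a failure in the callback setter would be logged as coming from the other API; the line should read `SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetNextProtoCallback", SSL_GETPID(), fd));`. The newly added `PORT_SetError(SEC_ERROR_INVALID_ARGS)` sits right next to it, so this is the natural place to correct the string in the same change. In ssl3_SendNextProto (ssl3con.c, new lines 156–159) the tail `if (rv != SECSuccess) { return rv; } return rv;` returns the same value on both paths and collapses to `return rv; /* error code set by AppendHandshake */`. The lines of SSL_SetNextProtoNego after `PORT_Alloc(length)` (new line 534) are collapsed on this page, so whether an allocation failure leaves `opt.nextProtoNego.len` consistent with a NULL `data` pointer could not be checked here and is worth confirming, since ssl_DestroySocketContents and the setter itself key only on `data`.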