Side by Side Diff: net/third_party/nss/patches/encryptedclientcerts.patch

Issue 9558017: Update net/third_party/nss to NSS 3.13.3. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Upload before checkin Created 8 years, 9 months ago
OLDNEW
1 Index: net/third_party/nss/ssl/ssl.h 1 diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
2 =================================================================== 2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-02-29 19:15:20.975171099 -0800
3 --- net/third_party/nss/ssl/ssl.h» (revision 108962) 3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-02-29 19:18:21.947702106 -0800
4 +++ net/third_party/nss/ssl/ssl.h» (working copy) 4 @@ -169,6 +169,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
5 @@ -143,6 +143,7 @@ 5 #define SSL_CBC_RANDOM_IV 23
6 #define SSL_ENABLE_CACHED_INFO 24 /* Enable TLS cached information */ 6 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
7 /* extension, off by default. */
8 #define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */ 7 #define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */
9 +#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */ 8 +#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */
10 9
11 #ifdef SSL_DEPRECATED_FUNCTION 10 #ifdef SSL_DEPRECATED_FUNCTION
12 /* Old deprecated function names */ 11 /* Old deprecated function names */
13 Index: net/third_party/nss/ssl/sslimpl.h 12 diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/s slimpl.h
14 =================================================================== 13 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-29 19:15:20.975171099 -0 800
15 --- net/third_party/nss/ssl/sslimpl.h» (revision 108962) 14 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-29 19:19:26.478604857 -0 800
16 +++ net/third_party/nss/ssl/sslimpl.h» (working copy) 15 @@ -350,6 +350,7 @@ typedef struct sslOptionsStr {
17 @@ -350,6 +350,7 @@ 16 unsigned int cbcRandomIV : 1; /* 24 */
18 unsigned int enableOCSPStapling : 1; /* 24 */ 17 unsigned int enableOCSPStapling : 1; /* 25 */
19 unsigned int enableCachedInfo : 1; /* 25 */
20 unsigned int enableOBCerts : 1; /* 26 */ 18 unsigned int enableOBCerts : 1; /* 26 */
21 + unsigned int encryptClientCerts : 1; /* 27 */ 19 + unsigned int encryptClientCerts : 1; /* 27 */
22 } sslOptions; 20 } sslOptions;
23 21
24 typedef enum { sslHandshakingUndetermined = 0, 22 typedef enum { sslHandshakingUndetermined = 0,
25 Index: net/third_party/nss/ssl/ssl3ext.c 23 diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/s sl3con.c
26 =================================================================== 24 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-29 19:15:20.975171099 -0 800
27 --- net/third_party/nss/ssl/ssl3ext.c» (revision 108962) 25 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-29 20:00:15.851981917 -0 800
28 +++ net/third_party/nss/ssl/ssl3ext.c» (working copy) 26 @@ -2863,7 +2863,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
29 @@ -78,6 +78,12 @@
30 PRBool append, PRUint32 maxBytes);
31 static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss,
32 PRUint16 ex_type, SECItem *data);
33 +static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss,
34 + PRUint16 ex_type, SECItem *data);
35 +static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss,
36 + PRUint16 ex_type, SECItem *data);
37 +static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss,
38 + PRBool append, PRUint32 maxBytes);
39
40 /*
41 * Write bytes. Using this function means the SECItem structure
42 @@ -234,6 +240,7 @@
43 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
44 #endif
45 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
46 + { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn },
47 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
48 { ssl_next_proto_neg_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
49 { ssl_cached_info_xtn, &ssl3_ServerHandleCachedInfoXtn },
50 @@ -247,6 +254,7 @@
51 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
52 /* TODO: add a handler for ssl_ec_point_formats_xtn */
53 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
54 + { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn },
55 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
56 { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
57 { ssl_cached_info_xtn, &ssl3_ClientHandleCachedInfoXtn },
58 @@ -275,6 +283,7 @@
59 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
60 #endif
61 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
62 + { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn },
63 { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn },
64 { ssl_cached_info_xtn, &ssl3_ClientSendCachedInfoXtn },
65 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
66 @@ -1318,6 +1327,18 @@
67 return SECSuccess;
68 }
69
70 +static SECStatus
71 +ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
72 +» SECItem *data)
73 +{
74 + if (data->len != 0)
75 +» return SECFailure;
76 +
77 + /* Keep track of negotiated extensions. */
78 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
79 + return SECSuccess;
80 +}
81 +
82 SECStatus
83 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
84 SECItem *data)
85 @@ -1728,6 +1749,24 @@
86 return rv;
87 }
88
89 +static SECStatus
90 +ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
91 +» SECItem *data)
92 +{
93 + SECStatus rv = SECSuccess;
94 +
95 + if (data->len != 0)
96 +» return SECFailure;
97 +
98 + if (ss->opt.encryptClientCerts) {
99 +» ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
100 +» rv = ssl3_RegisterServerHelloExtensionSender(
101 +» ss, ex_type, ssl3_SendEncryptedClientCertsXtn);
102 + }
103 +
104 + return rv;
105 +}
106 +
107 /*
108 * Read bytes. Using this function means the SECItem structure
109 * cannot be freed. The caller is expected to call this function
110 @@ -1927,6 +1966,33 @@
111 return needed;
112 }
113
114 +static PRInt32
115 +ssl3_SendEncryptedClientCertsXtn(
116 +» » » sslSocket * ss,
117 +» » » PRBool append,
118 +» » » PRUint32 maxBytes)
119 +{
120 + PRInt32 needed;
121 +
122 + if (!ss->opt.encryptClientCerts)
123 +» return 0;
124 +
125 + needed = 4; /* two bytes of type and two of length. */
126 + if (append && maxBytes >= needed) {
127 +» SECStatus rv;
128 +» rv = ssl3_AppendHandshakeNumber(ss, ssl_encrypted_client_certs, 2);
129 +» if (rv != SECSuccess)
130 +» return -1;
131 +» rv = ssl3_AppendHandshakeNumber(ss, 0 /* length */, 2);
132 +» if (rv != SECSuccess)
133 +» return -1;
134 +» ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
135 +» ssl_encrypted_client_certs;
136 + }
137 +
138 + return needed;
139 +}
140 +
141 /* This function runs in both the client and server. */
142 static SECStatus
143 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
144 Index: net/third_party/nss/ssl/sslsock.c
145 ===================================================================
146 --- net/third_party/nss/ssl/sslsock.c» (revision 108962)
147 +++ net/third_party/nss/ssl/sslsock.c» (working copy)
148 @@ -188,6 +188,7 @@
149 PR_FALSE, /* enableOCSPStapling */
150 PR_FALSE, /* enableCachedInfo */
151 PR_FALSE, /* enableOBCerts */
152 + PR_FALSE, /* encryptClientCerts */
153 };
154
155 sslSessionIDLookupFunc ssl_sid_lookup;
156 @@ -757,6 +758,10 @@
157 » ss->opt.enableOBCerts = on;
158 » break;
159
160 + case SSL_ENCRYPT_CLIENT_CERTS:
161 +» ss->opt.encryptClientCerts = on;
162 +» break;
163 +
164 default:
165 » PORT_SetError(SEC_ERROR_INVALID_ARGS);
166 » rv = SECFailure;
167 @@ -824,6 +829,8 @@
168 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
169 case SSL_ENABLE_CACHED_INFO: on = ss->opt.enableCachedInfo; break;
170 case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break;
171 + case SSL_ENCRYPT_CLIENT_CERTS:
172 + on = ss->opt.encryptClientCerts; break;
173
174 default:
175 » PORT_SetError(SEC_ERROR_INVALID_ARGS);
176 @@ -880,6 +887,8 @@
177 » break;
178 case SSL_ENABLE_CACHED_INFO: on = ssl_defaults.enableCachedInfo; break;
179 case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break;
180 + case SSL_ENCRYPT_CLIENT_CERTS:
181 + on = ssl_defaults.encryptClientCerts; break;
182
183 default:
184 » PORT_SetError(SEC_ERROR_INVALID_ARGS);
185 @@ -1039,6 +1048,10 @@
186 » ssl_defaults.enableOBCerts = on;
187 » break;
188
189 + case SSL_ENCRYPT_CLIENT_CERTS:
190 +» ssl_defaults.encryptClientCerts = on;
191 +» break;
192 +
193 default:
194 » PORT_SetError(SEC_ERROR_INVALID_ARGS);
195 » return SECFailure;
196 Index: net/third_party/nss/ssl/ssl3con.c
197 ===================================================================
198 --- net/third_party/nss/ssl/ssl3con.c» (revision 108962)
199 +++ net/third_party/nss/ssl/ssl3con.c» (working copy)
200 @@ -2835,8 +2835,15 @@
201 27
202 ss->ssl3.prSpec = ss->ssl3.crSpec; 28 ss->ssl3.prSpec = ss->ssl3.crSpec;
203 ss->ssl3.crSpec = prSpec; 29 ss->ssl3.crSpec = prSpec;
204 - ss->ssl3.hs.ws = wait_finished; 30 - ss->ssl3.hs.ws = wait_finished;
205 31 +
206 + if (ss->sec.isServer && 32 + if (ss->sec.isServer &&
207 + ss->opt.requestCertificate && 33 + ss->opt.requestCertificate &&
208 + ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 34 + ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
209 + ss->ssl3.hs.ws = wait_client_cert; 35 + ss->ssl3.hs.ws = wait_client_cert;
210 + } else { 36 + } else {
211 + ss->ssl3.hs.ws = wait_finished; 37 + ss->ssl3.hs.ws = wait_finished;
212 + } 38 + }
213 + 39
214 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending", 40 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
215 SSL_GETPID(), ss->fd )); 41 SSL_GETPID(), ss->fd ));
216 42 @@ -4877,10 +4884,11 @@ loser:
217 @@ -4850,10 +4857,11 @@
218 static SECStatus 43 static SECStatus
219 ssl3_SendCertificateVerify(sslSocket *ss) 44 ssl3_SendCertificateVerify(sslSocket *ss)
220 { 45 {
221 - SECStatus rv = SECFailure; 46 - SECStatus rv = SECFailure;
222 - PRBool isTLS; 47 - PRBool isTLS;
223 - SECItem buf = {siBuffer, NULL, 0}; 48 - SECItem buf = {siBuffer, NULL, 0};
224 - SSL3Hashes hashes; 49 - SSL3Hashes hashes;
225 + SECStatus rv = SECFailure; 50 + SECStatus rv = SECFailure;
226 + PRBool isTLS; 51 + PRBool isTLS;
227 + SECItem buf = {siBuffer, NULL, 0}; 52 + SECItem buf = {siBuffer, NULL, 0};
228 + SSL3Hashes hashes; 53 + SSL3Hashes hashes;
229 + ssl3CipherSpec *spec; 54 + ssl3CipherSpec *spec;
230 55
231 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 56 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
232 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 57 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
233 @@ -4862,13 +4870,17 @@ 58 @@ -4889,13 +4897,17 @@ ssl3_SendCertificateVerify(sslSocket *ss
234 SSL_GETPID(), ss->fd)); 59 SSL_GETPID(), ss->fd));
235 60
236 ssl_GetSpecReadLock(ss); 61 ssl_GetSpecReadLock(ss);
237 - rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); 62 - rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
238 + spec = ss->ssl3.pwSpec; 63 + spec = ss->ssl3.pwSpec;
239 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 64 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
240 + spec = ss->ssl3.cwSpec; 65 + spec = ss->ssl3.cwSpec;
241 + } 66 + }
242 + rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0); 67 + rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0);
243 ssl_ReleaseSpecReadLock(ss); 68 ssl_ReleaseSpecReadLock(ss);
244 if (rv != SECSuccess) { 69 if (rv != SECSuccess) {
245 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ 70 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
246 } 71 }
247 72
248 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 73 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
249 + isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); 74 + isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
250 if (ss->ssl3.platformClientKey) { 75 if (ss->ssl3.platformClientKey) {
251 #ifdef NSS_PLATFORM_CLIENT_AUTH 76 #ifdef NSS_PLATFORM_CLIENT_AUTH
252 rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, 77 rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
253 @@ -5840,7 +5852,10 @@ 78 @@ -5912,6 +5924,10 @@ ssl3_SendClientSecondRound(sslSocket *ss
254 { 79 {
255 SECStatus rv; 80 SECStatus rv;
256 SSL3WaitState ws = ss->ssl3.hs.ws; 81 PRBool sendClientCert;
257 - PRBool send_verify = PR_FALSE; 82 + PRBool sendEmptyCert;
258 + PRBool sendEmptyCert, sendCert; 83 + int n = 0, i;
259 + int n = 0, i;
260 + typedef SECStatus (*SendFunction)(sslSocket*); 84 + typedef SECStatus (*SendFunction)(sslSocket*);
261 + SendFunction send_funcs[5]; 85 + SendFunction send_funcs[5];
262 86
263 SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake", 87 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
264 » » SSL_GETPID(), ss->fd)); 88 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
265 @@ -5858,46 +5873,45 @@ 89 @@ -5958,35 +5974,40 @@ ssl3_SendClientSecondRound(sslSocket *ss
266 90
267 ssl_GetXmitBufLock(ss); /*******************************/ 91 ssl_GetXmitBufLock(ss); /*******************************/
268 92
269 - if (ss->ssl3.sendEmptyCert) { 93 - if (ss->ssl3.sendEmptyCert) {
270 - ss->ssl3.sendEmptyCert = PR_FALSE; 94 - ss->ssl3.sendEmptyCert = PR_FALSE;
271 - rv = ssl3_SendEmptyCertificate(ss); 95 - rv = ssl3_SendEmptyCertificate(ss);
272 - /* Don't send verify */ 96 - /* Don't send verify */
273 - if (rv != SECSuccess) { 97 - if (rv != SECSuccess) {
274 - goto loser; /* error code is set. */ 98 - goto loser; /* error code is set. */
275 - } 99 - }
276 - } else if (ss->ssl3.clientCertChain != NULL && 100 - } else if (sendClientCert) {
277 - ss->ssl3.platformClientKey) {
278 -#ifdef NSS_PLATFORM_CLIENT_AUTH
279 - send_verify = PR_TRUE;
280 - rv = ssl3_SendCertificate(ss);
281 - if (rv != SECSuccess) {
282 - goto loser; /* error code is set. */
283 - }
284 -#endif /* NSS_PLATFORM_CLIENT_AUTH */
285 - } else if (ss->ssl3.clientCertChain != NULL &&
286 - ss->ssl3.clientPrivateKey != NULL) {
287 -» send_verify = PR_TRUE;
288 - rv = ssl3_SendCertificate(ss); 101 - rv = ssl3_SendCertificate(ss);
289 - if (rv != SECSuccess) { 102 - if (rv != SECSuccess) {
290 - goto loser; /* error code is set. */ 103 - goto loser; /* error code is set. */
291 - } 104 - }
292 - } 105 - }
293 + sendEmptyCert = ss->ssl3.sendEmptyCert; 106 + sendEmptyCert = ss->ssl3.sendEmptyCert;
294 + ss->ssl3.sendEmptyCert = PR_FALSE; 107 + ss->ssl3.sendEmptyCert = PR_FALSE;
295 + sendCert = !sendEmptyCert &&
296 + ss->ssl3.clientCertChain != NULL &&
297 + (ss->ssl3.platformClientKey ||
298 + ss->ssl3.clientPrivateKey != NULL);
299 108
300 - rv = ssl3_SendClientKeyExchange(ss); 109 - rv = ssl3_SendClientKeyExchange(ss);
301 - if (rv != SECSuccess) { 110 - if (rv != SECSuccess) {
302 - goto loser; /* err is set. */ 111 - goto loser; /* err is set. */
303 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 112 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
304 + send_funcs[n++] = ssl3_SendClientKeyExchange; 113 + send_funcs[n++] = ssl3_SendClientKeyExchange;
305 + send_funcs[n++] = ssl3_SendChangeCipherSpecs; 114 + send_funcs[n++] = ssl3_SendChangeCipherSpecs;
306 + if (sendEmptyCert) { 115 + if (sendEmptyCert) {
307 + send_funcs[n++] = ssl3_SendEmptyCertificate; 116 + send_funcs[n++] = ssl3_SendEmptyCertificate;
308 + } 117 + }
309 +» if (sendCert) { 118 +» if (sendClientCert) {
310 + send_funcs[n++] = ssl3_SendCertificate; 119 + send_funcs[n++] = ssl3_SendCertificate;
311 + send_funcs[n++] = ssl3_SendCertificateVerify; 120 + send_funcs[n++] = ssl3_SendCertificateVerify;
312 + } 121 + }
313 + } else { 122 + } else {
314 + if (sendEmptyCert) { 123 + if (sendEmptyCert) {
315 + send_funcs[n++] = ssl3_SendEmptyCertificate; 124 + send_funcs[n++] = ssl3_SendEmptyCertificate;
316 + } 125 + }
317 +» if (sendCert) { 126 +» if (sendClientCert) {
318 + send_funcs[n++] = ssl3_SendCertificate; 127 + send_funcs[n++] = ssl3_SendCertificate;
319 + } 128 + }
320 + send_funcs[n++] = ssl3_SendClientKeyExchange; 129 + send_funcs[n++] = ssl3_SendClientKeyExchange;
321 +» if (sendCert) { 130 +» if (sendClientCert) {
322 + send_funcs[n++] = ssl3_SendCertificateVerify; 131 + send_funcs[n++] = ssl3_SendCertificateVerify;
323 + } 132 + }
324 + send_funcs[n++] = ssl3_SendChangeCipherSpecs; 133 + send_funcs[n++] = ssl3_SendChangeCipherSpecs;
325 } 134 }
326 135
327 - if (send_verify) { 136 - if (sendClientCert) {
328 - rv = ssl3_SendCertificateVerify(ss); 137 - rv = ssl3_SendCertificateVerify(ss);
138 - if (rv != SECSuccess) {
139 - goto loser; /* err is set. */
140 - }
141 - }
329 + PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0])); 142 + PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0]));
330 + 143
144 - rv = ssl3_SendChangeCipherSpecs(ss);
145 - if (rv != SECSuccess) {
146 -» goto loser;» /* err code was set. */
331 + for (i = 0; i < n; i++) { 147 + for (i = 0; i < n; i++) {
332 + rv = send_funcs[i](ss); 148 + rv = send_funcs[i](ss);
333 » if (rv != SECSuccess) { 149 +» if (rv != SECSuccess) {
334 -» goto loser;»/* err is set. */
335 - }
336 + goto loser; /* err code was set. */ 150 + goto loser; /* err code was set. */
337 + } 151 + }
338 } 152 }
339 - rv = ssl3_SendChangeCipherSpecs(ss);
340 - if (rv != SECSuccess) {
341 - goto loser; /* err code was set. */
342 - }
343 153
344 /* We don't send NPN in a renegotiation as it's explicitly disallowed by 154 /* XXX: If the server's certificate hasn't been authenticated by this
345 * the spec. */ 155 @@ -6201,8 +6222,13 @@ ssl3_SendServerHelloSequence(sslSocket *
346 @@ -6110,8 +6124,13 @@
347 return rv; /* err code is set. */ 156 return rv; /* err code is set. */
348 } 157 }
349 158
350 - ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert 159 - ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
351 - : wait_client_key; 160 - : wait_client_key;
352 + if (ss->opt.requestCertificate && 161 + if (ss->opt.requestCertificate &&
353 + !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 162 + !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
354 + ss->ssl3.hs.ws = wait_client_cert; 163 + ss->ssl3.hs.ws = wait_client_cert;
355 + } else { 164 + } else {
356 + ss->ssl3.hs.ws = wait_client_key; 165 + ss->ssl3.hs.ws = wait_client_key;
357 + } 166 + }
358 + 167 +
359 return SECSuccess; 168 return SECSuccess;
360 } 169 }
361 170
362 @@ -7355,7 +7374,11 @@ 171 @@ -7446,7 +7472,11 @@ ssl3_HandleCertificateVerify(sslSocket *
363 desc = isTLS ? decode_error : illegal_parameter; 172 desc = isTLS ? decode_error : illegal_parameter;
364 goto alert_loser; /* malformed */ 173 goto alert_loser; /* malformed */
365 } 174 }
366 - ss->ssl3.hs.ws = wait_change_cipher; 175 - ss->ssl3.hs.ws = wait_change_cipher;
367 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 176 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
368 + ss->ssl3.hs.ws = wait_finished; 177 + ss->ssl3.hs.ws = wait_finished;
369 + } else { 178 + } else {
370 + ss->ssl3.hs.ws = wait_change_cipher; 179 + ss->ssl3.hs.ws = wait_change_cipher;
371 + } 180 + }
372 return SECSuccess; 181 return SECSuccess;
373 182
374 alert_loser: 183 alert_loser:
375 @@ -8348,7 +8371,11 @@ 184 @@ -8346,7 +8376,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS
376 185 » }
377 cert_block: 186 } else {
378 if (ss->sec.isServer) { 187 server_no_cert:
379 - ss->ssl3.hs.ws = wait_client_key; 188 - ss->ssl3.hs.ws = wait_client_key;
380 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 189 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
381 + ss->ssl3.hs.ws = wait_cert_verify; 190 + ss->ssl3.hs.ws = wait_cert_verify;
382 + } else { 191 + } else {
383 + ss->ssl3.hs.ws = wait_client_key; 192 + ss->ssl3.hs.ws = wait_client_key;
384 + } 193 + }
385 } else { 194 }
386 » ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */ 195
387 » if (ss->ssl3.hs.kea_def->is_limited || 196 PORT_Assert(rv == SECSuccess);
388 @@ -8978,6 +9005,8 @@ 197 @@ -8959,6 +8993,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s
389 if (type == finished) { 198 if (type == finished) {
390 sender = ss->sec.isServer ? sender_client : sender_server; 199 sender = ss->sec.isServer ? sender_client : sender_server;
391 rSpec = ss->ssl3.crSpec; 200 rSpec = ss->ssl3.crSpec;
392 + } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 201 + } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
393 + rSpec = ss->ssl3.crSpec; 202 + rSpec = ss->ssl3.crSpec;
394 } 203 }
395 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); 204 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
396 } 205 }
397 Index: net/third_party/nss/ssl/sslt.h 206 diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/s sl3ext.c
398 =================================================================== 207 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-29 17:12:15.720044263 -0 800
399 --- net/third_party/nss/ssl/sslt.h» (revision 108962) 208 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-29 20:00:15.851981917 -0 800
400 +++ net/third_party/nss/ssl/sslt.h» (working copy) 209 @@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr
401 @@ -206,10 +206,11 @@ 210 » » » PRUint16 ex_type, SECItem *data);
211 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
212 » » » » » PRUint32 maxBytes);
213 +static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss,
214 + PRUint16 ex_type, SECItem *data);
215 +static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss,
216 + PRUint16 ex_type, SECItem *data);
217 +static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss,
218 + PRBool append, PRUint32 maxBytes);
219
220 /*
221 * Write bytes. Using this function means the SECItem structure
222 @@ -240,6 +246,7 @@ static const ssl3HelloExtensionHandler c
223 { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
224 #endif
225 { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
226 + { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn },
227 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
228 { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
229 { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn },
230 @@ -252,6 +259,7 @@ static const ssl3HelloExtensionHandler s
231 { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
232 /* TODO: add a handler for ssl_ec_point_formats_xtn */
233 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
234 + { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn },
235 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
236 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
237 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
238 @@ -279,6 +287,7 @@ ssl3HelloExtensionSender clientHelloSend
239 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
240 #endif
241 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
242 + { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn },
243 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
244 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
245 { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn }
246 @@ -1083,6 +1092,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc
247 return SECSuccess;
248 }
249
250 +static SECStatus
251 +ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
252 +» SECItem *data)
253 +{
254 + if (data->len != 0)
255 +» return SECFailure;
256 +
257 + /* Keep track of negotiated extensions. */
258 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
259 + return SECSuccess;
260 +}
261 +
262 SECStatus
263 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
264 SECItem *data)
265 @@ -1496,6 +1517,24 @@ loser:
266 return rv;
267 }
268
269 +static SECStatus
270 +ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
271 +» SECItem *data)
272 +{
273 + SECStatus rv = SECSuccess;
274 +
275 + if (data->len != 0)
276 +» return SECFailure;
277 +
278 + if (ss->opt.encryptClientCerts) {
279 +» ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
280 +» rv = ssl3_RegisterServerHelloExtensionSender(
281 +» ss, ex_type, ssl3_SendEncryptedClientCertsXtn);
282 + }
283 +
284 + return rv;
285 +}
286 +
287 /*
288 * Read bytes. Using this function means the SECItem structure
289 * cannot be freed. The caller is expected to call this function
290 @@ -1695,6 +1734,33 @@ ssl3_SendRenegotiationInfoXtn(
291 return needed;
292 }
293
294 +static PRInt32
295 +ssl3_SendEncryptedClientCertsXtn(
296 +» » » sslSocket * ss,
297 +» » » PRBool append,
298 +» » » PRUint32 maxBytes)
299 +{
300 + PRInt32 needed;
301 +
302 + if (!ss->opt.encryptClientCerts)
303 +» return 0;
304 +
305 + needed = 4; /* two bytes of type and two of length. */
306 + if (append && maxBytes >= needed) {
307 +» SECStatus rv;
308 +» rv = ssl3_AppendHandshakeNumber(ss, ssl_encrypted_client_certs, 2);
309 +» if (rv != SECSuccess)
310 +» return -1;
311 +» rv = ssl3_AppendHandshakeNumber(ss, 0 /* length */, 2);
312 +» if (rv != SECSuccess)
313 +» return -1;
314 +» ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
315 +» ssl_encrypted_client_certs;
316 + }
317 +
318 + return needed;
319 +}
320 +
321 /* This function runs in both the client and server. */
322 static SECStatus
323 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
324 diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/s slsock.c
325 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-02-29 17:49:08.431530583 -0 800
326 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-02-29 20:00:15.851981917 -0 800
327 @@ -188,6 +188,7 @@ static sslOptions ssl_defaults = {
328 PR_TRUE, /* cbcRandomIV */
329 PR_FALSE, /* enableOCSPStapling */
330 PR_FALSE, /* enableOBCerts */
331 + PR_FALSE, /* encryptClientCerts */
332 };
333
334 sslSessionIDLookupFunc ssl_sid_lookup;
335 @@ -755,6 +756,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
336 » ss->opt.enableOBCerts = on;
337 » break;
338
339 + case SSL_ENCRYPT_CLIENT_CERTS:
340 +» ss->opt.encryptClientCerts = on;
341 +» break;
342 +
343 default:
344 » PORT_SetError(SEC_ERROR_INVALID_ARGS);
345 » rv = SECFailure;
346 @@ -822,6 +827,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
347 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
348 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
349 case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break;
350 + case SSL_ENCRYPT_CLIENT_CERTS:
351 + on = ss->opt.encryptClientCerts; break;
352
353 default:
354 » PORT_SetError(SEC_ERROR_INVALID_ARGS);
355 @@ -880,6 +887,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
356 » on = ssl_defaults.enableOCSPStapling;
357 » break;
358 case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break;
359 + case SSL_ENCRYPT_CLIENT_CERTS:
360 + on = ssl_defaults.encryptClientCerts; break;
361
362 default:
363 » PORT_SetError(SEC_ERROR_INVALID_ARGS);
364 @@ -1047,6 +1056,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
365 » ssl_defaults.enableOBCerts = on;
366 » break;
367
368 + case SSL_ENCRYPT_CLIENT_CERTS:
369 +» ssl_defaults.encryptClientCerts = on;
370 +» break;
371 +
372 default:
373 » PORT_SetError(SEC_ERROR_INVALID_ARGS);
374 » return SECFailure;
375 diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt .h
376 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-02-29 17:12:15.780045080 -0 800
377 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-02-29 19:34:43.921452065 -0 800
378 @@ -205,10 +205,11 @@ typedef enum {
379 #endif
402 ssl_session_ticket_xtn = 35, 380 ssl_session_ticket_xtn = 35,
403 ssl_next_proto_neg_xtn = 13172, 381 ssl_next_proto_nego_xtn = 13172,
404 ssl_cached_info_xtn = 13173,
405 + ssl_encrypted_client_certs = 13180, /* not IANA assigned. */ 382 + ssl_encrypted_client_certs = 13180, /* not IANA assigned. */
406 ssl_renegotiation_info_xtn = 0xff01, /* experimental number */ 383 ssl_renegotiation_info_xtn = 0xff01, /* experimental number */
407 ssl_ob_cert_xtn = 13175 /* experimental number */ 384 ssl_ob_cert_xtn = 13175 /* experimental number */
408 } SSLExtensionType; 385 } SSLExtensionType;
409 386
410 -#define SSL_MAX_EXTENSIONS 9 387 -#define SSL_MAX_EXTENSIONS 8
411 +#define SSL_MAX_EXTENSIONS 10 388 +#define SSL_MAX_EXTENSIONS 9
412 389
413 #endif /* __sslt_h_ */ 390 #endif /* __sslt_h_ */
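Review bot: In the ssl3_HandleCertificate hunk (new side, at `server_no_cert:`), the server moves to `wait_cert_verify` whenever ssl_encrypted_client_certs was negotiated, but the client's encrypted-certs sequence in ssl3_SendClientSecondRound queues no ssl3_SendCertificateVerify after ssl3_SendEmptyCertificate. Judging by the label, this branch is also reached when the client presents no certificate, so the next message would be Finished while the server still expects CertificateVerify; how Finished is handled in that state is outside this page and should be confirmed. If it is rejected there, pick the state by whether a certificate was actually received, e.g. `ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_finished;`. A short comment at that branch listing the reordered flight (ClientKeyExchange, ChangeCipherSpec, Certificate, CertificateVerify, Finished) would also make the wait-state changes spread across ssl3con.c easier to audit. Most of ssl3_HandleCertificate's body lies outside the hunk.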