Index: net/third_party/nss/patches/encryptedclientcerts.patch |
=================================================================== |
--- net/third_party/nss/patches/encryptedclientcerts.patch (revision 124804) |
+++ net/third_party/nss/patches/encryptedclientcerts.patch (working copy) |
@@ -1,208 +1,34 @@ |
-Index: net/third_party/nss/ssl/ssl.h |
-=================================================================== |
---- net/third_party/nss/ssl/ssl.h (revision 108962) |
-+++ net/third_party/nss/ssl/ssl.h (working copy) |
-@@ -143,6 +143,7 @@ |
- #define SSL_ENABLE_CACHED_INFO 24 /* Enable TLS cached information */ |
- /* extension, off by default. */ |
+diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h |
+--- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 19:15:20.975171099 -0800 |
++++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 19:18:21.947702106 -0800 |
+@@ -169,6 +169,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi |
+ #define SSL_CBC_RANDOM_IV 23 |
+ #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ |
#define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */ |
+#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */ |
#ifdef SSL_DEPRECATED_FUNCTION |
/* Old deprecated function names */ |
-Index: net/third_party/nss/ssl/sslimpl.h |
-=================================================================== |
---- net/third_party/nss/ssl/sslimpl.h (revision 108962) |
-+++ net/third_party/nss/ssl/sslimpl.h (working copy) |
-@@ -350,6 +350,7 @@ |
- unsigned int enableOCSPStapling : 1; /* 24 */ |
- unsigned int enableCachedInfo : 1; /* 25 */ |
+diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h |
+--- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 19:15:20.975171099 -0800 |
++++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 19:19:26.478604857 -0800 |
+@@ -350,6 +350,7 @@ typedef struct sslOptionsStr { |
+ unsigned int cbcRandomIV : 1; /* 24 */ |
+ unsigned int enableOCSPStapling : 1; /* 25 */ |
unsigned int enableOBCerts : 1; /* 26 */ |
+ unsigned int encryptClientCerts : 1; /* 27 */ |
} sslOptions; |
typedef enum { sslHandshakingUndetermined = 0, |
-Index: net/third_party/nss/ssl/ssl3ext.c |
-=================================================================== |
---- net/third_party/nss/ssl/ssl3ext.c (revision 108962) |
-+++ net/third_party/nss/ssl/ssl3ext.c (working copy) |
-@@ -78,6 +78,12 @@ |
- PRBool append, PRUint32 maxBytes); |
- static SECStatus ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, |
- PRUint16 ex_type, SECItem *data); |
-+static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, |
-+ PRUint16 ex_type, SECItem *data); |
-+static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, |
-+ PRUint16 ex_type, SECItem *data); |
-+static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss, |
-+ PRBool append, PRUint32 maxBytes); |
+diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c |
+--- a/src/net/third_party/nss/ssl/ssl3con.c 2012-02-29 19:15:20.975171099 -0800 |
++++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-02-29 20:00:15.851981917 -0800 |
+@@ -2863,7 +2863,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket * |
- /* |
- * Write bytes. Using this function means the SECItem structure |
-@@ -234,6 +240,7 @@ |
- { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, |
- #endif |
- { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, |
-+ { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn }, |
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
- { ssl_next_proto_neg_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, |
- { ssl_cached_info_xtn, &ssl3_ServerHandleCachedInfoXtn }, |
-@@ -247,6 +254,7 @@ |
- { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, |
- /* TODO: add a handler for ssl_ec_point_formats_xtn */ |
- { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, |
-+ { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn }, |
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
- { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
- { ssl_cached_info_xtn, &ssl3_ClientHandleCachedInfoXtn }, |
-@@ -275,6 +283,7 @@ |
- { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, |
- #endif |
- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
-+ { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn }, |
- { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
- { ssl_cached_info_xtn, &ssl3_ClientSendCachedInfoXtn }, |
- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
-@@ -1318,6 +1327,18 @@ |
- return SECSuccess; |
- } |
- |
-+static SECStatus |
-+ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, |
-+ SECItem *data) |
-+{ |
-+ if (data->len != 0) |
-+ return SECFailure; |
-+ |
-+ /* Keep track of negotiated extensions. */ |
-+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
-+ return SECSuccess; |
-+} |
-+ |
- SECStatus |
- ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, |
- SECItem *data) |
-@@ -1728,6 +1749,24 @@ |
- return rv; |
- } |
- |
-+static SECStatus |
-+ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, |
-+ SECItem *data) |
-+{ |
-+ SECStatus rv = SECSuccess; |
-+ |
-+ if (data->len != 0) |
-+ return SECFailure; |
-+ |
-+ if (ss->opt.encryptClientCerts) { |
-+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
-+ rv = ssl3_RegisterServerHelloExtensionSender( |
-+ ss, ex_type, ssl3_SendEncryptedClientCertsXtn); |
-+ } |
-+ |
-+ return rv; |
-+} |
-+ |
- /* |
- * Read bytes. Using this function means the SECItem structure |
- * cannot be freed. The caller is expected to call this function |
-@@ -1927,6 +1966,33 @@ |
- return needed; |
- } |
- |
-+static PRInt32 |
-+ssl3_SendEncryptedClientCertsXtn( |
-+ sslSocket * ss, |
-+ PRBool append, |
-+ PRUint32 maxBytes) |
-+{ |
-+ PRInt32 needed; |
-+ |
-+ if (!ss->opt.encryptClientCerts) |
-+ return 0; |
-+ |
-+ needed = 4; /* two bytes of type and two of length. */ |
-+ if (append && maxBytes >= needed) { |
-+ SECStatus rv; |
-+ rv = ssl3_AppendHandshakeNumber(ss, ssl_encrypted_client_certs, 2); |
-+ if (rv != SECSuccess) |
-+ return -1; |
-+ rv = ssl3_AppendHandshakeNumber(ss, 0 /* length */, 2); |
-+ if (rv != SECSuccess) |
-+ return -1; |
-+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
-+ ssl_encrypted_client_certs; |
-+ } |
-+ |
-+ return needed; |
-+} |
-+ |
- /* This function runs in both the client and server. */ |
- static SECStatus |
- ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
-Index: net/third_party/nss/ssl/sslsock.c |
-=================================================================== |
---- net/third_party/nss/ssl/sslsock.c (revision 108962) |
-+++ net/third_party/nss/ssl/sslsock.c (working copy) |
-@@ -188,6 +188,7 @@ |
- PR_FALSE, /* enableOCSPStapling */ |
- PR_FALSE, /* enableCachedInfo */ |
- PR_FALSE, /* enableOBCerts */ |
-+ PR_FALSE, /* encryptClientCerts */ |
- }; |
- |
- sslSessionIDLookupFunc ssl_sid_lookup; |
-@@ -757,6 +758,10 @@ |
- ss->opt.enableOBCerts = on; |
- break; |
- |
-+ case SSL_ENCRYPT_CLIENT_CERTS: |
-+ ss->opt.encryptClientCerts = on; |
-+ break; |
-+ |
- default: |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- rv = SECFailure; |
-@@ -824,6 +829,8 @@ |
- case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
- case SSL_ENABLE_CACHED_INFO: on = ss->opt.enableCachedInfo; break; |
- case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break; |
-+ case SSL_ENCRYPT_CLIENT_CERTS: |
-+ on = ss->opt.encryptClientCerts; break; |
- |
- default: |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
-@@ -880,6 +887,8 @@ |
- break; |
- case SSL_ENABLE_CACHED_INFO: on = ssl_defaults.enableCachedInfo; break; |
- case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break; |
-+ case SSL_ENCRYPT_CLIENT_CERTS: |
-+ on = ssl_defaults.encryptClientCerts; break; |
- |
- default: |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
-@@ -1039,6 +1048,10 @@ |
- ssl_defaults.enableOBCerts = on; |
- break; |
- |
-+ case SSL_ENCRYPT_CLIENT_CERTS: |
-+ ssl_defaults.encryptClientCerts = on; |
-+ break; |
-+ |
- default: |
- PORT_SetError(SEC_ERROR_INVALID_ARGS); |
- return SECFailure; |
-Index: net/third_party/nss/ssl/ssl3con.c |
-=================================================================== |
---- net/third_party/nss/ssl/ssl3con.c (revision 108962) |
-+++ net/third_party/nss/ssl/ssl3con.c (working copy) |
-@@ -2835,8 +2835,15 @@ |
- |
ss->ssl3.prSpec = ss->ssl3.crSpec; |
ss->ssl3.crSpec = prSpec; |
- ss->ssl3.hs.ws = wait_finished; |
- |
++ |
+ if (ss->sec.isServer && |
+ ss->opt.requestCertificate && |
+ ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
@@ -210,11 +36,10 @@ |
+ } else { |
+ ss->ssl3.hs.ws = wait_finished; |
+ } |
-+ |
+ |
SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending", |
SSL_GETPID(), ss->fd )); |
- |
-@@ -4850,10 +4857,11 @@ |
+@@ -4877,10 +4884,11 @@ loser: |
static SECStatus |
ssl3_SendCertificateVerify(sslSocket *ss) |
{ |
@@ -230,7 +55,7 @@ |
PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
-@@ -4862,13 +4870,17 @@ |
+@@ -4889,13 +4897,17 @@ ssl3_SendCertificateVerify(sslSocket *ss |
SSL_GETPID(), ss->fd)); |
ssl_GetSpecReadLock(ss); |
@@ -250,19 +75,18 @@ |
if (ss->ssl3.platformClientKey) { |
#ifdef NSS_PLATFORM_CLIENT_AUTH |
rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, |
-@@ -5840,7 +5852,10 @@ |
+@@ -5912,6 +5924,10 @@ ssl3_SendClientSecondRound(sslSocket *ss |
{ |
- SECStatus rv; |
- SSL3WaitState ws = ss->ssl3.hs.ws; |
-- PRBool send_verify = PR_FALSE; |
-+ PRBool sendEmptyCert, sendCert; |
-+ int n = 0, i; |
+ SECStatus rv; |
+ PRBool sendClientCert; |
++ PRBool sendEmptyCert; |
++ int n = 0, i; |
+ typedef SECStatus (*SendFunction)(sslSocket*); |
+ SendFunction send_funcs[5]; |
- SSL_TRC(3, ("%d: SSL3[%d]: handle server_hello_done handshake", |
- SSL_GETPID(), ss->fd)); |
-@@ -5858,46 +5873,45 @@ |
+ PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
+ PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
+@@ -5958,35 +5974,40 @@ ssl3_SendClientSecondRound(sslSocket *ss |
ssl_GetXmitBufLock(ss); /*******************************/ |
@@ -273,18 +97,7 @@ |
- if (rv != SECSuccess) { |
- goto loser; /* error code is set. */ |
- } |
-- } else if (ss->ssl3.clientCertChain != NULL && |
-- ss->ssl3.platformClientKey) { |
--#ifdef NSS_PLATFORM_CLIENT_AUTH |
-- send_verify = PR_TRUE; |
-- rv = ssl3_SendCertificate(ss); |
-- if (rv != SECSuccess) { |
-- goto loser; /* error code is set. */ |
-- } |
--#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
-- } else if (ss->ssl3.clientCertChain != NULL && |
-- ss->ssl3.clientPrivateKey != NULL) { |
-- send_verify = PR_TRUE; |
+- } else if (sendClientCert) { |
- rv = ssl3_SendCertificate(ss); |
- if (rv != SECSuccess) { |
- goto loser; /* error code is set. */ |
@@ -292,10 +105,6 @@ |
- } |
+ sendEmptyCert = ss->ssl3.sendEmptyCert; |
+ ss->ssl3.sendEmptyCert = PR_FALSE; |
-+ sendCert = !sendEmptyCert && |
-+ ss->ssl3.clientCertChain != NULL && |
-+ (ss->ssl3.platformClientKey || |
-+ ss->ssl3.clientPrivateKey != NULL); |
- rv = ssl3_SendClientKeyExchange(ss); |
- if (rv != SECSuccess) { |
@@ -306,7 +115,7 @@ |
+ if (sendEmptyCert) { |
+ send_funcs[n++] = ssl3_SendEmptyCertificate; |
+ } |
-+ if (sendCert) { |
++ if (sendClientCert) { |
+ send_funcs[n++] = ssl3_SendCertificate; |
+ send_funcs[n++] = ssl3_SendCertificateVerify; |
+ } |
@@ -314,36 +123,36 @@ |
+ if (sendEmptyCert) { |
+ send_funcs[n++] = ssl3_SendEmptyCertificate; |
+ } |
-+ if (sendCert) { |
++ if (sendClientCert) { |
+ send_funcs[n++] = ssl3_SendCertificate; |
+ } |
+ send_funcs[n++] = ssl3_SendClientKeyExchange; |
-+ if (sendCert) { |
++ if (sendClientCert) { |
+ send_funcs[n++] = ssl3_SendCertificateVerify; |
+ } |
+ send_funcs[n++] = ssl3_SendChangeCipherSpecs; |
} |
-- if (send_verify) { |
+- if (sendClientCert) { |
- rv = ssl3_SendCertificateVerify(ss); |
+- if (rv != SECSuccess) { |
+- goto loser; /* err is set. */ |
+- } |
+- } |
+ PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0])); |
-+ |
+ |
+- rv = ssl3_SendChangeCipherSpecs(ss); |
+- if (rv != SECSuccess) { |
+- goto loser; /* err code was set. */ |
+ for (i = 0; i < n; i++) { |
+ rv = send_funcs[i](ss); |
- if (rv != SECSuccess) { |
-- goto loser; /* err is set. */ |
-- } |
++ if (rv != SECSuccess) { |
+ goto loser; /* err code was set. */ |
+ } |
} |
-- rv = ssl3_SendChangeCipherSpecs(ss); |
-- if (rv != SECSuccess) { |
-- goto loser; /* err code was set. */ |
-- } |
- /* We don't send NPN in a renegotiation as it's explicitly disallowed by |
- * the spec. */ |
-@@ -6110,8 +6124,13 @@ |
+ /* XXX: If the server's certificate hasn't been authenticated by this |
+@@ -6201,8 +6222,13 @@ ssl3_SendServerHelloSequence(sslSocket * |
return rv; /* err code is set. */ |
} |
@@ -359,7 +168,7 @@ |
return SECSuccess; |
} |
-@@ -7355,7 +7374,11 @@ |
+@@ -7446,7 +7472,11 @@ ssl3_HandleCertificateVerify(sslSocket * |
desc = isTLS ? decode_error : illegal_parameter; |
goto alert_loser; /* malformed */ |
} |
@@ -372,20 +181,20 @@ |
return SECSuccess; |
alert_loser: |
-@@ -8348,7 +8371,11 @@ |
- |
- cert_block: |
- if (ss->sec.isServer) { |
+@@ -8346,7 +8376,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS |
+ } |
+ } else { |
+ server_no_cert: |
- ss->ssl3.hs.ws = wait_client_key; |
+ if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
+ ss->ssl3.hs.ws = wait_cert_verify; |
+ } else { |
+ ss->ssl3.hs.ws = wait_client_key; |
+ } |
- } else { |
- ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */ |
- if (ss->ssl3.hs.kea_def->is_limited || |
-@@ -8978,6 +9005,8 @@ |
+ } |
+ |
+ PORT_Assert(rv == SECSuccess); |
+@@ -8959,6 +8993,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s |
if (type == finished) { |
sender = ss->sec.isServer ? sender_client : sender_server; |
rSpec = ss->ssl3.crSpec; |
@@ -394,20 +203,188 @@ |
} |
rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); |
} |
-Index: net/third_party/nss/ssl/sslt.h |
-=================================================================== |
---- net/third_party/nss/ssl/sslt.h (revision 108962) |
-+++ net/third_party/nss/ssl/sslt.h (working copy) |
-@@ -206,10 +206,11 @@ |
+diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c |
+--- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-29 17:12:15.720044263 -0800 |
++++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-29 20:00:15.851981917 -0800 |
+@@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr |
+ PRUint16 ex_type, SECItem *data); |
+ static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, |
+ PRUint32 maxBytes); |
++static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, |
++ PRUint16 ex_type, SECItem *data); |
++static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, |
++ PRUint16 ex_type, SECItem *data); |
++static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss, |
++ PRBool append, PRUint32 maxBytes); |
+ |
+ /* |
+ * Write bytes. Using this function means the SECItem structure |
+@@ -240,6 +246,7 @@ static const ssl3HelloExtensionHandler c |
+ { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn }, |
+ #endif |
+ { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, |
++ { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn }, |
+ { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
+ { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, |
+ { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn }, |
+@@ -252,6 +259,7 @@ static const ssl3HelloExtensionHandler s |
+ { ssl_server_name_xtn, &ssl3_HandleServerNameXtn }, |
+ /* TODO: add a handler for ssl_ec_point_formats_xtn */ |
+ { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, |
++ { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn }, |
+ { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
+ { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
+ { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
+@@ -279,6 +287,7 @@ ssl3HelloExtensionSender clientHelloSend |
+ { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, |
+ #endif |
+ { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
++ { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn }, |
+ { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
+ { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn } |
+@@ -1083,6 +1092,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc |
+ return SECSuccess; |
+ } |
+ |
++static SECStatus |
++ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, |
++ SECItem *data) |
++{ |
++ if (data->len != 0) |
++ return SECFailure; |
++ |
++ /* Keep track of negotiated extensions. */ |
++ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
++ return SECSuccess; |
++} |
++ |
+ SECStatus |
+ ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, |
+ SECItem *data) |
+@@ -1496,6 +1517,24 @@ loser: |
+ return rv; |
+ } |
+ |
++static SECStatus |
++ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, |
++ SECItem *data) |
++{ |
++ SECStatus rv = SECSuccess; |
++ |
++ if (data->len != 0) |
++ return SECFailure; |
++ |
++ if (ss->opt.encryptClientCerts) { |
++ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
++ rv = ssl3_RegisterServerHelloExtensionSender( |
++ ss, ex_type, ssl3_SendEncryptedClientCertsXtn); |
++ } |
++ |
++ return rv; |
++} |
++ |
+ /* |
+ * Read bytes. Using this function means the SECItem structure |
+ * cannot be freed. The caller is expected to call this function |
+@@ -1695,6 +1734,33 @@ ssl3_SendRenegotiationInfoXtn( |
+ return needed; |
+ } |
+ |
++static PRInt32 |
++ssl3_SendEncryptedClientCertsXtn( |
++ sslSocket * ss, |
++ PRBool append, |
++ PRUint32 maxBytes) |
++{ |
++ PRInt32 needed; |
++ |
++ if (!ss->opt.encryptClientCerts) |
++ return 0; |
++ |
++ needed = 4; /* two bytes of type and two of length. */ |
++ if (append && maxBytes >= needed) { |
++ SECStatus rv; |
++ rv = ssl3_AppendHandshakeNumber(ss, ssl_encrypted_client_certs, 2); |
++ if (rv != SECSuccess) |
++ return -1; |
++ rv = ssl3_AppendHandshakeNumber(ss, 0 /* length */, 2); |
++ if (rv != SECSuccess) |
++ return -1; |
++ ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
++ ssl_encrypted_client_certs; |
++ } |
++ |
++ return needed; |
++} |
++ |
+ /* This function runs in both the client and server. */ |
+ static SECStatus |
+ ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
+diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c |
+--- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 17:49:08.431530583 -0800 |
++++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 20:00:15.851981917 -0800 |
+@@ -188,6 +188,7 @@ static sslOptions ssl_defaults = { |
+ PR_TRUE, /* cbcRandomIV */ |
+ PR_FALSE, /* enableOCSPStapling */ |
+ PR_FALSE, /* enableOBCerts */ |
++ PR_FALSE, /* encryptClientCerts */ |
+ }; |
+ |
+ sslSessionIDLookupFunc ssl_sid_lookup; |
+@@ -755,6 +756,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh |
+ ss->opt.enableOBCerts = on; |
+ break; |
+ |
++ case SSL_ENCRYPT_CLIENT_CERTS: |
++ ss->opt.encryptClientCerts = on; |
++ break; |
++ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ rv = SECFailure; |
+@@ -822,6 +827,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh |
+ case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
+ case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
+ case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break; |
++ case SSL_ENCRYPT_CLIENT_CERTS: |
++ on = ss->opt.encryptClientCerts; break; |
+ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+@@ -880,6 +887,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo |
+ on = ssl_defaults.enableOCSPStapling; |
+ break; |
+ case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break; |
++ case SSL_ENCRYPT_CLIENT_CERTS: |
++ on = ssl_defaults.encryptClientCerts; break; |
+ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+@@ -1047,6 +1056,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo |
+ ssl_defaults.enableOBCerts = on; |
+ break; |
+ |
++ case SSL_ENCRYPT_CLIENT_CERTS: |
++ ssl_defaults.encryptClientCerts = on; |
++ break; |
++ |
+ default: |
+ PORT_SetError(SEC_ERROR_INVALID_ARGS); |
+ return SECFailure; |
+diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h |
+--- a/src/net/third_party/nss/ssl/sslt.h 2012-02-29 17:12:15.780045080 -0800 |
++++ b/src/net/third_party/nss/ssl/sslt.h 2012-02-29 19:34:43.921452065 -0800 |
+@@ -205,10 +205,11 @@ typedef enum { |
+ #endif |
ssl_session_ticket_xtn = 35, |
- ssl_next_proto_neg_xtn = 13172, |
- ssl_cached_info_xtn = 13173, |
+ ssl_next_proto_nego_xtn = 13172, |
+ ssl_encrypted_client_certs = 13180, /* not IANA assigned. */ |
ssl_renegotiation_info_xtn = 0xff01, /* experimental number */ |
ssl_ob_cert_xtn = 13175 /* experimental number */ |
} SSLExtensionType; |
--#define SSL_MAX_EXTENSIONS 9 |
-+#define SSL_MAX_EXTENSIONS 10 |
+-#define SSL_MAX_EXTENSIONS 8 |
++#define SSL_MAX_EXTENSIONS 9 |
#endif /* __sslt_h_ */ |