Index: net/third_party/nss/patches/origin_bound_certs.patch |
=================================================================== |
--- net/third_party/nss/patches/origin_bound_certs.patch (revision 124804) |
+++ net/third_party/nss/patches/origin_bound_certs.patch (working copy) |
@@ -1,59 +1,44 @@ |
-From 68d651bb679cd9da8f162774c5dcf40aad5ae3f1 Mon Sep 17 00:00:00 2001 |
-From: Adam Langley <agl@chromium.org> |
-Date: Mon, 3 Oct 2011 12:25:10 -0400 |
-Subject: [PATCH] origin_bound_certs.patch |
- |
---- |
- mozilla/security/nss/lib/ssl/ssl.h | 1 + |
- mozilla/security/nss/lib/ssl/ssl3ext.c | 82 +++++++++++++++++++++++++++++++- |
- mozilla/security/nss/lib/ssl/sslimpl.h | 7 +++ |
- mozilla/security/nss/lib/ssl/sslsock.c | 13 +++++- |
- mozilla/security/nss/lib/ssl/sslt.h | 5 +- |
- 5 files changed, 104 insertions(+), 4 deletions(-) |
- |
-diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h |
-index c32438d..1115fa9 100644 |
---- a/mozilla/security/nss/lib/ssl/ssl.h |
-+++ b/mozilla/security/nss/lib/ssl/ssl.h |
-@@ -142,6 +142,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd); |
- #define SSL_ENABLE_OCSP_STAPLING 23 /* Request OCSP stapling (client) */ |
- #define SSL_ENABLE_CACHED_INFO 24 /* Enable TLS cached information */ |
- /* extension, off by default. */ |
+diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h |
+--- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 14:41:25.755295547 -0800 |
++++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 16:45:47.368569394 -0800 |
+@@ -168,6 +168,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi |
+ */ |
+ #define SSL_CBC_RANDOM_IV 23 |
+ #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ |
+#define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */ |
#ifdef SSL_DEPRECATED_FUNCTION |
/* Old deprecated function names */ |
-diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c |
-index 17898fb..887344b 100644 |
---- a/mozilla/security/nss/lib/ssl/ssl3ext.c |
-+++ b/mozilla/security/nss/lib/ssl/ssl3ext.c |
-@@ -237,6 +237,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = { |
+diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c |
+--- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 20:34:50.114663722 -0800 |
++++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-29 17:05:21.684414824 -0800 |
+@@ -242,6 +242,7 @@ static const ssl3HelloExtensionHandler c |
+ { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn }, |
{ ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
- { ssl_next_proto_neg_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, |
- { ssl_cached_info_xtn, &ssl3_ServerHandleCachedInfoXtn }, |
+ { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn }, |
+ { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn }, |
{ -1, NULL } |
}; |
-@@ -250,6 +251,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { |
- { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
- { ssl_cached_info_xtn, &ssl3_ClientHandleCachedInfoXtn }, |
+@@ -254,6 +255,7 @@ static const ssl3HelloExtensionHandler s |
+ { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
+ { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
{ ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
+ { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn }, |
{ -1, NULL } |
}; |
-@@ -275,7 +277,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { |
+@@ -278,7 +280,8 @@ ssl3HelloExtensionSender clientHelloSend |
+ #endif |
{ ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
- { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
- { ssl_cached_info_xtn, &ssl3_ClientSendCachedInfoXtn }, |
+ { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } |
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
+ { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn } |
/* any extra entries will appear as { 0, NULL } */ |
}; |
-@@ -1973,3 +1976,80 @@ ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
+@@ -1723,3 +1726,80 @@ ssl3_HandleRenegotiationInfoXtn(sslSocke |
return rv; |
} |
@@ -134,19 +119,18 @@ |
+ |
+ return SECSuccess; |
+} |
-diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h |
-index f1e9a3e..973a3c9 100644 |
---- a/mozilla/security/nss/lib/ssl/sslimpl.h |
-+++ b/mozilla/security/nss/lib/ssl/sslimpl.h |
-@@ -341,6 +341,7 @@ typedef struct sslOptionsStr { |
+diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h |
+--- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 20:34:50.114663722 -0800 |
++++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 16:57:21.097919853 -0800 |
+@@ -349,6 +349,7 @@ typedef struct sslOptionsStr { |
unsigned int enableFalseStart : 1; /* 23 */ |
- unsigned int enableOCSPStapling : 1; /* 24 */ |
- unsigned int enableCachedInfo : 1; /* 25 */ |
+ unsigned int cbcRandomIV : 1; /* 24 */ |
+ unsigned int enableOCSPStapling : 1; /* 25 */ |
+ unsigned int enableOBCerts : 1; /* 26 */ |
} sslOptions; |
typedef enum { sslHandshakingUndetermined = 0, |
-@@ -1547,10 +1548,14 @@ extern SECStatus ssl3_ClientHandleCachedInfoXtn(sslSocket *ss, |
+@@ -1563,8 +1564,12 @@ extern SECStatus ssl3_ClientHandleSessio |
PRUint16 ex_type, SECItem *data); |
extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, |
PRUint16 ex_type, SECItem *data); |
@@ -154,36 +138,33 @@ |
+ PRUint16 ex_type, SECItem *data); |
extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, |
PRUint16 ex_type, SECItem *data); |
- extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, |
- PRUint16 ex_type, SECItem *data); |
+extern SECStatus ssl3_ServerHandleOBCertXtn(sslSocket *ss, |
+ PRUint16 ex_type, SECItem *data); |
/* ClientHello and ServerHello extension senders. |
* Note that not all extension senders are exposed here; only those that |
-@@ -1570,6 +1575,8 @@ extern PRInt32 ssl3_ClientSendCachedInfoXtn(sslSocket *ss, PRBool append, |
+@@ -1580,6 +1585,8 @@ extern PRInt32 ssl3_ClientSendStatusRequ |
+ */ |
+ extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append, |
PRUint32 maxBytes); |
- extern PRInt32 ssl3_ServerSendCachedInfoXtn(sslSocket *ss, PRBool append, |
- PRUint32 maxBytes); |
+extern PRInt32 ssl3_SendOBCertXtn(sslSocket *ss, PRBool append, |
+ PRUint32 maxBytes); |
/* Assigns new cert, cert chain and keys to ss->serverCerts |
* struct. If certChain is NULL, tries to find one. Aborts if |
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c |
-index 11b53da..7d12bfe 100644 |
---- a/mozilla/security/nss/lib/ssl/sslsock.c |
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c |
+diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c |
+--- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 14:41:25.755295547 -0800 |
++++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 17:03:16.272715683 -0800 |
@@ -187,6 +187,7 @@ static sslOptions ssl_defaults = { |
PR_FALSE, /* enableFalseStart */ |
+ PR_TRUE, /* cbcRandomIV */ |
PR_FALSE, /* enableOCSPStapling */ |
- PR_FALSE, /* enableCachedInfo */ |
+ PR_FALSE, /* enableOBCerts */ |
}; |
sslSessionIDLookupFunc ssl_sid_lookup; |
-@@ -748,6 +749,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on) |
- ss->opt.enableCachedInfo = on; |
+@@ -750,6 +751,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh |
+ ss->opt.enableOCSPStapling = on; |
break; |
+ case SSL_ENABLE_OB_CERTS: |
@@ -193,26 +174,24 @@ |
default: |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
rv = SECFailure; |
-@@ -813,7 +818,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn) |
- on = ss->opt.requireSafeNegotiation; break; |
+@@ -816,6 +821,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh |
case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; |
+ case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
-- case SSL_ENABLE_CACHED_INFO: on = ss->opt.enableCachedInfo; break; |
-+ case SSL_ENABLE_CACHED_INFO: on = ss->opt.enableCachedInfo; break; |
+ case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break; |
default: |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
-@@ -869,6 +875,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn) |
+@@ -873,6 +879,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBo |
+ case SSL_ENABLE_OCSP_STAPLING: |
on = ssl_defaults.enableOCSPStapling; |
break; |
- case SSL_ENABLE_CACHED_INFO: on = ssl_defaults.enableCachedInfo; break; |
+ case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break; |
default: |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
-@@ -1024,6 +1031,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on) |
- ssl_defaults.enableCachedInfo = on; |
+@@ -1036,6 +1043,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo |
+ ssl_defaults.enableOCSPStapling = on; |
break; |
+ case SSL_ENABLE_OB_CERTS: |
@@ -222,20 +201,19 @@ |
default: |
PORT_SetError(SEC_ERROR_INVALID_ARGS); |
return SECFailure; |
-diff --git a/mozilla/security/nss/lib/ssl/sslt.h b/mozilla/security/nss/lib/ssl/sslt.h |
-index bca7496..5f852fe 100644 |
---- a/mozilla/security/nss/lib/ssl/sslt.h |
-+++ b/mozilla/security/nss/lib/ssl/sslt.h |
-@@ -206,9 +206,10 @@ typedef enum { |
+diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h |
+--- a/src/net/third_party/nss/ssl/sslt.h 2012-02-28 19:26:04.057351342 -0800 |
++++ b/src/net/third_party/nss/ssl/sslt.h 2012-02-29 17:05:03.744171015 -0800 |
+@@ -205,9 +205,10 @@ typedef enum { |
+ #endif |
ssl_session_ticket_xtn = 35, |
- ssl_next_proto_neg_xtn = 13172, |
- ssl_cached_info_xtn = 13173, |
+ ssl_next_proto_nego_xtn = 13172, |
- ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
+ ssl_renegotiation_info_xtn = 0xff01, /* experimental number */ |
+ ssl_ob_cert_xtn = 13175 /* experimental number */ |
} SSLExtensionType; |
--#define SSL_MAX_EXTENSIONS 8 |
-+#define SSL_MAX_EXTENSIONS 9 |
+-#define SSL_MAX_EXTENSIONS 7 |
++#define SSL_MAX_EXTENSIONS 8 |
#endif /* __sslt_h_ */ |