Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(671)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/third_party/nss/patches/ocspstapling.patch

Issue 9558017: Update net/third_party/nss to NSS 3.13.3. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Add new files in NSS 3.13.3 Created 8 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/third_party/nss/README.chromium ('K') | « net/third_party/nss/patches/nextproto.patch ('k') | net/third_party/nss/patches/origin_bound_certs.patch » ('j') | net/third_party/nss/ssl/ssl3con.c » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/third_party/nss/patches/ocspstapling.patch
===================================================================
--- net/third_party/nss/patches/ocspstapling.patch (revision 124098)
+++ net/third_party/nss/patches/ocspstapling.patch (working copy)
@@ -1,47 +1,17 @@
-From 5d8c33901f2b1be41afd1b0211bee5d5236a868d Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@chromium.org>
-Date: Mon, 3 Oct 2011 12:21:00 -0400
-Subject: [PATCH] ocspstapling.patch
-
----
- mozilla/security/nss/lib/ssl/ssl.def | 1 +
- mozilla/security/nss/lib/ssl/ssl.h | 18 +++++
- mozilla/security/nss/lib/ssl/ssl3con.c | 111 +++++++++++++++++++++++++++++++
- mozilla/security/nss/lib/ssl/ssl3ext.c | 78 +++++++++++++++++++++-
- mozilla/security/nss/lib/ssl/ssl3prot.h | 1 +
- mozilla/security/nss/lib/ssl/sslerr.h | 2 +
- mozilla/security/nss/lib/ssl/sslimpl.h | 13 ++++
- mozilla/security/nss/lib/ssl/sslsock.c | 43 ++++++++++++
- mozilla/security/nss/lib/ssl/sslt.h | 3 +-
- 9 files changed, 268 insertions(+), 2 deletions(-)
-
-diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def
-index 0fa8777..35cc1e3 100644
---- a/mozilla/security/nss/lib/ssl/ssl.def
-+++ b/mozilla/security/nss/lib/ssl/ssl.def
-@@ -155,6 +155,7 @@ SSL_SNISocketConfigHook;
- ;+NSS_CHROMIUM {
- ;+ global:
- SSL_GetNextProto;
-+SSL_GetStapledOCSPResponse;
- SSL_PeerCertificateChain;
- SSL_SetNextProtoNego;
- ;+ local:
-diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
-index cccb49a..221fe2d 100644
---- a/mozilla/security/nss/lib/ssl/ssl.h
-+++ b/mozilla/security/nss/lib/ssl/ssl.h
-@@ -139,6 +139,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
- /* occur on RSA or DH ciphersuites where the cipher's key length is >= 80 */
- /* bits. The advantage of False Start is that it saves a round trip for */
- /* client-speaks-first protocols when performing a full handshake. */
-+#define SSL_ENABLE_OCSP_STAPLING 23 /* Request OCSP stapling (client) */
+diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
+--- a/src/net/third_party/nss/ssl/ssl.h 2012-02-28 18:34:23.263186340 -0800
++++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-28 18:47:14.683775498 -0800
+@@ -167,6 +167,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
+ * accept fragmented alerts).
+ */
+ #define SSL_CBC_RANDOM_IV 23
++#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
-@@ -274,6 +275,23 @@ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
- SSL_IMPORT SECStatus SSL_PeerCertificateChain(
- PRFileDesc *fd, CERTCertificate **certs, unsigned int *certs_size);
+@@ -347,6 +348,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate
+ PRFileDesc *fd, CERTCertificate **certs,
+ unsigned int *numCerts, unsigned int maxNumCerts);
+/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by
+ * the TLS server. The resulting data is copied to |out_data|. On entry, |*len|
@@ -63,11 +33,10 @@
/*
** Authenticate certificate hook. Called when a certificate comes in
** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
-diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
-index 9830e65..ca2793f 100644
---- a/mozilla/security/nss/lib/ssl/ssl3con.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
-@@ -7803,6 +7803,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
+diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
+--- a/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 17:48:46.326209244 -0800
++++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-02-28 19:12:51.845953454 -0800
+@@ -7887,6 +7887,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce
}
/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
@@ -125,7 +94,7 @@
* ssl3 Certificate message.
* Caller must hold Handshake and RecvBuf locks.
*/
-@@ -8605,6 +8656,26 @@ xmit_loser:
+@@ -8679,6 +8730,26 @@ ssl3_FinishHandshake(sslSocket * ss)
return SECSuccess;
}
@@ -152,7 +121,7 @@
/* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
* hanshake message.
* Caller must hold Handshake and RecvBuf locks.
-@@ -8699,14 +8770,42 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -8773,14 +8844,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s
rv = ssl3_HandleServerHello(ss, b, length);
break;
case certificate:
@@ -195,7 +164,7 @@
rv = ssl3_HandleServerKeyExchange(ss, b, length);
break;
case certificate_request:
-@@ -8715,6 +8814,9 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -8789,6 +8888,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
return SECFailure;
}
@@ -205,7 +174,7 @@
rv = ssl3_HandleCertificateRequest(ss, b, length);
break;
case server_hello_done:
-@@ -8728,6 +8830,9 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -8802,6 +8904,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
return SECFailure;
}
@@ -215,7 +184,7 @@
rv = ssl3_HandleServerHelloDone(ss);
break;
case certificate_verify:
-@@ -9578,6 +9683,12 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -9646,6 +9751,12 @@ ssl3_DestroySSL3Info(sslSocket *ss)
ss->ssl3.hs.messages.len = 0;
ss->ssl3.hs.messages.space = 0;
}
@@ -228,29 +197,28 @@
/* free the SSL3Buffer (msg_body) */
PORT_Free(ss->ssl3.hs.msg_body.buf);
-diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c
-index fbd5a91..4e3d9cc 100644
---- a/mozilla/security/nss/lib/ssl/ssl3ext.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3ext.c
-@@ -247,6 +247,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
+diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
+--- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-15 13:52:08.000000000 -0800
++++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 19:14:28.617352538 -0800
+@@ -253,6 +253,7 @@ static const ssl3HelloExtensionHandler s
{ ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
{ ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
- { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
+ { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
+ { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
{ -1, NULL }
};
-@@ -270,7 +271,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
+@@ -276,7 +277,8 @@ ssl3HelloExtensionSender clientHelloSend
{ ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
#endif
{ ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
-- { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn }
-+ { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn },
+- { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }
++ { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
/* any extra entries will appear as { 0, NULL } */
};
-@@ -654,6 +656,80 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss,
+@@ -659,6 +661,80 @@ loser:
return -1;
}
@@ -331,10 +299,9 @@
/*
* NewSessionTicket
* Called from ssl3_HandleFinished
-diff --git a/mozilla/security/nss/lib/ssl/ssl3prot.h b/mozilla/security/nss/lib/ssl/ssl3prot.h
-index f3c950e..aeaacdd 100644
---- a/mozilla/security/nss/lib/ssl/ssl3prot.h
-+++ b/mozilla/security/nss/lib/ssl/ssl3prot.h
+diff -up a/src/net/third_party/nss/ssl/ssl3prot.h b/src/net/third_party/nss/ssl/ssl3prot.h
+--- a/src/net/third_party/nss/ssl/ssl3prot.h 2011-10-28 17:29:11.000000000 -0700
++++ b/src/net/third_party/nss/ssl/ssl3prot.h 2012-02-28 19:12:51.845953454 -0800
@@ -158,6 +158,7 @@ typedef enum {
certificate_verify = 15,
client_key_exchange = 16,
@@ -343,33 +310,31 @@
next_proto = 67
} SSL3HandshakeType;
-diff --git a/mozilla/security/nss/lib/ssl/sslerr.h b/mozilla/security/nss/lib/ssl/sslerr.h
-index a2f6524..c940f95 100644
---- a/mozilla/security/nss/lib/ssl/sslerr.h
-+++ b/mozilla/security/nss/lib/ssl/sslerr.h
-@@ -203,6 +203,8 @@ SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD = (SSL_ERROR_BASE + 114),
+diff -up a/src/net/third_party/nss/ssl/sslerr.h b/src/net/third_party/nss/ssl/sslerr.h
+--- a/src/net/third_party/nss/ssl/sslerr.h 2012-02-11 04:55:58.000000000 -0800
++++ b/src/net/third_party/nss/ssl/sslerr.h 2012-02-28 18:58:06.733056235 -0800
+@@ -211,6 +211,8 @@ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2
+ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS = (SSL_ERROR_BASE + 118),
+ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS = (SSL_ERROR_BASE + 119),
- SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = (SSL_ERROR_BASE + 115),
-
-+SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 116),
++SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 120),
+
SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
} SSLErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */
-diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
-index 48d6d83..8e2bd14 100644
---- a/mozilla/security/nss/lib/ssl/sslimpl.h
-+++ b/mozilla/security/nss/lib/ssl/sslimpl.h
+diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
+--- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 17:48:46.326209244 -0800
++++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 19:05:14.299310096 -0800
@@ -339,6 +339,7 @@ typedef struct sslOptionsStr {
- unsigned int enableRenegotiation : 2; /* 20-21 */
unsigned int requireSafeNegotiation : 1; /* 22 */
unsigned int enableFalseStart : 1; /* 23 */
-+ unsigned int enableOCSPStapling : 1; /* 24 */
+ unsigned int cbcRandomIV : 1; /* 24 */
++ unsigned int enableOCSPStapling : 1; /* 25 */
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
@@ -782,6 +783,14 @@ const ssl3CipherSuiteDef *suite_def;
- * when this one finishes */
+ PRBool isResuming; /* are we resuming a session */
PRBool usedStepDownKey; /* we did a server key exchange. */
PRBool sendingSCSV; /* instead of empty RI */
+ PRBool may_get_cert_status; /* the server echoed a
@@ -383,16 +348,16 @@
sslBuffer msgState; /* current state for handshake messages*/
/* protected by recvBufLock */
sslBuffer messages; /* Accumulated handshake messages */
-@@ -1515,6 +1524,8 @@ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
+@@ -1527,6 +1536,8 @@ extern SECStatus ssl3_HandleSupportedPoi
PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
+ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
+ PRUint16 ex_type, SECItem *data);
extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
-@@ -1526,6 +1537,8 @@ extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
+
+@@ -1536,6 +1547,8 @@ extern SECStatus ssl3_ServerHandleSessio
*/
extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
PRUint32 maxBytes);
@@ -401,20 +366,21 @@
/* ClientHello and ServerHello extension senders.
* The code is in ssl3ext.c.
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
-index b7e32a2..4c4df3f 100644
---- a/mozilla/security/nss/lib/ssl/sslsock.c
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c
-@@ -185,6 +185,7 @@ static sslOptions ssl_defaults = {
+diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
+--- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-28 16:15:34.790321976 -0800
++++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-28 19:12:51.845953454 -0800
+@@ -185,7 +185,8 @@ static sslOptions ssl_defaults = {
2, /* enableRenegotiation (default: requires extension) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
+- PR_TRUE /* cbcRandomIV */
++ PR_TRUE, /* cbcRandomIV */
+ PR_FALSE, /* enableOCSPStapling */
};
sslSessionIDLookupFunc ssl_sid_lookup;
-@@ -738,6 +739,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
- ss->opt.enableFalseStart = on;
+@@ -741,6 +742,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ ss->opt.cbcRandomIV = on;
break;
+ case SSL_ENABLE_OCSP_STAPLING:
@@ -424,26 +390,26 @@
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
-@@ -802,6 +807,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
- case SSL_REQUIRE_SAFE_NEGOTIATION:
+@@ -806,6 +811,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
on = ss->opt.requireSafeNegotiation; break;
case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
+ case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
+ case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -853,6 +859,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
- on = ssl_defaults.requireSafeNegotiation;
+@@ -860,6 +866,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
break;
case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break;
+ case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break;
+ case SSL_ENABLE_OCSP_STAPLING:
+ on = ssl_defaults.enableOCSPStapling;
+ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1000,6 +1009,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
- ssl_defaults.enableFalseStart = on;
+@@ -1019,6 +1028,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+ ssl_defaults.cbcRandomIV = on;
break;
+ case SSL_ENABLE_OCSP_STAPLING:
@@ -453,7 +419,7 @@
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
-@@ -1453,6 +1466,36 @@ loser:
+@@ -1537,6 +1550,36 @@ loser:
#endif
}
@@ -490,10 +456,9 @@
/************************************************************************/
/* The following functions are the TOP LEVEL SSL functions.
** They all get called through the NSPRIOMethods table below.
-diff --git a/mozilla/security/nss/lib/ssl/sslt.h b/mozilla/security/nss/lib/ssl/sslt.h
-index f6e0b62..917c093 100644
---- a/mozilla/security/nss/lib/ssl/sslt.h
-+++ b/mozilla/security/nss/lib/ssl/sslt.h
+diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h
+--- a/src/net/third_party/nss/ssl/sslt.h 2012-02-15 13:52:08.000000000 -0800
++++ b/src/net/third_party/nss/ssl/sslt.h 2012-02-28 19:12:51.845953454 -0800
@@ -198,6 +198,7 @@ typedef enum {
/* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */
typedef enum {
« net/third_party/nss/README.chromium ('K') | « net/third_party/nss/patches/nextproto.patch ('k') | net/third_party/nss/patches/origin_bound_certs.patch » ('j') | net/third_party/nss/ssl/ssl3con.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698