| OLD | NEW |
| 1 diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h | 1 diff -pu -r a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ss
l.h |
| 2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-02-29 19:15:20.975171099 -0800 | 2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-03-19 13:49:12.517522610 -0700 |
| 3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-02-29 19:18:21.947702106 -0800 | 3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-03-19 13:49:29.507749795 -0700 |
| 4 @@ -169,6 +169,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi | 4 @@ -186,6 +186,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi |
| 5 #define SSL_CBC_RANDOM_IV 23 | 5 #define SSL_CBC_RANDOM_IV 23 |
| 6 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ | 6 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ |
| 7 #define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */ | 7 #define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */ |
| 8 +#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */ | 8 +#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */ |
| 9 | 9 |
| 10 #ifdef SSL_DEPRECATED_FUNCTION | 10 #ifdef SSL_DEPRECATED_FUNCTION |
| 11 /* Old deprecated function names */ | 11 /* Old deprecated function names */ |
| 12 diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/s
slimpl.h | 12 diff -pu -r a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ss
l/sslimpl.h |
| 13 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-29 19:15:20.975171099 -0
800 | 13 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 13:49:12.557523144 -0
700 |
| 14 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-29 19:19:26.478604857 -0
800 | 14 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 13:49:29.507749795 -0
700 |
| 15 @@ -350,6 +350,7 @@ typedef struct sslOptionsStr { | 15 @@ -350,6 +350,7 @@ typedef struct sslOptionsStr { |
| 16 unsigned int cbcRandomIV : 1; /* 24 */ | 16 unsigned int cbcRandomIV : 1; /* 24 */ |
| 17 unsigned int enableOCSPStapling : 1; /* 25 */ | 17 unsigned int enableOCSPStapling : 1; /* 25 */ |
| 18 unsigned int enableOBCerts : 1; /* 26 */ | 18 unsigned int enableOBCerts : 1; /* 26 */ |
| 19 + unsigned int encryptClientCerts : 1; /* 27 */ | 19 + unsigned int encryptClientCerts : 1; /* 27 */ |
| 20 } sslOptions; | 20 } sslOptions; |
| 21 | 21 |
| 22 typedef enum { sslHandshakingUndetermined = 0, | 22 typedef enum { sslHandshakingUndetermined = 0, |
| 23 diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/s
sl3con.c | 23 diff -pu -r a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ss
l/ssl3con.c |
| 24 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-29 19:15:20.975171099 -0
800 | 24 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 13:49:12.527522744 -0
700 |
| 25 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-29 20:00:15.851981917 -0
800 | 25 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 13:49:29.507749795 -0
700 |
| 26 @@ -2863,7 +2863,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket * | 26 @@ -2882,7 +2882,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket * |
| 27 | 27 |
| 28 ss->ssl3.prSpec = ss->ssl3.crSpec; | 28 ss->ssl3.prSpec = ss->ssl3.crSpec; |
| 29 ss->ssl3.crSpec = prSpec; | 29 ss->ssl3.crSpec = prSpec; |
| 30 - ss->ssl3.hs.ws = wait_finished; | 30 - ss->ssl3.hs.ws = wait_finished; |
| 31 + | 31 + |
| 32 + if (ss->sec.isServer && | 32 + if (ss->sec.isServer && |
| 33 + ss->opt.requestCertificate && | 33 + ss->opt.requestCertificate && |
| 34 + ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | 34 + ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
| 35 + ss->ssl3.hs.ws = wait_client_cert; | 35 + ss->ssl3.hs.ws = wait_client_cert; |
| 36 + } else { | 36 + } else { |
| 37 + ss->ssl3.hs.ws = wait_finished; | 37 + ss->ssl3.hs.ws = wait_finished; |
| 38 + } | 38 + } |
| 39 | 39 |
| 40 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending", | 40 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending", |
| 41 SSL_GETPID(), ss->fd )); | 41 SSL_GETPID(), ss->fd )); |
| 42 @@ -4877,10 +4884,11 @@ loser: | 42 @@ -4898,10 +4905,11 @@ loser: |
| 43 static SECStatus | 43 static SECStatus |
| 44 ssl3_SendCertificateVerify(sslSocket *ss) | 44 ssl3_SendCertificateVerify(sslSocket *ss) |
| 45 { | 45 { |
| 46 - SECStatus rv = SECFailure; | 46 - SECStatus rv = SECFailure; |
| 47 - PRBool isTLS; | 47 - PRBool isTLS; |
| 48 - SECItem buf = {siBuffer, NULL, 0}; | 48 - SECItem buf = {siBuffer, NULL, 0}; |
| 49 - SSL3Hashes hashes; | 49 - SSL3Hashes hashes; |
| 50 + SECStatus rv = SECFailure; | 50 + SECStatus rv = SECFailure; |
| 51 + PRBool isTLS; | 51 + PRBool isTLS; |
| 52 + SECItem buf = {siBuffer, NULL, 0}; | 52 + SECItem buf = {siBuffer, NULL, 0}; |
| 53 + SSL3Hashes hashes; | 53 + SSL3Hashes hashes; |
| 54 + ssl3CipherSpec *spec; | 54 + ssl3CipherSpec *spec; |
| 55 | 55 |
| 56 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); | 56 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
| 57 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); | 57 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
| 58 @@ -4889,13 +4897,17 @@ ssl3_SendCertificateVerify(sslSocket *ss | 58 @@ -4910,13 +4918,17 @@ ssl3_SendCertificateVerify(sslSocket *ss |
| 59 SSL_GETPID(), ss->fd)); | 59 SSL_GETPID(), ss->fd)); |
| 60 | 60 |
| 61 ssl_GetSpecReadLock(ss); | 61 ssl_GetSpecReadLock(ss); |
| 62 - rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); | 62 - rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); |
| 63 + spec = ss->ssl3.pwSpec; | 63 + spec = ss->ssl3.pwSpec; |
| 64 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | 64 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
| 65 + spec = ss->ssl3.cwSpec; | 65 + spec = ss->ssl3.cwSpec; |
| 66 + } | 66 + } |
| 67 + rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0); | 67 + rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0); |
| 68 ssl_ReleaseSpecReadLock(ss); | 68 ssl_ReleaseSpecReadLock(ss); |
| 69 if (rv != SECSuccess) { | 69 if (rv != SECSuccess) { |
| 70 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ | 70 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ |
| 71 } | 71 } |
| 72 | 72 |
| 73 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); | 73 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); |
| 74 + isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); | 74 + isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); |
| 75 if (ss->ssl3.platformClientKey) { | 75 if (ss->ssl3.platformClientKey) { |
| 76 #ifdef NSS_PLATFORM_CLIENT_AUTH | 76 #ifdef NSS_PLATFORM_CLIENT_AUTH |
| 77 rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, | 77 rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, |
| 78 @@ -5912,6 +5924,10 @@ ssl3_SendClientSecondRound(sslSocket *ss | 78 @@ -5924,6 +5936,10 @@ ssl3_SendClientSecondRound(sslSocket *ss |
| 79 { | 79 { |
| 80 SECStatus rv; | 80 SECStatus rv; |
| 81 PRBool sendClientCert; | 81 PRBool sendClientCert; |
| 82 + PRBool sendEmptyCert; | 82 + PRBool sendEmptyCert; |
| 83 + int n = 0, i; | 83 + int n = 0, i; |
| 84 + typedef SECStatus (*SendFunction)(sslSocket*); | 84 + typedef SECStatus (*SendFunction)(sslSocket*); |
| 85 + SendFunction send_funcs[5]; | 85 + SendFunction send_funcs[5]; |
| 86 | 86 |
| 87 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); | 87 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); |
| 88 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); | 88 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); |
| 89 @@ -5958,35 +5974,40 @@ ssl3_SendClientSecondRound(sslSocket *ss | 89 @@ -5970,35 +5986,40 @@ ssl3_SendClientSecondRound(sslSocket *ss |
| 90 | 90 |
| 91 ssl_GetXmitBufLock(ss); /*******************************/ | 91 ssl_GetXmitBufLock(ss); /*******************************/ |
| 92 | 92 |
| 93 - if (ss->ssl3.sendEmptyCert) { | 93 - if (ss->ssl3.sendEmptyCert) { |
| 94 - ss->ssl3.sendEmptyCert = PR_FALSE; | 94 - ss->ssl3.sendEmptyCert = PR_FALSE; |
| 95 - rv = ssl3_SendEmptyCertificate(ss); | 95 - rv = ssl3_SendEmptyCertificate(ss); |
| 96 - /* Don't send verify */ | 96 - /* Don't send verify */ |
| 97 - if (rv != SECSuccess) { | 97 - if (rv != SECSuccess) { |
| 98 - goto loser; /* error code is set. */ | 98 - goto loser; /* error code is set. */ |
| 99 - } | 99 - } |
| (...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 145 - if (rv != SECSuccess) { | 145 - if (rv != SECSuccess) { |
| 146 - goto loser; /* err code was set. */ | 146 - goto loser; /* err code was set. */ |
| 147 + for (i = 0; i < n; i++) { | 147 + for (i = 0; i < n; i++) { |
| 148 + rv = send_funcs[i](ss); | 148 + rv = send_funcs[i](ss); |
| 149 + if (rv != SECSuccess) { | 149 + if (rv != SECSuccess) { |
| 150 + goto loser; /* err code was set. */ | 150 + goto loser; /* err code was set. */ |
| 151 + } | 151 + } |
| 152 } | 152 } |
| 153 | 153 |
| 154 /* XXX: If the server's certificate hasn't been authenticated by this | 154 /* XXX: If the server's certificate hasn't been authenticated by this |
| 155 @@ -6201,8 +6222,13 @@ ssl3_SendServerHelloSequence(sslSocket * | 155 @@ -6213,8 +6234,13 @@ ssl3_SendServerHelloSequence(sslSocket * |
| 156 return rv; /* err code is set. */ | 156 return rv; /* err code is set. */ |
| 157 } | 157 } |
| 158 | 158 |
| 159 - ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert | 159 - ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert |
| 160 - : wait_client_key; | 160 - : wait_client_key; |
| 161 + if (ss->opt.requestCertificate && | 161 + if (ss->opt.requestCertificate && |
| 162 + !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | 162 + !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
| 163 + ss->ssl3.hs.ws = wait_client_cert; | 163 + ss->ssl3.hs.ws = wait_client_cert; |
| 164 + } else { | 164 + } else { |
| 165 + ss->ssl3.hs.ws = wait_client_key; | 165 + ss->ssl3.hs.ws = wait_client_key; |
| 166 + } | 166 + } |
| 167 + | 167 + |
| 168 return SECSuccess; | 168 return SECSuccess; |
| 169 } | 169 } |
| 170 | 170 |
| 171 @@ -7446,7 +7472,11 @@ ssl3_HandleCertificateVerify(sslSocket * | 171 @@ -7458,7 +7484,11 @@ ssl3_HandleCertificateVerify(sslSocket * |
| 172 desc = isTLS ? decode_error : illegal_parameter; | 172 desc = isTLS ? decode_error : illegal_parameter; |
| 173 goto alert_loser; /* malformed */ | 173 goto alert_loser; /* malformed */ |
| 174 } | 174 } |
| 175 - ss->ssl3.hs.ws = wait_change_cipher; | 175 - ss->ssl3.hs.ws = wait_change_cipher; |
| 176 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | 176 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
| 177 + ss->ssl3.hs.ws = wait_finished; | 177 + ss->ssl3.hs.ws = wait_finished; |
| 178 + } else { | 178 + } else { |
| 179 + ss->ssl3.hs.ws = wait_change_cipher; | 179 + ss->ssl3.hs.ws = wait_change_cipher; |
| 180 + } | 180 + } |
| 181 return SECSuccess; | 181 return SECSuccess; |
| 182 | 182 |
| 183 alert_loser: | 183 alert_loser: |
| 184 @@ -8346,7 +8376,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS | 184 @@ -8358,7 +8388,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS |
| 185 } | 185 } |
| 186 } else { | 186 } else { |
| 187 server_no_cert: | 187 server_no_cert: |
| 188 - ss->ssl3.hs.ws = wait_client_key; | 188 - ss->ssl3.hs.ws = wait_client_key; |
| 189 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | 189 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
| 190 + ss->ssl3.hs.ws = wait_cert_verify; | 190 + ss->ssl3.hs.ws = wait_cert_verify; |
| 191 + } else { | 191 + } else { |
| 192 + ss->ssl3.hs.ws = wait_client_key; | 192 + ss->ssl3.hs.ws = wait_client_key; |
| 193 + } | 193 + } |
| 194 } | 194 } |
| 195 | 195 |
| 196 PORT_Assert(rv == SECSuccess); | 196 PORT_Assert(rv == SECSuccess); |
| 197 @@ -8959,6 +8993,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s | 197 @@ -8968,6 +9002,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s |
| 198 if (type == finished) { | 198 if (type == finished) { |
| 199 sender = ss->sec.isServer ? sender_client : sender_server; | 199 sender = ss->sec.isServer ? sender_client : sender_server; |
| 200 rSpec = ss->ssl3.crSpec; | 200 rSpec = ss->ssl3.crSpec; |
| 201 + } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { | 201 + } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { |
| 202 + rSpec = ss->ssl3.crSpec; | 202 + rSpec = ss->ssl3.crSpec; |
| 203 } | 203 } |
| 204 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); | 204 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); |
| 205 } | 205 } |
| 206 diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/s
sl3ext.c | 206 diff -pu -r a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ss
l/ssl3ext.c |
| 207 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-29 17:12:15.720044263 -0
800 | 207 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-19 12:50:32.610015524 -0
700 |
| 208 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-29 20:00:15.851981917 -0
800 | 208 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-19 13:49:29.507749795 -0
700 |
| 209 @@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr | 209 @@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr |
| 210 PRUint16 ex_type, SECItem *data); | 210 PRUint16 ex_type, SECItem *data); |
| 211 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, | 211 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, |
| 212 PRUint32 maxBytes); | 212 PRUint32 maxBytes); |
| 213 +static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, | 213 +static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, |
| 214 + PRUint16 ex_type, SECItem *data); | 214 + PRUint16 ex_type, SECItem *data); |
| 215 +static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, | 215 +static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, |
| 216 + PRUint16 ex_type, SECItem *data); | 216 + PRUint16 ex_type, SECItem *data); |
| 217 +static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss, | 217 +static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss, |
| 218 + PRBool append, PRUint32 maxBytes); | 218 + PRBool append, PRUint32 maxBytes); |
| (...skipping 17 matching lines...) Expand all Loading... |
| 236 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | 236 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
| 237 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | 237 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
| 238 @@ -279,6 +287,7 @@ ssl3HelloExtensionSender clientHelloSend | 238 @@ -279,6 +287,7 @@ ssl3HelloExtensionSender clientHelloSend |
| 239 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, | 239 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, |
| 240 #endif | 240 #endif |
| 241 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | 241 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
| 242 + { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn }, | 242 + { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn }, |
| 243 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | 243 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
| 244 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | 244 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
| 245 { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn } | 245 { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn } |
| 246 @@ -1083,6 +1092,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc | 246 @@ -1082,6 +1091,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc |
| 247 return SECSuccess; | 247 return SECSuccess; |
| 248 } | 248 } |
| 249 | 249 |
| 250 +static SECStatus | 250 +static SECStatus |
| 251 +ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, | 251 +ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, |
| 252 + SECItem *data) | 252 + SECItem *data) |
| 253 +{ | 253 +{ |
| 254 + if (data->len != 0) | 254 + if (data->len != 0) |
| 255 + return SECFailure; | 255 + return SECFailure; |
| 256 + | 256 + |
| 257 + /* Keep track of negotiated extensions. */ | 257 + /* Keep track of negotiated extensions. */ |
| 258 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 258 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| 259 + return SECSuccess; | 259 + return SECSuccess; |
| 260 +} | 260 +} |
| 261 + | 261 + |
| 262 SECStatus | 262 SECStatus |
| 263 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, | 263 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, |
| 264 SECItem *data) | 264 SECItem *data) |
| 265 @@ -1496,6 +1517,24 @@ loser: | 265 @@ -1495,6 +1516,24 @@ loser: |
| 266 return rv; | 266 return rv; |
| 267 } | 267 } |
| 268 | 268 |
| 269 +static SECStatus | 269 +static SECStatus |
| 270 +ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, | 270 +ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, |
| 271 + SECItem *data) | 271 + SECItem *data) |
| 272 +{ | 272 +{ |
| 273 + SECStatus rv = SECSuccess; | 273 + SECStatus rv = SECSuccess; |
| 274 + | 274 + |
| 275 + if (data->len != 0) | 275 + if (data->len != 0) |
| 276 + return SECFailure; | 276 + return SECFailure; |
| 277 + | 277 + |
| 278 + if (ss->opt.encryptClientCerts) { | 278 + if (ss->opt.encryptClientCerts) { |
| 279 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 279 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
| 280 + rv = ssl3_RegisterServerHelloExtensionSender( | 280 + rv = ssl3_RegisterServerHelloExtensionSender( |
| 281 + ss, ex_type, ssl3_SendEncryptedClientCertsXtn); | 281 + ss, ex_type, ssl3_SendEncryptedClientCertsXtn); |
| 282 + } | 282 + } |
| 283 + | 283 + |
| 284 + return rv; | 284 + return rv; |
| 285 +} | 285 +} |
| 286 + | 286 + |
| 287 /* | 287 /* |
| 288 * Read bytes. Using this function means the SECItem structure | 288 * Read bytes. Using this function means the SECItem structure |
| 289 * cannot be freed. The caller is expected to call this function | 289 * cannot be freed. The caller is expected to call this function |
| 290 @@ -1695,6 +1734,33 @@ ssl3_SendRenegotiationInfoXtn( | 290 @@ -1694,6 +1733,33 @@ ssl3_SendRenegotiationInfoXtn( |
| 291 return needed; | 291 return needed; |
| 292 } | 292 } |
| 293 | 293 |
| 294 +static PRInt32 | 294 +static PRInt32 |
| 295 +ssl3_SendEncryptedClientCertsXtn( | 295 +ssl3_SendEncryptedClientCertsXtn( |
| 296 + sslSocket * ss, | 296 + sslSocket * ss, |
| 297 + PRBool append, | 297 + PRBool append, |
| 298 + PRUint32 maxBytes) | 298 + PRUint32 maxBytes) |
| 299 +{ | 299 +{ |
| 300 + PRInt32 needed; | 300 + PRInt32 needed; |
| (...skipping 13 matching lines...) Expand all Loading... |
| 314 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 314 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
| 315 + ssl_encrypted_client_certs; | 315 + ssl_encrypted_client_certs; |
| 316 + } | 316 + } |
| 317 + | 317 + |
| 318 + return needed; | 318 + return needed; |
| 319 +} | 319 +} |
| 320 + | 320 + |
| 321 /* This function runs in both the client and server. */ | 321 /* This function runs in both the client and server. */ |
| 322 static SECStatus | 322 static SECStatus |
| 323 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) | 323 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
| 324 diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/s
slsock.c | 324 diff -pu -r a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ss
l/sslsock.c |
| 325 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-02-29 17:49:08.431530583 -0
800 | 325 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 12:59:07.586991902 -0
700 |
| 326 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-02-29 20:00:15.851981917 -0
800 | 326 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 13:49:29.517749929 -0
700 |
| 327 @@ -188,6 +188,7 @@ static sslOptions ssl_defaults = { | 327 @@ -188,6 +188,7 @@ static sslOptions ssl_defaults = { |
| 328 PR_TRUE, /* cbcRandomIV */ | 328 PR_TRUE, /* cbcRandomIV */ |
| 329 PR_FALSE, /* enableOCSPStapling */ | 329 PR_FALSE, /* enableOCSPStapling */ |
| 330 PR_FALSE, /* enableOBCerts */ | 330 PR_FALSE, /* enableOBCerts */ |
| 331 + PR_FALSE, /* encryptClientCerts */ | 331 + PR_FALSE, /* encryptClientCerts */ |
| 332 }; | 332 }; |
| 333 | 333 |
| 334 sslSessionIDLookupFunc ssl_sid_lookup; | 334 /* |
| 335 @@ -755,6 +756,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh | 335 @@ -826,6 +827,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh |
| 336 ss->opt.enableOBCerts = on; | 336 ss->opt.enableOBCerts = on; |
| 337 break; | 337 break; |
| 338 | 338 |
| 339 + case SSL_ENCRYPT_CLIENT_CERTS: | 339 + case SSL_ENCRYPT_CLIENT_CERTS: |
| 340 + ss->opt.encryptClientCerts = on; | 340 + ss->opt.encryptClientCerts = on; |
| 341 + break; | 341 + break; |
| 342 + | 342 + |
| 343 default: | 343 default: |
| 344 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 344 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 345 rv = SECFailure; | 345 rv = SECFailure; |
| 346 @@ -822,6 +827,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh | 346 @@ -897,6 +902,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh |
| 347 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | 347 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
| 348 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | 348 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
| 349 case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break; | 349 case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break; |
| 350 + case SSL_ENCRYPT_CLIENT_CERTS: | 350 + case SSL_ENCRYPT_CLIENT_CERTS: |
| 351 + on = ss->opt.encryptClientCerts; break; | 351 + on = ss->opt.encryptClientCerts; break; |
| 352 | 352 |
| 353 default: | 353 default: |
| 354 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 354 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 355 @@ -880,6 +887,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo | 355 @@ -959,6 +966,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo |
| 356 on = ssl_defaults.enableOCSPStapling; | 356 on = ssl_defaults.enableOCSPStapling; |
| 357 break; | 357 break; |
| 358 case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break; | 358 case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break; |
| 359 + case SSL_ENCRYPT_CLIENT_CERTS: | 359 + case SSL_ENCRYPT_CLIENT_CERTS: |
| 360 + on = ssl_defaults.encryptClientCerts; break; | 360 + on = ssl_defaults.encryptClientCerts; break; |
| 361 | 361 |
| 362 default: | 362 default: |
| 363 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 363 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 364 @@ -1047,6 +1056,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo | 364 @@ -1126,6 +1135,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo |
| 365 ssl_defaults.enableOBCerts = on; | 365 ssl_defaults.enableOBCerts = on; |
| 366 break; | 366 break; |
| 367 | 367 |
| 368 + case SSL_ENCRYPT_CLIENT_CERTS: | 368 + case SSL_ENCRYPT_CLIENT_CERTS: |
| 369 + ssl_defaults.encryptClientCerts = on; | 369 + ssl_defaults.encryptClientCerts = on; |
| 370 + break; | 370 + break; |
| 371 + | 371 + |
| 372 default: | 372 default: |
| 373 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 373 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 374 return SECFailure; | 374 return SECFailure; |
| 375 diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt
.h | 375 diff -pu -r a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/s
slt.h |
| 376 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-02-29 17:12:15.780045080 -0
800 | 376 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-03-19 12:50:32.610015524 -0
700 |
| 377 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-02-29 19:34:43.921452065 -0
800 | 377 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-03-19 13:49:29.517749929 -0
700 |
| 378 @@ -205,10 +205,11 @@ typedef enum { | 378 @@ -214,10 +214,11 @@ typedef enum { |
| 379 #endif | 379 #endif |
| 380 ssl_session_ticket_xtn = 35, | 380 ssl_session_ticket_xtn = 35, |
| 381 ssl_next_proto_nego_xtn = 13172, | 381 ssl_next_proto_nego_xtn = 13172, |
| 382 + ssl_encrypted_client_certs = 13180, /* not IANA assigned. */ | 382 + ssl_encrypted_client_certs = 13180, /* not IANA assigned. */ |
| 383 ssl_renegotiation_info_xtn = 0xff01, /* experimental number */ | 383 ssl_renegotiation_info_xtn = 0xff01, /* experimental number */ |
| 384 ssl_ob_cert_xtn = 13175 /* experimental number */ | 384 ssl_ob_cert_xtn = 13175 /* experimental number */ |
| 385 } SSLExtensionType; | 385 } SSLExtensionType; |
| 386 | 386 |
| 387 -#define SSL_MAX_EXTENSIONS 8 | 387 -#define SSL_MAX_EXTENSIONS 8 |
| 388 +#define SSL_MAX_EXTENSIONS 9 | 388 +#define SSL_MAX_EXTENSIONS 9 |
| 389 | 389 |
| 390 #endif /* __sslt_h_ */ | 390 #endif /* __sslt_h_ */ |
| OLD | NEW |