Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(240)

Side by Side Diff: net/third_party/nss/patches/encryptedclientcerts.patch

Issue 9733012: Update NSS to NSS 3.13.4 pre-release snapshot 20120319. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Forgot to update the sslerr.h and SSLerrs.h files Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h 1 diff -pu -r a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ss l.h
2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-02-29 19:15:20.975171099 -0800 2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-03-19 13:49:12.517522610 -0700
3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-02-29 19:18:21.947702106 -0800 3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-03-19 13:49:29.507749795 -0700
4 @@ -169,6 +169,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi 4 @@ -186,6 +186,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
5 #define SSL_CBC_RANDOM_IV 23 5 #define SSL_CBC_RANDOM_IV 23
6 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ 6 #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
7 #define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */ 7 #define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */
8 +#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */ 8 +#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */
9 9
10 #ifdef SSL_DEPRECATED_FUNCTION 10 #ifdef SSL_DEPRECATED_FUNCTION
11 /* Old deprecated function names */ 11 /* Old deprecated function names */
12 diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/s slimpl.h 12 diff -pu -r a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ss l/sslimpl.h
13 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-29 19:15:20.975171099 -0 800 13 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 13:49:12.557523144 -0 700
14 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-29 19:19:26.478604857 -0 800 14 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 13:49:29.507749795 -0 700
15 @@ -350,6 +350,7 @@ typedef struct sslOptionsStr { 15 @@ -350,6 +350,7 @@ typedef struct sslOptionsStr {
16 unsigned int cbcRandomIV : 1; /* 24 */ 16 unsigned int cbcRandomIV : 1; /* 24 */
17 unsigned int enableOCSPStapling : 1; /* 25 */ 17 unsigned int enableOCSPStapling : 1; /* 25 */
18 unsigned int enableOBCerts : 1; /* 26 */ 18 unsigned int enableOBCerts : 1; /* 26 */
19 + unsigned int encryptClientCerts : 1; /* 27 */ 19 + unsigned int encryptClientCerts : 1; /* 27 */
20 } sslOptions; 20 } sslOptions;
21 21
22 typedef enum { sslHandshakingUndetermined = 0, 22 typedef enum { sslHandshakingUndetermined = 0,
23 diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/s sl3con.c 23 diff -pu -r a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ss l/ssl3con.c
24 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-29 19:15:20.975171099 -0 800 24 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 13:49:12.527522744 -0 700
25 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-29 20:00:15.851981917 -0 800 25 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 13:49:29.507749795 -0 700
26 @@ -2863,7 +2863,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket * 26 @@ -2882,7 +2882,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
27 27
28 ss->ssl3.prSpec = ss->ssl3.crSpec; 28 ss->ssl3.prSpec = ss->ssl3.crSpec;
29 ss->ssl3.crSpec = prSpec; 29 ss->ssl3.crSpec = prSpec;
30 - ss->ssl3.hs.ws = wait_finished; 30 - ss->ssl3.hs.ws = wait_finished;
31 + 31 +
32 + if (ss->sec.isServer && 32 + if (ss->sec.isServer &&
33 + ss->opt.requestCertificate && 33 + ss->opt.requestCertificate &&
34 + ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 34 + ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
35 + ss->ssl3.hs.ws = wait_client_cert; 35 + ss->ssl3.hs.ws = wait_client_cert;
36 + } else { 36 + } else {
37 + ss->ssl3.hs.ws = wait_finished; 37 + ss->ssl3.hs.ws = wait_finished;
38 + } 38 + }
39 39
40 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending", 40 SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
41 SSL_GETPID(), ss->fd )); 41 SSL_GETPID(), ss->fd ));
42 @@ -4877,10 +4884,11 @@ loser: 42 @@ -4898,10 +4905,11 @@ loser:
43 static SECStatus 43 static SECStatus
44 ssl3_SendCertificateVerify(sslSocket *ss) 44 ssl3_SendCertificateVerify(sslSocket *ss)
45 { 45 {
46 - SECStatus rv = SECFailure; 46 - SECStatus rv = SECFailure;
47 - PRBool isTLS; 47 - PRBool isTLS;
48 - SECItem buf = {siBuffer, NULL, 0}; 48 - SECItem buf = {siBuffer, NULL, 0};
49 - SSL3Hashes hashes; 49 - SSL3Hashes hashes;
50 + SECStatus rv = SECFailure; 50 + SECStatus rv = SECFailure;
51 + PRBool isTLS; 51 + PRBool isTLS;
52 + SECItem buf = {siBuffer, NULL, 0}; 52 + SECItem buf = {siBuffer, NULL, 0};
53 + SSL3Hashes hashes; 53 + SSL3Hashes hashes;
54 + ssl3CipherSpec *spec; 54 + ssl3CipherSpec *spec;
55 55
56 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); 56 PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
57 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); 57 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
58 @@ -4889,13 +4897,17 @@ ssl3_SendCertificateVerify(sslSocket *ss 58 @@ -4910,13 +4918,17 @@ ssl3_SendCertificateVerify(sslSocket *ss
59 SSL_GETPID(), ss->fd)); 59 SSL_GETPID(), ss->fd));
60 60
61 ssl_GetSpecReadLock(ss); 61 ssl_GetSpecReadLock(ss);
62 - rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0); 62 - rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
63 + spec = ss->ssl3.pwSpec; 63 + spec = ss->ssl3.pwSpec;
64 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 64 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
65 + spec = ss->ssl3.cwSpec; 65 + spec = ss->ssl3.cwSpec;
66 + } 66 + }
67 + rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0); 67 + rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0);
68 ssl_ReleaseSpecReadLock(ss); 68 ssl_ReleaseSpecReadLock(ss);
69 if (rv != SECSuccess) { 69 if (rv != SECSuccess) {
70 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */ 70 goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
71 } 71 }
72 72
73 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0); 73 - isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
74 + isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); 74 + isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
75 if (ss->ssl3.platformClientKey) { 75 if (ss->ssl3.platformClientKey) {
76 #ifdef NSS_PLATFORM_CLIENT_AUTH 76 #ifdef NSS_PLATFORM_CLIENT_AUTH
77 rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey, 77 rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
78 @@ -5912,6 +5924,10 @@ ssl3_SendClientSecondRound(sslSocket *ss 78 @@ -5924,6 +5936,10 @@ ssl3_SendClientSecondRound(sslSocket *ss
79 { 79 {
80 SECStatus rv; 80 SECStatus rv;
81 PRBool sendClientCert; 81 PRBool sendClientCert;
82 + PRBool sendEmptyCert; 82 + PRBool sendEmptyCert;
83 + int n = 0, i; 83 + int n = 0, i;
84 + typedef SECStatus (*SendFunction)(sslSocket*); 84 + typedef SECStatus (*SendFunction)(sslSocket*);
85 + SendFunction send_funcs[5]; 85 + SendFunction send_funcs[5];
86 86
87 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); 87 PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
88 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) ); 88 PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
89 @@ -5958,35 +5974,40 @@ ssl3_SendClientSecondRound(sslSocket *ss 89 @@ -5970,35 +5986,40 @@ ssl3_SendClientSecondRound(sslSocket *ss
90 90
91 ssl_GetXmitBufLock(ss); /*******************************/ 91 ssl_GetXmitBufLock(ss); /*******************************/
92 92
93 - if (ss->ssl3.sendEmptyCert) { 93 - if (ss->ssl3.sendEmptyCert) {
94 - ss->ssl3.sendEmptyCert = PR_FALSE; 94 - ss->ssl3.sendEmptyCert = PR_FALSE;
95 - rv = ssl3_SendEmptyCertificate(ss); 95 - rv = ssl3_SendEmptyCertificate(ss);
96 - /* Don't send verify */ 96 - /* Don't send verify */
97 - if (rv != SECSuccess) { 97 - if (rv != SECSuccess) {
98 - goto loser; /* error code is set. */ 98 - goto loser; /* error code is set. */
99 - } 99 - }
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after
145 - if (rv != SECSuccess) { 145 - if (rv != SECSuccess) {
146 - goto loser; /* err code was set. */ 146 - goto loser; /* err code was set. */
147 + for (i = 0; i < n; i++) { 147 + for (i = 0; i < n; i++) {
148 + rv = send_funcs[i](ss); 148 + rv = send_funcs[i](ss);
149 + if (rv != SECSuccess) { 149 + if (rv != SECSuccess) {
150 + goto loser; /* err code was set. */ 150 + goto loser; /* err code was set. */
151 + } 151 + }
152 } 152 }
153 153
154 /* XXX: If the server's certificate hasn't been authenticated by this 154 /* XXX: If the server's certificate hasn't been authenticated by this
155 @@ -6201,8 +6222,13 @@ ssl3_SendServerHelloSequence(sslSocket * 155 @@ -6213,8 +6234,13 @@ ssl3_SendServerHelloSequence(sslSocket *
156 return rv; /* err code is set. */ 156 return rv; /* err code is set. */
157 } 157 }
158 158
159 - ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert 159 - ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
160 - : wait_client_key; 160 - : wait_client_key;
161 + if (ss->opt.requestCertificate && 161 + if (ss->opt.requestCertificate &&
162 + !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 162 + !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
163 + ss->ssl3.hs.ws = wait_client_cert; 163 + ss->ssl3.hs.ws = wait_client_cert;
164 + } else { 164 + } else {
165 + ss->ssl3.hs.ws = wait_client_key; 165 + ss->ssl3.hs.ws = wait_client_key;
166 + } 166 + }
167 + 167 +
168 return SECSuccess; 168 return SECSuccess;
169 } 169 }
170 170
171 @@ -7446,7 +7472,11 @@ ssl3_HandleCertificateVerify(sslSocket * 171 @@ -7458,7 +7484,11 @@ ssl3_HandleCertificateVerify(sslSocket *
172 desc = isTLS ? decode_error : illegal_parameter; 172 desc = isTLS ? decode_error : illegal_parameter;
173 goto alert_loser; /* malformed */ 173 goto alert_loser; /* malformed */
174 } 174 }
175 - ss->ssl3.hs.ws = wait_change_cipher; 175 - ss->ssl3.hs.ws = wait_change_cipher;
176 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 176 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
177 + ss->ssl3.hs.ws = wait_finished; 177 + ss->ssl3.hs.ws = wait_finished;
178 + } else { 178 + } else {
179 + ss->ssl3.hs.ws = wait_change_cipher; 179 + ss->ssl3.hs.ws = wait_change_cipher;
180 + } 180 + }
181 return SECSuccess; 181 return SECSuccess;
182 182
183 alert_loser: 183 alert_loser:
184 @@ -8346,7 +8376,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS 184 @@ -8358,7 +8388,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS
185 } 185 }
186 } else { 186 } else {
187 server_no_cert: 187 server_no_cert:
188 - ss->ssl3.hs.ws = wait_client_key; 188 - ss->ssl3.hs.ws = wait_client_key;
189 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 189 + if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
190 + ss->ssl3.hs.ws = wait_cert_verify; 190 + ss->ssl3.hs.ws = wait_cert_verify;
191 + } else { 191 + } else {
192 + ss->ssl3.hs.ws = wait_client_key; 192 + ss->ssl3.hs.ws = wait_client_key;
193 + } 193 + }
194 } 194 }
195 195
196 PORT_Assert(rv == SECSuccess); 196 PORT_Assert(rv == SECSuccess);
197 @@ -8959,6 +8993,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s 197 @@ -8968,6 +9002,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s
198 if (type == finished) { 198 if (type == finished) {
199 sender = ss->sec.isServer ? sender_client : sender_server; 199 sender = ss->sec.isServer ? sender_client : sender_server;
200 rSpec = ss->ssl3.crSpec; 200 rSpec = ss->ssl3.crSpec;
201 + } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) { 201 + } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
202 + rSpec = ss->ssl3.crSpec; 202 + rSpec = ss->ssl3.crSpec;
203 } 203 }
204 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender); 204 rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
205 } 205 }
206 diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/s sl3ext.c 206 diff -pu -r a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ss l/ssl3ext.c
207 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-29 17:12:15.720044263 -0 800 207 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-19 12:50:32.610015524 -0 700
208 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-29 20:00:15.851981917 -0 800 208 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-19 13:49:29.507749795 -0 700
209 @@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr 209 @@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr
210 PRUint16 ex_type, SECItem *data); 210 PRUint16 ex_type, SECItem *data);
211 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, 211 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
212 PRUint32 maxBytes); 212 PRUint32 maxBytes);
213 +static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, 213 +static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss,
214 + PRUint16 ex_type, SECItem *data); 214 + PRUint16 ex_type, SECItem *data);
215 +static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, 215 +static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss,
216 + PRUint16 ex_type, SECItem *data); 216 + PRUint16 ex_type, SECItem *data);
217 +static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss, 217 +static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss,
218 + PRBool append, PRUint32 maxBytes); 218 + PRBool append, PRUint32 maxBytes);
(...skipping 17 matching lines...) Expand all
236 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, 236 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
237 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 237 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
238 @@ -279,6 +287,7 @@ ssl3HelloExtensionSender clientHelloSend 238 @@ -279,6 +287,7 @@ ssl3HelloExtensionSender clientHelloSend
239 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, 239 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
240 #endif 240 #endif
241 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, 241 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
242 + { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn }, 242 + { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn },
243 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, 243 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
244 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, 244 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
245 { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn } 245 { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn }
246 @@ -1083,6 +1092,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc 246 @@ -1082,6 +1091,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc
247 return SECSuccess; 247 return SECSuccess;
248 } 248 }
249 249
250 +static SECStatus 250 +static SECStatus
251 +ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, 251 +ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
252 + SECItem *data) 252 + SECItem *data)
253 +{ 253 +{
254 + if (data->len != 0) 254 + if (data->len != 0)
255 + return SECFailure; 255 + return SECFailure;
256 + 256 +
257 + /* Keep track of negotiated extensions. */ 257 + /* Keep track of negotiated extensions. */
258 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 258 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
259 + return SECSuccess; 259 + return SECSuccess;
260 +} 260 +}
261 + 261 +
262 SECStatus 262 SECStatus
263 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type, 263 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
264 SECItem *data) 264 SECItem *data)
265 @@ -1496,6 +1517,24 @@ loser: 265 @@ -1495,6 +1516,24 @@ loser:
266 return rv; 266 return rv;
267 } 267 }
268 268
269 +static SECStatus 269 +static SECStatus
270 +ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type, 270 +ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
271 + SECItem *data) 271 + SECItem *data)
272 +{ 272 +{
273 + SECStatus rv = SECSuccess; 273 + SECStatus rv = SECSuccess;
274 + 274 +
275 + if (data->len != 0) 275 + if (data->len != 0)
276 + return SECFailure; 276 + return SECFailure;
277 + 277 +
278 + if (ss->opt.encryptClientCerts) { 278 + if (ss->opt.encryptClientCerts) {
279 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; 279 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
280 + rv = ssl3_RegisterServerHelloExtensionSender( 280 + rv = ssl3_RegisterServerHelloExtensionSender(
281 + ss, ex_type, ssl3_SendEncryptedClientCertsXtn); 281 + ss, ex_type, ssl3_SendEncryptedClientCertsXtn);
282 + } 282 + }
283 + 283 +
284 + return rv; 284 + return rv;
285 +} 285 +}
286 + 286 +
287 /* 287 /*
288 * Read bytes. Using this function means the SECItem structure 288 * Read bytes. Using this function means the SECItem structure
289 * cannot be freed. The caller is expected to call this function 289 * cannot be freed. The caller is expected to call this function
290 @@ -1695,6 +1734,33 @@ ssl3_SendRenegotiationInfoXtn( 290 @@ -1694,6 +1733,33 @@ ssl3_SendRenegotiationInfoXtn(
291 return needed; 291 return needed;
292 } 292 }
293 293
294 +static PRInt32 294 +static PRInt32
295 +ssl3_SendEncryptedClientCertsXtn( 295 +ssl3_SendEncryptedClientCertsXtn(
296 + sslSocket * ss, 296 + sslSocket * ss,
297 + PRBool append, 297 + PRBool append,
298 + PRUint32 maxBytes) 298 + PRUint32 maxBytes)
299 +{ 299 +{
300 + PRInt32 needed; 300 + PRInt32 needed;
(...skipping 13 matching lines...) Expand all
314 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = 314 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
315 + ssl_encrypted_client_certs; 315 + ssl_encrypted_client_certs;
316 + } 316 + }
317 + 317 +
318 + return needed; 318 + return needed;
319 +} 319 +}
320 + 320 +
321 /* This function runs in both the client and server. */ 321 /* This function runs in both the client and server. */
322 static SECStatus 322 static SECStatus
323 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) 323 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
324 diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/s slsock.c 324 diff -pu -r a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ss l/sslsock.c
325 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-02-29 17:49:08.431530583 -0 800 325 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 12:59:07.586991902 -0 700
326 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-02-29 20:00:15.851981917 -0 800 326 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 13:49:29.517749929 -0 700
327 @@ -188,6 +188,7 @@ static sslOptions ssl_defaults = { 327 @@ -188,6 +188,7 @@ static sslOptions ssl_defaults = {
328 PR_TRUE, /* cbcRandomIV */ 328 PR_TRUE, /* cbcRandomIV */
329 PR_FALSE, /* enableOCSPStapling */ 329 PR_FALSE, /* enableOCSPStapling */
330 PR_FALSE, /* enableOBCerts */ 330 PR_FALSE, /* enableOBCerts */
331 + PR_FALSE, /* encryptClientCerts */ 331 + PR_FALSE, /* encryptClientCerts */
332 }; 332 };
333 333
334 sslSessionIDLookupFunc ssl_sid_lookup; 334 /*
335 @@ -755,6 +756,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh 335 @@ -826,6 +827,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
336 ss->opt.enableOBCerts = on; 336 ss->opt.enableOBCerts = on;
337 break; 337 break;
338 338
339 + case SSL_ENCRYPT_CLIENT_CERTS: 339 + case SSL_ENCRYPT_CLIENT_CERTS:
340 + ss->opt.encryptClientCerts = on; 340 + ss->opt.encryptClientCerts = on;
341 + break; 341 + break;
342 + 342 +
343 default: 343 default:
344 PORT_SetError(SEC_ERROR_INVALID_ARGS); 344 PORT_SetError(SEC_ERROR_INVALID_ARGS);
345 rv = SECFailure; 345 rv = SECFailure;
346 @@ -822,6 +827,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh 346 @@ -897,6 +902,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
347 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; 347 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
348 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; 348 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
349 case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break; 349 case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break;
350 + case SSL_ENCRYPT_CLIENT_CERTS: 350 + case SSL_ENCRYPT_CLIENT_CERTS:
351 + on = ss->opt.encryptClientCerts; break; 351 + on = ss->opt.encryptClientCerts; break;
352 352
353 default: 353 default:
354 PORT_SetError(SEC_ERROR_INVALID_ARGS); 354 PORT_SetError(SEC_ERROR_INVALID_ARGS);
355 @@ -880,6 +887,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo 355 @@ -959,6 +966,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
356 on = ssl_defaults.enableOCSPStapling; 356 on = ssl_defaults.enableOCSPStapling;
357 break; 357 break;
358 case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break; 358 case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break;
359 + case SSL_ENCRYPT_CLIENT_CERTS: 359 + case SSL_ENCRYPT_CLIENT_CERTS:
360 + on = ssl_defaults.encryptClientCerts; break; 360 + on = ssl_defaults.encryptClientCerts; break;
361 361
362 default: 362 default:
363 PORT_SetError(SEC_ERROR_INVALID_ARGS); 363 PORT_SetError(SEC_ERROR_INVALID_ARGS);
364 @@ -1047,6 +1056,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo 364 @@ -1126,6 +1135,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
365 ssl_defaults.enableOBCerts = on; 365 ssl_defaults.enableOBCerts = on;
366 break; 366 break;
367 367
368 + case SSL_ENCRYPT_CLIENT_CERTS: 368 + case SSL_ENCRYPT_CLIENT_CERTS:
369 + ssl_defaults.encryptClientCerts = on; 369 + ssl_defaults.encryptClientCerts = on;
370 + break; 370 + break;
371 + 371 +
372 default: 372 default:
373 PORT_SetError(SEC_ERROR_INVALID_ARGS); 373 PORT_SetError(SEC_ERROR_INVALID_ARGS);
374 return SECFailure; 374 return SECFailure;
375 diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt .h 375 diff -pu -r a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/s slt.h
376 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-02-29 17:12:15.780045080 -0 800 376 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-03-19 12:50:32.610015524 -0 700
377 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-02-29 19:34:43.921452065 -0 800 377 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-03-19 13:49:29.517749929 -0 700
378 @@ -205,10 +205,11 @@ typedef enum { 378 @@ -214,10 +214,11 @@ typedef enum {
379 #endif 379 #endif
380 ssl_session_ticket_xtn = 35, 380 ssl_session_ticket_xtn = 35,
381 ssl_next_proto_nego_xtn = 13172, 381 ssl_next_proto_nego_xtn = 13172,
382 + ssl_encrypted_client_certs = 13180, /* not IANA assigned. */ 382 + ssl_encrypted_client_certs = 13180, /* not IANA assigned. */
383 ssl_renegotiation_info_xtn = 0xff01, /* experimental number */ 383 ssl_renegotiation_info_xtn = 0xff01, /* experimental number */
384 ssl_ob_cert_xtn = 13175 /* experimental number */ 384 ssl_ob_cert_xtn = 13175 /* experimental number */
385 } SSLExtensionType; 385 } SSLExtensionType;
386 386
387 -#define SSL_MAX_EXTENSIONS 8 387 -#define SSL_MAX_EXTENSIONS 8
388 +#define SSL_MAX_EXTENSIONS 9 388 +#define SSL_MAX_EXTENSIONS 9
389 389
390 #endif /* __sslt_h_ */ 390 #endif /* __sslt_h_ */
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698