Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(376)

Side by Side Diff: net/third_party/nss/patches/ocspstapling.patch

Issue 9733012: Update NSS to NSS 3.13.4 pre-release snapshot 20120319. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Forgot to update the sslerr.h and SSLerrs.h files Created 8 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h 1 diff -pu -r a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ss l.h
2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-02-28 18:34:23.263186340 -0800 2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-03-19 14:34:10.103984357 -0700
3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-02-28 18:47:14.683775498 -0800 3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-03-19 14:34:51.624539293 -0700
4 @@ -167,6 +167,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi 4 @@ -184,6 +184,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
5 * accept fragmented alerts). 5 * accept fragmented alerts).
6 */ 6 */
7 #define SSL_CBC_RANDOM_IV 23 7 #define SSL_CBC_RANDOM_IV 23
8 +#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ 8 +#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
9 9
10 #ifdef SSL_DEPRECATED_FUNCTION 10 #ifdef SSL_DEPRECATED_FUNCTION
11 /* Old deprecated function names */ 11 /* Old deprecated function names */
12 @@ -347,6 +348,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate 12 @@ -435,6 +436,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate
13 PRFileDesc *fd, CERTCertificate **certs, 13 PRFileDesc *fd, CERTCertificate **certs,
14 unsigned int *numCerts, unsigned int maxNumCerts); 14 unsigned int *numCerts, unsigned int maxNumCerts);
15 15
16 +/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by 16 +/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by
17 + * the TLS server. The resulting data is copied to |out_data|. On entry, |*len| 17 + * the TLS server. The resulting data is copied to |out_data|. On entry, |*len|
18 + * must contain the size of |out_data|. On exit, |*len| will contain the size 18 + * must contain the size of |out_data|. On exit, |*len| will contain the size
19 + * of the OCSP stapled response. If the stapled response is too large to fit in 19 + * of the OCSP stapled response. If the stapled response is too large to fit in
20 + * |out_data| then it will be truncated. If no OCSP response was given by the 20 + * |out_data| then it will be truncated. If no OCSP response was given by the
21 + * server then it has zero length. 21 + * server then it has zero length.
22 + * 22 + *
23 + * You must set the SSL_ENABLE_OCSP_STAPLING option in order for OCSP responses 23 + * You must set the SSL_ENABLE_OCSP_STAPLING option in order for OCSP responses
24 + * to be provided by a server. 24 + * to be provided by a server.
25 + * 25 + *
26 + * You can call this function during the certificate verification callback or 26 + * You can call this function during the certificate verification callback or
27 + * any time afterwards. 27 + * any time afterwards.
28 + */ 28 + */
29 +SSL_IMPORT SECStatus SSL_GetStapledOCSPResponse(PRFileDesc *fd, 29 +SSL_IMPORT SECStatus SSL_GetStapledOCSPResponse(PRFileDesc *fd,
30 + unsigned char *out_data, 30 + unsigned char *out_data,
31 + unsigned int *len); 31 + unsigned int *len);
32 + 32 +
33 /* 33 /*
34 ** Authenticate certificate hook. Called when a certificate comes in 34 ** Authenticate certificate hook. Called when a certificate comes in
35 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the 35 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
36 diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/s sl3con.c 36 diff -pu -r a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ss l/ssl3con.c
37 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-28 17:48:46.326209244 -0 800 37 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 14:34:10.093984221 -0 700
38 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-28 19:12:51.845953454 -0 800 38 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 14:34:51.624539293 -0 700
39 @@ -7887,6 +7887,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce 39 @@ -7899,6 +7899,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce
40 } 40 }
41 41
42 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 42 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
43 + * ssl3 CertificateStatus message. 43 + * ssl3 CertificateStatus message.
44 + * Caller must hold Handshake and RecvBuf locks. 44 + * Caller must hold Handshake and RecvBuf locks.
45 + * This is always called before ssl3_HandleCertificate, even if the Certificate 45 + * This is always called before ssl3_HandleCertificate, even if the Certificate
46 + * message is sent first. 46 + * message is sent first.
47 + */ 47 + */
48 +static SECStatus 48 +static SECStatus
49 +ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) 49 +ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after
87 +alert_loser: 87 +alert_loser:
88 + (void)SSL3_SendAlert(ss, alert_fatal, desc); 88 + (void)SSL3_SendAlert(ss, alert_fatal, desc);
89 + (void)ssl_MapLowLevelError(errCode); 89 + (void)ssl_MapLowLevelError(errCode);
90 + return SECFailure; 90 + return SECFailure;
91 +} 91 +}
92 + 92 +
93 +/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete 93 +/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
94 * ssl3 Certificate message. 94 * ssl3 Certificate message.
95 * Caller must hold Handshake and RecvBuf locks. 95 * Caller must hold Handshake and RecvBuf locks.
96 */ 96 */
97 @@ -8679,6 +8730,26 @@ ssl3_FinishHandshake(sslSocket * ss) 97 @@ -8707,6 +8758,26 @@ ssl3_FinishHandshake(sslSocket * ss)
98 return SECSuccess; 98 return SECSuccess;
99 } 99 }
100 100
101 +/* This function handles any pending Certificate messages. Certificate messages 101 +/* This function handles any pending Certificate messages. Certificate messages
102 + * can be pending if we expect a possible CertificateStatus message to follow. 102 + * can be pending if we expect a possible CertificateStatus message to follow.
103 + * 103 + *
104 + * This function must be called immediately after handling the 104 + * This function must be called immediately after handling the
105 + * CertificateStatus message, and before handling any ServerKeyExchange or 105 + * CertificateStatus message, and before handling any ServerKeyExchange or
106 + * CertificateRequest messages. 106 + * CertificateRequest messages.
107 + */ 107 + */
108 +static SECStatus 108 +static SECStatus
109 +ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss) 109 +ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss)
110 +{ 110 +{
111 + SECStatus rv = SECSuccess; 111 + SECStatus rv = SECSuccess;
112 + 112 +
113 + if (ss->ssl3.hs.pending_cert_msg.data) { 113 + if (ss->ssl3.hs.pending_cert_msg.data) {
114 + rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data, 114 + rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data,
115 + ss->ssl3.hs.pending_cert_msg.len); 115 + ss->ssl3.hs.pending_cert_msg.len);
116 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); 116 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
117 + } 117 + }
118 + return rv; 118 + return rv;
119 +} 119 +}
120 + 120 +
121 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 121 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
122 * hanshake message. 122 * hanshake message.
123 * Caller must hold Handshake and RecvBuf locks. 123 * Caller must hold Handshake and RecvBuf locks.
124 @@ -8773,14 +8844,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s 124 @@ -8801,14 +8872,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s
125 rv = ssl3_HandleServerHello(ss, b, length); 125 rv = ssl3_HandleServerHello(ss, b, length);
126 break; 126 break;
127 case certificate: 127 case certificate:
128 + if (ss->ssl3.hs.may_get_cert_status) { 128 + if (ss->ssl3.hs.may_get_cert_status) {
129 + /* If we might get a CertificateStatus then we want to postpone the 129 + /* If we might get a CertificateStatus then we want to postpone the
130 + * processing of the Certificate message until after we have 130 + * processing of the Certificate message until after we have
131 + * processed the CertificateStatus */ 131 + * processed the CertificateStatus */
132 + if (ss->ssl3.hs.pending_cert_msg.data || 132 + if (ss->ssl3.hs.pending_cert_msg.data ||
133 + ss->ssl3.hs.ws != wait_server_cert) { 133 + ss->ssl3.hs.ws != wait_server_cert) {
134 + (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 134 + (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
(...skipping 22 matching lines...) Expand all
157 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); 157 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
158 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH); 158 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
159 return SECFailure; 159 return SECFailure;
160 } 160 }
161 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); 161 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
162 + if (rv != SECSuccess) 162 + if (rv != SECSuccess)
163 + break; 163 + break;
164 rv = ssl3_HandleServerKeyExchange(ss, b, length); 164 rv = ssl3_HandleServerKeyExchange(ss, b, length);
165 break; 165 break;
166 case certificate_request: 166 case certificate_request:
167 @@ -8789,6 +8888,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s 167 @@ -8817,6 +8916,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
168 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST); 168 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
169 return SECFailure; 169 return SECFailure;
170 } 170 }
171 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); 171 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
172 + if (rv != SECSuccess) 172 + if (rv != SECSuccess)
173 + break; 173 + break;
174 rv = ssl3_HandleCertificateRequest(ss, b, length); 174 rv = ssl3_HandleCertificateRequest(ss, b, length);
175 break; 175 break;
176 case server_hello_done: 176 case server_hello_done:
177 @@ -8802,6 +8904,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s 177 @@ -8830,6 +8932,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
178 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); 178 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
179 return SECFailure; 179 return SECFailure;
180 } 180 }
181 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); 181 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
182 + if (rv != SECSuccess) 182 + if (rv != SECSuccess)
183 + break; 183 + break;
184 rv = ssl3_HandleServerHelloDone(ss); 184 rv = ssl3_HandleServerHelloDone(ss);
185 break; 185 break;
186 case certificate_verify: 186 case certificate_verify:
187 @@ -9646,6 +9751,12 @@ ssl3_DestroySSL3Info(sslSocket *ss) 187 @@ -9719,6 +9824,12 @@ ssl3_DestroySSL3Info(sslSocket *ss)
188 ss->ssl3.hs.messages.len = 0; 188 ss->ssl3.hs.messages.len = 0;
189 ss->ssl3.hs.messages.space = 0; 189 ss->ssl3.hs.messages.space = 0;
190 } 190 }
191 + if (ss->ssl3.hs.pending_cert_msg.data) { 191 + if (ss->ssl3.hs.pending_cert_msg.data) {
192 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); 192 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
193 + } 193 + }
194 + if (ss->ssl3.hs.cert_status.data) { 194 + if (ss->ssl3.hs.cert_status.data) {
195 + SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); 195 + SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
196 + } 196 + }
197 197
198 /* free the SSL3Buffer (msg_body) */ 198 /* free the SSL3Buffer (msg_body) */
199 PORT_Free(ss->ssl3.hs.msg_body.buf); 199 PORT_Free(ss->ssl3.hs.msg_body.buf);
200 diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/s sl3ext.c 200 diff -pu -r a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ss l/ssl3ext.c
201 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-15 13:52:08.000000000 -0 800 201 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-12 12:14:12.000000000 -0 700
202 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-28 19:14:28.617352538 -0 800 202 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-19 14:34:51.624539293 -0 700
203 @@ -253,6 +253,7 @@ static const ssl3HelloExtensionHandler s 203 @@ -253,6 +253,7 @@ static const ssl3HelloExtensionHandler s
204 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, 204 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
205 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, 205 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
206 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, 206 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
207 + { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, 207 + { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
208 { -1, NULL } 208 { -1, NULL }
209 }; 209 };
210 210
211 @@ -276,7 +277,8 @@ ssl3HelloExtensionSender clientHelloSend 211 @@ -276,7 +277,8 @@ ssl3HelloExtensionSender clientHelloSend
212 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, 212 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
213 #endif 213 #endif
214 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, 214 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
215 - { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn } 215 - { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }
216 + { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, 216 + { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
217 + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } 217 + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
218 /* any extra entries will appear as { 0, NULL } */ 218 /* any extra entries will appear as { 0, NULL } */
219 }; 219 };
220 220
221 @@ -659,6 +661,80 @@ loser: 221 @@ -658,6 +660,80 @@ loser:
222 return -1; 222 return -1;
223 } 223 }
224 224
225 +SECStatus 225 +SECStatus
226 +ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, 226 +ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
227 + SECItem *data) 227 + SECItem *data)
228 +{ 228 +{
229 + /* If we didn't request this extension, then the server may not echo it. */ 229 + /* If we didn't request this extension, then the server may not echo it. */
230 + if (!ss->opt.enableOCSPStapling) 230 + if (!ss->opt.enableOCSPStapling)
231 + return SECFailure; 231 + return SECFailure;
(...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after
292 + } else if (maxBytes < extension_length) { 292 + } else if (maxBytes < extension_length) {
293 + PORT_Assert(0); 293 + PORT_Assert(0);
294 + return 0; 294 + return 0;
295 + } 295 + }
296 + return extension_length; 296 + return extension_length;
297 +} 297 +}
298 + 298 +
299 /* 299 /*
300 * NewSessionTicket 300 * NewSessionTicket
301 * Called from ssl3_HandleFinished 301 * Called from ssl3_HandleFinished
302 diff -up a/src/net/third_party/nss/ssl/ssl3prot.h b/src/net/third_party/nss/ssl/ ssl3prot.h 302 diff -pu -r a/src/net/third_party/nss/ssl/ssl3prot.h b/src/net/third_party/nss/s sl/ssl3prot.h
303 --- a/src/net/third_party/nss/ssl/ssl3prot.h 2011-10-28 17:29:11.000000000 -0 700 303 --- a/src/net/third_party/nss/ssl/ssl3prot.h 2011-10-28 17:29:11.000000000 -0 700
304 +++ b/src/net/third_party/nss/ssl/ssl3prot.h» 2012-02-28 19:12:51.845953454 -0 800 304 +++ b/src/net/third_party/nss/ssl/ssl3prot.h» 2012-03-19 14:34:51.624539293 -0 700
305 @@ -158,6 +158,7 @@ typedef enum { 305 @@ -158,6 +158,7 @@ typedef enum {
306 certificate_verify = 15, 306 certificate_verify = 15,
307 client_key_exchange = 16, 307 client_key_exchange = 16,
308 finished = 20, 308 finished = 20,
309 + certificate_status = 22, 309 + certificate_status = 22,
310 next_proto = 67 310 next_proto = 67
311 } SSL3HandshakeType; 311 } SSL3HandshakeType;
312 312
313 diff -up a/src/net/third_party/nss/ssl/sslerr.h b/src/net/third_party/nss/ssl/ss lerr.h 313 diff -pu -r a/src/net/third_party/nss/ssl/sslerr.h b/src/net/third_party/nss/ssl /sslerr.h
314 --- a/src/net/third_party/nss/ssl/sslerr.h» 2012-02-11 04:55:58.000000000 -0 800 314 --- a/src/net/third_party/nss/ssl/sslerr.h» 2012-03-10 20:32:35.000000000 -0 800
315 +++ b/src/net/third_party/nss/ssl/sslerr.h» 2012-02-28 18:58:06.733056235 -0 800 315 +++ b/src/net/third_party/nss/ssl/sslerr.h» 2012-03-19 14:35:47.275278925 -0 700
316 @@ -211,6 +211,8 @@ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 316 @@ -213,6 +213,8 @@ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIE
317 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS = (SSL_ERROR_BASE + 118),
318 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS = (SSL_ERROR_BASE + 119),
319 317
320 +SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 120), 318 SSL_ERROR_INVALID_VERSION_RANGE» » = (SSL_ERROR_BASE + 120),
319
320 +SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 121),
321 + 321 +
322 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ 322 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
323 } SSLErrorCodes; 323 } SSLErrorCodes;
324 #endif /* NO_SECURITY_ERROR_ENUM */ 324 #endif /* NO_SECURITY_ERROR_ENUM */
325 diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/s slimpl.h 325 diff -pu -r a/src/net/third_party/nss/ssl/SSLerrs.h b/src/net/third_party/nss/ss l/SSLerrs.h
326 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-28 17:48:46.326209244 -0 800 326 --- a/src/net/third_party/nss/ssl/SSLerrs.h» 2012-03-10 20:32:34.000000000 -0 800
327 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-28 19:05:14.299310096 -0 800 327 +++ b/src/net/third_party/nss/ssl/SSLerrs.h» 2012-03-19 14:38:37.757544584 -0 700
328 @@ -420,3 +420,6 @@ ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_
329
330 ER3(SSL_ERROR_INVALID_VERSION_RANGE, (SSL_ERROR_BASE + 120),
331 "SSL version range is not valid.")
332 +
333 +ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, (SSL_ERROR_BASE + 121),
334 +"SSL received an unexpected Certificate Status handshake message.")
335 diff -pu -r a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ss l/sslimpl.h
336 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 14:34:10.093984221 -0 700
337 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 14:34:51.634539426 -0 700
328 @@ -339,6 +339,7 @@ typedef struct sslOptionsStr { 338 @@ -339,6 +339,7 @@ typedef struct sslOptionsStr {
329 unsigned int requireSafeNegotiation : 1; /* 22 */ 339 unsigned int requireSafeNegotiation : 1; /* 22 */
330 unsigned int enableFalseStart : 1; /* 23 */ 340 unsigned int enableFalseStart : 1; /* 23 */
331 unsigned int cbcRandomIV : 1; /* 24 */ 341 unsigned int cbcRandomIV : 1; /* 24 */
332 + unsigned int enableOCSPStapling : 1; /* 25 */ 342 + unsigned int enableOCSPStapling : 1; /* 25 */
333 } sslOptions; 343 } sslOptions;
334 344
335 typedef enum { sslHandshakingUndetermined = 0, 345 typedef enum { sslHandshakingUndetermined = 0,
336 @@ -782,6 +783,14 @@ const ssl3CipherSuiteDef *suite_def; 346 @@ -783,6 +784,14 @@ const ssl3CipherSuiteDef *suite_def;
337 PRBool isResuming; /* are we resuming a session */ 347 PRBool isResuming; /* are we resuming a session */
338 PRBool usedStepDownKey; /* we did a server key exchange. */ 348 PRBool usedStepDownKey; /* we did a server key exchange. */
339 PRBool sendingSCSV; /* instead of empty RI */ 349 PRBool sendingSCSV; /* instead of empty RI */
340 + PRBool may_get_cert_status; /* the server echoed a 350 + PRBool may_get_cert_status; /* the server echoed a
341 + * status_request extension so 351 + * status_request extension so
342 + * may send a CertificateStatus 352 + * may send a CertificateStatus
343 + * handshake message. */ 353 + * handshake message. */
344 + SECItem pending_cert_msg; /* a Certificate message which we 354 + SECItem pending_cert_msg; /* a Certificate message which we
345 + * save temporarily if we may get 355 + * save temporarily if we may get
346 + * a CertificateStatus message */ 356 + * a CertificateStatus message */
347 + SECItem cert_status; /* an OCSP response */ 357 + SECItem cert_status; /* an OCSP response */
348 sslBuffer msgState; /* current state for handshake messages* / 358 sslBuffer msgState; /* current state for handshake messages* /
349 /* protected by recvBufLock */ 359 /* protected by recvBufLock */
350 sslBuffer messages; /* Accumulated handshake messages */ 360 sslBuffer messages; /* Accumulated handshake messages */
351 @@ -1527,6 +1536,8 @@ extern SECStatus ssl3_HandleSupportedPoi 361 @@ -1548,6 +1557,8 @@ extern SECStatus ssl3_HandleSupportedPoi
352 PRUint16 ex_type, SECItem *data); 362 PRUint16 ex_type, SECItem *data);
353 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, 363 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
354 PRUint16 ex_type, SECItem *data); 364 PRUint16 ex_type, SECItem *data);
355 +extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, 365 +extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
356 + PRUint16 ex_type, SECItem *data); 366 + PRUint16 ex_type, SECItem *data);
357 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, 367 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
358 PRUint16 ex_type, SECItem *data); 368 PRUint16 ex_type, SECItem *data);
359 369
360 @@ -1536,6 +1547,8 @@ extern SECStatus ssl3_ServerHandleSessio 370 @@ -1557,6 +1568,8 @@ extern SECStatus ssl3_ServerHandleSessio
361 */ 371 */
362 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append, 372 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
363 PRUint32 maxBytes); 373 PRUint32 maxBytes);
364 +extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, 374 +extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append,
365 + PRUint32 maxBytes); 375 + PRUint32 maxBytes);
366 376
367 /* ClientHello and ServerHello extension senders. 377 /* ClientHello and ServerHello extension senders.
368 * The code is in ssl3ext.c. 378 * The code is in ssl3ext.c.
369 diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/s slsock.c 379 diff -pu -r a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ss l/sslsock.c
370 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-02-28 16:15:34.790321976 -0 800 380 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 14:34:10.083984085 -0 700
371 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-02-28 19:12:51.845953454 -0 800 381 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 14:34:51.634539426 -0 700
372 @@ -185,7 +185,8 @@ static sslOptions ssl_defaults = { 382 @@ -185,7 +185,8 @@ static sslOptions ssl_defaults = {
373 2, /* enableRenegotiation (default: requires extension) */ 383 2, /* enableRenegotiation (default: requires extension) */
374 PR_FALSE, /* requireSafeNegotiation */ 384 PR_FALSE, /* requireSafeNegotiation */
375 PR_FALSE, /* enableFalseStart */ 385 PR_FALSE, /* enableFalseStart */
376 - PR_TRUE /* cbcRandomIV */ 386 - PR_TRUE /* cbcRandomIV */
377 + PR_TRUE, /* cbcRandomIV */ 387 + PR_TRUE, /* cbcRandomIV */
378 + PR_FALSE, /* enableOCSPStapling */ 388 + PR_FALSE, /* enableOCSPStapling */
379 }; 389 };
380 390
381 sslSessionIDLookupFunc ssl_sid_lookup; 391 /*
382 @@ -741,6 +742,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh 392 @@ -812,6 +813,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
383 ss->opt.cbcRandomIV = on; 393 ss->opt.cbcRandomIV = on;
384 break; 394 break;
385 395
386 + case SSL_ENABLE_OCSP_STAPLING: 396 + case SSL_ENABLE_OCSP_STAPLING:
387 + ss->opt.enableOCSPStapling = on; 397 + ss->opt.enableOCSPStapling = on;
388 + break; 398 + break;
389 + 399 +
390 default: 400 default:
391 PORT_SetError(SEC_ERROR_INVALID_ARGS); 401 PORT_SetError(SEC_ERROR_INVALID_ARGS);
392 rv = SECFailure; 402 rv = SECFailure;
393 @@ -806,6 +811,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh 403 @@ -881,6 +886,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
394 on = ss->opt.requireSafeNegotiation; break; 404 on = ss->opt.requireSafeNegotiation; break;
395 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; 405 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
396 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; 406 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
397 + case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; 407 + case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
398 408
399 default: 409 default:
400 PORT_SetError(SEC_ERROR_INVALID_ARGS); 410 PORT_SetError(SEC_ERROR_INVALID_ARGS);
401 @@ -860,6 +866,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo 411 @@ -939,6 +945,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
402 break; 412 break;
403 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; 413 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break;
404 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; 414 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break;
405 + case SSL_ENABLE_OCSP_STAPLING: 415 + case SSL_ENABLE_OCSP_STAPLING:
406 + on = ssl_defaults.enableOCSPStapling; 416 + on = ssl_defaults.enableOCSPStapling;
407 + break; 417 + break;
408 418
409 default: 419 default:
410 PORT_SetError(SEC_ERROR_INVALID_ARGS); 420 PORT_SetError(SEC_ERROR_INVALID_ARGS);
411 @@ -1019,6 +1028,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo 421 @@ -1098,6 +1107,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
412 ssl_defaults.cbcRandomIV = on; 422 ssl_defaults.cbcRandomIV = on;
413 break; 423 break;
414 424
415 + case SSL_ENABLE_OCSP_STAPLING: 425 + case SSL_ENABLE_OCSP_STAPLING:
416 + ssl_defaults.enableOCSPStapling = on; 426 + ssl_defaults.enableOCSPStapling = on;
417 + break; 427 + break;
418 + 428 +
419 default: 429 default:
420 PORT_SetError(SEC_ERROR_INVALID_ARGS); 430 PORT_SetError(SEC_ERROR_INVALID_ARGS);
421 return SECFailure; 431 return SECFailure;
422 @@ -1537,6 +1550,36 @@ loser: 432 @@ -1735,6 +1748,36 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons
423 #endif 433 return SECSuccess;
424 } 434 }
425 435
426 +SECStatus 436 +SECStatus
427 +SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, 437 +SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data,
428 + unsigned int *len) { 438 + unsigned int *len) {
429 + sslSocket *ss = ssl_FindSocket(fd); 439 + sslSocket *ss = ssl_FindSocket(fd);
430 + 440 +
431 + if (!ss) { 441 + if (!ss) {
432 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse", 442 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse",
433 + SSL_GETPID(), fd)); 443 + SSL_GETPID(), fd));
(...skipping 15 matching lines...) Expand all
449 + 459 +
450 + ssl_ReleaseSSL3HandshakeLock(ss); 460 + ssl_ReleaseSSL3HandshakeLock(ss);
451 + ssl_Release1stHandshakeLock(ss); 461 + ssl_Release1stHandshakeLock(ss);
452 + 462 +
453 + return SECSuccess; 463 + return SECSuccess;
454 +} 464 +}
455 + 465 +
456 /************************************************************************/ 466 /************************************************************************/
457 /* The following functions are the TOP LEVEL SSL functions. 467 /* The following functions are the TOP LEVEL SSL functions.
458 ** They all get called through the NSPRIOMethods table below. 468 ** They all get called through the NSPRIOMethods table below.
459 diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt .h 469 diff -pu -r a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/s slt.h
460 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-02-15 13:52:08.000000000 -0 800 470 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-03-15 18:23:55.000000000 -0 700
461 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-02-28 19:12:51.845953454 -0 800 471 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-03-19 14:34:51.634539426 -0 700
462 @@ -198,6 +198,7 @@ typedef enum { 472 @@ -207,6 +207,7 @@ typedef enum {
463 /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */ 473 /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */
464 typedef enum { 474 typedef enum {
465 ssl_server_name_xtn = 0, 475 ssl_server_name_xtn = 0,
466 + ssl_cert_status_xtn = 5, 476 + ssl_cert_status_xtn = 5,
467 #ifdef NSS_ENABLE_ECC 477 #ifdef NSS_ENABLE_ECC
468 ssl_elliptic_curves_xtn = 10, 478 ssl_elliptic_curves_xtn = 10,
469 ssl_ec_point_formats_xtn = 11, 479 ssl_ec_point_formats_xtn = 11,
470 @@ -207,6 +208,6 @@ typedef enum { 480 @@ -216,6 +217,6 @@ typedef enum {
471 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ 481 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
472 } SSLExtensionType; 482 } SSLExtensionType;
473 483
474 -#define SSL_MAX_EXTENSIONS 6 484 -#define SSL_MAX_EXTENSIONS 6
475 +#define SSL_MAX_EXTENSIONS 7 485 +#define SSL_MAX_EXTENSIONS 7
476 486
477 #endif /* __sslt_h_ */ 487 #endif /* __sslt_h_ */
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698