| OLD | NEW |
| 1 diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h | 1 diff -pu -r a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ss
l.h |
| 2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-02-28 18:34:23.263186340 -0800 | 2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-03-19 14:34:10.103984357 -0700 |
| 3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-02-28 18:47:14.683775498 -0800 | 3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-03-19 14:34:51.624539293 -0700 |
| 4 @@ -167,6 +167,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi | 4 @@ -184,6 +184,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi |
| 5 * accept fragmented alerts). | 5 * accept fragmented alerts). |
| 6 */ | 6 */ |
| 7 #define SSL_CBC_RANDOM_IV 23 | 7 #define SSL_CBC_RANDOM_IV 23 |
| 8 +#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ | 8 +#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ |
| 9 | 9 |
| 10 #ifdef SSL_DEPRECATED_FUNCTION | 10 #ifdef SSL_DEPRECATED_FUNCTION |
| 11 /* Old deprecated function names */ | 11 /* Old deprecated function names */ |
| 12 @@ -347,6 +348,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate | 12 @@ -435,6 +436,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate |
| 13 PRFileDesc *fd, CERTCertificate **certs, | 13 PRFileDesc *fd, CERTCertificate **certs, |
| 14 unsigned int *numCerts, unsigned int maxNumCerts); | 14 unsigned int *numCerts, unsigned int maxNumCerts); |
| 15 | 15 |
| 16 +/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by | 16 +/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by |
| 17 + * the TLS server. The resulting data is copied to |out_data|. On entry, |*len| | 17 + * the TLS server. The resulting data is copied to |out_data|. On entry, |*len| |
| 18 + * must contain the size of |out_data|. On exit, |*len| will contain the size | 18 + * must contain the size of |out_data|. On exit, |*len| will contain the size |
| 19 + * of the OCSP stapled response. If the stapled response is too large to fit in | 19 + * of the OCSP stapled response. If the stapled response is too large to fit in |
| 20 + * |out_data| then it will be truncated. If no OCSP response was given by the | 20 + * |out_data| then it will be truncated. If no OCSP response was given by the |
| 21 + * server then it has zero length. | 21 + * server then it has zero length. |
| 22 + * | 22 + * |
| 23 + * You must set the SSL_ENABLE_OCSP_STAPLING option in order for OCSP responses | 23 + * You must set the SSL_ENABLE_OCSP_STAPLING option in order for OCSP responses |
| 24 + * to be provided by a server. | 24 + * to be provided by a server. |
| 25 + * | 25 + * |
| 26 + * You can call this function during the certificate verification callback or | 26 + * You can call this function during the certificate verification callback or |
| 27 + * any time afterwards. | 27 + * any time afterwards. |
| 28 + */ | 28 + */ |
| 29 +SSL_IMPORT SECStatus SSL_GetStapledOCSPResponse(PRFileDesc *fd, | 29 +SSL_IMPORT SECStatus SSL_GetStapledOCSPResponse(PRFileDesc *fd, |
| 30 + unsigned char *out_data, | 30 + unsigned char *out_data, |
| 31 + unsigned int *len); | 31 + unsigned int *len); |
| 32 + | 32 + |
| 33 /* | 33 /* |
| 34 ** Authenticate certificate hook. Called when a certificate comes in | 34 ** Authenticate certificate hook. Called when a certificate comes in |
| 35 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the | 35 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the |
| 36 diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/s
sl3con.c | 36 diff -pu -r a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ss
l/ssl3con.c |
| 37 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-28 17:48:46.326209244 -0
800 | 37 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 14:34:10.093984221 -0
700 |
| 38 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-02-28 19:12:51.845953454 -0
800 | 38 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 14:34:51.624539293 -0
700 |
| 39 @@ -7887,6 +7887,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce | 39 @@ -7899,6 +7899,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce |
| 40 } | 40 } |
| 41 | 41 |
| 42 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 42 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
| 43 + * ssl3 CertificateStatus message. | 43 + * ssl3 CertificateStatus message. |
| 44 + * Caller must hold Handshake and RecvBuf locks. | 44 + * Caller must hold Handshake and RecvBuf locks. |
| 45 + * This is always called before ssl3_HandleCertificate, even if the Certificate | 45 + * This is always called before ssl3_HandleCertificate, even if the Certificate |
| 46 + * message is sent first. | 46 + * message is sent first. |
| 47 + */ | 47 + */ |
| 48 +static SECStatus | 48 +static SECStatus |
| 49 +ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 49 +ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 87 +alert_loser: | 87 +alert_loser: |
| 88 + (void)SSL3_SendAlert(ss, alert_fatal, desc); | 88 + (void)SSL3_SendAlert(ss, alert_fatal, desc); |
| 89 + (void)ssl_MapLowLevelError(errCode); | 89 + (void)ssl_MapLowLevelError(errCode); |
| 90 + return SECFailure; | 90 + return SECFailure; |
| 91 +} | 91 +} |
| 92 + | 92 + |
| 93 +/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 93 +/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
| 94 * ssl3 Certificate message. | 94 * ssl3 Certificate message. |
| 95 * Caller must hold Handshake and RecvBuf locks. | 95 * Caller must hold Handshake and RecvBuf locks. |
| 96 */ | 96 */ |
| 97 @@ -8679,6 +8730,26 @@ ssl3_FinishHandshake(sslSocket * ss) | 97 @@ -8707,6 +8758,26 @@ ssl3_FinishHandshake(sslSocket * ss) |
| 98 return SECSuccess; | 98 return SECSuccess; |
| 99 } | 99 } |
| 100 | 100 |
| 101 +/* This function handles any pending Certificate messages. Certificate messages | 101 +/* This function handles any pending Certificate messages. Certificate messages |
| 102 + * can be pending if we expect a possible CertificateStatus message to follow. | 102 + * can be pending if we expect a possible CertificateStatus message to follow. |
| 103 + * | 103 + * |
| 104 + * This function must be called immediately after handling the | 104 + * This function must be called immediately after handling the |
| 105 + * CertificateStatus message, and before handling any ServerKeyExchange or | 105 + * CertificateStatus message, and before handling any ServerKeyExchange or |
| 106 + * CertificateRequest messages. | 106 + * CertificateRequest messages. |
| 107 + */ | 107 + */ |
| 108 +static SECStatus | 108 +static SECStatus |
| 109 +ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss) | 109 +ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss) |
| 110 +{ | 110 +{ |
| 111 + SECStatus rv = SECSuccess; | 111 + SECStatus rv = SECSuccess; |
| 112 + | 112 + |
| 113 + if (ss->ssl3.hs.pending_cert_msg.data) { | 113 + if (ss->ssl3.hs.pending_cert_msg.data) { |
| 114 + rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data, | 114 + rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data, |
| 115 + ss->ssl3.hs.pending_cert_msg.len); | 115 + ss->ssl3.hs.pending_cert_msg.len); |
| 116 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); | 116 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); |
| 117 + } | 117 + } |
| 118 + return rv; | 118 + return rv; |
| 119 +} | 119 +} |
| 120 + | 120 + |
| 121 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 | 121 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 |
| 122 * hanshake message. | 122 * hanshake message. |
| 123 * Caller must hold Handshake and RecvBuf locks. | 123 * Caller must hold Handshake and RecvBuf locks. |
| 124 @@ -8773,14 +8844,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s | 124 @@ -8801,14 +8872,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s |
| 125 rv = ssl3_HandleServerHello(ss, b, length); | 125 rv = ssl3_HandleServerHello(ss, b, length); |
| 126 break; | 126 break; |
| 127 case certificate: | 127 case certificate: |
| 128 + if (ss->ssl3.hs.may_get_cert_status) { | 128 + if (ss->ssl3.hs.may_get_cert_status) { |
| 129 + /* If we might get a CertificateStatus then we want to postpone the | 129 + /* If we might get a CertificateStatus then we want to postpone the |
| 130 + * processing of the Certificate message until after we have | 130 + * processing of the Certificate message until after we have |
| 131 + * processed the CertificateStatus */ | 131 + * processed the CertificateStatus */ |
| 132 + if (ss->ssl3.hs.pending_cert_msg.data || | 132 + if (ss->ssl3.hs.pending_cert_msg.data || |
| 133 + ss->ssl3.hs.ws != wait_server_cert) { | 133 + ss->ssl3.hs.ws != wait_server_cert) { |
| 134 + (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 134 + (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| (...skipping 22 matching lines...) Expand all Loading... |
| 157 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 157 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 158 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH); | 158 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH); |
| 159 return SECFailure; | 159 return SECFailure; |
| 160 } | 160 } |
| 161 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); | 161 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); |
| 162 + if (rv != SECSuccess) | 162 + if (rv != SECSuccess) |
| 163 + break; | 163 + break; |
| 164 rv = ssl3_HandleServerKeyExchange(ss, b, length); | 164 rv = ssl3_HandleServerKeyExchange(ss, b, length); |
| 165 break; | 165 break; |
| 166 case certificate_request: | 166 case certificate_request: |
| 167 @@ -8789,6 +8888,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s | 167 @@ -8817,6 +8916,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s |
| 168 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST); | 168 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST); |
| 169 return SECFailure; | 169 return SECFailure; |
| 170 } | 170 } |
| 171 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); | 171 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); |
| 172 + if (rv != SECSuccess) | 172 + if (rv != SECSuccess) |
| 173 + break; | 173 + break; |
| 174 rv = ssl3_HandleCertificateRequest(ss, b, length); | 174 rv = ssl3_HandleCertificateRequest(ss, b, length); |
| 175 break; | 175 break; |
| 176 case server_hello_done: | 176 case server_hello_done: |
| 177 @@ -8802,6 +8904,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s | 177 @@ -8830,6 +8932,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s |
| 178 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); | 178 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); |
| 179 return SECFailure; | 179 return SECFailure; |
| 180 } | 180 } |
| 181 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); | 181 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); |
| 182 + if (rv != SECSuccess) | 182 + if (rv != SECSuccess) |
| 183 + break; | 183 + break; |
| 184 rv = ssl3_HandleServerHelloDone(ss); | 184 rv = ssl3_HandleServerHelloDone(ss); |
| 185 break; | 185 break; |
| 186 case certificate_verify: | 186 case certificate_verify: |
| 187 @@ -9646,6 +9751,12 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 187 @@ -9719,6 +9824,12 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
| 188 ss->ssl3.hs.messages.len = 0; | 188 ss->ssl3.hs.messages.len = 0; |
| 189 ss->ssl3.hs.messages.space = 0; | 189 ss->ssl3.hs.messages.space = 0; |
| 190 } | 190 } |
| 191 + if (ss->ssl3.hs.pending_cert_msg.data) { | 191 + if (ss->ssl3.hs.pending_cert_msg.data) { |
| 192 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); | 192 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); |
| 193 + } | 193 + } |
| 194 + if (ss->ssl3.hs.cert_status.data) { | 194 + if (ss->ssl3.hs.cert_status.data) { |
| 195 + SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); | 195 + SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); |
| 196 + } | 196 + } |
| 197 | 197 |
| 198 /* free the SSL3Buffer (msg_body) */ | 198 /* free the SSL3Buffer (msg_body) */ |
| 199 PORT_Free(ss->ssl3.hs.msg_body.buf); | 199 PORT_Free(ss->ssl3.hs.msg_body.buf); |
| 200 diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/s
sl3ext.c | 200 diff -pu -r a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ss
l/ssl3ext.c |
| 201 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-15 13:52:08.000000000 -0
800 | 201 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-12 12:14:12.000000000 -0
700 |
| 202 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-02-28 19:14:28.617352538 -0
800 | 202 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-19 14:34:51.624539293 -0
700 |
| 203 @@ -253,6 +253,7 @@ static const ssl3HelloExtensionHandler s | 203 @@ -253,6 +253,7 @@ static const ssl3HelloExtensionHandler s |
| 204 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, | 204 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, |
| 205 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 205 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
| 206 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | 206 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
| 207 + { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | 207 + { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
| 208 { -1, NULL } | 208 { -1, NULL } |
| 209 }; | 209 }; |
| 210 | 210 |
| 211 @@ -276,7 +277,8 @@ ssl3HelloExtensionSender clientHelloSend | 211 @@ -276,7 +277,8 @@ ssl3HelloExtensionSender clientHelloSend |
| 212 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, | 212 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, |
| 213 #endif | 213 #endif |
| 214 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | 214 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
| 215 - { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn } | 215 - { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn } |
| 216 + { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | 216 + { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
| 217 + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } | 217 + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } |
| 218 /* any extra entries will appear as { 0, NULL } */ | 218 /* any extra entries will appear as { 0, NULL } */ |
| 219 }; | 219 }; |
| 220 | 220 |
| 221 @@ -659,6 +661,80 @@ loser: | 221 @@ -658,6 +660,80 @@ loser: |
| 222 return -1; | 222 return -1; |
| 223 } | 223 } |
| 224 | 224 |
| 225 +SECStatus | 225 +SECStatus |
| 226 +ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, | 226 +ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, |
| 227 + SECItem *data) | 227 + SECItem *data) |
| 228 +{ | 228 +{ |
| 229 + /* If we didn't request this extension, then the server may not echo it. */ | 229 + /* If we didn't request this extension, then the server may not echo it. */ |
| 230 + if (!ss->opt.enableOCSPStapling) | 230 + if (!ss->opt.enableOCSPStapling) |
| 231 + return SECFailure; | 231 + return SECFailure; |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 292 + } else if (maxBytes < extension_length) { | 292 + } else if (maxBytes < extension_length) { |
| 293 + PORT_Assert(0); | 293 + PORT_Assert(0); |
| 294 + return 0; | 294 + return 0; |
| 295 + } | 295 + } |
| 296 + return extension_length; | 296 + return extension_length; |
| 297 +} | 297 +} |
| 298 + | 298 + |
| 299 /* | 299 /* |
| 300 * NewSessionTicket | 300 * NewSessionTicket |
| 301 * Called from ssl3_HandleFinished | 301 * Called from ssl3_HandleFinished |
| 302 diff -up a/src/net/third_party/nss/ssl/ssl3prot.h b/src/net/third_party/nss/ssl/
ssl3prot.h | 302 diff -pu -r a/src/net/third_party/nss/ssl/ssl3prot.h b/src/net/third_party/nss/s
sl/ssl3prot.h |
| 303 --- a/src/net/third_party/nss/ssl/ssl3prot.h 2011-10-28 17:29:11.000000000 -0
700 | 303 --- a/src/net/third_party/nss/ssl/ssl3prot.h 2011-10-28 17:29:11.000000000 -0
700 |
| 304 +++ b/src/net/third_party/nss/ssl/ssl3prot.h» 2012-02-28 19:12:51.845953454 -0
800 | 304 +++ b/src/net/third_party/nss/ssl/ssl3prot.h» 2012-03-19 14:34:51.624539293 -0
700 |
| 305 @@ -158,6 +158,7 @@ typedef enum { | 305 @@ -158,6 +158,7 @@ typedef enum { |
| 306 certificate_verify = 15, | 306 certificate_verify = 15, |
| 307 client_key_exchange = 16, | 307 client_key_exchange = 16, |
| 308 finished = 20, | 308 finished = 20, |
| 309 + certificate_status = 22, | 309 + certificate_status = 22, |
| 310 next_proto = 67 | 310 next_proto = 67 |
| 311 } SSL3HandshakeType; | 311 } SSL3HandshakeType; |
| 312 | 312 |
| 313 diff -up a/src/net/third_party/nss/ssl/sslerr.h b/src/net/third_party/nss/ssl/ss
lerr.h | 313 diff -pu -r a/src/net/third_party/nss/ssl/sslerr.h b/src/net/third_party/nss/ssl
/sslerr.h |
| 314 --- a/src/net/third_party/nss/ssl/sslerr.h» 2012-02-11 04:55:58.000000000 -0
800 | 314 --- a/src/net/third_party/nss/ssl/sslerr.h» 2012-03-10 20:32:35.000000000 -0
800 |
| 315 +++ b/src/net/third_party/nss/ssl/sslerr.h» 2012-02-28 18:58:06.733056235 -0
800 | 315 +++ b/src/net/third_party/nss/ssl/sslerr.h» 2012-03-19 14:35:47.275278925 -0
700 |
| 316 @@ -211,6 +211,8 @@ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 | 316 @@ -213,6 +213,8 @@ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIE |
| 317 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS = (SSL_ERROR_BASE + 118), | |
| 318 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS = (SSL_ERROR_BASE + 119), | |
| 319 | 317 |
| 320 +SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 120), | 318 SSL_ERROR_INVALID_VERSION_RANGE» » = (SSL_ERROR_BASE + 120), |
| 319 |
| 320 +SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 121), |
| 321 + | 321 + |
| 322 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ | 322 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ |
| 323 } SSLErrorCodes; | 323 } SSLErrorCodes; |
| 324 #endif /* NO_SECURITY_ERROR_ENUM */ | 324 #endif /* NO_SECURITY_ERROR_ENUM */ |
| 325 diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/s
slimpl.h | 325 diff -pu -r a/src/net/third_party/nss/ssl/SSLerrs.h b/src/net/third_party/nss/ss
l/SSLerrs.h |
| 326 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-28 17:48:46.326209244 -0
800 | 326 --- a/src/net/third_party/nss/ssl/SSLerrs.h» 2012-03-10 20:32:34.000000000 -0
800 |
| 327 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-02-28 19:05:14.299310096 -0
800 | 327 +++ b/src/net/third_party/nss/ssl/SSLerrs.h» 2012-03-19 14:38:37.757544584 -0
700 |
| 328 @@ -420,3 +420,6 @@ ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_ |
| 329 |
| 330 ER3(SSL_ERROR_INVALID_VERSION_RANGE, (SSL_ERROR_BASE + 120), |
| 331 "SSL version range is not valid.") |
| 332 + |
| 333 +ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, (SSL_ERROR_BASE + 121), |
| 334 +"SSL received an unexpected Certificate Status handshake message.") |
| 335 diff -pu -r a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ss
l/sslimpl.h |
| 336 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 14:34:10.093984221 -0
700 |
| 337 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 14:34:51.634539426 -0
700 |
| 328 @@ -339,6 +339,7 @@ typedef struct sslOptionsStr { | 338 @@ -339,6 +339,7 @@ typedef struct sslOptionsStr { |
| 329 unsigned int requireSafeNegotiation : 1; /* 22 */ | 339 unsigned int requireSafeNegotiation : 1; /* 22 */ |
| 330 unsigned int enableFalseStart : 1; /* 23 */ | 340 unsigned int enableFalseStart : 1; /* 23 */ |
| 331 unsigned int cbcRandomIV : 1; /* 24 */ | 341 unsigned int cbcRandomIV : 1; /* 24 */ |
| 332 + unsigned int enableOCSPStapling : 1; /* 25 */ | 342 + unsigned int enableOCSPStapling : 1; /* 25 */ |
| 333 } sslOptions; | 343 } sslOptions; |
| 334 | 344 |
| 335 typedef enum { sslHandshakingUndetermined = 0, | 345 typedef enum { sslHandshakingUndetermined = 0, |
| 336 @@ -782,6 +783,14 @@ const ssl3CipherSuiteDef *suite_def; | 346 @@ -783,6 +784,14 @@ const ssl3CipherSuiteDef *suite_def; |
| 337 PRBool isResuming; /* are we resuming a session */ | 347 PRBool isResuming; /* are we resuming a session */ |
| 338 PRBool usedStepDownKey; /* we did a server key exchange. */ | 348 PRBool usedStepDownKey; /* we did a server key exchange. */ |
| 339 PRBool sendingSCSV; /* instead of empty RI */ | 349 PRBool sendingSCSV; /* instead of empty RI */ |
| 340 + PRBool may_get_cert_status; /* the server echoed a | 350 + PRBool may_get_cert_status; /* the server echoed a |
| 341 + * status_request extension so | 351 + * status_request extension so |
| 342 + * may send a CertificateStatus | 352 + * may send a CertificateStatus |
| 343 + * handshake message. */ | 353 + * handshake message. */ |
| 344 + SECItem pending_cert_msg; /* a Certificate message which we | 354 + SECItem pending_cert_msg; /* a Certificate message which we |
| 345 + * save temporarily if we may get | 355 + * save temporarily if we may get |
| 346 + * a CertificateStatus message */ | 356 + * a CertificateStatus message */ |
| 347 + SECItem cert_status; /* an OCSP response */ | 357 + SECItem cert_status; /* an OCSP response */ |
| 348 sslBuffer msgState; /* current state for handshake messages*
/ | 358 sslBuffer msgState; /* current state for handshake messages*
/ |
| 349 /* protected by recvBufLock */ | 359 /* protected by recvBufLock */ |
| 350 sslBuffer messages; /* Accumulated handshake messages */ | 360 sslBuffer messages; /* Accumulated handshake messages */ |
| 351 @@ -1527,6 +1536,8 @@ extern SECStatus ssl3_HandleSupportedPoi | 361 @@ -1548,6 +1557,8 @@ extern SECStatus ssl3_HandleSupportedPoi |
| 352 PRUint16 ex_type, SECItem *data); | 362 PRUint16 ex_type, SECItem *data); |
| 353 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, | 363 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, |
| 354 PRUint16 ex_type, SECItem *data); | 364 PRUint16 ex_type, SECItem *data); |
| 355 +extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, | 365 +extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, |
| 356 + PRUint16 ex_type, SECItem *data); | 366 + PRUint16 ex_type, SECItem *data); |
| 357 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, | 367 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, |
| 358 PRUint16 ex_type, SECItem *data); | 368 PRUint16 ex_type, SECItem *data); |
| 359 | 369 |
| 360 @@ -1536,6 +1547,8 @@ extern SECStatus ssl3_ServerHandleSessio | 370 @@ -1557,6 +1568,8 @@ extern SECStatus ssl3_ServerHandleSessio |
| 361 */ | 371 */ |
| 362 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append, | 372 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append, |
| 363 PRUint32 maxBytes); | 373 PRUint32 maxBytes); |
| 364 +extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, | 374 +extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, |
| 365 + PRUint32 maxBytes); | 375 + PRUint32 maxBytes); |
| 366 | 376 |
| 367 /* ClientHello and ServerHello extension senders. | 377 /* ClientHello and ServerHello extension senders. |
| 368 * The code is in ssl3ext.c. | 378 * The code is in ssl3ext.c. |
| 369 diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/s
slsock.c | 379 diff -pu -r a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ss
l/sslsock.c |
| 370 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-02-28 16:15:34.790321976 -0
800 | 380 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 14:34:10.083984085 -0
700 |
| 371 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-02-28 19:12:51.845953454 -0
800 | 381 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 14:34:51.634539426 -0
700 |
| 372 @@ -185,7 +185,8 @@ static sslOptions ssl_defaults = { | 382 @@ -185,7 +185,8 @@ static sslOptions ssl_defaults = { |
| 373 2, /* enableRenegotiation (default: requires extension) */ | 383 2, /* enableRenegotiation (default: requires extension) */ |
| 374 PR_FALSE, /* requireSafeNegotiation */ | 384 PR_FALSE, /* requireSafeNegotiation */ |
| 375 PR_FALSE, /* enableFalseStart */ | 385 PR_FALSE, /* enableFalseStart */ |
| 376 - PR_TRUE /* cbcRandomIV */ | 386 - PR_TRUE /* cbcRandomIV */ |
| 377 + PR_TRUE, /* cbcRandomIV */ | 387 + PR_TRUE, /* cbcRandomIV */ |
| 378 + PR_FALSE, /* enableOCSPStapling */ | 388 + PR_FALSE, /* enableOCSPStapling */ |
| 379 }; | 389 }; |
| 380 | 390 |
| 381 sslSessionIDLookupFunc ssl_sid_lookup; | 391 /* |
| 382 @@ -741,6 +742,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh | 392 @@ -812,6 +813,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh |
| 383 ss->opt.cbcRandomIV = on; | 393 ss->opt.cbcRandomIV = on; |
| 384 break; | 394 break; |
| 385 | 395 |
| 386 + case SSL_ENABLE_OCSP_STAPLING: | 396 + case SSL_ENABLE_OCSP_STAPLING: |
| 387 + ss->opt.enableOCSPStapling = on; | 397 + ss->opt.enableOCSPStapling = on; |
| 388 + break; | 398 + break; |
| 389 + | 399 + |
| 390 default: | 400 default: |
| 391 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 401 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 392 rv = SECFailure; | 402 rv = SECFailure; |
| 393 @@ -806,6 +811,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh | 403 @@ -881,6 +886,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh |
| 394 on = ss->opt.requireSafeNegotiation; break; | 404 on = ss->opt.requireSafeNegotiation; break; |
| 395 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | 405 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; |
| 396 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | 406 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
| 397 + case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | 407 + case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
| 398 | 408 |
| 399 default: | 409 default: |
| 400 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 410 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 401 @@ -860,6 +866,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo | 411 @@ -939,6 +945,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo |
| 402 break; | 412 break; |
| 403 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; | 413 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; |
| 404 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; | 414 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; |
| 405 + case SSL_ENABLE_OCSP_STAPLING: | 415 + case SSL_ENABLE_OCSP_STAPLING: |
| 406 + on = ssl_defaults.enableOCSPStapling; | 416 + on = ssl_defaults.enableOCSPStapling; |
| 407 + break; | 417 + break; |
| 408 | 418 |
| 409 default: | 419 default: |
| 410 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 420 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 411 @@ -1019,6 +1028,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo | 421 @@ -1098,6 +1107,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo |
| 412 ssl_defaults.cbcRandomIV = on; | 422 ssl_defaults.cbcRandomIV = on; |
| 413 break; | 423 break; |
| 414 | 424 |
| 415 + case SSL_ENABLE_OCSP_STAPLING: | 425 + case SSL_ENABLE_OCSP_STAPLING: |
| 416 + ssl_defaults.enableOCSPStapling = on; | 426 + ssl_defaults.enableOCSPStapling = on; |
| 417 + break; | 427 + break; |
| 418 + | 428 + |
| 419 default: | 429 default: |
| 420 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 430 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 421 return SECFailure; | 431 return SECFailure; |
| 422 @@ -1537,6 +1550,36 @@ loser: | 432 @@ -1735,6 +1748,36 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons |
| 423 #endif | 433 return SECSuccess; |
| 424 } | 434 } |
| 425 | 435 |
| 426 +SECStatus | 436 +SECStatus |
| 427 +SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, | 437 +SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, |
| 428 + unsigned int *len) { | 438 + unsigned int *len) { |
| 429 + sslSocket *ss = ssl_FindSocket(fd); | 439 + sslSocket *ss = ssl_FindSocket(fd); |
| 430 + | 440 + |
| 431 + if (!ss) { | 441 + if (!ss) { |
| 432 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse", | 442 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse", |
| 433 + SSL_GETPID(), fd)); | 443 + SSL_GETPID(), fd)); |
| (...skipping 15 matching lines...) Expand all Loading... |
| 449 + | 459 + |
| 450 + ssl_ReleaseSSL3HandshakeLock(ss); | 460 + ssl_ReleaseSSL3HandshakeLock(ss); |
| 451 + ssl_Release1stHandshakeLock(ss); | 461 + ssl_Release1stHandshakeLock(ss); |
| 452 + | 462 + |
| 453 + return SECSuccess; | 463 + return SECSuccess; |
| 454 +} | 464 +} |
| 455 + | 465 + |
| 456 /************************************************************************/ | 466 /************************************************************************/ |
| 457 /* The following functions are the TOP LEVEL SSL functions. | 467 /* The following functions are the TOP LEVEL SSL functions. |
| 458 ** They all get called through the NSPRIOMethods table below. | 468 ** They all get called through the NSPRIOMethods table below. |
| 459 diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt
.h | 469 diff -pu -r a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/s
slt.h |
| 460 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-02-15 13:52:08.000000000 -0
800 | 470 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-03-15 18:23:55.000000000 -0
700 |
| 461 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-02-28 19:12:51.845953454 -0
800 | 471 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-03-19 14:34:51.634539426 -0
700 |
| 462 @@ -198,6 +198,7 @@ typedef enum { | 472 @@ -207,6 +207,7 @@ typedef enum { |
| 463 /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */ | 473 /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */ |
| 464 typedef enum { | 474 typedef enum { |
| 465 ssl_server_name_xtn = 0, | 475 ssl_server_name_xtn = 0, |
| 466 + ssl_cert_status_xtn = 5, | 476 + ssl_cert_status_xtn = 5, |
| 467 #ifdef NSS_ENABLE_ECC | 477 #ifdef NSS_ENABLE_ECC |
| 468 ssl_elliptic_curves_xtn = 10, | 478 ssl_elliptic_curves_xtn = 10, |
| 469 ssl_ec_point_formats_xtn = 11, | 479 ssl_ec_point_formats_xtn = 11, |
| 470 @@ -207,6 +208,6 @@ typedef enum { | 480 @@ -216,6 +217,6 @@ typedef enum { |
| 471 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ | 481 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
| 472 } SSLExtensionType; | 482 } SSLExtensionType; |
| 473 | 483 |
| 474 -#define SSL_MAX_EXTENSIONS 6 | 484 -#define SSL_MAX_EXTENSIONS 6 |
| 475 +#define SSL_MAX_EXTENSIONS 7 | 485 +#define SSL_MAX_EXTENSIONS 7 |
| 476 | 486 |
| 477 #endif /* __sslt_h_ */ | 487 #endif /* __sslt_h_ */ |
| OLD | NEW |