OLD | NEW |
1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c | 1 diff --git a/ssl/SSLerrs.h b/ssl/SSLerrs.h |
2 --- a/nss/lib/ssl/ssl3con.c» 2014-01-18 10:39:50.799150460 -0800 | 2 index 174037b..81da41c 100644 |
3 +++ b/nss/lib/ssl/ssl3con.c» 2014-01-18 10:40:15.489552270 -0800 | 3 --- a/ssl/SSLerrs.h |
4 @@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateSta | 4 +++ b/ssl/SSLerrs.h |
| 5 @@ -422,3 +422,12 @@ ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE +
130), |
| 6 ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131), |
| 7 "The server rejected the handshake because the client downgraded to a lower " |
| 8 "TLS version than the server supports.") |
| 9 + |
| 10 +ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 132), |
| 11 +"SSL received a malformed TLS Channel ID extension.") |
| 12 + |
| 13 +ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 133), |
| 14 +"The application provided an invalid TLS Channel ID key.") |
| 15 + |
| 16 +ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 134), |
| 17 +"The application could not get a TLS Channel ID.") |
| 18 diff --git a/ssl/ssl.h b/ssl/ssl.h |
| 19 index 593dd00..716537d 100644 |
| 20 --- a/ssl/ssl.h |
| 21 +++ b/ssl/ssl.h |
| 22 @@ -1025,6 +1025,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRF
ileDesc * socket, |
| 23 SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd, |
| 24 PRBool *last_handshake_resumed
); |
| 25 |
| 26 +/* See SSL_SetClientChannelIDCallback for usage. If the callback returns |
| 27 + * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in |
| 28 + * the future to restart the handshake. On SECSuccess, the callback must have |
| 29 + * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */ |
| 30 +typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)( |
| 31 + void *arg, |
| 32 + PRFileDesc *fd, |
| 33 + SECKEYPublicKey **out_public_key, |
| 34 + SECKEYPrivateKey **out_private_key); |
| 35 + |
| 36 +/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake |
| 37 + * after a ChannelID callback returned SECWouldBlock. |
| 38 + * |
| 39 + * This function takes ownership of |channelIDPub| and |channelID|. */ |
| 40 +SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq( |
| 41 + PRFileDesc *fd, |
| 42 + SECKEYPublicKey *channelIDPub, |
| 43 + SECKEYPrivateKey *channelID); |
| 44 + |
| 45 +/* SSL_SetClientChannelIDCallback sets a callback function that will be called |
| 46 + * once the server's ServerHello has been processed. This is only applicable to |
| 47 + * a client socket and setting this callback causes the TLS Channel ID |
| 48 + * extension to be advertised. */ |
| 49 +SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback( |
| 50 + PRFileDesc *fd, |
| 51 + SSLClientChannelIDCallback callback, |
| 52 + void *arg); |
| 53 + |
| 54 /* |
| 55 ** How long should we wait before retransmitting the next flight of |
| 56 ** the DTLS handshake? Returns SECFailure if not DTLS or not in a |
| 57 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c |
| 58 index 1852806..45c3454 100644 |
| 59 --- a/ssl/ssl3con.c |
| 60 +++ b/ssl/ssl3con.c |
| 61 @@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateStatus( sslSocket *ss); |
5 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); | 62 static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); |
6 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); | 63 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
7 static SECStatus ssl3_SendNextProto( sslSocket *ss); | 64 static SECStatus ssl3_SendNextProto( sslSocket *ss); |
8 +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); | 65 +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss); |
9 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); | 66 static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
10 static SECStatus ssl3_SendServerHello( sslSocket *ss); | 67 static SECStatus ssl3_SendServerHello( sslSocket *ss); |
11 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); | 68 static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
12 @@ -6221,6 +6222,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS | 69 @@ -6281,6 +6282,15 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi
nt32 length) |
13 } | 70 } |
14 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 71 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
15 | 72 |
16 + if (ss->ssl3.channelID != NULL) { | 73 + if (ss->ssl3.channelID != NULL) { |
17 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID); | 74 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID); |
18 + ss->ssl3.channelID = NULL; | 75 + ss->ssl3.channelID = NULL; |
19 + } | 76 + } |
20 + if (ss->ssl3.channelIDPub != NULL) { | 77 + if (ss->ssl3.channelIDPub != NULL) { |
21 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); | 78 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); |
22 + ss->ssl3.channelIDPub = NULL; | 79 + ss->ssl3.channelIDPub = NULL; |
23 + } | 80 + } |
24 + | 81 + |
25 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); | 82 temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
26 if (temp < 0) { | 83 if (temp < 0) { |
27 goto loser; /* alert has been sent */ | 84 goto loser; /* alert has been sent */ |
28 @@ -6503,7 +6513,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS | 85 @@ -6563,7 +6573,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUin
t32 length) |
29 if (rv != SECSuccess) { | 86 if (rv != SECSuccess) { |
30 goto alert_loser; /* err code was set */ | 87 goto alert_loser; /* err code was set */ |
31 } | 88 } |
32 - return SECSuccess; | 89 - return SECSuccess; |
33 + goto winner; | 90 + goto winner; |
34 } while (0); | 91 } while (0); |
35 | 92 |
36 if (sid_match) | 93 if (sid_match) |
37 @@ -6529,6 +6539,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS | 94 @@ -6589,6 +6599,27 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUi
nt32 length) |
38 | 95 |
39 ss->ssl3.hs.isResuming = PR_FALSE; | 96 ss->ssl3.hs.isResuming = PR_FALSE; |
40 ss->ssl3.hs.ws = wait_server_cert; | 97 ss->ssl3.hs.ws = wait_server_cert; |
41 + | 98 + |
42 +winner: | 99 +winner: |
43 + /* If we will need a ChannelID key then we make the callback now. This | 100 + /* If we will need a ChannelID key then we make the callback now. This |
44 + * allows the handshake to be restarted cleanly if the callback returns | 101 + * allows the handshake to be restarted cleanly if the callback returns |
45 + * SECWouldBlock. */ | 102 + * SECWouldBlock. */ |
46 + if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { | 103 + if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { |
47 + rv = ss->getChannelID(ss->getChannelIDArg, ss->fd, | 104 + rv = ss->getChannelID(ss->getChannelIDArg, ss->fd, |
48 + &ss->ssl3.channelIDPub, &ss->ssl3.channelID); | 105 + &ss->ssl3.channelIDPub, &ss->ssl3.channelID); |
49 + if (rv == SECWouldBlock) { | 106 + if (rv == SECWouldBlock) { |
50 + ssl3_SetAlwaysBlock(ss); | 107 + ssl3_SetAlwaysBlock(ss); |
51 + return rv; | 108 + return rv; |
52 + } | 109 + } |
53 + if (rv != SECSuccess || | 110 + if (rv != SECSuccess || |
54 + ss->ssl3.channelIDPub == NULL || | 111 + ss->ssl3.channelIDPub == NULL || |
55 + ss->ssl3.channelID == NULL) { | 112 + ss->ssl3.channelID == NULL) { |
56 + PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED); | 113 + PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED); |
57 + desc = internal_error; | 114 + desc = internal_error; |
58 + goto alert_loser; | 115 + goto alert_loser; |
59 + } | 116 + } |
60 + } | 117 + } |
61 + | 118 + |
62 return SECSuccess; | 119 return SECSuccess; |
63 | 120 |
64 alert_loser: | 121 alert_loser: |
65 @@ -7490,7 +7521,14 @@ ssl3_SendClientSecondRound(sslSocket *ss | 122 @@ -7550,7 +7581,14 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
66 if (rv != SECSuccess) { | 123 if (rv != SECSuccess) { |
67 goto loser; /* err code was set. */ | 124 goto loser; /* err code was set. */ |
68 } | 125 } |
69 + } | 126 + } |
70 | 127 + |
71 + rv = ssl3_SendEncryptedExtensions(ss); | 128 + rv = ssl3_SendEncryptedExtensions(ss); |
72 + if (rv != SECSuccess) { | 129 + if (rv != SECSuccess) { |
73 + goto loser; /* err code was set. */ | 130 + goto loser; /* err code was set. */ |
74 + } | 131 + } |
75 + | 132 |
76 + if (!ss->firstHsDone) { | 133 + if (!ss->firstHsDone) { |
77 if (ss->opt.enableFalseStart) { | 134 if (ss->opt.enableFalseStart) { |
78 if (!ss->ssl3.hs.authCertificatePending) { | 135 if (!ss->ssl3.hs.authCertificatePending) { |
79 /* When we fix bug 589047, we will need to know whether we are | 136 /* When we fix bug 589047, we will need to know whether we are |
80 @@ -7527,6 +7565,33 @@ ssl3_SendClientSecondRound(sslSocket *ss | 137 @@ -7587,6 +7625,33 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
81 | 138 |
82 ssl_ReleaseXmitBufLock(ss); /*******************************
/ | 139 ssl_ReleaseXmitBufLock(ss); /*******************************
/ |
83 | 140 |
84 + if (!ss->ssl3.hs.isResuming && | 141 + if (!ss->ssl3.hs.isResuming && |
85 + ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { | 142 + ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) { |
86 + /* If we are negotiating ChannelID on a full handshake then we record | 143 + /* If we are negotiating ChannelID on a full handshake then we record |
87 + * the handshake hashes in |sid| at this point. They will be needed in | 144 + * the handshake hashes in |sid| at this point. They will be needed in |
88 + * the event that we resume this session and use ChannelID on the | 145 + * the event that we resume this session and use ChannelID on the |
89 + * resumption handshake. */ | 146 + * resumption handshake. */ |
90 + SSL3Hashes hashes; | 147 + SSL3Hashes hashes; |
(...skipping 13 matching lines...) Expand all Loading... |
104 + originalHandshakeHash->data = PORT_Alloc(hashes.len); | 161 + originalHandshakeHash->data = PORT_Alloc(hashes.len); |
105 + if (!originalHandshakeHash->data) | 162 + if (!originalHandshakeHash->data) |
106 + return SECFailure; | 163 + return SECFailure; |
107 + originalHandshakeHash->len = hashes.len; | 164 + originalHandshakeHash->len = hashes.len; |
108 + memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len); | 165 + memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len); |
109 + } | 166 + } |
110 + | 167 + |
111 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) | 168 if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) |
112 ss->ssl3.hs.ws = wait_new_session_ticket; | 169 ss->ssl3.hs.ws = wait_new_session_ticket; |
113 else | 170 else |
114 @@ -10494,6 +10559,184 @@ ssl3_RecordKeyLog(sslSocket *ss) | 171 @@ -10582,6 +10647,184 @@ ssl3_RecordKeyLog(sslSocket *ss) |
115 } | 172 } |
116 | 173 |
117 /* called from ssl3_SendClientSecondRound | 174 /* called from ssl3_SendClientSecondRound |
118 + * ssl3_HandleFinished | 175 + * ssl3_HandleFinished |
119 + */ | 176 + */ |
120 +static SECStatus | 177 +static SECStatus |
121 +ssl3_SendEncryptedExtensions(sslSocket *ss) | 178 +ssl3_SendEncryptedExtensions(sslSocket *ss) |
122 +{ | 179 +{ |
123 + static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature"; | 180 + static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature"; |
124 + static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption"; | 181 + static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption"; |
(...skipping 164 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
289 + ss->ssl3.channelID = channelID; | 346 + ss->ssl3.channelID = channelID; |
290 + ss->ssl3.channelIDPub = channelIDPub; | 347 + ss->ssl3.channelIDPub = channelIDPub; |
291 + | 348 + |
292 + return SECSuccess; | 349 + return SECSuccess; |
293 +} | 350 +} |
294 + | 351 + |
295 +/* called from ssl3_SendClientSecondRound | 352 +/* called from ssl3_SendClientSecondRound |
296 * ssl3_HandleClientHello | 353 * ssl3_HandleClientHello |
297 * ssl3_HandleFinished | 354 * ssl3_HandleFinished |
298 */ | 355 */ |
299 @@ -10753,11 +10996,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O | 356 @@ -10841,11 +11084,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUi
nt32 length, |
300 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; | 357 flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
301 } | 358 } |
302 | 359 |
303 - if (!isServer && !ss->firstHsDone) { | 360 - if (!isServer && !ss->firstHsDone) { |
304 - rv = ssl3_SendNextProto(ss); | 361 - rv = ssl3_SendNextProto(ss); |
305 - if (rv != SECSuccess) { | 362 - if (rv != SECSuccess) { |
306 - goto xmit_loser; /* err code was set. */ | 363 - goto xmit_loser; /* err code was set. */ |
307 + if (!isServer) { | 364 + if (!isServer) { |
308 + if (!ss->firstHsDone) { | 365 + if (!ss->firstHsDone) { |
309 + rv = ssl3_SendNextProto(ss); | 366 + rv = ssl3_SendNextProto(ss); |
310 + if (rv != SECSuccess) { | 367 + if (rv != SECSuccess) { |
311 + goto xmit_loser; /* err code was set. */ | 368 + goto xmit_loser; /* err code was set. */ |
312 + } | 369 + } |
313 } | 370 } |
314 + rv = ssl3_SendEncryptedExtensions(ss); | 371 + rv = ssl3_SendEncryptedExtensions(ss); |
315 + if (rv != SECSuccess) | 372 + if (rv != SECSuccess) |
316 + goto xmit_loser; /* err code was set. */ | 373 + goto xmit_loser; /* err code was set. */ |
317 } | 374 } |
318 | 375 |
319 if (IS_DTLS(ss)) { | 376 if (IS_DTLS(ss)) { |
320 @@ -12237,6 +12485,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 377 @@ -12325,6 +12573,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
321 ssl_FreePlatformKey(ss->ssl3.platformClientKey); | 378 ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
322 #endif /* NSS_PLATFORM_CLIENT_AUTH */ | 379 #endif /* NSS_PLATFORM_CLIENT_AUTH */ |
323 | 380 |
324 + if (ss->ssl3.channelID) | 381 + if (ss->ssl3.channelID) |
325 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID); | 382 + SECKEY_DestroyPrivateKey(ss->ssl3.channelID); |
326 + if (ss->ssl3.channelIDPub) | 383 + if (ss->ssl3.channelIDPub) |
327 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); | 384 + SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub); |
328 + | 385 + |
329 if (ss->ssl3.peerCertArena != NULL) | 386 if (ss->ssl3.peerCertArena != NULL) |
330 ssl3_CleanupPeerCerts(ss); | 387 ssl3_CleanupPeerCerts(ss); |
331 | 388 |
332 diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c | 389 diff --git a/ssl/ssl3ext.c b/ssl/ssl3ext.c |
333 --- a/nss/lib/ssl/ssl3ext.c» 2014-01-18 10:39:50.749149654 -0800 | 390 index 9345be8..b6ed17d 100644 |
334 +++ b/nss/lib/ssl/ssl3ext.c» 2014-01-18 10:43:52.543083984 -0800 | 391 --- a/ssl/ssl3ext.c |
335 @@ -64,6 +64,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSo | 392 +++ b/ssl/ssl3ext.c |
| 393 @@ -68,6 +68,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool appe
nd, |
336 PRUint32 maxBytes); | 394 PRUint32 maxBytes); |
337 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, | 395 static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, |
338 SECItem *data); | 396 SECItem *data); |
339 +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, | 397 +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss, |
340 + PRUint16 ex_type, SECItem *data); | 398 + PRUint16 ex_type, SECItem *data); |
341 +static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, | 399 +static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, |
342 + PRUint32 maxBytes); | 400 + PRUint32 maxBytes); |
343 static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss, | 401 static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss, |
344 PRBool append, PRUint32 maxBytes); | 402 PRBool append, PRUint32 maxBytes); |
345 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, | 403 static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, |
346 @@ -253,6 +257,7 @@ static const ssl3HelloExtensionHandler s | 404 @@ -264,6 +268,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTL
S[] = { |
347 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | 405 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
348 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, | 406 { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, |
349 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, | 407 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, |
350 + { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, | 408 + { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, |
351 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | 409 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
352 { -1, NULL } | 410 { -1, NULL } |
353 }; | 411 }; |
354 @@ -280,6 +285,7 @@ ssl3HelloExtensionSender clientHelloSend | 412 @@ -291,6 +296,7 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTEN
SIONS] = { |
355 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | 413 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
356 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, | 414 { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, |
357 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, | 415 { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, |
358 + { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, | 416 + { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
359 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, | 417 { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
360 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } | 418 { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, |
361 /* any extra entries will appear as { 0, NULL } */ | 419 { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, |
362 @@ -795,6 +801,61 @@ loser: | 420 @@ -910,6 +916,61 @@ ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, P
RUint32 maxBytes) |
363 return -1; | |
364 } | 421 } |
365 | 422 |
366 +static SECStatus | 423 static SECStatus |
367 +ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, | 424 +ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, |
368 + SECItem *data) | 425 + SECItem *data) |
369 +{ | 426 +{ |
370 + PORT_Assert(ss->getChannelID != NULL); | 427 + PORT_Assert(ss->getChannelID != NULL); |
371 + | 428 + |
372 + if (data->len) { | 429 + if (data->len) { |
373 + PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); | 430 + PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA); |
374 + return SECFailure; | 431 + return SECFailure; |
375 + } | 432 + } |
376 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; | 433 + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
411 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = | 468 + ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
412 + ssl_channel_id_xtn; | 469 + ssl_channel_id_xtn; |
413 + } | 470 + } |
414 + | 471 + |
415 + return extension_length; | 472 + return extension_length; |
416 + | 473 + |
417 +loser: | 474 +loser: |
418 + return -1; | 475 + return -1; |
419 +} | 476 +} |
420 + | 477 + |
421 static SECStatus | 478 +static SECStatus |
422 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, | 479 ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, |
423 SECItem *data) | 480 SECItem *data) |
424 diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h | 481 { |
425 --- a/nss/lib/ssl/ssl3prot.h» 2014-01-18 10:39:34.278881614 -0800 | 482 diff --git a/ssl/ssl3prot.h b/ssl/ssl3prot.h |
426 +++ b/nss/lib/ssl/ssl3prot.h» 2014-01-18 10:40:15.499552430 -0800 | 483 index 485d7dd..78fbcaa 100644 |
427 @@ -129,7 +129,8 @@ typedef enum { | 484 --- a/ssl/ssl3prot.h |
428 client_key_exchange» = 16, | 485 +++ b/ssl/ssl3prot.h |
429 finished» » = 20, | 486 @@ -136,7 +136,8 @@ typedef enum { |
| 487 client_key_exchange = 16, |
| 488 finished = 20, |
430 certificate_status = 22, | 489 certificate_status = 22, |
431 - next_proto»» = 67 | 490 - next_proto = 67 |
432 + next_proto»» = 67, | 491 + next_proto = 67, |
433 + encrypted_extensions= 203 | 492 + encrypted_extensions = 203, |
434 } SSL3HandshakeType; | 493 } SSL3HandshakeType; |
435 | 494 |
436 typedef struct { | 495 typedef struct { |
437 diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c | 496 diff --git a/ssl/sslauth.c b/ssl/sslauth.c |
438 --- a/nss/lib/ssl/sslauth.c» 2014-01-18 10:39:50.749149654 -0800 | 497 index 7f9c43b..c2d9201 100644 |
439 +++ b/nss/lib/ssl/sslauth.c» 2014-01-18 10:40:15.499552430 -0800 | 498 --- a/ssl/sslauth.c |
440 @@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, | 499 +++ b/ssl/sslauth.c |
| 500 @@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthDa
ta func, |
441 return SECSuccess; | 501 return SECSuccess; |
442 } | 502 } |
443 | 503 |
444 +SECStatus | 504 +SECStatus |
445 +SSL_SetClientChannelIDCallback(PRFileDesc *fd, | 505 +SSL_SetClientChannelIDCallback(PRFileDesc *fd, |
446 + SSLClientChannelIDCallback callback, | 506 + SSLClientChannelIDCallback callback, |
447 + void *arg) { | 507 + void *arg) { |
448 + sslSocket *ss = ssl_FindSocket(fd); | 508 + sslSocket *ss = ssl_FindSocket(fd); |
449 + | 509 + |
450 + if (!ss) { | 510 + if (!ss) { |
451 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback", | 511 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback", |
452 + SSL_GETPID(), fd)); | 512 + SSL_GETPID(), fd)); |
453 + return SECFailure; | 513 + return SECFailure; |
454 + } | 514 + } |
455 + | 515 + |
456 + ss->getChannelID = callback; | 516 + ss->getChannelID = callback; |
457 + ss->getChannelIDArg = arg; | 517 + ss->getChannelIDArg = arg; |
458 + | 518 + |
459 + return SECSuccess; | 519 + return SECSuccess; |
460 +} | 520 +} |
461 + | 521 + |
462 #ifdef NSS_PLATFORM_CLIENT_AUTH | 522 #ifdef NSS_PLATFORM_CLIENT_AUTH |
463 /* NEED LOCKS IN HERE. */ | 523 /* NEED LOCKS IN HERE. */ |
464 SECStatus | 524 SECStatus |
465 diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h | 525 diff --git a/ssl/sslerr.h b/ssl/sslerr.h |
466 --- a/nss/lib/ssl/sslerr.h» 2014-01-18 10:39:34.288881780 -0800 | 526 index 12dbb1d..24bf893 100644 |
467 +++ b/nss/lib/ssl/sslerr.h» 2014-01-18 10:40:15.499552430 -0800 | 527 --- a/ssl/sslerr.h |
468 @@ -193,6 +193,10 @@ SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = ( | 528 +++ b/ssl/sslerr.h |
469 SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127), | 529 @@ -198,6 +198,10 @@ SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL = (SSL_ERROR_BASE +
130), |
470 SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128), | |
471 | 530 |
472 +SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129), | 531 SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT = (SSL_ERROR_BASE + 131), |
473 +SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130), | 532 |
474 +SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131), | 533 +SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 132), |
| 534 +SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 133), |
| 535 +SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 134), |
475 + | 536 + |
476 SSL_ERROR_END_OF_LIST» /* let the c compiler determine the value of this. */ | 537 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ |
477 } SSLErrorCodes; | 538 } SSLErrorCodes; |
478 #endif /* NO_SECURITY_ERROR_ENUM */ | 539 #endif /* NO_SECURITY_ERROR_ENUM */ |
479 diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h | 540 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h |
480 --- a/nss/lib/ssl/SSLerrs.h» 2014-01-18 10:39:34.238880964 -0800 | 541 index c6ac398..57346cb 100644 |
481 +++ b/nss/lib/ssl/SSLerrs.h» 2014-01-18 10:40:15.499552430 -0800 | 542 --- a/ssl/sslimpl.h |
482 @@ -412,3 +412,12 @@ ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR | 543 +++ b/ssl/sslimpl.h |
483 | 544 @@ -711,6 +711,14 @@ struct sslSessionIDStr { |
484 ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128), | |
485 "Incorrect signature algorithm specified in a digitally-signed element.") | |
486 + | |
487 +ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 129), | |
488 +"SSL received a malformed TLS Channel ID extension.") | |
489 + | |
490 +ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 130), | |
491 +"The application provided an invalid TLS Channel ID key.") | |
492 + | |
493 +ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131), | |
494 +"The application could not get a TLS Channel ID.") | |
495 diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h | |
496 --- a/nss/lib/ssl/ssl.h»2014-01-18 10:39:50.799150460 -0800 | |
497 +++ b/nss/lib/ssl/ssl.h»2014-01-18 10:40:15.499552430 -0800 | |
498 @@ -1015,6 +1015,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti | |
499 SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd, | |
500 PRBool *last_handshake_resumed
); | |
501 | |
502 +/* See SSL_SetClientChannelIDCallback for usage. If the callback returns | |
503 + * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in | |
504 + * the future to restart the handshake. On SECSuccess, the callback must have | |
505 + * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */ | |
506 +typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)( | |
507 + void *arg, | |
508 + PRFileDesc *fd, | |
509 + SECKEYPublicKey **out_public_key, | |
510 + SECKEYPrivateKey **out_private_key); | |
511 + | |
512 +/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake | |
513 + * after a ChannelID callback returned SECWouldBlock. | |
514 + * | |
515 + * This function takes ownership of |channelIDPub| and |channelID|. */ | |
516 +SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq( | |
517 + PRFileDesc *fd, | |
518 + SECKEYPublicKey *channelIDPub, | |
519 + SECKEYPrivateKey *channelID); | |
520 + | |
521 +/* SSL_SetClientChannelIDCallback sets a callback function that will be called | |
522 + * once the server's ServerHello has been processed. This is only applicable to | |
523 + * a client socket and setting this callback causes the TLS Channel ID | |
524 + * extension to be advertised. */ | |
525 +SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback( | |
526 + PRFileDesc *fd, | |
527 + SSLClientChannelIDCallback callback, | |
528 + void *arg); | |
529 + | |
530 /* | |
531 ** How long should we wait before retransmitting the next flight of | |
532 ** the DTLS handshake? Returns SECFailure if not DTLS or not in a | |
533 diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h | |
534 --- a/nss/lib/ssl/sslimpl.h» 2014-01-18 10:39:50.799150460 -0800 | |
535 +++ b/nss/lib/ssl/sslimpl.h» 2014-01-18 10:40:15.499552430 -0800 | |
536 @@ -709,6 +709,14 @@ struct sslSessionIDStr { | |
537 | 545 |
538 SECItem srvName; | 546 SECItem srvName; |
539 | 547 |
540 + /* originalHandshakeHash contains the hash of the original, full | 548 + /* originalHandshakeHash contains the hash of the original, full |
541 + * handshake prior to the server's final flow. This is either a | 549 + * handshake prior to the server's final flow. This is either a |
542 + * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for | 550 + * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for |
543 + * TLS 1.2). This is recorded and used only when ChannelID is | 551 + * TLS 1.2). This is recorded and used only when ChannelID is |
544 + * negotiated as it's used to bind the ChannelID signature on the | 552 + * negotiated as it's used to bind the ChannelID signature on the |
545 + * resumption handshake to the original handshake. */ | 553 + * resumption handshake to the original handshake. */ |
546 + SECItem originalHandshakeHash; | 554 + SECItem originalHandshakeHash; |
547 + | 555 + |
548 /* This lock is lazily initialized by CacheSID when a sid is first | 556 /* This lock is lazily initialized by CacheSID when a sid is first |
549 * cached. Before then, there is no need to lock anything because | 557 * cached. Before then, there is no need to lock anything because |
550 * the sid isn't being shared by anything. | 558 * the sid isn't being shared by anything. |
551 @@ -978,6 +986,9 @@ struct ssl3StateStr { | 559 @@ -980,6 +988,9 @@ struct ssl3StateStr { |
552 CERTCertificateList *clientCertChain; /* used by client */ | 560 CERTCertificateList *clientCertChain; /* used by client */ |
553 PRBool sendEmptyCert; /* used by client */ | 561 PRBool sendEmptyCert; /* used by client */ |
554 | 562 |
555 + SECKEYPrivateKey *channelID; /* used by client */ | 563 + SECKEYPrivateKey *channelID; /* used by client */ |
556 + SECKEYPublicKey *channelIDPub; /* used by client */ | 564 + SECKEYPublicKey *channelIDPub; /* used by client */ |
557 + | 565 + |
558 int policy; | 566 int policy; |
559 /* This says what cipher suites we can do, and should | 567 /* This says what cipher suites we can do, and should |
560 * be either SSL_ALLOWED or SSL_RESTRICTED | 568 * be either SSL_ALLOWED or SSL_RESTRICTED |
561 @@ -1255,6 +1266,8 @@ const unsigned char * preferredCipher; | 569 @@ -1257,6 +1268,8 @@ const unsigned char * preferredCipher; |
562 void *pkcs11PinArg; | 570 void *pkcs11PinArg; |
563 SSLNextProtoCallback nextProtoCallback; | 571 SSLNextProtoCallback nextProtoCallback; |
564 void *nextProtoArg; | 572 void *nextProtoArg; |
565 + SSLClientChannelIDCallback getChannelID; | 573 + SSLClientChannelIDCallback getChannelID; |
566 + void *getChannelIDArg; | 574 + void *getChannelIDArg; |
567 | 575 |
568 PRIntervalTime rTimeout; /* timeout for NSPR I/O */ | 576 PRIntervalTime rTimeout; /* timeout for NSPR I/O */ |
569 PRIntervalTime wTimeout; /* timeout for NSPR I/O */ | 577 PRIntervalTime wTimeout; /* timeout for NSPR I/O */ |
570 @@ -1599,6 +1612,11 @@ extern SECStatus ssl3_RestartHandshakeAf | 578 @@ -1603,6 +1616,11 @@ extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSoc
ket * ss, |
571 SECKEYPrivateKey * key, | 579 SECKEYPrivateKey * key, |
572 CERTCertificateList *certChain); | 580 CERTCertificateList *certChain); |
573 | 581 |
574 +extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq( | 582 +extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq( |
575 + sslSocket *ss, | 583 + sslSocket *ss, |
576 + SECKEYPublicKey *channelIDPub, | 584 + SECKEYPublicKey *channelIDPub, |
577 + SECKEYPrivateKey *channelID); | 585 + SECKEYPrivateKey *channelID); |
578 + | 586 + |
579 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
; | 587 extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
; |
580 | 588 |
581 /* | 589 /* |
582 diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c | 590 diff --git a/ssl/sslnonce.c b/ssl/sslnonce.c |
583 --- a/nss/lib/ssl/sslnonce.c» 2014-01-18 10:39:50.739149486 -0800 | 591 index be11008..1326a8b 100644 |
584 +++ b/nss/lib/ssl/sslnonce.c» 2014-01-18 10:40:15.499552430 -0800 | 592 --- a/ssl/sslnonce.c |
| 593 +++ b/ssl/sslnonce.c |
585 @@ -180,6 +180,9 @@ ssl_DestroySID(sslSessionID *sid) | 594 @@ -180,6 +180,9 @@ ssl_DestroySID(sslSessionID *sid) |
586 if (sid->u.ssl3.srvName.data) { | 595 if (sid->u.ssl3.srvName.data) { |
587 SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); | 596 SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); |
588 } | 597 } |
589 + if (sid->u.ssl3.originalHandshakeHash.data) { | 598 + if (sid->u.ssl3.originalHandshakeHash.data) { |
590 + SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); | 599 + SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE); |
591 + } | 600 + } |
592 | 601 |
593 if (sid->u.ssl3.lock) { | 602 if (sid->u.ssl3.lock) { |
594 PR_DestroyRWLock(sid->u.ssl3.lock); | 603 PR_DestroyRWLock(sid->u.ssl3.lock); |
595 diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c | 604 diff --git a/ssl/sslsecur.c b/ssl/sslsecur.c |
596 --- a/nss/lib/ssl/sslsecur.c» 2014-01-18 10:39:50.799150460 -0800 | 605 index d44336e..5c6751a 100644 |
597 +++ b/nss/lib/ssl/sslsecur.c» 2014-01-18 10:40:15.499552430 -0800 | 606 --- a/ssl/sslsecur.c |
598 @@ -1584,6 +1584,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD | 607 +++ b/ssl/sslsecur.c |
| 608 @@ -1582,6 +1582,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileDesc * fd, |
599 return ret; | 609 return ret; |
600 } | 610 } |
601 | 611 |
602 +SECStatus | 612 +SECStatus |
603 +SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc * fd, | 613 +SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc * fd, |
604 + SECKEYPublicKey * channelIDPub, | 614 + SECKEYPublicKey * channelIDPub, |
605 + SECKEYPrivateKey *channelID) | 615 + SECKEYPrivateKey *channelID) |
606 +{ | 616 +{ |
607 + sslSocket * ss = ssl_FindSocket(fd); | 617 + sslSocket * ss = ssl_FindSocket(fd); |
608 + SECStatus ret; | 618 + SECStatus ret; |
(...skipping 22 matching lines...) Expand all Loading... |
631 + | 641 + |
632 +loser: | 642 +loser: |
633 + SECKEY_DestroyPublicKey(channelIDPub); | 643 + SECKEY_DestroyPublicKey(channelIDPub); |
634 + SECKEY_DestroyPrivateKey(channelID); | 644 + SECKEY_DestroyPrivateKey(channelID); |
635 + return SECFailure; | 645 + return SECFailure; |
636 +} | 646 +} |
637 + | 647 + |
638 /* DO NOT USE. This function was exported in ssl.def with the wrong signature; | 648 /* DO NOT USE. This function was exported in ssl.def with the wrong signature; |
639 * this implementation exists to maintain link-time compatibility. | 649 * this implementation exists to maintain link-time compatibility. |
640 */ | 650 */ |
641 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c | 651 diff --git a/ssl/sslsock.c b/ssl/sslsock.c |
642 --- a/nss/lib/ssl/sslsock.c» 2014-01-18 10:39:50.769149984 -0800 | 652 index a939781..d3f3bf4 100644 |
643 +++ b/nss/lib/ssl/sslsock.c» 2014-01-18 10:40:15.499552430 -0800 | 653 --- a/ssl/sslsock.c |
644 @@ -276,6 +276,8 @@ ssl_DupSocket(sslSocket *os) | 654 +++ b/ssl/sslsock.c |
645 » ss->canFalseStartCallback = os->canFalseStartCallback; | 655 @@ -288,6 +288,8 @@ ssl_DupSocket(sslSocket *os) |
646 » ss->canFalseStartCallbackData = os->canFalseStartCallbackData; | 656 ss->canFalseStartCallback = os->canFalseStartCallback; |
647 » ss->pkcs11PinArg = os->pkcs11PinArg; | 657 ss->canFalseStartCallbackData = os->canFalseStartCallbackData; |
648 +» ss->getChannelID = os->getChannelID; | 658 ss->pkcs11PinArg = os->pkcs11PinArg; |
649 +» ss->getChannelIDArg = os->getChannelIDArg; | 659 + ss->getChannelID = os->getChannelID; |
650 | 660 + ss->getChannelIDArg = os->getChannelIDArg; |
651 » /* Create security data */ | 661 |
652 » rv = ssl_CopySecurityInfo(ss, os); | 662 /* Create security data */ |
653 @@ -1691,6 +1693,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile | 663 rv = ssl_CopySecurityInfo(ss, os); |
| 664 @@ -1733,6 +1735,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
654 ss->handshakeCallbackData = sm->handshakeCallbackData; | 665 ss->handshakeCallbackData = sm->handshakeCallbackData; |
655 if (sm->pkcs11PinArg) | 666 if (sm->pkcs11PinArg) |
656 ss->pkcs11PinArg = sm->pkcs11PinArg; | 667 ss->pkcs11PinArg = sm->pkcs11PinArg; |
657 + if (sm->getChannelID) | 668 + if (sm->getChannelID) |
658 + ss->getChannelID = sm->getChannelID; | 669 + ss->getChannelID = sm->getChannelID; |
659 + if (sm->getChannelIDArg) | 670 + if (sm->getChannelIDArg) |
660 + ss->getChannelIDArg = sm->getChannelIDArg; | 671 + ss->getChannelIDArg = sm->getChannelIDArg; |
661 return fd; | 672 return fd; |
662 loser: | 673 loser: |
663 return NULL; | 674 return NULL; |
664 @@ -2968,6 +2974,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto | 675 @@ -3021,6 +3027,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protoco
lVariant) |
665 » ss->badCertArg = NULL; | 676 ss->badCertArg = NULL; |
666 » ss->pkcs11PinArg = NULL; | 677 ss->pkcs11PinArg = NULL; |
667 » ss->ephemeralECDHKeyPair = NULL; | 678 ss->ephemeralECDHKeyPair = NULL; |
668 +» ss->getChannelID = NULL; | 679 + ss->getChannelID = NULL; |
669 +» ss->getChannelIDArg = NULL; | 680 + ss->getChannelIDArg = NULL; |
670 | 681 |
671 » ssl_ChooseOps(ss); | 682 ssl_ChooseOps(ss); |
672 » ssl2_InitSocketPolicy(ss); | 683 ssl2_InitSocketPolicy(ss); |
673 diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h | 684 diff --git a/ssl/sslt.h b/ssl/sslt.h |
674 --- a/nss/lib/ssl/sslt.h» 2014-01-18 10:39:34.328882426 -0800 | 685 index 1d28feb..0900f28 100644 |
675 +++ b/nss/lib/ssl/sslt.h» 2014-01-18 10:40:15.499552430 -0800 | 686 --- a/ssl/sslt.h |
676 @@ -190,10 +190,11 @@ typedef enum { | 687 +++ b/ssl/sslt.h |
677 ssl_app_layer_protocol_xtn = 16, | 688 @@ -191,10 +191,11 @@ typedef enum { |
| 689 ssl_padding_xtn = 21, |
678 ssl_session_ticket_xtn = 35, | 690 ssl_session_ticket_xtn = 35, |
679 ssl_next_proto_nego_xtn = 13172, | 691 ssl_next_proto_nego_xtn = 13172, |
680 + ssl_channel_id_xtn = 30032, | 692 + ssl_channel_id_xtn = 30032, |
681 ssl_padding_xtn = 35655, | 693 ssl_renegotiation_info_xtn = 0xff01, |
682 ssl_renegotiation_info_xtn = 0xff01» /* experimental number */ | 694 ssl_tls13_draft_version_xtn = 0xff02 /* experimental number */ |
683 } SSLExtensionType; | 695 } SSLExtensionType; |
684 | 696 |
685 -#define SSL_MAX_EXTENSIONS 10 /* doesn't include ssl_padding_xtn. *
/ | 697 -#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. *
/ |
686 +#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. *
/ | 698 +#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. *
/ |
687 | 699 |
688 #endif /* __sslt_h_ */ | 700 #endif /* __sslt_h_ */ |
OLD | NEW |