| Index: net/third_party/nss/patches/signedcertificatetimestamps.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/signedcertificatetimestamps.patch (revision 242942)
|
| +++ net/third_party/nss/patches/signedcertificatetimestamps.patch (working copy)
|
| @@ -1,45 +1,7 @@
|
| -diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
|
| -index 67cc3a7..4cf02aa 100644
|
| ---- a/net/third_party/nss/ssl/ssl.h
|
| -+++ b/net/third_party/nss/ssl/ssl.h
|
| -@@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
|
| - */
|
| - #define SSL_CBC_RANDOM_IV 23
|
| - #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
|
| -+/* Request Signed Certificate Timestamps via TLS extension (client) */
|
| -+#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
|
| -
|
| - #ifdef SSL_DEPRECATED_FUNCTION
|
| - /* Old deprecated function names */
|
| -@@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertificateChain(PRFileDesc *fd);
|
| - */
|
| - SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
|
| -
|
| -+/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp
|
| -+ * extension data provided by the TLS server. The return value is a pointer
|
| -+ * to an internal SECItem that contains the returned response (as a serialized
|
| -+ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only
|
| -+ * valid until the callback function that calls SSL_PeerSignedCertTimestamps
|
| -+ * (e.g. the authenticate certificate hook, or the handshake callback) returns.
|
| -+ *
|
| -+ * If no Signed Certificate Timestamps were given by the server then the result
|
| -+ * will be empty. If there was an error, then the result will be NULL.
|
| -+ *
|
| -+ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support
|
| -+ * for Signed Certificate Timestamps to a server.
|
| -+ *
|
| -+ * libssl does not do any parsing or validation of the response itself.
|
| -+ */
|
| -+SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd);
|
| -+
|
| - /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses
|
| - * in the fd's data, which may be sent as part of a server side cert_status
|
| - * handshake message. Parameter |responses| is for the server certificate of
|
| -diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
|
| -index 0f1eea4..c2d9eeb 100644
|
| ---- a/net/third_party/nss/ssl/ssl3con.c
|
| -+++ b/net/third_party/nss/ssl/ssl3con.c
|
| -@@ -6639,10 +6639,22 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
|
| +diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
|
| +--- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:03:55.547150312 -0800
|
| ++++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:04:31.257733748 -0800
|
| +@@ -6681,10 +6681,22 @@ ssl3_HandleServerHello(sslSocket *ss, SS
|
| sid->u.ssl3.sessionIDLength = sidBytes.len;
|
| PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
|
|
|
| @@ -62,7 +24,7 @@
|
| /* If we will need a ChannelID key then we make the callback now. This
|
| * allows the handshake to be restarted cleanly if the callback returns
|
| * SECWouldBlock. */
|
| -@@ -6668,6 +6680,9 @@ alert_loser:
|
| +@@ -6710,6 +6722,9 @@ alert_loser:
|
| (void)SSL3_SendAlert(ss, alert_fatal, desc);
|
|
|
| loser:
|
| @@ -72,11 +34,10 @@
|
| errCode = ssl_MapLowLevelError(errCode);
|
| return SECFailure;
|
| }
|
| -diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
|
| -index adb81ed..02e104d 100644
|
| ---- a/net/third_party/nss/ssl/ssl3ext.c
|
| -+++ b/net/third_party/nss/ssl/ssl3ext.c
|
| -@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append,
|
| +diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
|
| +--- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:04:20.207553209 -0800
|
| ++++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:04:31.257733748 -0800
|
| +@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn
|
| PRUint32 maxBytes);
|
| static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
|
| SECItem *data);
|
| @@ -89,7 +50,7 @@
|
|
|
| /*
|
| * Write bytes. Using this function means the SECItem structure
|
| -@@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
|
| +@@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler s
|
| { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
|
| { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
|
| { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
|
| @@ -98,7 +59,7 @@
|
| { -1, NULL }
|
| };
|
|
|
| -@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
|
| +@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSend
|
| { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
|
| { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
|
| { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
|
| @@ -109,7 +70,7 @@
|
| /* any extra entries will appear as { 0, NULL } */
|
| };
|
|
|
| -@@ -2364,3 +2374,65 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
|
| +@@ -2372,3 +2382,65 @@ ssl3_AppendPaddingExtension(sslSocket *s
|
|
|
| return extensionLen;
|
| }
|
| @@ -175,10 +136,45 @@
|
| + ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
|
| + return SECSuccess;
|
| +}
|
| -diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
|
| -index 79aca60..1e4655f 100644
|
| ---- a/net/third_party/nss/ssl/sslimpl.h
|
| -+++ b/net/third_party/nss/ssl/sslimpl.h
|
| +diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
|
| +--- a/nss/lib/ssl/ssl.h 2014-01-03 18:58:03.661401846 -0800
|
| ++++ b/nss/lib/ssl/ssl.h 2014-01-03 19:04:31.257733748 -0800
|
| +@@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
|
| + */
|
| + #define SSL_CBC_RANDOM_IV 23
|
| + #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
|
| ++/* Request Signed Certificate Timestamps via TLS extension (client) */
|
| ++#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
|
| +
|
| + #ifdef SSL_DEPRECATED_FUNCTION
|
| + /* Old deprecated function names */
|
| +@@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertifi
|
| + */
|
| + SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
|
| +
|
| ++/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp
|
| ++ * extension data provided by the TLS server. The return value is a pointer
|
| ++ * to an internal SECItem that contains the returned response (as a serialized
|
| ++ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only
|
| ++ * valid until the callback function that calls SSL_PeerSignedCertTimestamps
|
| ++ * (e.g. the authenticate certificate hook, or the handshake callback) returns.
|
| ++ *
|
| ++ * If no Signed Certificate Timestamps were given by the server then the result
|
| ++ * will be empty. If there was an error, then the result will be NULL.
|
| ++ *
|
| ++ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support
|
| ++ * for Signed Certificate Timestamps to a server.
|
| ++ *
|
| ++ * libssl does not do any parsing or validation of the response itself.
|
| ++ */
|
| ++SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd);
|
| ++
|
| + /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses
|
| + * in the fd's data, which may be sent as part of a server side cert_status
|
| + * handshake message. Parameter |responses| is for the server certificate of
|
| +diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
|
| +--- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:03:55.557150476 -0800
|
| ++++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:04:31.257733748 -0800
|
| @@ -312,29 +312,30 @@ typedef struct sslOptionsStr {
|
| * list of supported protocols. */
|
| SECItem nextProtoNego;
|
| @@ -233,19 +229,19 @@
|
| } sslOptions;
|
|
|
| typedef enum { sslHandshakingUndetermined = 0,
|
| -@@ -713,6 +714,11 @@ struct sslSessionIDStr {
|
| - * negotiated as it's used to bind the ChannelID signature on the
|
| +@@ -717,6 +718,11 @@ struct sslSessionIDStr {
|
| * resumption handshake to the original handshake. */
|
| SECItem originalHandshakeHash;
|
| -+
|
| +
|
| + /* Signed certificate timestamps received in a TLS extension.
|
| + ** (used only in client).
|
| + */
|
| + SECItem signedCertTimestamps;
|
| - } ssl3;
|
| - } u;
|
| - };
|
| -@@ -804,6 +810,18 @@ struct TLSExtensionDataStr {
|
| ++
|
| + /* This lock is lazily initialized by CacheSID when a sid is first
|
| + * cached. Before then, there is no need to lock anything because
|
| + * the sid isn't being shared by anything.
|
| +@@ -825,6 +831,18 @@ struct TLSExtensionDataStr {
|
| * is beyond ssl3_HandleClientHello function. */
|
| SECItem *sniNameArr;
|
| PRUint32 sniNameArrSize;
|
| @@ -264,55 +260,23 @@
|
| };
|
|
|
| typedef SECStatus (*sslRestartTarget)(sslSocket *);
|
| -diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c
|
| -index eb5004c..1ca19ca 100644
|
| ---- a/net/third_party/nss/ssl/sslnonce.c
|
| -+++ b/net/third_party/nss/ssl/sslnonce.c
|
| -@@ -122,7 +122,21 @@ ssl_DestroySID(sslSessionID *sid)
|
| - if (sid->version < SSL_LIBRARY_VERSION_3_0) {
|
| - SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
|
| - SECITEM_ZfreeItem(&sid->u.ssl2.cipherArg, PR_FALSE);
|
| -+ } else {
|
| -+ if (sid->u.ssl3.sessionTicket.ticket.data) {
|
| -+ SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
|
| -+ }
|
| -+ if (sid->u.ssl3.srvName.data) {
|
| -+ SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
|
| -+ }
|
| -+ if (sid->u.ssl3.signedCertTimestamps.data) {
|
| -+ SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
|
| -+ }
|
| -+ if (sid->u.ssl3.originalHandshakeHash.data) {
|
| -+ SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
|
| -+ }
|
| - }
|
| -+
|
| - if (sid->peerID != NULL)
|
| - PORT_Free((void *)sid->peerID); /* CONST */
|
| +diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
|
| +--- a/nss/lib/ssl/sslnonce.c 2014-01-03 19:03:25.356657071 -0800
|
| ++++ b/nss/lib/ssl/sslnonce.c 2014-01-03 19:05:48.568996889 -0800
|
| +@@ -133,6 +133,9 @@ ssl_DestroySID(sslSessionID *sid)
|
| + if (sid->u.ssl3.originalHandshakeHash.data) {
|
| + SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
|
| + }
|
| ++ if (sid->u.ssl3.signedCertTimestamps.data) {
|
| ++ SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
|
| ++ }
|
|
|
| -@@ -142,16 +156,7 @@ ssl_DestroySID(sslSessionID *sid)
|
| - if ( sid->localCert ) {
|
| - CERT_DestroyCertificate(sid->localCert);
|
| - }
|
| -- if (sid->u.ssl3.sessionTicket.ticket.data) {
|
| -- SECITEM_FreeItem(&sid->u.ssl3.sessionTicket.ticket, PR_FALSE);
|
| -- }
|
| -- if (sid->u.ssl3.srvName.data) {
|
| -- SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
|
| -- }
|
| -- if (sid->u.ssl3.originalHandshakeHash.data) {
|
| -- SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
|
| -- }
|
| --
|
| -+
|
| - PORT_ZFree(sid, sizeof(sslSessionID));
|
| - }
|
| -
|
| -diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
|
| -index b5c17f0..965215d 100644
|
| ---- a/net/third_party/nss/ssl/sslsock.c
|
| -+++ b/net/third_party/nss/ssl/sslsock.c
|
| -@@ -173,7 +173,8 @@ static sslOptions ssl_defaults = {
|
| + if (sid->u.ssl3.lock) {
|
| + PR_DestroyRWLock(sid->u.ssl3.lock);
|
| +diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
|
| +--- a/nss/lib/ssl/sslsock.c 2014-01-03 18:57:38.240986619 -0800
|
| ++++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:06:53.560058775 -0800
|
| +@@ -85,7 +85,8 @@ static sslOptions ssl_defaults = {
|
| PR_FALSE, /* requireSafeNegotiation */
|
| PR_FALSE, /* enableFalseStart */
|
| PR_TRUE, /* cbcRandomIV */
|
| @@ -322,7 +286,7 @@
|
| };
|
|
|
| /*
|
| -@@ -865,6 +866,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
|
| +@@ -777,6 +778,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
| ss->opt.enableOCSPStapling = on;
|
| break;
|
|
|
| @@ -333,7 +297,7 @@
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| rv = SECFailure;
|
| -@@ -935,6 +940,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
|
| +@@ -847,6 +852,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
|
| case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
|
| case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
|
| case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
|
| @@ -343,7 +307,7 @@
|
|
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| -@@ -996,6 +1004,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
|
| +@@ -908,6 +916,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
|
| case SSL_ENABLE_OCSP_STAPLING:
|
| on = ssl_defaults.enableOCSPStapling;
|
| break;
|
| @@ -353,7 +317,7 @@
|
|
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| -@@ -1163,6 +1174,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
|
| +@@ -1075,6 +1086,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
|
| ssl_defaults.enableOCSPStapling = on;
|
| break;
|
|
|
| @@ -364,7 +328,7 @@
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| return SECFailure;
|
| -@@ -1993,6 +2008,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc *fd)
|
| +@@ -1899,6 +1914,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc
|
| return &ss->sec.ci.sid->peerCertStatus;
|
| }
|
|
|
| @@ -394,15 +358,9 @@
|
| SECStatus
|
| SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
|
| sslSocket *ss = ssl_FindSocket(fd);
|
| -@@ -3133,4 +3171,3 @@ loser:
|
| - }
|
| - return ss;
|
| - }
|
| --
|
| -diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
|
| -index b813c04..1f5e2c6 100644
|
| ---- a/net/third_party/nss/ssl/sslt.h
|
| -+++ b/net/third_party/nss/ssl/sslt.h
|
| +diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
|
| +--- a/nss/lib/ssl/sslt.h 2014-01-03 19:03:55.557150476 -0800
|
| ++++ b/nss/lib/ssl/sslt.h 2014-01-03 19:04:31.257733748 -0800
|
| @@ -202,6 +202,7 @@ typedef enum {
|
| ssl_signature_algorithms_xtn = 13,
|
| ssl_use_srtp_xtn = 14,
|
|
|
Chromium Code Reviews
Issue 111853013:
Update net/third_party/nss to NSS 3.15.4. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/