| OLD | NEW |
|---|
| 1 diff -pu -r a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ss
l.h | 1 diff -pu -r a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3co
n.c |
| 2 --- a/src/net/third_party/nss/ssl/ssl.h»2012-03-19 14:34:10.103984357 -0700 | 2 --- a/net/third_party/nss/ssl/ssl3con.c»2012-11-09 15:21:56.747322689 -0800 |
| 3 +++ b/src/net/third_party/nss/ssl/ssl.h»2012-03-19 14:34:51.624539293 -0700 | 3 +++ b/net/third_party/nss/ssl/ssl3con.c»2012-11-09 15:28:27.933078020 -0800 |
| 4 @@ -184,6 +184,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi | 4 @@ -8365,6 +8365,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce |
| 5 * accept fragmented alerts). | |
| 6 */ | |
| 7 #define SSL_CBC_RANDOM_IV 23 | |
| 8 +#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ | |
| 9 | |
| 10 #ifdef SSL_DEPRECATED_FUNCTION | |
| 11 /* Old deprecated function names */ | |
| 12 @@ -435,6 +436,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate | |
| 13 » PRFileDesc *fd, CERTCertificate **certs, | |
| 14 » unsigned int *numCerts, unsigned int maxNumCerts); | |
| 15 | |
| 16 +/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by | |
| 17 + * the TLS server. The resulting data is copied to |out_data|. On entry, |*len| | |
| 18 + * must contain the size of |out_data|. On exit, |*len| will contain the size | |
| 19 + * of the OCSP stapled response. If the stapled response is too large to fit in | |
| 20 + * |out_data| then it will be truncated. If no OCSP response was given by the | |
| 21 + * server then it has zero length. | |
| 22 + * | |
| 23 + * You must set the SSL_ENABLE_OCSP_STAPLING option in order for OCSP responses | |
| 24 + * to be provided by a server. | |
| 25 + * | |
| 26 + * You can call this function during the certificate verification callback or | |
| 27 + * any time afterwards. | |
| 28 + */ | |
| 29 +SSL_IMPORT SECStatus SSL_GetStapledOCSPResponse(PRFileDesc *fd, | |
| 30 +» » » » » » unsigned char *out_data, | |
| 31 +» » » » » » unsigned int *len); | |
| 32 + | |
| 33 /* | |
| 34 ** Authenticate certificate hook. Called when a certificate comes in | |
| 35 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the | |
| 36 diff -pu -r a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ss
l/ssl3con.c | |
| 37 --- a/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 14:34:10.093984221 -0
700 | |
| 38 +++ b/src/net/third_party/nss/ssl/ssl3con.c» 2012-03-19 14:34:51.624539293 -0
700 | |
| 39 @@ -7899,6 +7899,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce | |
| 40 } | 5 } |
| 41 | 6 |
| 42 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 7 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
| 43 + * ssl3 CertificateStatus message. | 8 + * ssl3 CertificateStatus message. |
| 44 + * Caller must hold Handshake and RecvBuf locks. | 9 + * Caller must hold Handshake and RecvBuf locks. |
| 45 + * This is always called before ssl3_HandleCertificate, even if the Certificate | 10 + * This is always called before ssl3_HandleCertificate, even if the Certificate |
| 46 + * message is sent first. | 11 + * message is sent first. |
| 47 + */ | 12 + */ |
| 48 +static SECStatus | 13 +static SECStatus |
| 49 +ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) | 14 +ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 87 +alert_loser: | 52 +alert_loser: |
| 88 + (void)SSL3_SendAlert(ss, alert_fatal, desc); | 53 + (void)SSL3_SendAlert(ss, alert_fatal, desc); |
| 89 + (void)ssl_MapLowLevelError(errCode); | 54 + (void)ssl_MapLowLevelError(errCode); |
| 90 + return SECFailure; | 55 + return SECFailure; |
| 91 +} | 56 +} |
| 92 + | 57 + |
| 93 +/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete | 58 +/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete |
| 94 * ssl3 Certificate message. | 59 * ssl3 Certificate message. |
| 95 * Caller must hold Handshake and RecvBuf locks. | 60 * Caller must hold Handshake and RecvBuf locks. |
| 96 */ | 61 */ |
| 97 @@ -8707,6 +8758,26 @@ ssl3_FinishHandshake(sslSocket * ss) | 62 @@ -9248,6 +9299,26 @@ ssl3_FinishHandshake(sslSocket * ss) |
| 98 return SECSuccess; | 63 return SECSuccess; |
| 99 } | 64 } |
| 100 | 65 |
| 101 +/* This function handles any pending Certificate messages. Certificate messages | 66 +/* This function handles any pending Certificate messages. Certificate messages |
| 102 + * can be pending if we expect a possible CertificateStatus message to follow. | 67 + * can be pending if we expect a possible CertificateStatus message to follow. |
| 103 + * | 68 + * |
| 104 + * This function must be called immediately after handling the | 69 + * This function must be called immediately after handling the |
| 105 + * CertificateStatus message, and before handling any ServerKeyExchange or | 70 + * CertificateStatus message, and before handling any ServerKeyExchange or |
| 106 + * CertificateRequest messages. | 71 + * CertificateRequest messages. |
| 107 + */ | 72 + */ |
| 108 +static SECStatus | 73 +static SECStatus |
| 109 +ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss) | 74 +ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss) |
| 110 +{ | 75 +{ |
| 111 + SECStatus rv = SECSuccess; | 76 + SECStatus rv = SECSuccess; |
| 112 + | 77 + |
| 113 + if (ss->ssl3.hs.pending_cert_msg.data) { | 78 + if (ss->ssl3.hs.pending_cert_msg.data) { |
| 114 + rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data, | 79 + rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data, |
| 115 + ss->ssl3.hs.pending_cert_msg.len); | 80 + ss->ssl3.hs.pending_cert_msg.len); |
| 116 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); | 81 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); |
| 117 + } | 82 + } |
| 118 + return rv; | 83 + return rv; |
| 119 +} | 84 +} |
| 120 + | 85 + |
| 121 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 | 86 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3 |
| 122 * hanshake message. | 87 * hanshake message. |
| 123 * Caller must hold Handshake and RecvBuf locks. | 88 * Caller must hold Handshake and RecvBuf locks. |
| 124 @@ -8801,14 +8872,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s | 89 @@ -9376,14 +9447,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s |
| 125 » rv = ssl3_HandleServerHello(ss, b, length); | 90 » rv = dtls_HandleHelloVerifyRequest(ss, b, length); |
| 126 break; | 91 break; |
| 127 case certificate: | 92 case certificate: |
| 128 + if (ss->ssl3.hs.may_get_cert_status) { | 93 + if (ss->ssl3.hs.may_get_cert_status) { |
| 129 + /* If we might get a CertificateStatus then we want to postpone the | 94 + /* If we might get a CertificateStatus then we want to postpone the |
| 130 + * processing of the Certificate message until after we have | 95 + * processing of the Certificate message until after we have |
| 131 + * processed the CertificateStatus */ | 96 + * processed the CertificateStatus */ |
| 132 + if (ss->ssl3.hs.pending_cert_msg.data || | 97 + if (ss->ssl3.hs.pending_cert_msg.data || |
| 133 + ss->ssl3.hs.ws != wait_server_cert) { | 98 + ss->ssl3.hs.ws != wait_server_cert) { |
| 134 + (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 99 + (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 135 + (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE); | 100 + (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE); |
| (...skipping 21 matching lines...) Expand all Loading... |
| 157 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); | 122 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); |
| 158 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH); | 123 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH); |
| 159 return SECFailure; | 124 return SECFailure; |
| 160 } | 125 } |
| 161 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); | 126 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); |
| 162 + if (rv != SECSuccess) | 127 + if (rv != SECSuccess) |
| 163 + break; | 128 + break; |
| 164 rv = ssl3_HandleServerKeyExchange(ss, b, length); | 129 rv = ssl3_HandleServerKeyExchange(ss, b, length); |
| 165 break; | 130 break; |
| 166 case certificate_request: | 131 case certificate_request: |
| 167 @@ -8817,6 +8916,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s | 132 @@ -9392,6 +9491,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s |
| 168 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST); | 133 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST); |
| 169 return SECFailure; | 134 return SECFailure; |
| 170 } | 135 } |
| 171 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); | 136 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); |
| 172 + if (rv != SECSuccess) | 137 + if (rv != SECSuccess) |
| 173 + break; | 138 + break; |
| 174 rv = ssl3_HandleCertificateRequest(ss, b, length); | 139 rv = ssl3_HandleCertificateRequest(ss, b, length); |
| 175 break; | 140 break; |
| 176 case server_hello_done: | 141 case server_hello_done: |
| 177 @@ -8830,6 +8932,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s | 142 @@ -9405,6 +9507,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s |
| 178 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); | 143 PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE); |
| 179 return SECFailure; | 144 return SECFailure; |
| 180 } | 145 } |
| 181 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); | 146 + rv = ssl3_MaybeHandlePendingCertificateMessage(ss); |
| 182 + if (rv != SECSuccess) | 147 + if (rv != SECSuccess) |
| 183 + break; | 148 + break; |
| 184 rv = ssl3_HandleServerHelloDone(ss); | 149 rv = ssl3_HandleServerHelloDone(ss); |
| 185 break; | 150 break; |
| 186 case certificate_verify: | 151 case certificate_verify: |
| 187 @@ -9719,6 +9824,12 @@ ssl3_DestroySSL3Info(sslSocket *ss) | 152 @@ -10369,6 +10474,12 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
| 188 ss->ssl3.hs.messages.len = 0; | 153 ss->ssl3.hs.messages.len = 0; |
| 189 ss->ssl3.hs.messages.space = 0; | 154 ss->ssl3.hs.messages.space = 0; |
| 190 } | 155 } |
| 191 + if (ss->ssl3.hs.pending_cert_msg.data) { | 156 + if (ss->ssl3.hs.pending_cert_msg.data) { |
| 192 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); | 157 + SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE); |
| 193 + } | 158 + } |
| 194 + if (ss->ssl3.hs.cert_status.data) { | 159 + if (ss->ssl3.hs.cert_status.data) { |
| 195 + SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); | 160 + SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE); |
| 196 + } | 161 + } |
| 197 | 162 |
| 198 /* free the SSL3Buffer (msg_body) */ | 163 /* free the SSL3Buffer (msg_body) */ |
| 199 PORT_Free(ss->ssl3.hs.msg_body.buf); | 164 PORT_Free(ss->ssl3.hs.msg_body.buf); |
| 200 diff -pu -r a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ss
l/ssl3ext.c | 165 diff -pu -r a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ex
t.c |
| 201 --- a/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-12 12:14:12.000000000 -0
700 | 166 --- a/net/third_party/nss/ssl/ssl3ext.c»2012-09-20 17:28:05.000000000 -0700 |
| 202 +++ b/src/net/third_party/nss/ssl/ssl3ext.c» 2012-03-19 14:34:51.624539293 -0
700 | 167 +++ b/net/third_party/nss/ssl/ssl3ext.c»2012-11-09 15:32:11.606363256 -0800 |
| 203 @@ -253,6 +253,7 @@ static const ssl3HelloExtensionHandler s | 168 @@ -234,6 +234,7 @@ static const ssl3HelloExtensionHandler s |
| 204 { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, | |
| 205 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, | 169 { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
| 206 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, | 170 { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
| 171 { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, |
| 207 + { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, | 172 + { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
| 208 { -1, NULL } | 173 { -1, NULL } |
| 209 }; | 174 }; |
| 210 | 175 |
| 211 @@ -276,7 +277,8 @@ ssl3HelloExtensionSender clientHelloSend | 176 @@ -258,7 +259,8 @@ ssl3HelloExtensionSender clientHelloSend |
| 212 { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, | |
| 213 #endif | 177 #endif |
| 214 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, | 178 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
| 215 - { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn } | 179 { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
| 216 + { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, | 180 - { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn } |
| 181 + { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, |
| 217 + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } | 182 + { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn } |
| 218 /* any extra entries will appear as { 0, NULL } */ | 183 /* any extra entries will appear as { 0, NULL } */ |
| 219 }; | 184 }; |
| 220 | 185 |
| 221 @@ -658,6 +660,80 @@ loser: | 186 @@ -640,6 +642,80 @@ loser: |
| 222 return -1; | 187 return -1; |
| 223 } | 188 } |
| 224 | 189 |
| 225 +SECStatus | 190 +SECStatus |
| 226 +ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, | 191 +ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, |
| 227 + SECItem *data) | 192 + SECItem *data) |
| 228 +{ | 193 +{ |
| 229 + /* If we didn't request this extension, then the server may not echo it. */ | 194 + /* If we didn't request this extension, then the server may not echo it. */ |
| 230 + if (!ss->opt.enableOCSPStapling) | 195 + if (!ss->opt.enableOCSPStapling) |
| 231 + return SECFailure; | 196 + return SECFailure; |
| (...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 292 + } else if (maxBytes < extension_length) { | 257 + } else if (maxBytes < extension_length) { |
| 293 + PORT_Assert(0); | 258 + PORT_Assert(0); |
| 294 + return 0; | 259 + return 0; |
| 295 + } | 260 + } |
| 296 + return extension_length; | 261 + return extension_length; |
| 297 +} | 262 +} |
| 298 + | 263 + |
| 299 /* | 264 /* |
| 300 * NewSessionTicket | 265 * NewSessionTicket |
| 301 * Called from ssl3_HandleFinished | 266 * Called from ssl3_HandleFinished |
| 302 diff -pu -r a/src/net/third_party/nss/ssl/ssl3prot.h b/src/net/third_party/nss/s
sl/ssl3prot.h | 267 diff -pu -r a/net/third_party/nss/ssl/ssl3prot.h b/net/third_party/nss/ssl/ssl3p
rot.h |
| 303 --- a/src/net/third_party/nss/ssl/ssl3prot.h» 2011-10-28 17:29:11.000000000 -0
700 | 268 --- a/net/third_party/nss/ssl/ssl3prot.h» 2012-04-25 07:50:12.000000000 -0
700 |
| 304 +++ b/src/net/third_party/nss/ssl/ssl3prot.h» 2012-03-19 14:34:51.624539293 -0
700 | 269 +++ b/net/third_party/nss/ssl/ssl3prot.h» 2012-11-09 15:28:27.933078020 -0
800 |
| 305 @@ -158,6 +158,7 @@ typedef enum { | 270 @@ -129,6 +129,7 @@ typedef enum { |
| 306 certificate_verify = 15, | 271 certificate_verify = 15, |
| 307 client_key_exchange = 16, | 272 client_key_exchange = 16, |
| 308 finished = 20, | 273 finished = 20, |
| 309 + certificate_status = 22, | 274 + certificate_status = 22, |
| 310 next_proto = 67 | 275 next_proto = 67 |
| 311 } SSL3HandshakeType; | 276 } SSL3HandshakeType; |
| 312 | 277 |
| 313 diff -pu -r a/src/net/third_party/nss/ssl/sslerr.h b/src/net/third_party/nss/ssl
/sslerr.h | 278 diff -pu -r a/net/third_party/nss/ssl/sslerr.h b/net/third_party/nss/ssl/sslerr.
h |
| 314 --- a/src/net/third_party/nss/ssl/sslerr.h» 2012-03-10 20:32:35.000000000 -0
800 | 279 --- a/net/third_party/nss/ssl/sslerr.h» 2012-07-12 17:51:57.000000000 -0700 |
| 315 +++ b/src/net/third_party/nss/ssl/sslerr.h» 2012-03-19 14:35:47.275278925 -0
700 | 280 +++ b/net/third_party/nss/ssl/sslerr.h» 2012-11-09 15:30:36.804971319 -0800 |
| 316 @@ -213,6 +213,8 @@ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIE | 281 @@ -188,6 +188,8 @@ SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQ |
| 317 | 282 |
| 318 SSL_ERROR_INVALID_VERSION_RANGE» » = (SSL_ERROR_BASE + 120), | 283 SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION = (SSL_ERROR_BASE + 124), |
| 319 | 284 |
| 320 +SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 121), | 285 +SSL_ERROR_RX_UNEXPECTED_CERT_STATUS = (SSL_ERROR_BASE + 125), |
| 321 + | 286 + |
| 322 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ | 287 SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ |
| 323 } SSLErrorCodes; | 288 } SSLErrorCodes; |
| 324 #endif /* NO_SECURITY_ERROR_ENUM */ | 289 #endif /* NO_SECURITY_ERROR_ENUM */ |
| 325 diff -pu -r a/src/net/third_party/nss/ssl/SSLerrs.h b/src/net/third_party/nss/ss
l/SSLerrs.h | 290 diff -pu -r a/net/third_party/nss/ssl/SSLerrs.h b/net/third_party/nss/ssl/SSLerr
s.h |
| 326 --- a/src/net/third_party/nss/ssl/SSLerrs.h» 2012-03-10 20:32:34.000000000 -0
800 | 291 --- a/net/third_party/nss/ssl/SSLerrs.h»2012-07-12 17:51:57.000000000 -0700 |
| 327 +++ b/src/net/third_party/nss/ssl/SSLerrs.h» 2012-03-19 14:38:37.757544584 -0
700 | 292 +++ b/net/third_party/nss/ssl/SSLerrs.h»2012-11-09 15:30:19.924723400 -0800 |
| 328 @@ -420,3 +420,6 @@ ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_ | 293 @@ -400,3 +400,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY |
| 329 | 294 |
| 330 ER3(SSL_ERROR_INVALID_VERSION_RANGE, (SSL_ERROR_BASE + 120), | 295 ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, (SSL_ERROR_BASE + 124), |
| 331 "SSL version range is not valid.") | 296 "SSL feature not supported for the protocol version.") |
| 332 + | 297 + |
| 333 +ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, (SSL_ERROR_BASE + 121), | 298 +ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, (SSL_ERROR_BASE + 125), |
| 334 +"SSL received an unexpected Certificate Status handshake message.") | 299 +"SSL received an unexpected Certificate Status handshake message.") |
| 335 diff -pu -r a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ss
l/sslimpl.h | 300 diff -pu -r a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h |
| 336 --- a/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 14:34:10.093984221 -0
700 | 301 --- a/net/third_party/nss/ssl/ssl.h» 2012-11-09 15:27:15.952019947 -0800 |
| 337 +++ b/src/net/third_party/nss/ssl/sslimpl.h» 2012-03-19 14:34:51.634539426 -0
700 | 302 +++ b/net/third_party/nss/ssl/ssl.h» 2012-11-09 15:28:27.933078020 -0800 |
| 338 @@ -339,6 +339,7 @@ typedef struct sslOptionsStr { | 303 @@ -158,6 +158,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF |
| 304 * accept fragmented alerts). |
| 305 */ |
| 306 #define SSL_CBC_RANDOM_IV 23 |
| 307 +#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */ |
| 308 |
| 309 #ifdef SSL_DEPRECATED_FUNCTION |
| 310 /* Old deprecated function names */ |
| 311 @@ -409,6 +410,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate |
| 312 » PRFileDesc *fd, CERTCertificate **certs, |
| 313 » unsigned int *numCerts, unsigned int maxNumCerts); |
| 314 |
| 315 +/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by |
| 316 + * the TLS server. The resulting data is copied to |out_data|. On entry, |*len| |
| 317 + * must contain the size of |out_data|. On exit, |*len| will contain the size |
| 318 + * of the OCSP stapled response. If the stapled response is too large to fit in |
| 319 + * |out_data| then it will be truncated. If no OCSP response was given by the |
| 320 + * server then it has zero length. |
| 321 + * |
| 322 + * You must set the SSL_ENABLE_OCSP_STAPLING option in order for OCSP responses |
| 323 + * to be provided by a server. |
| 324 + * |
| 325 + * You can call this function during the certificate verification callback or |
| 326 + * any time afterwards. |
| 327 + */ |
| 328 +SSL_IMPORT SECStatus SSL_GetStapledOCSPResponse(PRFileDesc *fd, |
| 329 +» » » » » » unsigned char *out_data, |
| 330 +» » » » » » unsigned int *len); |
| 331 + |
| 332 /* |
| 333 ** Authenticate certificate hook. Called when a certificate comes in |
| 334 ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the |
| 335 diff -pu -r a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimp
l.h |
| 336 --- a/net/third_party/nss/ssl/sslimpl.h»2012-11-09 15:21:56.747322689 -0800 |
| 337 +++ b/net/third_party/nss/ssl/sslimpl.h»2012-11-09 15:28:27.943078167 -0800 |
| 338 @@ -316,6 +316,7 @@ typedef struct sslOptionsStr { |
| 339 unsigned int requireSafeNegotiation : 1; /* 22 */ | 339 unsigned int requireSafeNegotiation : 1; /* 22 */ |
| 340 unsigned int enableFalseStart : 1; /* 23 */ | 340 unsigned int enableFalseStart : 1; /* 23 */ |
| 341 unsigned int cbcRandomIV : 1; /* 24 */ | 341 unsigned int cbcRandomIV : 1; /* 24 */ |
| 342 + unsigned int enableOCSPStapling : 1; /* 25 */ | 342 + unsigned int enableOCSPStapling : 1; /* 25 */ |
| 343 } sslOptions; | 343 } sslOptions; |
| 344 | 344 |
| 345 typedef enum { sslHandshakingUndetermined = 0, | 345 typedef enum { sslHandshakingUndetermined = 0, |
| 346 @@ -783,6 +784,14 @@ const ssl3CipherSuiteDef *suite_def; | 346 @@ -795,6 +796,14 @@ const ssl3CipherSuiteDef *suite_def; |
| 347 PRBool isResuming; /* are we resuming a session */ | 347 PRBool isResuming; /* are we resuming a session */ |
| 348 PRBool usedStepDownKey; /* we did a server key exchange. */ | 348 PRBool usedStepDownKey; /* we did a server key exchange. */ |
| 349 PRBool sendingSCSV; /* instead of empty RI */ | 349 PRBool sendingSCSV; /* instead of empty RI */ |
| 350 + PRBool may_get_cert_status; /* the server echoed a | 350 + PRBool may_get_cert_status; /* the server echoed a |
| 351 + * status_request extension so | 351 + * status_request extension so |
| 352 + * may send a CertificateStatus | 352 + * may send a CertificateStatus |
| 353 + * handshake message. */ | 353 + * handshake message. */ |
| 354 + SECItem pending_cert_msg; /* a Certificate message which we | 354 + SECItem pending_cert_msg; /* a Certificate message which we |
| 355 + * save temporarily if we may get | 355 + * save temporarily if we may get |
| 356 + * a CertificateStatus message */ | 356 + * a CertificateStatus message */ |
| 357 + SECItem cert_status; /* an OCSP response */ | 357 + SECItem cert_status; /* an OCSP response */ |
| 358 sslBuffer msgState; /* current state for handshake messages*
/ | 358 sslBuffer msgState; /* current state for handshake messages*
/ |
| 359 /* protected by recvBufLock */ | 359 /* protected by recvBufLock */ |
| 360 sslBuffer messages; /* Accumulated handshake messages */ | 360 sslBuffer messages; /* Accumulated handshake messages */ |
| 361 @@ -1548,6 +1557,8 @@ extern SECStatus ssl3_HandleSupportedPoi | 361 @@ -1625,6 +1634,8 @@ extern SECStatus ssl3_HandleSupportedPoi |
| 362 PRUint16 ex_type, SECItem *data); | 362 PRUint16 ex_type, SECItem *data); |
| 363 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, | 363 extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, |
| 364 PRUint16 ex_type, SECItem *data); | 364 PRUint16 ex_type, SECItem *data); |
| 365 +extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, | 365 +extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, |
| 366 + PRUint16 ex_type, SECItem *data); | 366 + PRUint16 ex_type, SECItem *data); |
| 367 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, | 367 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, |
| 368 PRUint16 ex_type, SECItem *data); | 368 PRUint16 ex_type, SECItem *data); |
| 369 | 369 |
| 370 @@ -1557,6 +1568,8 @@ extern SECStatus ssl3_ServerHandleSessio | 370 @@ -1634,6 +1645,8 @@ extern SECStatus ssl3_ServerHandleSessio |
| 371 */ | 371 */ |
| 372 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append, | 372 extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append, |
| 373 PRUint32 maxBytes); | 373 PRUint32 maxBytes); |
| 374 +extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, | 374 +extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append, |
| 375 + PRUint32 maxBytes); | 375 + PRUint32 maxBytes); |
| 376 | 376 |
| 377 /* ClientHello and ServerHello extension senders. | 377 /* ClientHello and ServerHello extension senders. |
| 378 * The code is in ssl3ext.c. | 378 * The code is in ssl3ext.c. |
| 379 diff -pu -r a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ss
l/sslsock.c | 379 diff -pu -r a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsoc
k.c |
| 380 --- a/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 14:34:10.083984085 -0
700 | 380 --- a/net/third_party/nss/ssl/sslsock.c»2012-11-09 15:17:00.432983977 -0800 |
| 381 +++ b/src/net/third_party/nss/ssl/sslsock.c» 2012-03-19 14:34:51.634539426 -0
700 | 381 +++ b/net/third_party/nss/ssl/sslsock.c»2012-11-09 15:28:27.943078167 -0800 |
| 382 @@ -185,7 +185,8 @@ static sslOptions ssl_defaults = { | 382 @@ -153,7 +153,8 @@ static sslOptions ssl_defaults = { |
| 383 2, /* enableRenegotiation (default: requires extension) */ | 383 2, /* enableRenegotiation (default: requires extension) */ |
| 384 PR_FALSE, /* requireSafeNegotiation */ | 384 PR_FALSE, /* requireSafeNegotiation */ |
| 385 PR_FALSE, /* enableFalseStart */ | 385 PR_FALSE, /* enableFalseStart */ |
| 386 - PR_TRUE /* cbcRandomIV */ | 386 - PR_TRUE /* cbcRandomIV */ |
| 387 + PR_TRUE, /* cbcRandomIV */ | 387 + PR_TRUE, /* cbcRandomIV */ |
| 388 + PR_FALSE, /* enableOCSPStapling */ | 388 + PR_FALSE, /* enableOCSPStapling */ |
| 389 }; | 389 }; |
| 390 | 390 |
| 391 /* | 391 /* |
| 392 @@ -812,6 +813,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh | 392 @@ -827,6 +828,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh |
| 393 ss->opt.cbcRandomIV = on; | 393 ss->opt.cbcRandomIV = on; |
| 394 break; | 394 break; |
| 395 | 395 |
| 396 + case SSL_ENABLE_OCSP_STAPLING: | 396 + case SSL_ENABLE_OCSP_STAPLING: |
| 397 + ss->opt.enableOCSPStapling = on; | 397 + ss->opt.enableOCSPStapling = on; |
| 398 + break; | 398 + break; |
| 399 + | 399 + |
| 400 default: | 400 default: |
| 401 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 401 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 402 rv = SECFailure; | 402 rv = SECFailure; |
| 403 @@ -881,6 +886,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh | 403 @@ -896,6 +901,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh |
| 404 on = ss->opt.requireSafeNegotiation; break; | 404 on = ss->opt.requireSafeNegotiation; break; |
| 405 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | 405 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; |
| 406 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | 406 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; |
| 407 + case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | 407 + case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; |
| 408 | 408 |
| 409 default: | 409 default: |
| 410 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 410 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 411 @@ -939,6 +945,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo | 411 @@ -954,6 +960,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo |
| 412 break; | 412 break; |
| 413 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; | 413 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; |
| 414 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; | 414 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; |
| 415 + case SSL_ENABLE_OCSP_STAPLING: | 415 + case SSL_ENABLE_OCSP_STAPLING: |
| 416 + on = ssl_defaults.enableOCSPStapling; | 416 + on = ssl_defaults.enableOCSPStapling; |
| 417 + break; | 417 + break; |
| 418 | 418 |
| 419 default: | 419 default: |
| 420 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 420 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 421 @@ -1098,6 +1107,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo | 421 @@ -1117,6 +1126,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo |
| 422 ssl_defaults.cbcRandomIV = on; | 422 ssl_defaults.cbcRandomIV = on; |
| 423 break; | 423 break; |
| 424 | 424 |
| 425 + case SSL_ENABLE_OCSP_STAPLING: | 425 + case SSL_ENABLE_OCSP_STAPLING: |
| 426 + ssl_defaults.enableOCSPStapling = on; | 426 + ssl_defaults.enableOCSPStapling = on; |
| 427 + break; | 427 + break; |
| 428 + | 428 + |
| 429 default: | 429 default: |
| 430 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 430 PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| 431 return SECFailure; | 431 return SECFailure; |
| 432 @@ -1735,6 +1748,36 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons | 432 @@ -1859,6 +1872,36 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons |
| 433 return SECSuccess; | 433 return SECSuccess; |
| 434 } | 434 } |
| 435 | 435 |
| 436 +SECStatus | 436 +SECStatus |
| 437 +SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, | 437 +SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data, |
| 438 + unsigned int *len) { | 438 + unsigned int *len) { |
| 439 + sslSocket *ss = ssl_FindSocket(fd); | 439 + sslSocket *ss = ssl_FindSocket(fd); |
| 440 + | 440 + |
| 441 + if (!ss) { | 441 + if (!ss) { |
| 442 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse", | 442 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse", |
| (...skipping 16 matching lines...) Expand all Loading... |
| 459 + | 459 + |
| 460 + ssl_ReleaseSSL3HandshakeLock(ss); | 460 + ssl_ReleaseSSL3HandshakeLock(ss); |
| 461 + ssl_Release1stHandshakeLock(ss); | 461 + ssl_Release1stHandshakeLock(ss); |
| 462 + | 462 + |
| 463 + return SECSuccess; | 463 + return SECSuccess; |
| 464 +} | 464 +} |
| 465 + | 465 + |
| 466 /************************************************************************/ | 466 /************************************************************************/ |
| 467 /* The following functions are the TOP LEVEL SSL functions. | 467 /* The following functions are the TOP LEVEL SSL functions. |
| 468 ** They all get called through the NSPRIOMethods table below. | 468 ** They all get called through the NSPRIOMethods table below. |
| 469 diff -pu -r a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/s
slt.h | 469 diff -pu -r a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h |
| 470 --- a/src/net/third_party/nss/ssl/sslt.h» 2012-03-15 18:23:55.000000000 -0
700 | 470 --- a/net/third_party/nss/ssl/sslt.h» 2012-06-06 19:06:19.000000000 -0700 |
| 471 +++ b/src/net/third_party/nss/ssl/sslt.h» 2012-03-19 14:34:51.634539426 -0
700 | 471 +++ b/net/third_party/nss/ssl/sslt.h» 2012-11-09 15:29:10.333701086 -0800 |
| 472 @@ -207,6 +207,7 @@ typedef enum { | 472 @@ -175,6 +175,7 @@ typedef enum { |
| 473 /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */ | 473 /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */ |
| 474 typedef enum { | 474 typedef enum { |
| 475 ssl_server_name_xtn = 0, | 475 ssl_server_name_xtn = 0, |
| 476 + ssl_cert_status_xtn = 5, | 476 + ssl_cert_status_xtn = 5, |
| 477 #ifdef NSS_ENABLE_ECC | 477 #ifdef NSS_ENABLE_ECC |
| 478 ssl_elliptic_curves_xtn = 10, | 478 ssl_elliptic_curves_xtn = 10, |
| 479 ssl_ec_point_formats_xtn = 11, | 479 ssl_ec_point_formats_xtn = 11, |
| 480 @@ -216,6 +217,6 @@ typedef enum { | 480 @@ -185,6 +186,6 @@ typedef enum { |
| 481 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ | 481 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
| 482 } SSLExtensionType; | 482 } SSLExtensionType; |
| 483 | 483 |
| 484 -#define SSL_MAX_EXTENSIONS 6 | 484 -#define SSL_MAX_EXTENSIONS 7 |
| 485 +#define SSL_MAX_EXTENSIONS 7 | 485 +#define SSL_MAX_EXTENSIONS 8 |
| 486 | 486 |
| 487 #endif /* __sslt_h_ */ | 487 #endif /* __sslt_h_ */ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 11275240:
Update net/third_party/nss/ssl to NSS 3.14. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/