| Index: net/third_party/nss/patches/alpn.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/alpn.patch (revision 245705)
|
| +++ net/third_party/nss/patches/alpn.patch (working copy)
|
| @@ -1,245 +0,0 @@
|
| -diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
|
| ---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:41:44.744240754 -0800
|
| -+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:41:52.234363230 -0800
|
| -@@ -10458,8 +10458,10 @@ ssl3_SendNextProto(sslSocket *ss)
|
| - int padding_len;
|
| - static const unsigned char padding[32] = {0};
|
| -
|
| -- if (ss->ssl3.nextProto.len == 0)
|
| -+ if (ss->ssl3.nextProto.len == 0 ||
|
| -+ ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
|
| - return SECSuccess;
|
| -+ }
|
| -
|
| - PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
|
| - PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
|
| -diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
|
| ---- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:39:28.442012014 -0800
|
| -+++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:41:52.234363230 -0800
|
| -@@ -52,8 +52,12 @@ static SECStatus ssl3_HandleRenegotiatio
|
| - PRUint16 ex_type, SECItem *data);
|
| - static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
|
| - PRUint16 ex_type, SECItem *data);
|
| -+static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss,
|
| -+ PRUint16 ex_type, SECItem *data);
|
| - static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
|
| - PRUint16 ex_type, SECItem *data);
|
| -+static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
|
| -+ PRUint32 maxBytes);
|
| - static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
|
| - PRUint32 maxBytes);
|
| - static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
|
| -@@ -251,6 +255,7 @@ static const ssl3HelloExtensionHandler s
|
| - { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
|
| - { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
|
| - { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
|
| -+ { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
|
| - { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
|
| - { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
|
| - { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
|
| -@@ -270,18 +275,19 @@ static const ssl3HelloExtensionHandler s
|
| - */
|
| - static const
|
| - ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
|
| -- { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
|
| -- { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
|
| -+ { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
|
| -+ { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
|
| - #ifdef NSS_ENABLE_ECC
|
| -- { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
|
| -- { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
|
| -+ { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
|
| -+ { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
|
| - #endif
|
| -- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
|
| -- { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
|
| -- { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
|
| -- { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
|
| -- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
|
| -- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
|
| -+ { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
|
| -+ { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
|
| -+ { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
|
| -+ { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
|
| -+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
|
| -+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
|
| -+ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
|
| - /* any extra entries will appear as { 0, NULL } */
|
| - };
|
| -
|
| -@@ -614,6 +620,11 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSoc
|
| -
|
| - PORT_Assert(!ss->firstHsDone);
|
| -
|
| -+ if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) {
|
| -+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
| -+ return SECFailure;
|
| -+ }
|
| -+
|
| - rv = ssl3_ValidateNextProtoNego(data->data, data->len);
|
| - if (rv != SECSuccess)
|
| - return rv;
|
| -@@ -647,6 +658,44 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSoc
|
| - return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
|
| - }
|
| -
|
| -+static SECStatus
|
| -+ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
|
| -+{
|
| -+ const unsigned char* d = data->data;
|
| -+ PRUint16 name_list_len;
|
| -+ SECItem protocol_name;
|
| -+
|
| -+ if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
|
| -+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
| -+ return SECFailure;
|
| -+ }
|
| -+
|
| -+ /* The extension data from the server has the following format:
|
| -+ * uint16 name_list_len;
|
| -+ * uint8 len;
|
| -+ * uint8 protocol_name[len]; */
|
| -+ if (data->len < 4 || data->len > 2 + 1 + 255) {
|
| -+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
|
| -+ return SECFailure;
|
| -+ }
|
| -+
|
| -+ name_list_len = ((PRUint16) d[0]) << 8 |
|
| -+ ((PRUint16) d[1]);
|
| -+ if (name_list_len != data->len - 2 ||
|
| -+ d[2] != data->len - 3) {
|
| -+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
|
| -+ return SECFailure;
|
| -+ }
|
| -+
|
| -+ protocol_name.data = data->data + 3;
|
| -+ protocol_name.len = data->len - 3;
|
| -+
|
| -+ SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
|
| -+ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED;
|
| -+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
|
| -+ return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name);
|
| -+}
|
| -+
|
| - static PRInt32
|
| - ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
|
| - PRUint32 maxBytes)
|
| -@@ -680,6 +729,70 @@ loser:
|
| - return -1;
|
| - }
|
| -
|
| -+static PRInt32
|
| -+ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
|
| -+{
|
| -+ PRInt32 extension_length;
|
| -+ unsigned char *alpn_protos = NULL;
|
| -+
|
| -+ /* Renegotiations do not send this extension. */
|
| -+ if (!ss->opt.nextProtoNego.data || ss->firstHsDone) {
|
| -+ return 0;
|
| -+ }
|
| -+
|
| -+ extension_length = 2 /* extension type */ + 2 /* extension length */ +
|
| -+ 2 /* protocol name list length */ +
|
| -+ ss->opt.nextProtoNego.len;
|
| -+
|
| -+ if (append && maxBytes >= extension_length) {
|
| -+ /* NPN requires that the client's fallback protocol is first in the
|
| -+ * list. However, ALPN sends protocols in preference order. So we
|
| -+ * allocate a buffer and move the first protocol to the end of the
|
| -+ * list. */
|
| -+ SECStatus rv;
|
| -+ const unsigned int len = ss->opt.nextProtoNego.len;
|
| -+
|
| -+ alpn_protos = PORT_Alloc(len);
|
| -+ if (alpn_protos == NULL) {
|
| -+ return SECFailure;
|
| -+ }
|
| -+ if (len > 0) {
|
| -+ /* Each protocol string is prefixed with a single byte length. */
|
| -+ unsigned int i = ss->opt.nextProtoNego.data[0] + 1;
|
| -+ if (i <= len) {
|
| -+ memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i);
|
| -+ memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i);
|
| -+ } else {
|
| -+ /* This seems to be invalid data so we'll send as-is. */
|
| -+ memcpy(alpn_protos, ss->opt.nextProtoNego.data, len);
|
| -+ }
|
| -+ }
|
| -+
|
| -+ rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
|
| -+ if (rv != SECSuccess)
|
| -+ goto loser;
|
| -+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
|
| -+ if (rv != SECSuccess)
|
| -+ goto loser;
|
| -+ rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2);
|
| -+ PORT_Free(alpn_protos);
|
| -+ alpn_protos = NULL;
|
| -+ if (rv != SECSuccess)
|
| -+ goto loser;
|
| -+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
|
| -+ ssl_app_layer_protocol_xtn;
|
| -+ } else if (maxBytes < extension_length) {
|
| -+ return 0;
|
| -+ }
|
| -+
|
| -+ return extension_length;
|
| -+
|
| -+loser:
|
| -+ if (alpn_protos)
|
| -+ PORT_Free(alpn_protos);
|
| -+ return -1;
|
| -+}
|
| -+
|
| - static SECStatus
|
| - ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
|
| - SECItem *data)
|
| -diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
|
| ---- a/nss/lib/ssl/ssl.h 2014-01-03 19:40:03.522585625 -0800
|
| -+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:41:52.234363230 -0800
|
| -@@ -206,6 +206,16 @@ SSL_IMPORT SECStatus SSL_SetNextProtoCal
|
| - * protocol in server-preference order. If no matching protocol is found it
|
| - * selects the first supported protocol.
|
| - *
|
| -+ * Using this function also allows the client to transparently support ALPN.
|
| -+ * The same set of protocols will be advertised via ALPN and, if the server
|
| -+ * uses ALPN to select a protocol, SSL_GetNextProto will return
|
| -+ * SSL_NEXT_PROTO_SELECTED as the state.
|
| -+ *
|
| -+ * Since NPN uses the first protocol as the fallback protocol, when sending an
|
| -+ * ALPN extension, the first protocol is moved to the end of the list. This
|
| -+ * indicates that the fallback protocol is the least preferred. The other
|
| -+ * protocols should be in preference order.
|
| -+ *
|
| - * The supported protocols are specified in |data| in wire-format (8-bit
|
| - * length-prefixed). For example: "\010http/1.1\006spdy/2". */
|
| - SSL_IMPORT SECStatus SSL_SetNextProtoNego(PRFileDesc *fd,
|
| -@@ -215,7 +225,8 @@ SSL_IMPORT SECStatus SSL_SetNextProtoNeg
|
| - typedef enum SSLNextProtoState {
|
| - SSL_NEXT_PROTO_NO_SUPPORT = 0, /* No peer support */
|
| - SSL_NEXT_PROTO_NEGOTIATED = 1, /* Mutual agreement */
|
| -- SSL_NEXT_PROTO_NO_OVERLAP = 2 /* No protocol overlap found */
|
| -+ SSL_NEXT_PROTO_NO_OVERLAP = 2, /* No protocol overlap found */
|
| -+ SSL_NEXT_PROTO_SELECTED = 3 /* Server selected proto (ALPN) */
|
| - } SSLNextProtoState;
|
| -
|
| - /* SSL_GetNextProto can be used in the HandshakeCallback or any time after
|
| -diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
|
| ---- a/nss/lib/ssl/sslt.h 2014-01-03 19:41:26.443941511 -0800
|
| -+++ b/nss/lib/ssl/sslt.h 2014-01-03 19:41:52.234363230 -0800
|
| -@@ -200,12 +200,13 @@ typedef enum {
|
| - #endif
|
| - ssl_signature_algorithms_xtn = 13,
|
| - ssl_use_srtp_xtn = 14,
|
| -+ ssl_app_layer_protocol_xtn = 16,
|
| - ssl_session_ticket_xtn = 35,
|
| - ssl_next_proto_nego_xtn = 13172,
|
| - ssl_channel_id_xtn = 30032,
|
| - ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
|
| - } SSLExtensionType;
|
| -
|
| --#define SSL_MAX_EXTENSIONS 10
|
| -+#define SSL_MAX_EXTENSIONS 11
|
| -
|
| - #endif /* __sslt_h_ */
|
|
|
Chromium Code Reviews
Issue 142283002:
Update net/third_party/nss to NSS_3_15_5_BETA2. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/