Index: net/third_party/nss/patches/alpn.patch |
=================================================================== |
--- net/third_party/nss/patches/alpn.patch (revision 245705) |
+++ net/third_party/nss/patches/alpn.patch (working copy) |
@@ -1,245 +0,0 @@ |
-diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:41:44.744240754 -0800 |
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:41:52.234363230 -0800 |
-@@ -10458,8 +10458,10 @@ ssl3_SendNextProto(sslSocket *ss) |
- int padding_len; |
- static const unsigned char padding[32] = {0}; |
- |
-- if (ss->ssl3.nextProto.len == 0) |
-+ if (ss->ssl3.nextProto.len == 0 || |
-+ ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) { |
- return SECSuccess; |
-+ } |
- |
- PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss)); |
- PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss)); |
-diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
---- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:39:28.442012014 -0800 |
-+++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:41:52.234363230 -0800 |
-@@ -52,8 +52,12 @@ static SECStatus ssl3_HandleRenegotiatio |
- PRUint16 ex_type, SECItem *data); |
- static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, |
- PRUint16 ex_type, SECItem *data); |
-+static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss, |
-+ PRUint16 ex_type, SECItem *data); |
- static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss, |
- PRUint16 ex_type, SECItem *data); |
-+static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append, |
-+ PRUint32 maxBytes); |
- static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append, |
- PRUint32 maxBytes); |
- static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, |
-@@ -251,6 +255,7 @@ static const ssl3HelloExtensionHandler s |
- { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn }, |
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn }, |
- { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
-+ { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, |
- { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, |
- { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn }, |
- { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
-@@ -270,18 +275,19 @@ static const ssl3HelloExtensionHandler s |
- */ |
- static const |
- ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { |
-- { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, |
-- { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, |
-+ { ssl_server_name_xtn, &ssl3_SendServerNameXtn }, |
-+ { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn }, |
- #ifdef NSS_ENABLE_ECC |
-- { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, |
-- { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, |
-+ { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn }, |
-+ { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn }, |
- #endif |
-- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
-- { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
-- { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, |
-- { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
-- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
-- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } |
-+ { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn }, |
-+ { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
-+ { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, |
-+ { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, |
-+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
-+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
-+ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } |
- /* any extra entries will appear as { 0, NULL } */ |
- }; |
- |
-@@ -614,6 +620,11 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSoc |
- |
- PORT_Assert(!ss->firstHsDone); |
- |
-+ if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) { |
-+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
-+ return SECFailure; |
-+ } |
-+ |
- rv = ssl3_ValidateNextProtoNego(data->data, data->len); |
- if (rv != SECSuccess) |
- return rv; |
-@@ -647,6 +658,44 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSoc |
- return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result); |
- } |
- |
-+static SECStatus |
-+ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data) |
-+{ |
-+ const unsigned char* d = data->data; |
-+ PRUint16 name_list_len; |
-+ SECItem protocol_name; |
-+ |
-+ if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) { |
-+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
-+ return SECFailure; |
-+ } |
-+ |
-+ /* The extension data from the server has the following format: |
-+ * uint16 name_list_len; |
-+ * uint8 len; |
-+ * uint8 protocol_name[len]; */ |
-+ if (data->len < 4 || data->len > 2 + 1 + 255) { |
-+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
-+ return SECFailure; |
-+ } |
-+ |
-+ name_list_len = ((PRUint16) d[0]) << 8 | |
-+ ((PRUint16) d[1]); |
-+ if (name_list_len != data->len - 2 || |
-+ d[2] != data->len - 3) { |
-+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID); |
-+ return SECFailure; |
-+ } |
-+ |
-+ protocol_name.data = data->data + 3; |
-+ protocol_name.len = data->len - 3; |
-+ |
-+ SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE); |
-+ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED; |
-+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type; |
-+ return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name); |
-+} |
-+ |
- static PRInt32 |
- ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append, |
- PRUint32 maxBytes) |
-@@ -680,6 +729,70 @@ loser: |
- return -1; |
- } |
- |
-+static PRInt32 |
-+ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
-+{ |
-+ PRInt32 extension_length; |
-+ unsigned char *alpn_protos = NULL; |
-+ |
-+ /* Renegotiations do not send this extension. */ |
-+ if (!ss->opt.nextProtoNego.data || ss->firstHsDone) { |
-+ return 0; |
-+ } |
-+ |
-+ extension_length = 2 /* extension type */ + 2 /* extension length */ + |
-+ 2 /* protocol name list length */ + |
-+ ss->opt.nextProtoNego.len; |
-+ |
-+ if (append && maxBytes >= extension_length) { |
-+ /* NPN requires that the client's fallback protocol is first in the |
-+ * list. However, ALPN sends protocols in preference order. So we |
-+ * allocate a buffer and move the first protocol to the end of the |
-+ * list. */ |
-+ SECStatus rv; |
-+ const unsigned int len = ss->opt.nextProtoNego.len; |
-+ |
-+ alpn_protos = PORT_Alloc(len); |
-+ if (alpn_protos == NULL) { |
-+ return SECFailure; |
-+ } |
-+ if (len > 0) { |
-+ /* Each protocol string is prefixed with a single byte length. */ |
-+ unsigned int i = ss->opt.nextProtoNego.data[0] + 1; |
-+ if (i <= len) { |
-+ memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i); |
-+ memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i); |
-+ } else { |
-+ /* This seems to be invalid data so we'll send as-is. */ |
-+ memcpy(alpn_protos, ss->opt.nextProtoNego.data, len); |
-+ } |
-+ } |
-+ |
-+ rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2); |
-+ if (rv != SECSuccess) |
-+ goto loser; |
-+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); |
-+ if (rv != SECSuccess) |
-+ goto loser; |
-+ rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2); |
-+ PORT_Free(alpn_protos); |
-+ alpn_protos = NULL; |
-+ if (rv != SECSuccess) |
-+ goto loser; |
-+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] = |
-+ ssl_app_layer_protocol_xtn; |
-+ } else if (maxBytes < extension_length) { |
-+ return 0; |
-+ } |
-+ |
-+ return extension_length; |
-+ |
-+loser: |
-+ if (alpn_protos) |
-+ PORT_Free(alpn_protos); |
-+ return -1; |
-+} |
-+ |
- static SECStatus |
- ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, |
- SECItem *data) |
-diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:40:03.522585625 -0800 |
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:41:52.234363230 -0800 |
-@@ -206,6 +206,16 @@ SSL_IMPORT SECStatus SSL_SetNextProtoCal |
- * protocol in server-preference order. If no matching protocol is found it |
- * selects the first supported protocol. |
- * |
-+ * Using this function also allows the client to transparently support ALPN. |
-+ * The same set of protocols will be advertised via ALPN and, if the server |
-+ * uses ALPN to select a protocol, SSL_GetNextProto will return |
-+ * SSL_NEXT_PROTO_SELECTED as the state. |
-+ * |
-+ * Since NPN uses the first protocol as the fallback protocol, when sending an |
-+ * ALPN extension, the first protocol is moved to the end of the list. This |
-+ * indicates that the fallback protocol is the least preferred. The other |
-+ * protocols should be in preference order. |
-+ * |
- * The supported protocols are specified in |data| in wire-format (8-bit |
- * length-prefixed). For example: "\010http/1.1\006spdy/2". */ |
- SSL_IMPORT SECStatus SSL_SetNextProtoNego(PRFileDesc *fd, |
-@@ -215,7 +225,8 @@ SSL_IMPORT SECStatus SSL_SetNextProtoNeg |
- typedef enum SSLNextProtoState { |
- SSL_NEXT_PROTO_NO_SUPPORT = 0, /* No peer support */ |
- SSL_NEXT_PROTO_NEGOTIATED = 1, /* Mutual agreement */ |
-- SSL_NEXT_PROTO_NO_OVERLAP = 2 /* No protocol overlap found */ |
-+ SSL_NEXT_PROTO_NO_OVERLAP = 2, /* No protocol overlap found */ |
-+ SSL_NEXT_PROTO_SELECTED = 3 /* Server selected proto (ALPN) */ |
- } SSLNextProtoState; |
- |
- /* SSL_GetNextProto can be used in the HandshakeCallback or any time after |
-diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h |
---- a/nss/lib/ssl/sslt.h 2014-01-03 19:41:26.443941511 -0800 |
-+++ b/nss/lib/ssl/sslt.h 2014-01-03 19:41:52.234363230 -0800 |
-@@ -200,12 +200,13 @@ typedef enum { |
- #endif |
- ssl_signature_algorithms_xtn = 13, |
- ssl_use_srtp_xtn = 14, |
-+ ssl_app_layer_protocol_xtn = 16, |
- ssl_session_ticket_xtn = 35, |
- ssl_next_proto_nego_xtn = 13172, |
- ssl_channel_id_xtn = 30032, |
- ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
- } SSLExtensionType; |
- |
--#define SSL_MAX_EXTENSIONS 10 |
-+#define SSL_MAX_EXTENSIONS 11 |
- |
- #endif /* __sslt_h_ */ |