OLD | NEW |
1 diff --git a/ssl/ssl.h b/ssl/ssl.h | 1 diff --git a/lib/ssl/ssl.h b/lib/ssl/ssl.h |
2 index 716537d..80717db 100644 | 2 index 120c257..eb7f7ec 100644 |
3 --- a/ssl/ssl.h | 3 --- a/lib/ssl/ssl.h |
4 +++ b/ssl/ssl.h | 4 +++ b/lib/ssl/ssl.h |
5 @@ -292,6 +292,27 @@ SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 ciphe
r, PRBool *enabled); | 5 @@ -385,6 +385,27 @@ SSL_IMPORT SECStatus SSL_DHEGroupPrefSet(PRFileDesc *fd, |
6 SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); | 6 */ |
7 SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); | 7 SSL_IMPORT SECStatus SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enabled
); |
8 | 8 |
9 +/* SSLChannelBindingType enumerates the types of supported channel binding | 9 +/* SSLChannelBindingType enumerates the types of supported channel binding |
10 + * values. See RFC 5929. */ | 10 + * values. See RFC 5929. */ |
11 +typedef enum SSLChannelBindingType { | 11 +typedef enum SSLChannelBindingType { |
12 + SSL_CHANNEL_BINDING_TLS_UNIQUE = 1, | 12 + SSL_CHANNEL_BINDING_TLS_UNIQUE = 1, |
13 +} SSLChannelBindingType; | 13 +} SSLChannelBindingType; |
14 + | 14 + |
15 +/* SSL_GetChannelBinding copies the requested channel binding value, as defined | 15 +/* SSL_GetChannelBinding copies the requested channel binding value, as defined |
16 + * in RFC 5929, into |out|. The full length of the binding value is written | 16 + * in RFC 5929, into |out|. The full length of the binding value is written |
17 + * into |*outLen|. | 17 + * into |*outLen|. |
18 + * | 18 + * |
19 + * At most |outLenMax| bytes of data are copied. If |outLenMax| is | 19 + * At most |outLenMax| bytes of data are copied. If |outLenMax| is |
20 + * insufficient then the function returns SECFailure and sets the error to | 20 + * insufficient then the function returns SECFailure and sets the error to |
21 + * SEC_ERROR_OUTPUT_LEN, but |*outLen| is still set. | 21 + * SEC_ERROR_OUTPUT_LEN, but |*outLen| is still set. |
22 + * | 22 + * |
23 + * This call will fail if made during a renegotiation. */ | 23 + * This call will fail if made during a renegotiation. */ |
24 +SSL_IMPORT SECStatus SSL_GetChannelBinding(PRFileDesc *fd, | 24 +SSL_IMPORT SECStatus SSL_GetChannelBinding(PRFileDesc *fd, |
25 + SSLChannelBindingType binding_type, | 25 + SSLChannelBindingType binding_type, |
26 + unsigned char *out, | 26 + unsigned char *out, |
27 + unsigned int *outLen, | 27 + unsigned int *outLen, |
28 + unsigned int outLenMax); | 28 + unsigned int outLenMax); |
29 + | 29 + |
30 /* SSL Version Range API | 30 /* SSL Version Range API |
31 ** | 31 ** |
32 ** This API should be used to control SSL 3.0 & TLS support instead of the | 32 ** This API should be used to control SSL 3.0 & TLS support instead of the |
33 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c | 33 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c |
34 index c0e8e79..7c06815 100644 | 34 index 2ae8ce9..ce92cf1 100644 |
35 --- a/ssl/ssl3con.c | 35 --- a/lib/ssl/ssl3con.c |
36 +++ b/ssl/ssl3con.c | 36 +++ b/lib/ssl/ssl3con.c |
37 @@ -12479,6 +12479,68 @@ ssl3_InitSocketPolicy(sslSocket *ss) | 37 @@ -13241,6 +13241,68 @@ ssl3_InitSocketPolicy(sslSocket *ss) |
38 PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites); | 38 ss->ssl3.signatureAlgorithmCount = PR_ARRAY_SIZE(defaultSignatureAlgorithms
); |
39 } | 39 } |
40 | 40 |
41 +SECStatus | 41 +SECStatus |
42 +ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, | 42 +ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, |
43 + unsigned char *out, | 43 + unsigned char *out, |
44 + unsigned int *outLen, | 44 + unsigned int *outLen, |
45 + unsigned int outLenMax) { | 45 + unsigned int outLenMax) { |
46 + PRBool isTLS; | 46 + PRBool isTLS; |
47 + int index = 0; | 47 + int index = 0; |
48 + unsigned int len; | 48 + unsigned int len; |
(...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
96 + rv = SECSuccess; | 96 + rv = SECSuccess; |
97 + | 97 + |
98 +loser: | 98 +loser: |
99 + ssl_ReleaseSSL3HandshakeLock(ss); | 99 + ssl_ReleaseSSL3HandshakeLock(ss); |
100 + return rv; | 100 + return rv; |
101 +} | 101 +} |
102 + | 102 + |
103 /* ssl3_config_match_init must have already been called by | 103 /* ssl3_config_match_init must have already been called by |
104 * the caller of this function. | 104 * the caller of this function. |
105 */ | 105 */ |
106 diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h | 106 diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h |
107 index e11860e..0ece0ed 100644 | 107 index c286518..976330e 100644 |
108 --- a/ssl/sslimpl.h | 108 --- a/lib/ssl/sslimpl.h |
109 +++ b/ssl/sslimpl.h | 109 +++ b/lib/ssl/sslimpl.h |
110 @@ -1864,6 +1864,11 @@ extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivat
eKey *svrPrivKey, | 110 @@ -1897,6 +1897,11 @@ extern PRBool ssl_GetSessionTicketKeysPKCS11(SECKEYPrivat
eKey *svrPrivKey, |
111 extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data, | 111 extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data, |
112 unsigned int length); | 112 unsigned int length); |
113 | 113 |
114 +extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, | 114 +extern SECStatus ssl3_GetTLSUniqueChannelBinding(sslSocket *ss, |
115 + unsigned char *out, | 115 + unsigned char *out, |
116 + unsigned int *outLen, | 116 + unsigned int *outLen, |
117 + unsigned int outLenMax); | 117 + unsigned int outLenMax); |
118 + | 118 + |
119 /* Construct a new NSPR socket for the app to use */ | 119 /* Construct a new NSPR socket for the app to use */ |
120 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); | 120 extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd); |
121 extern void ssl_FreePRSocket(PRFileDesc *fd); | 121 extern void ssl_FreePRSocket(PRFileDesc *fd); |
122 diff --git a/ssl/sslsock.c b/ssl/sslsock.c | 122 diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c |
123 index 042f24f..14ff328 100644 | 123 index efba686..c9a4493 100644 |
124 --- a/ssl/sslsock.c | 124 --- a/lib/ssl/sslsock.c |
125 +++ b/ssl/sslsock.c | 125 +++ b/lib/ssl/sslsock.c |
126 @@ -1345,6 +1345,27 @@ NSS_SetFrancePolicy(void) | 126 @@ -1540,6 +1540,28 @@ SSL_EnableWeakDHEPrimeGroup(PRFileDesc *fd, PRBool enable
d) |
127 return NSS_SetDomesticPolicy(); | 127 return SECSuccess; |
128 } | 128 } |
129 | 129 |
130 +SECStatus | 130 +SECStatus |
131 +SSL_GetChannelBinding(PRFileDesc *fd, | 131 +SSL_GetChannelBinding(PRFileDesc *fd, |
132 + SSLChannelBindingType binding_type, | 132 + SSLChannelBindingType binding_type, |
133 + unsigned char *out, | 133 + unsigned char *out, |
134 + unsigned int *outLen, | 134 + unsigned int *outLen, |
135 + unsigned int outLenMax) { | 135 + unsigned int outLenMax) { |
136 + sslSocket *ss = ssl_FindSocket(fd); | 136 + sslSocket *ss = ssl_FindSocket(fd); |
137 + | 137 + |
138 + if (!ss) { | 138 + if (!ss) { |
139 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding", | 139 + SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetChannelBinding", |
140 + SSL_GETPID(), fd)); | 140 + SSL_GETPID(), fd)); |
141 + return SECFailure; | 141 + return SECFailure; |
142 + } | 142 + } |
143 + | 143 + |
144 + if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) { | 144 + if (binding_type != SSL_CHANNEL_BINDING_TLS_UNIQUE) { |
145 + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); | 145 + PORT_SetError(PR_INVALID_ARGUMENT_ERROR); |
146 + return SECFailure; | 146 + return SECFailure; |
147 + } | 147 + } |
148 + | 148 + |
149 + return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax); | 149 + return ssl3_GetTLSUniqueChannelBinding(ss, out, outLen, outLenMax); |
150 +} | 150 +} |
| 151 + |
| 152 #include "dhe-param.c" |
151 | 153 |
152 | 154 static const SSLDHEGroupType ssl_default_dhe_groups[] = { |
153 /* LOCKS ??? XXX */ | |
OLD | NEW |