    Issue 64553002:
  Certificate Transparency TLS extension patch for NSS  (Closed) 
  Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW | 
|---|---|
| 1 /* | 1 /* | 
| 2 * vtables (and methods that call through them) for the 4 types of | 2 * vtables (and methods that call through them) for the 4 types of | 
| 3 * SSLSockets supported. Only one type is still supported. | 3 * SSLSockets supported. Only one type is still supported. | 
| 4 * Various other functions. | 4 * Various other functions. | 
| 5 * | 5 * | 
| 6 * This Source Code Form is subject to the terms of the Mozilla Public | 6 * This Source Code Form is subject to the terms of the Mozilla Public | 
| 7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 7 * License, v. 2.0. If a copy of the MPL was not distributed with this | 
| 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 8 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | 
| 9 #include "seccomon.h" | 9 #include "seccomon.h" | 
| 10 #include "cert.h" | 10 #include "cert.h" | 
| (...skipping 155 matching lines...) | |
| 166 PR_TRUE, /* detectRollBack */ | 166 PR_TRUE, /* detectRollBack */ | 
| 167 PR_FALSE, /* noStepDown */ | 167 PR_FALSE, /* noStepDown */ | 
| 168 PR_FALSE, /* bypassPKCS11 */ | 168 PR_FALSE, /* bypassPKCS11 */ | 
| 169 PR_FALSE, /* noLocks */ | 169 PR_FALSE, /* noLocks */ | 
| 170 PR_FALSE, /* enableSessionTickets */ | 170 PR_FALSE, /* enableSessionTickets */ | 
| 171 PR_FALSE, /* enableDeflate */ | 171 PR_FALSE, /* enableDeflate */ | 
| 172 2, /* enableRenegotiation (default: requires extension) */ | 172 2, /* enableRenegotiation (default: requires extension) */ | 
| 173 PR_FALSE, /* requireSafeNegotiation */ | 173 PR_FALSE, /* requireSafeNegotiation */ | 
| 174 PR_FALSE, /* enableFalseStart */ | 174 PR_FALSE, /* enableFalseStart */ | 
| 175 PR_TRUE, /* cbcRandomIV */ | 175 PR_TRUE, /* cbcRandomIV */ | 
| 176 PR_FALSE /* enableOCSPStapling */ | 176 PR_FALSE, /* enableOCSPStapling */ | 
| 177 PR_FALSE /* enableSignedCertTimestamps */ | |
| 177 }; | 178 }; | 
| 178 | 179 | 
| 179 /* | 180 /* | 
| 180 * default range of enabled SSL/TLS protocols | 181 * default range of enabled SSL/TLS protocols | 
| 181 */ | 182 */ | 
| 182 static SSLVersionRange versions_defaults_stream = { | 183 static SSLVersionRange versions_defaults_stream = { | 
| 183 SSL_LIBRARY_VERSION_3_0, | 184 SSL_LIBRARY_VERSION_3_0, | 
| 184 SSL_LIBRARY_VERSION_TLS_1_0 | 185 SSL_LIBRARY_VERSION_TLS_1_0 | 
| 185 }; | 186 }; | 
| 186 | 187 | 
| (...skipping 669 matching lines...) | |
| 856 break; | 857 break; | 
| 857 | 858 | 
| 858 case SSL_CBC_RANDOM_IV: | 859 case SSL_CBC_RANDOM_IV: | 
| 859 ss->opt.cbcRandomIV = on; | 860 ss->opt.cbcRandomIV = on; | 
| 860 break; | 861 break; | 
| 861 | 862 | 
| 862 case SSL_ENABLE_OCSP_STAPLING: | 863 case SSL_ENABLE_OCSP_STAPLING: | 
| 863 ss->opt.enableOCSPStapling = on; | 864 ss->opt.enableOCSPStapling = on; | 
| 864 break; | 865 break; | 
| 865 | 866 | 
| 867 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
| 868 ss->opt.enableSignedCertTimestamps = on; | |
| 869 break; | |
| 870 | |
| 866 default: | 871 default: | 
| 867 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 872 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 
| 868 rv = SECFailure; | 873 rv = SECFailure; | 
| 869 } | 874 } | 
| 870 | 875 | 
| 871 /* We can't use the macros for releasing the locks here, | 876 /* We can't use the macros for releasing the locks here, | 
| 872 * because ss->opt.noLocks might have changed just above. | 877 * because ss->opt.noLocks might have changed just above. | 
| 873 * We must release these locks (monitors) here, if we aquired them above, | 878 * We must release these locks (monitors) here, if we aquired them above, | 
| 874 * regardless of the current value of ss->opt.noLocks. | 879 * regardless of the current value of ss->opt.noLocks. | 
| 875 */ | 880 */ | 
| (...skipping 50 matching lines...) | |
| 926 on = ss->opt.enableSessionTickets; | 931 on = ss->opt.enableSessionTickets; | 
| 927 break; | 932 break; | 
| 928 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; | 933 case SSL_ENABLE_DEFLATE: on = ss->opt.enableDeflate; break; | 
| 929 case SSL_ENABLE_RENEGOTIATION: | 934 case SSL_ENABLE_RENEGOTIATION: | 
| 930 on = ss->opt.enableRenegotiation; break; | 935 on = ss->opt.enableRenegotiation; break; | 
| 931 case SSL_REQUIRE_SAFE_NEGOTIATION: | 936 case SSL_REQUIRE_SAFE_NEGOTIATION: | 
| 932 on = ss->opt.requireSafeNegotiation; break; | 937 on = ss->opt.requireSafeNegotiation; break; | 
| 933 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | 938 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break; | 
| 934 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | 939 case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break; | 
| 935 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | 940 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break; | 
| 941 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
| 942 on = ss->opt.enableSignedCertTimestamps; | |
| 943 break; | |
| 936 | 944 | 
| 937 default: | 945 default: | 
| 938 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 946 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 
| 939 rv = SECFailure; | 947 rv = SECFailure; | 
| 940 } | 948 } | 
| 941 | 949 | 
| 942 ssl_ReleaseSSL3HandshakeLock(ss); | 950 ssl_ReleaseSSL3HandshakeLock(ss); | 
| 943 ssl_Release1stHandshakeLock(ss); | 951 ssl_Release1stHandshakeLock(ss); | 
| 944 | 952 | 
| 945 *pOn = on; | 953 *pOn = on; | 
| (...skipping 41 matching lines...) | |
| 987 case SSL_ENABLE_RENEGOTIATION: | 995 case SSL_ENABLE_RENEGOTIATION: | 
| 988 on = ssl_defaults.enableRenegotiation; break; | 996 on = ssl_defaults.enableRenegotiation; break; | 
| 989 case SSL_REQUIRE_SAFE_NEGOTIATION: | 997 case SSL_REQUIRE_SAFE_NEGOTIATION: | 
| 990 on = ssl_defaults.requireSafeNegotiation; | 998 on = ssl_defaults.requireSafeNegotiation; | 
| 991 break; | 999 break; | 
| 992 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; | 1000 case SSL_ENABLE_FALSE_START: on = ssl_defaults.enableFalseStart; break; | 
| 993 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; | 1001 case SSL_CBC_RANDOM_IV: on = ssl_defaults.cbcRandomIV; break; | 
| 994 case SSL_ENABLE_OCSP_STAPLING: | 1002 case SSL_ENABLE_OCSP_STAPLING: | 
| 995 on = ssl_defaults.enableOCSPStapling; | 1003 on = ssl_defaults.enableOCSPStapling; | 
| 996 break; | 1004 break; | 
| 1005 case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS: | |
| 1006 ssl_defaults.enableSignedCertTimestamps = on; | |
| 
wtc
2013/11/08 19:51:31
BUG: this should be
    on = ssl_defaults.enableSi
 
ekasper
2013/11/18 17:47:18
Yikes, I appear to have completely botched this fi
 | |
| 1007 break; | |
| 997 | 1008 | 
| 998 default: | 1009 default: | 
| 999 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1010 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 
| 1000 rv = SECFailure; | 1011 rv = SECFailure; | 
| 1001 } | 1012 } | 
| 1002 | 1013 | 
| 1003 *pOn = on; | 1014 *pOn = on; | 
| 1004 return rv; | 1015 return rv; | 
| 1005 } | 1016 } | 
| 1006 | 1017 | 
| (...skipping 145 matching lines...) | |
| 1152 case SSL_ENABLE_FALSE_START: | 1163 case SSL_ENABLE_FALSE_START: | 
| 1153 ssl_defaults.enableFalseStart = on; | 1164 ssl_defaults.enableFalseStart = on; | 
| 1154 break; | 1165 break; | 
| 1155 | 1166 | 
| 1156 case SSL_CBC_RANDOM_IV: | 1167 case SSL_CBC_RANDOM_IV: | 
| 1157 ssl_defaults.cbcRandomIV = on; | 1168 ssl_defaults.cbcRandomIV = on; | 
| 1158 break; | 1169 break; | 
| 1159 | 1170 | 
| 1160 case SSL_ENABLE_OCSP_STAPLING: | 1171 case SSL_ENABLE_OCSP_STAPLING: | 
| 1161 ssl_defaults.enableOCSPStapling = on; | 1172 ssl_defaults.enableOCSPStapling = on; | 
| 1162 break; | 1173 break; | 
| 
wtc
2013/11/08 19:51:31
Please add a case for SSL_ENABLE_SIGNED_CERT_TIMES
 
ekasper
2013/11/18 17:47:18
Done.
 | |
| 1163 | 1174 | 
| 1164 default: | 1175 default: | 
| 1165 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 1176 PORT_SetError(SEC_ERROR_INVALID_ARGS); | 
| 1166 return SECFailure; | 1177 return SECFailure; | 
| 1167 } | 1178 } | 
| 1168 return SECSuccess; | 1179 return SECSuccess; | 
| 1169 } | 1180 } | 
| 1170 | 1181 | 
| 1171 /* function tells us if the cipher suite is one that we no longer support. */ | 1182 /* function tells us if the cipher suite is one that we no longer support. */ | 
| 1172 static PRBool | 1183 static PRBool | 
| (...skipping 811 matching lines...) | |
| 1984 } | 1995 } | 
| 1985 | 1996 | 
| 1986 if (!ss->sec.ci.sid) { | 1997 if (!ss->sec.ci.sid) { | 
| 1987 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 1998 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | 
| 1988 return NULL; | 1999 return NULL; | 
| 1989 } | 2000 } | 
| 1990 | 2001 | 
| 1991 return &ss->sec.ci.sid->peerCertStatus; | 2002 return &ss->sec.ci.sid->peerCertStatus; | 
| 1992 } | 2003 } | 
| 1993 | 2004 | 
| 2005 const SECItem * | |
| 2006 SSL_PeerSignedCertTimestamps(PRFileDesc *fd) | |
| 2007 { | |
| 2008 sslSocket *ss = ssl_FindSocket(fd); | |
| 2009 | |
| 2010 if (!ss) { | |
| 2011 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps", | |
| 2012 SSL_GETPID(), fd)); | |
| 2013 return NULL; | |
| 2014 } | |
| 2015 | |
| 2016 if (!ss->sec.ci.sid) { | |
| 2017 PORT_SetError(SEC_ERROR_NOT_INITIALIZED); | |
| 2018 return NULL; | |
| 2019 } | |
| 2020 | |
| 2021 if (ss->version < SSL_LIBRARY_VERSION_3_0) { | |
| 2022 return NULL; | |
| 
wtc
2013/11/08 19:51:31
Please add:
    PORT_SetError(SSL_ERROR_FEATURE_NO
 
ekasper
2013/11/18 17:47:18
Strictly speaking yes, but I think it's nicer to a
 
wtc
2013/11/19 23:52:28
Yes, it does. Thanks.
To make it clear it's the u
 
ekasper
2013/11/20 16:06:27
Done.
 | |
| 2023 } | |
| 2024 return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps; | |
| 2025 } | |
| 2026 | |
| 1994 SECStatus | 2027 SECStatus | 
| 1995 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { | 2028 SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) { | 
| 1996 sslSocket *ss = ssl_FindSocket(fd); | 2029 sslSocket *ss = ssl_FindSocket(fd); | 
| 1997 | 2030 | 
| 1998 if (!ss) { | 2031 if (!ss) { | 
| 1999 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", | 2032 SSL_DBG(("%d: SSL[%d]: bad socket in SSL_HandshakeResumedSession", | 
| 2000 SSL_GETPID(), fd)); | 2033 SSL_GETPID(), fd)); | 
| 2001 return SECFailure; | 2034 return SECFailure; | 
| 2002 } | 2035 } | 
| 2003 | 2036 | 
| (...skipping 1120 matching lines...) | |
| 3124 if (status != SECSuccess) { | 3157 if (status != SECSuccess) { | 
| 3125 loser: | 3158 loser: | 
| 3126 ssl_DestroySocketContents(ss); | 3159 ssl_DestroySocketContents(ss); | 
| 3127 ssl_DestroyLocks(ss); | 3160 ssl_DestroyLocks(ss); | 
| 3128 PORT_Free(ss); | 3161 PORT_Free(ss); | 
| 3129 ss = NULL; | 3162 ss = NULL; | 
| 3130 } | 3163 } | 
| 3131 } | 3164 } | 
| 3132 return ss; | 3165 return ss; | 
| 3133 } | 3166 } | 
| 3134 | |
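Review bot: The new accessor SSL_PeerSignedCertTimestamps (new lines 2005-2025) returns `&ss->sec.ci.sid->u.ssl3.signedCertTimestamps`, a pointer into the socket's session entry, and nothing in the visible code says who owns that SECItem, how long it stays valid, or that its contents are whatever the peer sent. It also reads `ss->sec.ci.sid` and `ss->version` without taking the handshake locks that the option getter above releases via `ssl_ReleaseSSL3HandshakeLock`/`ssl_Release1stHandshakeLock`; this mirrors the `peerCertStatus` accessor just before it, so it may be deliberate, but a caller on another thread during a handshake could presumably see a sid that is being replaced. I would document the contract on the function, e.g. `/* Returns the peer's SCT list as received (not validated here); owned by the socket's session, may have len == 0. */` followed by `/* Callers must not free it and should copy it before any further handshake or close on fd. */`. Callers then know they must parse the bytes and verify the SCT signatures themselves, and must treat the bytes as untrusted input until they have.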