summaryrefslogtreecommitdiffstats
path: root/net/third_party
diff options
context:
space:
mode:
authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-05-24 14:51:10 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-05-24 14:51:10 +0000
commita107821af15125d7043ea8dd4d35bc329e9f9ac9 (patch)
treefb81c20348fabc596c7f66ea910df7806bd96cbb /net/third_party
parentc9875dfefb23080a2845485d865933a852aee89d (diff)
downloadchromium_src-a107821af15125d7043ea8dd4d35bc329e9f9ac9.zip
chromium_src-a107821af15125d7043ea8dd4d35bc329e9f9ac9.tar.gz
chromium_src-a107821af15125d7043ea8dd4d35bc329e9f9ac9.tar.bz2
nss: revert encrypted and origin bound certificates support.
This change is the result of running patch -R to revert the two patches. A minor change is needed to ssl_client_socket_nss.cc in order for the result to compile. BUG=129174 TEST=none git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138793 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
-rw-r--r--net/third_party/nss/README.chromium9
-rwxr-xr-xnet/third_party/nss/patches/applypatches.sh4
-rw-r--r--net/third_party/nss/patches/encryptedclientcerts.patch390
-rw-r--r--net/third_party/nss/patches/origin_bound_certs.patch219
-rw-r--r--net/third_party/nss/ssl/ssl.h2
-rw-r--r--net/third_party/nss/ssl/ssl3con.c108
-rw-r--r--net/third_party/nss/ssl/ssl3ext.c148
-rw-r--r--net/third_party/nss/ssl/sslimpl.h8
-rw-r--r--net/third_party/nss/ssl/sslsock.c24
-rw-r--r--net/third_party/nss/ssl/sslt.h6
10 files changed, 39 insertions, 879 deletions
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 5e80af8..3f14a7a 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -40,11 +40,6 @@ Patches:
patches/didhandshakeresume.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=731798
- * Support origin bound certificates.
- http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.txt
- https://bugzilla.mozilla.org/show_bug.cgi?id=680292
- patches/origin_bound_certs.patch
-
* Add a function to restart a handshake after a client certificate request.
patches/restartclientauth.patch
@@ -53,10 +48,6 @@ Patches:
https://bugzilla.mozilla.org/show_bug.cgi?id=681839
patches/negotiatedextension.patch
- * Support the encrypted client certificates extension.
- https://bugzilla.mozilla.org/show_bug.cgi?id=692154
- patches/encryptedclientcerts.patch
-
* Add function to retrieve TLS client cert types requested by server.
https://bugzilla.mozilla.org/show_bug.cgi?id=51413
patches/getrequestedclientcerttypes.patch
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index 55167bf..b713a46 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -24,16 +24,12 @@ patch -p6 < $patches_dir/clientauth.patch
patch -p6 < $patches_dir/didhandshakeresume.patch
-patch -p6 < $patches_dir/origin_bound_certs.patch
-
patch -p6 < $patches_dir/negotiatedextension.patch
patch -p6 < $patches_dir/getrequestedclientcerttypes.patch
patch -p6 < $patches_dir/restartclientauth.patch
-patch -p6 < $patches_dir/encryptedclientcerts.patch
-
patch -p4 < $patches_dir/dtls.patch
patch -p5 < $patches_dir/falsestartnpn.patch
diff --git a/net/third_party/nss/patches/encryptedclientcerts.patch b/net/third_party/nss/patches/encryptedclientcerts.patch
deleted file mode 100644
index 35ea585..0000000
--- a/net/third_party/nss/patches/encryptedclientcerts.patch
+++ /dev/null
@@ -1,390 +0,0 @@
-diff -pu -r a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
---- a/src/net/third_party/nss/ssl/ssl.h 2012-03-19 13:49:12.517522610 -0700
-+++ b/src/net/third_party/nss/ssl/ssl.h 2012-03-19 13:49:29.507749795 -0700
-@@ -186,6 +186,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
- #define SSL_CBC_RANDOM_IV 23
- #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
- #define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */
-+#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */
-
- #ifdef SSL_DEPRECATED_FUNCTION
- /* Old deprecated function names */
-diff -pu -r a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
---- a/src/net/third_party/nss/ssl/sslimpl.h 2012-03-19 13:49:12.557523144 -0700
-+++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-03-19 13:49:29.507749795 -0700
-@@ -350,6 +350,7 @@ typedef struct sslOptionsStr {
- unsigned int cbcRandomIV : 1; /* 24 */
- unsigned int enableOCSPStapling : 1; /* 25 */
- unsigned int enableOBCerts : 1; /* 26 */
-+ unsigned int encryptClientCerts : 1; /* 27 */
- } sslOptions;
-
- typedef enum { sslHandshakingUndetermined = 0,
-diff -pu -r a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
---- a/src/net/third_party/nss/ssl/ssl3con.c 2012-03-19 13:49:12.527522744 -0700
-+++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-03-19 13:49:29.507749795 -0700
-@@ -2882,7 +2882,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
-
- ss->ssl3.prSpec = ss->ssl3.crSpec;
- ss->ssl3.crSpec = prSpec;
-- ss->ssl3.hs.ws = wait_finished;
-+
-+ if (ss->sec.isServer &&
-+ ss->opt.requestCertificate &&
-+ ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+ ss->ssl3.hs.ws = wait_client_cert;
-+ } else {
-+ ss->ssl3.hs.ws = wait_finished;
-+ }
-
- SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
- SSL_GETPID(), ss->fd ));
-@@ -4898,10 +4905,11 @@ loser:
- static SECStatus
- ssl3_SendCertificateVerify(sslSocket *ss)
- {
-- SECStatus rv = SECFailure;
-- PRBool isTLS;
-- SECItem buf = {siBuffer, NULL, 0};
-- SSL3Hashes hashes;
-+ SECStatus rv = SECFailure;
-+ PRBool isTLS;
-+ SECItem buf = {siBuffer, NULL, 0};
-+ SSL3Hashes hashes;
-+ ssl3CipherSpec *spec;
-
- PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
- PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-@@ -4910,13 +4918,17 @@ ssl3_SendCertificateVerify(sslSocket *ss
- SSL_GETPID(), ss->fd));
-
- ssl_GetSpecReadLock(ss);
-- rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
-+ spec = ss->ssl3.pwSpec;
-+ if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+ spec = ss->ssl3.cwSpec;
-+ }
-+ rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0);
- ssl_ReleaseSpecReadLock(ss);
- if (rv != SECSuccess) {
- goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
- }
-
-- isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-+ isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
- if (ss->ssl3.platformClientKey) {
- #ifdef NSS_PLATFORM_CLIENT_AUTH
- rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
-@@ -5924,6 +5936,10 @@ ssl3_SendClientSecondRound(sslSocket *ss
- {
- SECStatus rv;
- PRBool sendClientCert;
-+ PRBool sendEmptyCert;
-+ int n = 0, i;
-+ typedef SECStatus (*SendFunction)(sslSocket*);
-+ SendFunction send_funcs[5];
-
- PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
- PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-@@ -5970,35 +5986,40 @@ ssl3_SendClientSecondRound(sslSocket *ss
-
- ssl_GetXmitBufLock(ss); /*******************************/
-
-- if (ss->ssl3.sendEmptyCert) {
-- ss->ssl3.sendEmptyCert = PR_FALSE;
-- rv = ssl3_SendEmptyCertificate(ss);
-- /* Don't send verify */
-- if (rv != SECSuccess) {
-- goto loser; /* error code is set. */
-- }
-- } else if (sendClientCert) {
-- rv = ssl3_SendCertificate(ss);
-- if (rv != SECSuccess) {
-- goto loser; /* error code is set. */
-- }
-- }
-+ sendEmptyCert = ss->ssl3.sendEmptyCert;
-+ ss->ssl3.sendEmptyCert = PR_FALSE;
-
-- rv = ssl3_SendClientKeyExchange(ss);
-- if (rv != SECSuccess) {
-- goto loser; /* err is set. */
-+ if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+ send_funcs[n++] = ssl3_SendClientKeyExchange;
-+ send_funcs[n++] = ssl3_SendChangeCipherSpecs;
-+ if (sendEmptyCert) {
-+ send_funcs[n++] = ssl3_SendEmptyCertificate;
-+ }
-+ if (sendClientCert) {
-+ send_funcs[n++] = ssl3_SendCertificate;
-+ send_funcs[n++] = ssl3_SendCertificateVerify;
-+ }
-+ } else {
-+ if (sendEmptyCert) {
-+ send_funcs[n++] = ssl3_SendEmptyCertificate;
-+ }
-+ if (sendClientCert) {
-+ send_funcs[n++] = ssl3_SendCertificate;
-+ }
-+ send_funcs[n++] = ssl3_SendClientKeyExchange;
-+ if (sendClientCert) {
-+ send_funcs[n++] = ssl3_SendCertificateVerify;
-+ }
-+ send_funcs[n++] = ssl3_SendChangeCipherSpecs;
- }
-
-- if (sendClientCert) {
-- rv = ssl3_SendCertificateVerify(ss);
-- if (rv != SECSuccess) {
-- goto loser; /* err is set. */
-- }
-- }
-+ PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0]));
-
-- rv = ssl3_SendChangeCipherSpecs(ss);
-- if (rv != SECSuccess) {
-- goto loser; /* err code was set. */
-+ for (i = 0; i < n; i++) {
-+ rv = send_funcs[i](ss);
-+ if (rv != SECSuccess) {
-+ goto loser; /* err code was set. */
-+ }
- }
-
- /* XXX: If the server's certificate hasn't been authenticated by this
-@@ -6213,8 +6234,13 @@ ssl3_SendServerHelloSequence(sslSocket *
- return rv; /* err code is set. */
- }
-
-- ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
-- : wait_client_key;
-+ if (ss->opt.requestCertificate &&
-+ !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+ ss->ssl3.hs.ws = wait_client_cert;
-+ } else {
-+ ss->ssl3.hs.ws = wait_client_key;
-+ }
-+
- return SECSuccess;
- }
-
-@@ -7458,7 +7484,11 @@ ssl3_HandleCertificateVerify(sslSocket *
- desc = isTLS ? decode_error : illegal_parameter;
- goto alert_loser; /* malformed */
- }
-- ss->ssl3.hs.ws = wait_change_cipher;
-+ if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+ ss->ssl3.hs.ws = wait_finished;
-+ } else {
-+ ss->ssl3.hs.ws = wait_change_cipher;
-+ }
- return SECSuccess;
-
- alert_loser:
-@@ -8358,7 +8388,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS
- }
- } else {
- server_no_cert:
-- ss->ssl3.hs.ws = wait_client_key;
-+ if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+ ss->ssl3.hs.ws = wait_cert_verify;
-+ } else {
-+ ss->ssl3.hs.ws = wait_client_key;
-+ }
- }
-
- PORT_Assert(rv == SECSuccess);
-@@ -8968,6 +9002,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s
- if (type == finished) {
- sender = ss->sec.isServer ? sender_client : sender_server;
- rSpec = ss->ssl3.crSpec;
-+ } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+ rSpec = ss->ssl3.crSpec;
- }
- rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
- }
-diff -pu -r a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
---- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-03-19 12:50:32.610015524 -0700
-+++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-03-19 13:49:29.507749795 -0700
-@@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr
- PRUint16 ex_type, SECItem *data);
- static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
- PRUint32 maxBytes);
-+static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss,
-+ PRUint16 ex_type, SECItem *data);
-+static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss,
-+ PRUint16 ex_type, SECItem *data);
-+static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss,
-+ PRBool append, PRUint32 maxBytes);
-
- /*
- * Write bytes. Using this function means the SECItem structure
-@@ -240,6 +246,7 @@ static const ssl3HelloExtensionHandler c
- { ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
- #endif
- { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
-+ { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn },
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
- { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn },
-@@ -252,6 +259,7 @@ static const ssl3HelloExtensionHandler s
- { ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
- /* TODO: add a handler for ssl_ec_point_formats_xtn */
- { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
-+ { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn },
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
- { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
-@@ -279,6 +287,7 @@ ssl3HelloExtensionSender clientHelloSend
- { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
- #endif
- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
-+ { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
- { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn }
-@@ -1082,6 +1091,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc
- return SECSuccess;
- }
-
-+static SECStatus
-+ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
-+ SECItem *data)
-+{
-+ if (data->len != 0)
-+ return SECFailure;
-+
-+ /* Keep track of negotiated extensions. */
-+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+ return SECSuccess;
-+}
-+
- SECStatus
- ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
- SECItem *data)
-@@ -1495,6 +1516,24 @@ loser:
- return rv;
- }
-
-+static SECStatus
-+ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
-+ SECItem *data)
-+{
-+ SECStatus rv = SECSuccess;
-+
-+ if (data->len != 0)
-+ return SECFailure;
-+
-+ if (ss->opt.encryptClientCerts) {
-+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+ rv = ssl3_RegisterServerHelloExtensionSender(
-+ ss, ex_type, ssl3_SendEncryptedClientCertsXtn);
-+ }
-+
-+ return rv;
-+}
-+
- /*
- * Read bytes. Using this function means the SECItem structure
- * cannot be freed. The caller is expected to call this function
-@@ -1694,6 +1733,33 @@ ssl3_SendRenegotiationInfoXtn(
- return needed;
- }
-
-+static PRInt32
-+ssl3_SendEncryptedClientCertsXtn(
-+ sslSocket * ss,
-+ PRBool append,
-+ PRUint32 maxBytes)
-+{
-+ PRInt32 needed;
-+
-+ if (!ss->opt.encryptClientCerts)
-+ return 0;
-+
-+ needed = 4; /* two bytes of type and two of length. */
-+ if (append && maxBytes >= needed) {
-+ SECStatus rv;
-+ rv = ssl3_AppendHandshakeNumber(ss, ssl_encrypted_client_certs, 2);
-+ if (rv != SECSuccess)
-+ return -1;
-+ rv = ssl3_AppendHandshakeNumber(ss, 0 /* length */, 2);
-+ if (rv != SECSuccess)
-+ return -1;
-+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
-+ ssl_encrypted_client_certs;
-+ }
-+
-+ return needed;
-+}
-+
- /* This function runs in both the client and server. */
- static SECStatus
- ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
-diff -pu -r a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
---- a/src/net/third_party/nss/ssl/sslsock.c 2012-03-19 12:59:07.586991902 -0700
-+++ b/src/net/third_party/nss/ssl/sslsock.c 2012-03-19 13:49:29.517749929 -0700
-@@ -188,6 +188,7 @@ static sslOptions ssl_defaults = {
- PR_TRUE, /* cbcRandomIV */
- PR_FALSE, /* enableOCSPStapling */
- PR_FALSE, /* enableOBCerts */
-+ PR_FALSE, /* encryptClientCerts */
- };
-
- /*
-@@ -826,6 +827,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- ss->opt.enableOBCerts = on;
- break;
-
-+ case SSL_ENCRYPT_CLIENT_CERTS:
-+ ss->opt.encryptClientCerts = on;
-+ break;
-+
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
-@@ -897,6 +902,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
- case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
- case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
- case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break;
-+ case SSL_ENCRYPT_CLIENT_CERTS:
-+ on = ss->opt.encryptClientCerts; break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -959,6 +966,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
- on = ssl_defaults.enableOCSPStapling;
- break;
- case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break;
-+ case SSL_ENCRYPT_CLIENT_CERTS:
-+ on = ssl_defaults.encryptClientCerts; break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1126,6 +1135,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
- ssl_defaults.enableOBCerts = on;
- break;
-
-+ case SSL_ENCRYPT_CLIENT_CERTS:
-+ ssl_defaults.encryptClientCerts = on;
-+ break;
-+
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
-diff -pu -r a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h
---- a/src/net/third_party/nss/ssl/sslt.h 2012-03-19 12:50:32.610015524 -0700
-+++ b/src/net/third_party/nss/ssl/sslt.h 2012-03-19 13:49:29.517749929 -0700
-@@ -214,10 +214,11 @@ typedef enum {
- #endif
- ssl_session_ticket_xtn = 35,
- ssl_next_proto_nego_xtn = 13172,
-+ ssl_encrypted_client_certs = 13180, /* not IANA assigned. */
- ssl_renegotiation_info_xtn = 0xff01, /* experimental number */
- ssl_ob_cert_xtn = 13175 /* experimental number */
- } SSLExtensionType;
-
--#define SSL_MAX_EXTENSIONS 8
-+#define SSL_MAX_EXTENSIONS 9
-
- #endif /* __sslt_h_ */
diff --git a/net/third_party/nss/patches/origin_bound_certs.patch b/net/third_party/nss/patches/origin_bound_certs.patch
deleted file mode 100644
index 18d60ad..0000000
--- a/net/third_party/nss/patches/origin_bound_certs.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
---- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 14:41:25.755295547 -0800
-+++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 16:45:47.368569394 -0800
-@@ -168,6 +168,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
- */
- #define SSL_CBC_RANDOM_IV 23
- #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
-+#define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */
-
- #ifdef SSL_DEPRECATED_FUNCTION
- /* Old deprecated function names */
-diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
---- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-28 20:34:50.114663722 -0800
-+++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-29 17:05:21.684414824 -0800
-@@ -242,6 +242,7 @@ static const ssl3HelloExtensionHandler c
- { ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
-+ { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn },
- { -1, NULL }
- };
-
-@@ -254,6 +255,7 @@ static const ssl3HelloExtensionHandler s
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
- { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
-+ { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn },
- { -1, NULL }
- };
-
-@@ -278,7 +280,8 @@ ssl3HelloExtensionSender clientHelloSend
- #endif
- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
-- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
-+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
-+ { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn }
- /* any extra entries will appear as { 0, NULL } */
- };
-
-@@ -1723,3 +1726,80 @@ ssl3_HandleRenegotiationInfoXtn(sslSocke
- return rv;
- }
-
-+/* This sender is used by both the client and server. */
-+PRInt32
-+ssl3_SendOBCertXtn(sslSocket * ss, PRBool append,
-+ PRUint32 maxBytes)
-+{
-+ SECStatus rv;
-+ PRUint32 extension_length;
-+
-+ if (!ss)
-+ return 0;
-+
-+ if (!ss->opt.enableOBCerts)
-+ return 0;
-+
-+ /* extension length = extension_type (2-bytes) +
-+ * length(extension_data) (2-bytes) +
-+ */
-+
-+ extension_length = 4;
-+
-+ if (append && maxBytes >= extension_length) {
-+ /* extension_type */
-+ rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2);
-+ if (rv != SECSuccess) return -1;
-+ /* length of extension_data */
-+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
-+ if (rv != SECSuccess) return -1;
-+
-+ if (!ss->sec.isServer) {
-+ TLSExtensionData *xtnData = &ss->xtnData;
-+ xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn;
-+ }
-+ }
-+
-+ return extension_length;
-+}
-+
-+SECStatus
-+ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
-+ SECItem *data)
-+{
-+ SECStatus rv;
-+
-+ /* Ignore the OBCert extension if it is disabled. */
-+ if (!ss->opt.enableOBCerts)
-+ return SECSuccess;
-+
-+ /* The echoed extension must be empty. */
-+ if (data->len != 0)
-+ return SECFailure;
-+
-+ /* Keep track of negotiated extensions. */
-+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+
-+ rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
-+ ssl3_SendOBCertXtn);
-+
-+ return SECSuccess;
-+}
-+
-+SECStatus
-+ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
-+ SECItem *data)
-+{
-+ /* If we didn't request this extension, then the server may not echo it. */
-+ if (!ss->opt.enableOBCerts)
-+ return SECFailure;
-+
-+ /* The echoed extension must be empty. */
-+ if (data->len != 0)
-+ return SECFailure;
-+
-+ /* Keep track of negotiated extensions. */
-+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+
-+ return SECSuccess;
-+}
-diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
---- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-28 20:34:50.114663722 -0800
-+++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 16:57:21.097919853 -0800
-@@ -349,6 +349,7 @@ typedef struct sslOptionsStr {
- unsigned int enableFalseStart : 1; /* 23 */
- unsigned int cbcRandomIV : 1; /* 24 */
- unsigned int enableOCSPStapling : 1; /* 25 */
-+ unsigned int enableOBCerts : 1; /* 26 */
- } sslOptions;
-
- typedef enum { sslHandshakingUndetermined = 0,
-@@ -1563,8 +1564,12 @@ extern SECStatus ssl3_ClientHandleSessio
- PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
-+extern SECStatus ssl3_ClientHandleOBCertXtn(sslSocket *ss,
-+ PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
-+extern SECStatus ssl3_ServerHandleOBCertXtn(sslSocket *ss,
-+ PRUint16 ex_type, SECItem *data);
-
- /* ClientHello and ServerHello extension senders.
- * Note that not all extension senders are exposed here; only those that
-@@ -1580,6 +1585,8 @@ extern PRInt32 ssl3_ClientSendStatusRequ
- */
- extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
- PRUint32 maxBytes);
-+extern PRInt32 ssl3_SendOBCertXtn(sslSocket *ss, PRBool append,
-+ PRUint32 maxBytes);
-
- /* Assigns new cert, cert chain and keys to ss->serverCerts
- * struct. If certChain is NULL, tries to find one. Aborts if
-diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
---- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 14:41:25.755295547 -0800
-+++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 17:03:16.272715683 -0800
-@@ -187,6 +187,7 @@ static sslOptions ssl_defaults = {
- PR_FALSE, /* enableFalseStart */
- PR_TRUE, /* cbcRandomIV */
- PR_FALSE, /* enableOCSPStapling */
-+ PR_FALSE, /* enableOBCerts */
- };
-
- sslSessionIDLookupFunc ssl_sid_lookup;
-@@ -750,6 +751,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- ss->opt.enableOCSPStapling = on;
- break;
-
-+ case SSL_ENABLE_OB_CERTS:
-+ ss->opt.enableOBCerts = on;
-+ break;
-+
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- rv = SECFailure;
-@@ -816,6 +821,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
- case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
- case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
- case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
-+ case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -873,6 +879,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
- case SSL_ENABLE_OCSP_STAPLING:
- on = ssl_defaults.enableOCSPStapling;
- break;
-+ case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break;
-
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1036,6 +1043,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
- ssl_defaults.enableOCSPStapling = on;
- break;
-
-+ case SSL_ENABLE_OB_CERTS:
-+ ssl_defaults.enableOBCerts = on;
-+ break;
-+
- default:
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
-diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h
---- a/src/net/third_party/nss/ssl/sslt.h 2012-02-28 19:26:04.057351342 -0800
-+++ b/src/net/third_party/nss/ssl/sslt.h 2012-02-29 17:05:03.744171015 -0800
-@@ -205,9 +205,10 @@ typedef enum {
- #endif
- ssl_session_ticket_xtn = 35,
- ssl_next_proto_nego_xtn = 13172,
-- ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
-+ ssl_renegotiation_info_xtn = 0xff01, /* experimental number */
-+ ssl_ob_cert_xtn = 13175 /* experimental number */
- } SSLExtensionType;
-
--#define SSL_MAX_EXTENSIONS 7
-+#define SSL_MAX_EXTENSIONS 8
-
- #endif /* __sslt_h_ */
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index 8885575..1368e2f 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -191,8 +191,6 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
*/
#define SSL_CBC_RANDOM_IV 23
#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
-#define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */
-#define SSL_ENCRYPT_CLIENT_CERTS 26 /* Enable encrypted client certs. */
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 55e4901..db9fad3 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -2991,14 +2991,7 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
ss->ssl3.prSpec = ss->ssl3.crSpec;
ss->ssl3.crSpec = prSpec;
-
- if (ss->sec.isServer &&
- ss->opt.requestCertificate &&
- ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- ss->ssl3.hs.ws = wait_client_cert;
- } else {
- ss->ssl3.hs.ws = wait_finished;
- }
+ ss->ssl3.hs.ws = wait_finished;
SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
SSL_GETPID(), ss->fd ));
@@ -5087,11 +5080,10 @@ loser:
static SECStatus
ssl3_SendCertificateVerify(sslSocket *ss)
{
- SECStatus rv = SECFailure;
- PRBool isTLS;
- SECItem buf = {siBuffer, NULL, 0};
- SSL3Hashes hashes;
- ssl3CipherSpec *spec;
+ SECStatus rv = SECFailure;
+ PRBool isTLS;
+ SECItem buf = {siBuffer, NULL, 0};
+ SSL3Hashes hashes;
PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ -5100,17 +5092,13 @@ ssl3_SendCertificateVerify(sslSocket *ss)
SSL_GETPID(), ss->fd));
ssl_GetSpecReadLock(ss);
- spec = ss->ssl3.pwSpec;
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- spec = ss->ssl3.cwSpec;
- }
- rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0);
+ rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
ssl_ReleaseSpecReadLock(ss);
if (rv != SECSuccess) {
goto done; /* err code was set by ssl3_ComputeHandshakeHashes */
}
- isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
+ isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
if (ss->ssl3.platformClientKey) {
#ifdef NSS_PLATFORM_CLIENT_AUTH
rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
@@ -6165,10 +6153,6 @@ ssl3_SendClientSecondRound(sslSocket *ss)
{
SECStatus rv;
PRBool sendClientCert;
- PRBool sendEmptyCert;
- int n = 0, i;
- typedef SECStatus (*SendFunction)(sslSocket*);
- SendFunction send_funcs[5];
PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
@@ -6215,40 +6199,35 @@ ssl3_SendClientSecondRound(sslSocket *ss)
ssl_GetXmitBufLock(ss); /*******************************/
- sendEmptyCert = ss->ssl3.sendEmptyCert;
- ss->ssl3.sendEmptyCert = PR_FALSE;
-
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- send_funcs[n++] = ssl3_SendClientKeyExchange;
- send_funcs[n++] = ssl3_SendChangeCipherSpecs;
- if (sendEmptyCert) {
- send_funcs[n++] = ssl3_SendEmptyCertificate;
- }
- if (sendClientCert) {
- send_funcs[n++] = ssl3_SendCertificate;
- send_funcs[n++] = ssl3_SendCertificateVerify;
- }
- } else {
- if (sendEmptyCert) {
- send_funcs[n++] = ssl3_SendEmptyCertificate;
- }
- if (sendClientCert) {
- send_funcs[n++] = ssl3_SendCertificate;
- }
- send_funcs[n++] = ssl3_SendClientKeyExchange;
- if (sendClientCert) {
- send_funcs[n++] = ssl3_SendCertificateVerify;
- }
- send_funcs[n++] = ssl3_SendChangeCipherSpecs;
+ if (ss->ssl3.sendEmptyCert) {
+ ss->ssl3.sendEmptyCert = PR_FALSE;
+ rv = ssl3_SendEmptyCertificate(ss);
+ /* Don't send verify */
+ if (rv != SECSuccess) {
+ goto loser; /* error code is set. */
+ }
+ } else if (sendClientCert) {
+ rv = ssl3_SendCertificate(ss);
+ if (rv != SECSuccess) {
+ goto loser; /* error code is set. */
+ }
}
- PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0]));
+ rv = ssl3_SendClientKeyExchange(ss);
+ if (rv != SECSuccess) {
+ goto loser; /* err is set. */
+ }
- for (i = 0; i < n; i++) {
- rv = send_funcs[i](ss);
+ if (sendClientCert) {
+ rv = ssl3_SendCertificateVerify(ss);
if (rv != SECSuccess) {
- goto loser; /* err code was set. */
- }
+ goto loser; /* err is set. */
+ }
+ }
+
+ rv = ssl3_SendChangeCipherSpecs(ss);
+ if (rv != SECSuccess) {
+ goto loser; /* err code was set. */
}
/* XXX: If the server's certificate hasn't been authenticated by this
@@ -6463,13 +6442,8 @@ ssl3_SendServerHelloSequence(sslSocket *ss)
return rv; /* err code is set. */
}
- if (ss->opt.requestCertificate &&
- !ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- ss->ssl3.hs.ws = wait_client_cert;
- } else {
- ss->ssl3.hs.ws = wait_client_key;
- }
-
+ ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
+ : wait_client_key;
return SECSuccess;
}
@@ -7766,11 +7740,7 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
desc = isTLS ? decode_error : illegal_parameter;
goto alert_loser; /* malformed */
}
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- ss->ssl3.hs.ws = wait_finished;
- } else {
- ss->ssl3.hs.ws = wait_change_cipher;
- }
+ ss->ssl3.hs.ws = wait_change_cipher;
return SECSuccess;
alert_loser:
@@ -8683,11 +8653,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
}
} else {
server_no_cert:
- if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- ss->ssl3.hs.ws = wait_cert_verify;
- } else {
- ss->ssl3.hs.ws = wait_client_key;
- }
+ ss->ssl3.hs.ws = wait_client_key;
}
PORT_Assert(rv == SECSuccess);
@@ -9302,8 +9268,6 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
if (type == finished) {
sender = ss->sec.isServer ? sender_client : sender_server;
rSpec = ss->ssl3.crSpec;
- } else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
- rSpec = ss->ssl3.crSpec;
}
rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
}
diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index 6d5866b..b9fd6e7 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -84,12 +84,6 @@ static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
PRUint32 maxBytes);
-static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
-static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
-static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss,
- PRBool append, PRUint32 maxBytes);
/*
* Write bytes. Using this function means the SECItem structure
@@ -246,10 +240,8 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
{ ssl_ec_point_formats_xtn, &ssl3_HandleSupportedPointFormatsXtn },
#endif
{ ssl_session_ticket_xtn, &ssl3_ServerHandleSessionTicketXtn },
- { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn },
{ ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
{ ssl_next_proto_nego_xtn, &ssl3_ServerHandleNextProtoNegoXtn },
- { ssl_ob_cert_xtn, &ssl3_ServerHandleOBCertXtn },
{ -1, NULL }
};
@@ -259,11 +251,9 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
{ ssl_server_name_xtn, &ssl3_HandleServerNameXtn },
/* TODO: add a handler for ssl_ec_point_formats_xtn */
{ ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
- { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn },
{ ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
{ ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
{ ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
- { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn },
{ -1, NULL }
};
@@ -287,10 +277,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
{ ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
#endif
{ ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
- { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn },
{ ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
- { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn }
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
/* any extra entries will appear as { 0, NULL } */
};
@@ -1099,18 +1087,6 @@ ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
return SECSuccess;
}
-static SECStatus
-ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
- SECItem *data)
-{
- if (data->len != 0)
- return SECFailure;
-
- /* Keep track of negotiated extensions. */
- ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
- return SECSuccess;
-}
-
SECStatus
ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
SECItem *data)
@@ -1524,24 +1500,6 @@ loser:
return rv;
}
-static SECStatus
-ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
- SECItem *data)
-{
- SECStatus rv = SECSuccess;
-
- if (data->len != 0)
- return SECFailure;
-
- if (ss->opt.encryptClientCerts) {
- ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
- rv = ssl3_RegisterServerHelloExtensionSender(
- ss, ex_type, ssl3_SendEncryptedClientCertsXtn);
- }
-
- return rv;
-}
-
/*
* Read bytes. Using this function means the SECItem structure
* cannot be freed. The caller is expected to call this function
@@ -1741,33 +1699,6 @@ ssl3_SendRenegotiationInfoXtn(
return needed;
}
-static PRInt32
-ssl3_SendEncryptedClientCertsXtn(
- sslSocket * ss,
- PRBool append,
- PRUint32 maxBytes)
-{
- PRInt32 needed;
-
- if (!ss->opt.encryptClientCerts)
- return 0;
-
- needed = 4; /* two bytes of type and two of length. */
- if (append && maxBytes >= needed) {
- SECStatus rv;
- rv = ssl3_AppendHandshakeNumber(ss, ssl_encrypted_client_certs, 2);
- if (rv != SECSuccess)
- return -1;
- rv = ssl3_AppendHandshakeNumber(ss, 0 /* length */, 2);
- if (rv != SECSuccess)
- return -1;
- ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
- ssl_encrypted_client_certs;
- }
-
- return needed;
-}
-
/* This function runs in both the client and server. */
static SECStatus
ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
@@ -1799,80 +1730,3 @@ ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
return rv;
}
-/* This sender is used by both the client and server. */
-PRInt32
-ssl3_SendOBCertXtn(sslSocket * ss, PRBool append,
- PRUint32 maxBytes)
-{
- SECStatus rv;
- PRUint32 extension_length;
-
- if (!ss)
- return 0;
-
- if (!ss->opt.enableOBCerts)
- return 0;
-
- /* extension length = extension_type (2-bytes) +
- * length(extension_data) (2-bytes) +
- */
-
- extension_length = 4;
-
- if (append && maxBytes >= extension_length) {
- /* extension_type */
- rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2);
- if (rv != SECSuccess) return -1;
- /* length of extension_data */
- rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
- if (rv != SECSuccess) return -1;
-
- if (!ss->sec.isServer) {
- TLSExtensionData *xtnData = &ss->xtnData;
- xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn;
- }
- }
-
- return extension_length;
-}
-
-SECStatus
-ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
- SECItem *data)
-{
- SECStatus rv;
-
- /* Ignore the OBCert extension if it is disabled. */
- if (!ss->opt.enableOBCerts)
- return SECSuccess;
-
- /* The echoed extension must be empty. */
- if (data->len != 0)
- return SECFailure;
-
- /* Keep track of negotiated extensions. */
- ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-
- rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
- ssl3_SendOBCertXtn);
-
- return SECSuccess;
-}
-
-SECStatus
-ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
- SECItem *data)
-{
- /* If we didn't request this extension, then the server may not echo it. */
- if (!ss->opt.enableOBCerts)
- return SECFailure;
-
- /* The echoed extension must be empty. */
- if (data->len != 0)
- return SECFailure;
-
- /* Keep track of negotiated extensions. */
- ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-
- return SECSuccess;
-}
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 4991aca..8ab865a 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -356,8 +356,6 @@ typedef struct sslOptionsStr {
unsigned int enableFalseStart : 1; /* 23 */
unsigned int cbcRandomIV : 1; /* 24 */
unsigned int enableOCSPStapling : 1; /* 25 */
- unsigned int enableOBCerts : 1; /* 26 */
- unsigned int encryptClientCerts : 1; /* 27 */
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
@@ -1702,12 +1700,8 @@ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
-extern SECStatus ssl3_ClientHandleOBCertXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
-extern SECStatus ssl3_ServerHandleOBCertXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
/* ClientHello and ServerHello extension senders.
* Note that not all extension senders are exposed here; only those that
@@ -1723,8 +1717,6 @@ extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append,
*/
extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
PRUint32 maxBytes);
-extern PRInt32 ssl3_SendOBCertXtn(sslSocket *ss, PRBool append,
- PRUint32 maxBytes);
/* Assigns new cert, cert chain and keys to ss->serverCerts
* struct. If certChain is NULL, tries to find one. Aborts if
diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
index 3364902..ebc245a 100644
--- a/net/third_party/nss/ssl/sslsock.c
+++ b/net/third_party/nss/ssl/sslsock.c
@@ -187,8 +187,6 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* enableFalseStart */
PR_TRUE, /* cbcRandomIV */
PR_FALSE, /* enableOCSPStapling */
- PR_FALSE, /* enableOBCerts */
- PR_FALSE, /* encryptClientCerts */
};
/*
@@ -866,14 +864,6 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
ss->opt.enableOCSPStapling = on;
break;
- case SSL_ENABLE_OB_CERTS:
- ss->opt.enableOBCerts = on;
- break;
-
- case SSL_ENCRYPT_CLIENT_CERTS:
- ss->opt.encryptClientCerts = on;
- break;
-
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
@@ -944,9 +934,6 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
- case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break;
- case SSL_ENCRYPT_CLIENT_CERTS:
- on = ss->opt.encryptClientCerts; break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1008,9 +995,6 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
case SSL_ENABLE_OCSP_STAPLING:
on = ssl_defaults.enableOCSPStapling;
break;
- case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break;
- case SSL_ENCRYPT_CLIENT_CERTS:
- on = ssl_defaults.encryptClientCerts; break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1174,14 +1158,6 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
ssl_defaults.enableOCSPStapling = on;
break;
- case SSL_ENABLE_OB_CERTS:
- ssl_defaults.enableOBCerts = on;
- break;
-
- case SSL_ENCRYPT_CLIENT_CERTS:
- ssl_defaults.encryptClientCerts = on;
- break;
-
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
index eddfffd..0636570 100644
--- a/net/third_party/nss/ssl/sslt.h
+++ b/net/third_party/nss/ssl/sslt.h
@@ -215,11 +215,9 @@ typedef enum {
#endif
ssl_session_ticket_xtn = 35,
ssl_next_proto_nego_xtn = 13172,
- ssl_encrypted_client_certs = 13180, /* not IANA assigned. */
- ssl_renegotiation_info_xtn = 0xff01, /* experimental number */
- ssl_ob_cert_xtn = 13175 /* experimental number */
+ ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
} SSLExtensionType;
-#define SSL_MAX_EXTENSIONS 9
+#define SSL_MAX_EXTENSIONS 7
#endif /* __sslt_h_ */