author | rkn@chromium.org <rkn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-07-14 18:45:31 +0000 |
committer | rkn@chromium.org <rkn@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-07-14 18:45:31 +0000 |
commit | 4232942d75f96fd5f2b2dc792986588ccb89b88d (patch) | |
tree | 0d71ea1e93577b50e0a8f9a7a9abc5c65f0ced98 /net/third_party | |
parent | 21981be16627c729e3e646e424e757420b82b7d3 (diff) | |
Add client-side support for the origin bound certificate TLS extension.
BUG=None
TEST=None
Review URL: http://codereview.chromium.org/7327029
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@92576 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/third_party')
-rw-r--r-- | net/third_party/nss/ssl/ssl.h | 1 | ||||
-rw-r--r-- | net/third_party/nss/ssl/ssl3ext.c | 81 | ||||
-rw-r--r-- | net/third_party/nss/ssl/sslimpl.h | 7 | ||||
-rw-r--r-- | net/third_party/nss/ssl/sslsock.c | 13 | ||||
-rw-r--r-- | net/third_party/nss/ssl/sslt.h | 5 |
5 files changed, 103 insertions, 4 deletions
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index 20a5167..38edb7f 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -142,6 +142,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
 #define SSL_ENABLE_OCSP_STAPLING 23 /* Request OCSP stapling (client) */
 #define SSL_ENABLE_CACHED_INFO 24 /* Enable TLS cached information */
 /* extension, off by default. */
+#define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */
 #ifdef SSL_DEPRECATED_FUNCTION
 /* Old deprecated function names */
diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index b68d2fd..e3513a3 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -249,6 +249,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
 { ssl_next_proto_neg_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
 { ssl_cached_info_xtn, &ssl3_ClientHandleCachedInfoXtn },
 { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
+ { ssl_ob_cert_xtn, &ssl3_ClientHandleOBCertXtn },
 { -1, NULL }
 };
@@ -274,7 +275,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
 { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
 { ssl_next_proto_neg_xtn, &ssl3_ClientSendNextProtoNegoXtn },
 { ssl_cached_info_xtn, &ssl3_ClientSendCachedInfoXtn },
- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
+ { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn }
 /* any extra entries will appear as { 0, NULL } */
 };
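Review bot: The new ssl.h comment `/* Enable origin bound certs. */` says nothing about the option's scope or its default, while the adjacent SSL_ENABLE_CACHED_INFO entry documents both ("off by default"); since sslsock.c in this same commit sets enableOBCerts to PR_TRUE, a caller reading ssl.h cannot tell that this option is on unless they turn it off. Suggest `#define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs */` followed by a continuation comment line in the same style as the cached-info entry stating the default. The ssl3ext.c hunk on this line registers ssl3_ClientHandleOBCertXtn in serverHelloHandlersTLS only, so ssl3_ServerHandleOBCertXtn is declared and defined but, as far as this commit shows, never dispatched; a one-line comment on that handler saying the server-side wiring is deferred would save the next reader a search.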
@@ -1867,3 +1869,80 @@ ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
 return rv;
 }
+/* This sender is used by both the client and server. */
+PRInt32
+ssl3_SendOBCertXtn(sslSocket * ss, PRBool append,
+ PRUint32 maxBytes)
+{
+ SECStatus rv;
+ PRUint32 extension_length;
+
+ if (!ss)
+ return 0;
+
+ if (!ss->opt.enableOBCerts)
+ return 0;
+
+ /* extension length = extension_type (2-bytes) +
+ * length(extension_data) (2-bytes) +
+ */
+
+ extension_length = 4;
+
+ if (append && maxBytes >= extension_length) {
+ /* extension_type */
+ rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2);
+ if (rv != SECSuccess) return -1;
+ /* length of extension_data */
+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
+ if (rv != SECSuccess) return -1;
+
+ if (!ss->sec.isServer) {
+ TLSExtensionData *xtnData = &ss->xtnData;
+ xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn;
+ }
+ }
+
+ return extension_length;
+}
+
+SECStatus
+ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
+ SECItem *data)
+{
+ SECStatus rv;
+
+ /* Ignore the OBCert extension if it is disabled. */
+ if (!ss->opt.enableOBCerts)
+ return SECSuccess;
+
+ /* The echoed extension must be empty. */
+ if (data->len != 0)
+ return SECFailure;
+
+ /* Keep track of negotiated extensions. */
+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+
+ rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
+ ssl3_SendOBCertXtn);
+
+ return SECSuccess;
+}
+
+SECStatus
+ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
+ SECItem *data)
+{
+ /* If we didn't request this extension, then the server may not echo it. */
+ if (!ss->opt.enableOBCerts)
+ return SECFailure;
+
+ /* The echoed extension must be empty. */
+ if (data->len != 0)
+ return SECFailure;
+
+ /* Keep track of negotiated extensions. */
+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
+
+ return SECSuccess;
+}
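Review bot: In ssl3_ServerHandleOBCertXtn the result of ssl3_RegisterServerHelloExtensionSender is stored in `rv` and then discarded, so a failed registration is reported as SECSuccess and the server records the extension as negotiated without ever echoing it; the tail should be `return rv;` rather than the unconditional `return SECSuccess;`. The same function appends to `ss->xtnData.negotiated` before the registration is attempted, so on failure the bookkeeping has already been done; moving the `negotiated[...]` write after a successful registration keeps the two consistent. ssl3_SendOBCertXtn writes `xtnData->advertised[xtnData->numAdvertised++]` with no bound check, which appears to follow the other senders in this file, but with clientHelloSendersTLS now at exactly SSL_MAX_EXTENSIONS entries it is worth confirming the advertised array is sized to match.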
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index bf47dc2..e9db8ae 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -350,6 +350,7 @@ typedef struct sslOptionsStr {
 unsigned int enableFalseStart : 1; /* 23 */
 unsigned int enableOCSPStapling : 1; /* 24 */
 unsigned int enableCachedInfo : 1; /* 25 */
+ unsigned int enableOBCerts : 1; /* 26 */
 } sslOptions;
 typedef enum { sslHandshakingUndetermined = 0,
@@ -1568,10 +1569,14 @@ extern SECStatus ssl3_ClientHandleCachedInfoXtn(sslSocket *ss,
 PRUint16 ex_type, SECItem *data);
 extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
 PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_ClientHandleOBCertXtn(sslSocket *ss,
+ PRUint16 ex_type, SECItem *data);
 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
 PRUint16 ex_type, SECItem *data);
 extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
 PRUint16 ex_type, SECItem *data);
+extern SECStatus ssl3_ServerHandleOBCertXtn(sslSocket *ss,
+ PRUint16 ex_type, SECItem *data);
 /* ClientHello and ServerHello extension senders.
 * Note that not all extension senders are exposed here; only those that
@@ -1589,6 +1594,8 @@ extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
 PRUint32 maxBytes);
 extern PRInt32 ssl3_ClientSendCachedInfoXtn(sslSocket *ss, PRBool append,
 PRUint32 maxBytes);
+extern PRInt32 ssl3_SendOBCertXtn(sslSocket *ss, PRBool append,
+ PRUint32 maxBytes);
 /* Assigns new cert, cert chain and keys to ss->serverCerts
 * struct. If certChain is NULL, tries to find one. Aborts if
diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
index 340d17c..68fd3cb 100644
--- a/net/third_party/nss/ssl/sslsock.c
+++ b/net/third_party/nss/ssl/sslsock.c
@@ -187,6 +187,7 @@ static sslOptions ssl_defaults = {
 PR_FALSE, /* enableFalseStart */
 PR_FALSE, /* enableOCSPStapling */
 PR_FALSE, /* enableCachedInfo */
+ PR_TRUE, /* enableOBCerts */
 };
 sslSessionIDLookupFunc ssl_sid_lookup;
@@ -752,6 +753,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
 ss->opt.enableCachedInfo = on;
 break;
+ case SSL_ENABLE_OB_CERTS:
+ ss->opt.enableOBCerts = on;
+ break;
+
 default:
 PORT_SetError(SEC_ERROR_INVALID_ARGS);
 rv = SECFailure;
@@ -817,7 +822,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
 on = ss->opt.requireSafeNegotiation; break;
 case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
 case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
- case SSL_ENABLE_CACHED_INFO: on = ss->opt.enableCachedInfo; break;
+ case SSL_ENABLE_CACHED_INFO: on = ss->opt.enableCachedInfo; break;
+ case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break;
 default:
 PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -873,6 +879,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
 on = ssl_defaults.enableOCSPStapling; break;
 case SSL_ENABLE_CACHED_INFO: on = ssl_defaults.enableCachedInfo; break;
+ case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break;
 default:
 PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1028,6 +1035,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
 ssl_defaults.enableCachedInfo = on;
 break;
+ case SSL_ENABLE_OB_CERTS:
+ ssl_defaults.enableOBCerts = on;
+ break;
+
 default:
 PORT_SetError(SEC_ERROR_INVALID_ARGS);
 return SECFailure;
diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
index bca7496..907c1dc 100644
--- a/net/third_party/nss/ssl/sslt.h
+++ b/net/third_party/nss/ssl/sslt.h
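Review bot: `PR_TRUE, /* enableOBCerts */` in ssl_defaults switches the extension on for every socket, whereas the neighbouring enableOCSPStapling and enableCachedInfo entries default to PR_FALSE and ssl.h documents cached info as off by default; with this default every ClientHello carries the experimental ssl_ob_cert_xtn type even for embedders that never call SSL_OptionSet(SSL_ENABLE_OB_CERTS), which changes the on-wire fingerprint of all connections and exposes a brand-new code path to every server by default. Unless opting every connection in is intended, `PR_FALSE, /* enableOBCerts */` is the safer default and lets the embedder enable it explicitly; if PR_TRUE is deliberate, the ssl.h comment on SSL_ENABLE_OB_CERTS should say so. The SSL_ENABLE_CACHED_INFO line in SSL_OptionGet is removed and re-added with identical text, which looks like a whitespace-only change that could be dropped to keep the hunk minimal.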
@@ -206,9 +206,10 @@ typedef enum {
 ssl_session_ticket_xtn = 35,
 ssl_next_proto_neg_xtn = 13172,
 ssl_cached_info_xtn = 13173,
- ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
+ ssl_renegotiation_info_xtn = 0xff01, /* experimental number */
+ ssl_ob_cert_xtn = 0xff0f /* experimental number */
 } SSLExtensionType;
-#define SSL_MAX_EXTENSIONS 8
+#define SSL_MAX_EXTENSIONS 9
 #endif /* __sslt_h_ */ |